{"id":33119221,"url":"https://github.com/gsauthof/dracut-sshd","last_synced_at":"2026-01-22T04:15:24.927Z","repository":{"id":42495306,"uuid":"134894205","full_name":"gsauthof/dracut-sshd","owner":"gsauthof","description":"Provide SSH access to initramfs early user space on Fedora and other systems that use Dracut","archived":false,"fork":false,"pushed_at":"2025-12-31T15:22:19.000Z","size":161,"stargazers_count":288,"open_issues_count":10,"forks_count":39,"subscribers_count":9,"default_branch":"master","last_synced_at":"2026-01-04T23:52:01.775Z","etag":null,"topics":["dracut-module","initramfs"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gsauthof.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-05-25T18:59:50.000Z","updated_at":"2026-01-02T20:22:15.000Z","dependencies_parsed_at":"2023-12-14T00:25:03.064Z","dependency_job_id":"7d9bf11c-e7e5-411a-a073-bbc88ce2407b","html_url":"https://github.com/gsauthof/dracut-sshd","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/gsauthof/dracut-sshd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsauthof%2Fdracut-sshd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsauthof%2Fdracut-sshd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsauthof%2Fdracut-sshd/releases","manifests_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsauthof%2Fdracut-sshd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gsauthof","download_url":"https://codeload.github.com/gsauthof/dracut-sshd/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsauthof%2Fdracut-sshd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28653970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dracut-module","initramfs"],"created_at":"2025-11-15T04:00:29.679Z","updated_at":"2026-01-22T04:15:24.921Z","avatar_url":"https://github.com/gsauthof.png","language":"Shell","funding_links":[],"categories":["Minimal rootfs"],"sub_categories":[],"readme":"[![CI Build Status](https://github.com/gsauthof/dracut-sshd/actions/workflows/e2e-trigger.yml/badge.svg)](https://github.com/gsauthof/dracut-sshd/actions/workflows/e2e-trigger.yml)\n\nThis [Dracut][dracut] module (dracut-sshd) integrates the\n[OpenSSH][ossh] sshd into the [initramfs][iramfs]. It allows for\nremote unlocking of a fully encrypted root filesystem and remote\naccess to the Dracut emergency shell (i.e. 
early userspace).\n\nIt's compatible with systems that use Dracut as initramfs manager\nand systemd as init system, such as Fedora, CentOS/RHEL (version\n7 or greater) and SUSE. Gentoo is also known to work with\ndracut-sshd, as long as it's configured with systemd and Dracut.\n\n2018-2025, Georg Sauthoff \u003cmail@gms.tf\u003e, GPLv3+\n\n## TOC\n\n- [Example: Open Encrypted Root Filesystem](#example-open-encrypted-root-filesystem)\n- [Example: Emergency Shell](#example-emergency-shell)\n- [Install](#install)\n- [Space Overhead](#space-overhead)\n- [Host Keys](#host-keys)\n- [Timeout](#timeout)\n- [Network](#network)\n- [Hardware Alternatives](#hardware-alternatives)\n- [FAQ](#faq)\n- [Related Work](#related-work)\n- [Testing](#testing)\n- [Tested Environments](#tested-environments)\n- [Packages](#packages)\n\n## Example: Open Encrypted Root Filesystem\n\nAfter booting a Fedora system with encrypted root filesystem\n(i.e. a filesystem on a [LUKS volume to be opened with\ncryptsetup][luks]) the [Dracut][dracut] [initramfs][iramfs]\nblocks at the password prompt. With dracut-sshd enabled remote\nunlocking is then as simple as:\n\n    $ ssh headless.example.org\n    -sh-4.4# systemd-tty-ask-password-agent       \n    Please enter passphrase for disk luks-123-cafe! *********\n    Please enter passphrase for disk luks-124-cafe! *********\n    -sh-4.4# Connection to 203.0.113.23 closed by remote host.\n    Connection to 203.0.113.23 closed.\n\nThat means under normal circumstances the completion of all\npassword prompts automatically resumes the boot process.\n\nThe command [`systemd-tty-ask-password-agent --list`][pwagent] prints an overview\nover all pending password prompts.\n\n## Example: Emergency Shell\n\nThe start of the [Dracut][dracut] emergency shell can be\nrequested via adding `rd.break` to the kernel command line, but\nit also happens when Dracut is unable to mount the root\nfilesystem or other grave issues. 
In such cases the emergency\nshell blocks the boot process. Without remote access the machine\nis quite dead then.\n\nExample session:\n\n    $ ssh headless.example.org\n    -sh-4.4# export TERM=vt220\n    -sh-4.4# export SYSTEMD=FRMXK\n    -sh-4.4# export LC_ALL=C\n    -sh-4.4# less /run/initramfs/rdsosreport.txt\n    -sh-4.4# journalctl -e\n    -sh-4.4# systemctl status\n    -sh-4.4# systemctl list-jobs\n\nAfter fixing potential issues the emergency shell can be terminated to resume the boot:\n\n    switch_root:/root# systemctl stop dracut-emergency.service\n    switch_root:/root# Connection to 203.0.113.23 closed by remote host.\n    Connection to 203.0.113.23 closed.\n\nAlternatively, one can send a signal to the emergency service, e.g.\nwith `systemctl kill ...` or `systemctl kill --signal=... ...`.\n\n## Install\n\nCopy the `46sshd` subdirectory to the [Dracut][dracut] module directory:\n\n    # cp -ri 46sshd /usr/lib/dracut/modules.d\n\nAlternatively, you can install the latest stable version from\nyour distribution's package repository, where available (e.g. the\n[dracut-sshd package on Fedora or EPEL][fedora]).\n\nEither way, once present under `/usr/lib/dracut/modules.d` it's\nenabled, by default.\n\nWith an older sshd (i.e. 
older than 9.8 _and_ lacking patched-in\nsystemd support), one has to adjust the systemd service file:\n\n    # echo 'Skip this sed on Fedora/RHEL/CentOS/Debian/Ubuntu/...!'\n    # sed -e 's/^Type=notify/Type=simple/' \\\n          -e 's@^\\(ExecStart=/usr/sbin/sshd\\) -D@\\1 -e -D@' \\\n          -i \\\n          /usr/lib/dracut/modules.d/46sshd/sshd.service\n\nDracut-sshd includes the first available ssh authorized keys file of the\nfollowing list into the initramfs:\n\n- /root/.ssh/dracut_authorized_keys\n- /etc/dracut-sshd/authorized_keys\n- /root/.ssh/authorized_keys\n\nNote that on some distributions such as [Fedora\nSilverblue][rpm-ostree] your only option is to create a keys file\nunder `/etc/dracut-sshd` as `/root` isn't accessible during\n`dracut` runtime.\n\nOf course, our initramfs image needs network support. The simplest\nway to achieve this is to include [networkd][networkd]. To install\nthe networkd dracut module and networkd itself:\n\n    # dnf install -y dracut-network systemd-networkd\n\nWhen installing from an rpm package, `dracut-network` is automatically\ninstalled as a dependency.\n\nCreate a non-[NetworkManager][nm] network config, e.g. via\n[Networkd][networkd]:\n\n```\n$ cat /etc/systemd/network/20-wired.network\n[Match]\nName=e*\n\n[Network]\nDHCP=ipv4\n```\n\nAdjust the `Name=`, if necessary.\n\nNote that the dracut networkd module doesn't include the system's\nnetwork configuration files by default and note that the module\nisn't enabled, by default, either. Thus, you have to configure\nDracut for networkd (cf. the [install_items][iitems] and\n[add_dracutmodules][addmod] directives). Example:\n\n```\n# cat /etc/dracut.conf.d/90-networkd.conf\ninstall_items+=\" /etc/systemd/network/20-wired.network \"\nadd_dracutmodules+=\" systemd-networkd \"\n```\n\nAlternatively, early boot network connectivity can be configured\nby other means (i.e.  kernel parameters, see below).  
However,\nthe author of this README strongly recommends to use Networkd\ninstead of NetworkManager on servers and server-like systems.\n\nIf the above example is sufficient you just need to copy the\nexample configuration files from the `example/` subdirectory:\n\n    # cp example/20-wired.network  /etc/systemd/network\n    # cp example/90-networkd.conf /etc/dracut.conf.d\n\nFinally regenerate the initramfs:\n\n    # dracut -f -v\n\nNote that Ubuntu's dracut defaults to an initramfs filename that\nis incompatible with Ubuntu's grub default initrd settings ... m(\nThus, on Ubuntu one has to explicitly specify the initramfs filename like this:\n\n    # dracut -f -v /boot/initrd.img-$(uname -r)\n\nVerify that this `sshd` module is included. Either via inspecting the verbose\noutput or via `lsinitrd`, e.g.:\n\n    # lsinitrd | grep 'authorized\\|bin/sshd\\|network/20'\n    -rw-r--r--   1 root     root          119 Jul 17 15:08 etc/systemd/network/20-wired.network\n    -rw-------   1 root     root           99 Jul 17 17:04 root/.ssh/authorized_keys\n    -rwxr-xr-x   1 root     root       876328 Jul 17 17:04 usr/sbin/sshd\n\nFinally, reboot.\n\n\n## Space Overhead\n\nThe space overhead of the [Dracut][dracut] sshd module is\nnegligible:\n\n    enabled modules           initramfs size\n    --------------------------------------\n    vanilla -network -ifcfg   16 MiB\n    +systemd-networkd         17 MiB\n    +systemd-networkd +sshd   19 MiB\n    +network +ifcfg           21 MiB\n    +network +ifcfg +sshd     21 MiB\n    +network +ifcfg +sshd     22 MiB\n    +systemd-networkd\n\n(all numbers from a Fedora 28 system, measuring the compressed\ninitramfs size)\n\nTechnically, the [`systemd-networkd`][networkd] Dracut module is\nsufficient for establishing network connectivity. It even\nincludes the `ip` command. 
Since the network Dracut module is\nincluded by default (under CentOS 7/Fedora 27/28) via the\n[ifcfg][ifcfg]\nDracut module, it may make sense to explicitly exclude it when\nbuilding the initramfs on a system where networkd is available,\ne.g. via\n\n    dracut -f -v --omit ifcfg\n\nas this saves a few megabytes.\n\nSince the [initramfs][iramfs] is actually loaded into a\n[tmpfs][tmpfs] that is [freed during switch-root][switchroot] it\ndoesn't really pay off to save a few mega-/kilobytes in the\ninitramfs. A few KiBs could be saved via switching from\n[OpenSSH][ossh]'s sshd to something like [Dropbear][dropbear],\nbut such an alternative sshd server is likely less well audited\nfor security issues and supports fewer features (e.g. ssh-ed25519\npublic key authentication was only [added as late as\n2020][drop25519], and, as of 2021, there are some [interoperability\nissues][drop25519b] and [ed25519-sk keys aren't\nsupported][dropsk]).\n\nLast but not least, in times where even embedded systems feature\nhundreds of megabytes RAM, temporarily occupying a few extra\nKiBs/MiBs before switch root has no dramatic impact.\n\n## Host Keys\n\nBy default, this module includes the system's\n`/etc/ssh/ssh_host_*_key` private host keys into the\n[initramfs][iramfs]. Note that this doesn't decrease the security\nin comparison with a system whose root filesystem is unencrypted:\n\n- the generated initramfs image under /boot is only readable by\n  the root user\n- if an attacker is able to access the /boot/initramfs file (e.g.\n  by booting the machine from a Live stick) then she is also able\n  to access all host keys on an unencrypted root filesystem\n\nThat said, if `/etc/ssh/dracut_ssh_host_*_key{,.pub}`\nfiles are present then those are included, instead.\n\nAs always, it depends on your threat model, whether it makes\nsense to use an extra host key for the initramfs or not. 
Using an\nextra key may complicate the life of an attacker who is able to\nread out the initramfs content but is unable to change it and\nthus the attacker has to wait for the next SSH connection to the\ninitramfs before being able to perform a [MITM attack][mitm]. On\nthe other hand, when the attacker is able to change the initramfs\nimage then an extra key doesn't provide more security than using\nthe system's host key as the attacker can intercept the entered\npassword, anyway.\n\nIf your primary threat model is an attacker who gets access to\ndecommissioned but still readable hard-disks, then the system's\nhost key in the initramfs image provides no value to the\nattacker given that the root filesystem is fully encrypted (and\nthat the host key isn't reused in the replacement system).\n\n## Timeout\n\nWith recent Fedora versions (e.g. Fedora 28) a cryptsetup\npassword prompt shouldn't time out. If it does then it's a\nregression (cf. [Bug 868421][bug868421]). Even if it times out\nand [Dracut][dracut] drops into the emergency shell then remotely\nconnecting to it should still work with this module.  In such\nsituations [`systemd-tty-ask-password-agent`][pwagent] should\nstill work.  See also Section 'Example: Emergency Shell' on how\nto resume the boot process then.\n\nA simple way to trigger the timeout is to enter the wrong\npassword 3 times when unlocking a LUKS volume. Under Fedora 28,\nthe timeout is then 2 minutes or so long, i.e. the emergency\nshell is then started after 2 minutes, by default, even without\nexplicitly adding `rd.shell` to the kernel command line. One can\nrecover from such a situation with e.g.:\n\n    # systemctl restart 'systemd-cryptsetup@*'\n\nAnother example for the emergency shell getting started is that\na device that is necessary for mounting the root filesystem\nsimply isn't attached - or the UUIDs specified on the kernel\ncommand line don't match. 
After inspecting the situation with\n`systemctl status ...`, `journalctl -e`, etc. one can\nregenerate some config and restart the appropriate services in a\nsimilar fashion.\n\n## Network\n\nAn alternative to the [networkd][networkd] configuration is to\nconfigure network via additional [Dracut command line\nparameters][dracut-cmdline].\n\nThis requires the activation of the network dracut module, e.g.:\n\n    # cat /etc/dracut.conf.d/90-network.conf\n    add_dracutmodules+=\" network \"\n\nOn systems without networkd (e.g. CentOS 7/RHEL 8) this is the only way\nto enable network connectivity in early userspace. For example,\nthe following parameters enable DHCP on all network interfaces in\nearly userspace:\n\n    rd.neednet=1 ip=dhcp\n\nThey need to be appended either to the kernel command line (like\nreal kernel parameters) or added to the dracut configuration (cf.\n`example/90-networkmanager.conf`).\n\n\n## Hardware Alternatives\n\nA [Baseboard Management Controller (BMC)][bmc] or some kind of [remote KVM][kvm]\ndevice can help with early boot issues, however:\n\n- not all remote machines even have a BMC\n- the BMC often is quite tedious to use and buggy\n- the BMC often contains low quality proprietary software that is\n  never updated and likely contains many security issues\n- in some hosting environments a KVM must be manually attached\n  and is charged at an hourly rate. 
That means you end up paying\n  the remote hands for attaching the KVM, plus possibly an extra\n  charge if you need it outside business hours and the hourly rate.\n\nThus, as a general rule, one wants to avoid a BMC/KVM as much as\npossible.\n\n## FAQ\n\n- How to make the early boot sshd listen on a non-standard port?\n\n  A: If you really [want to do that][port] you can provide a\n  `/etc/sysconfig/dracut-sshd` that defines `SSHD_OPTS`\n  ([see also][port]).\n- Why does sshd hang during early-boot when running dracut-sshd\n  inside a virtual machine (VM)?\n\n  A: Most likely the VM guest is short of entropy and thus sshd\n  blocks during startup (without logging a warning) for an\n  indefinite amount of time. Possibly up to the systemd service\n  restart timeout. Directing some of the VM host's entropy into\n  the VM guest fixes this issue ([cf. these comments for\n  examples of how to do this][entropy]).\n- Why do I get `Permission denied (publickey)` although the same\n  authorized key works after the system is booted?\n\n  A: This can be caused by a root account that is locked with `!`\n  instead of `*`. In that case it's enough to change the lock\n  method (or set a password) and regenerate the initramfs.\n  Background: On some systems Dracut also includes `/etc/shadow`\n  which is then used by sshd. In early userspace, there is no\n  PAM, thus sshd uses built-in code for shadow handling. In\n  contrast to the usual PAM configuration (which is used by late\n  userspace sshd, by default), sshd itself differentiates\n  between `*` and `!` as invalid password field tokens. Meaning\n  that only `*` allows public key authentication while `!` blocks\n  any login ([see also][i30]).\n- Can I use dracut-sshd when my root account is locked?\n\n  A: Yes, you can.\n  However, you have to make sure that your account isn't locked\n  with a `!` in `/etc/shadow`. If it is locked like that, you\n  have to lock it differently, e.g. 
via `usermod -p '*' root`\n  or simply set a strong password for the root user, followed\n  by `dracut -f`.\n  See also the previous question for additional details.\n- Does dracut-sshd only work with networkd?\n\n  A: No, it doesn't.\n  Dracut-sshd is network service agnostic.\n  It just requires the network being online during early boot.\n  Depending on the distribution, there might be different\n  alternatives available for bringing network\n  interfaces up early, such as Systemd's networkd, legacy network\n  scripts, NetworkManager etc.\n  A given distribution and release might support one of those\n  or many, and default to one of them when the `network` dracut\n  module is included.\n  Besides selecting a specific dracut network module, there are\n  also dracut cmdline parameters for configuring network options\n  and addresses.\n  Depending on your concrete network setup and distribution, a\n  certain network module might be more suitable than another.\n  In general, it isn't an issue to use one network service during\n  early boot and another for late boot (e.g. networkd and\n  NetworkManager).\n  The same goes for configurations, e.g. perhaps for early boot a\n  simple DHCP setup makes most sense while in late boot you have a\n  more complicated network configuration.\n- How do I make it work on Ubuntu 20.04?\n\n  A: There are some pitfalls on Ubuntu. Firstly, dracut isn't\n  installed by default (fix: `apt install dracut-core\n  dracut-network`). Secondly, dracut isn't a first class citizen\n  on Ubuntu (i.e. it's only included in the universe repository,\n  not in the main repository). As a result, the default dracut\n  initramfs filename doesn't match what Ubuntu uses in its\n  Grub configuration. Thus, you have to explicitly specify\n  the right one (i.e. 
`/boot/initrd.img-$(uname -r)`) in the\n  `dracut` and `lsinitrd` commands.\n- How do I debug dracut-sshd issues in the early boot\n  environment?\n\n  A: You start by dropping into the dracut emergency shell and\n  looking at the journal and status of the involved services.\n  For example, via `systemctl status sshd.service`, `journalctl\n  -u sshd` etc. You drop into the emergency shell by adding\n  `rd.break` (and possibly `rd.shell`) to kernel parameter\n  command-line. Of course, you need some kind of console\n  access when doing such debugging. Using a virtual machine\n  usually is sufficient to reproduce issues which simplifies\n  things.\n\n## Related Work\n\nThere is the [unmaintained][cryptssh-unm] (since 2019 or earlier)\n[dracut-crypt-ssh][cryptssh] module which aimed to provide SSH\naccess for remotely unlocking an encrypted LUKS volume. Main\ndifferences to dracut-sshd:\n\n- uses [Dropbear][dropbear] instead of [OpenSSH][ossh] sshd (cf. the Space\n  Overhead Section for the implications)\n- doesn't use [systemd][systemd] for starting/stopping the Dropbear daemon\n- generates a new set of host keys, by default\n- listens on a non-standard port for ssh, by default\n- arguably more complex than dracut-sshd - certainly more lines\n  of code and some options\n- comes with an unlock command that is superfluous in the\n  presence of [`systemd-tty-ask-password-agent`][pwagent] - and it's kind of\n  dangerous to use, e.g. when the password prompt times out the\n  password is echoed to the console\n\nIn 2017, a [dracut-crypt-ssh pull request][cryptssh-uwe] added\nsupport for optionally using OpenSSH's sshd instead of Dropbear,\nwithout changing the other differences. It was closed without\nbeing merged in 2021.\n\nThere are also some other dracut modules that use Dropbear:\n[mk-fg/dracut-crypt-sshd][mkfg] which was marked\ndeprecated in 2016 in favour of the above dracut-crypt-ssh. 
It\nuses Dropbear and some console hacks instead of\n`systemd-tty-ask-password-agent`.\n[mdcurtis/dracut-earlyssh][mdcurtis] is a fork of\nmk-fg/dracut-crypt-sshd. The main difference is that it also\nsupports RHEL 6 (which features a quite different version of\ndracut). [xenoson/dracut-earlyssh][xenoson] is a fork of\nmdcurtis/dracut-earlyssh. It has RHEL 6 support removed and some\nquestionable helpers removed. It creates a systemd unit file for\nDropbear although it still explicitly starts/stops it via hook\nfiles instead of making use of the systemd dependency features.\n\nThe [ArchWiki dm-crypt page][arch] lists two initramfs hooks for\nremote access.  Neither uses [Dracut][dracut] nor systemd,\nthough. Also, they use Dropbear and Tinyssh as ssh daemon.\n\nAnother initramfs (non-dracut) hook script, but targeting Debian\nsystems, is [UnLUKS][unluks]. Similar to the Arch scripts it\nstarts the SSH daemon directly from the hook script into the\nbackground, i.e. without any systemd integration. However, in\ncontrast to the Arch scripts it uses stock OpenSSH sshd.\n\n[Clevis][clevis], an automatic decryption framework, has some\n[LUKS][luks] unlocking and Dracut support. Looking at its documentation,\nwhen it comes to automatic LUKS unlocking, the LUKS passphrase is\nstored encrypted in the LUKS header. Clevis then decrypts it\nusing an external service/hardware (e.g. a [Tang][tang] server\nor a [TPM] module).\n\nSimilar to Clevis, [Mandos][mandos] also implements a framework\nfor unattended LUKS unlocking. Unlike Clevis, it primarily\ntargets Debian and doesn't support TPM. That means for unlocking\nthe Mandos client fetches the asymmetrically encrypted LUKS\npassword from a Mandos server.\n\nWith version 248 (i.e. available since early 2021 or so),\n[systemd integrated some automatic LUKS2 volume unlocking\nfeatures][systemd248]. Similar to Clevis it supports TPM2 modules.\nIn addition, it also supports smart cards and FIDO2/hmac-secret\ndevices. 
At least some of those FIDO2 devices seem to support\nnon-interactive HMAC computation and thus allow auto-unlocking\nLUKS volumes as long as the enrolled FIDO2 device is connected.\n\nIf your threat model goes beyond what is described in the [Host\nKeys](#host-keys) Section, you have to look into [authenticated\nboot and disk encryption][authboot].\n\nAlthough enterprise motherboard and server vendors often\nintegrate low-key unpleasant [BMCs][bmc] (a.k.a. [iLO][ilo] on HP\nservers, cf. the [Hardware Alternatives Section](#hardware-alternatives)),\na hardware solution for remote\naccess to early boot doesn't have to be awful. For example, there is\nthe open and DIY [Pi-KVM][pikvm] project which looks quite\npromising.\n\nEven without a dedicated BMC chip present on the motherboard,\nyour CPU might directly integrate very similar features.\nFor example, Intel calls this [Active Management Technology\n(AMT)][amt] and puts it into its vPro marketed CPUs.\nTo actually use it, the motherboard vendor/system integrator needs\nto do their homework, such as integrating a compatible onboard\nethernet interface in the right way and exposing the right\nfirmware knobs.\nIdeally, the end-user is able to enable and configure AMT via the BIOS.\nHowever, Intel doesn't really provide much technical\ndocumentation for end-users and developers regarding AMT.\nSee also\n[amtterm(1)](http://www.kraxel.org/blog/linux/amtterm/),\n[amt-howto(7)](https://manpath.be/f39/7/amt-howto),\na [serverfault question](https://serverfault.com/questions/299194/intel-amt-enable-vnc-via-linux)\nand a [blog post](https://senseless.info/amt.html) on AMT usage.\n\nIn 2025, with OSX Tahö (a.k.a. 
Tahoe) Apple [finally added SSH\naccess](https://www.jeffgeerling.com/blog/2025/you-can-finally-manage-macs-filevault-remotely-tahoe)\nto its OSX early boot environment for remotely unlocking encrypted\nvolumes.\n\nRelated Fedora ticket: [Bug 524727 - Dracut + encrypted root + networking (2009)][bug524727]\n\n\n## Testing\n\nThe `test` sub-directory contains an end-to-end test suite that\ndownloads the latest available Fedora cloud image (from a release\nbranch), creates a libvirt VM from it (using\n[virt-install](https://virt-manager.org/) and\n[libvirt](https://libvirt.org/)), encrypts the root filesystem\n(via [guestfish](https://libguestfs.org/)), installs current\ndracut-sshd, including the sample configuration snippets from the\n`example` directory, and verifies that the resulting system can be\nremotely unlocked over ssh and thus fully booted.\n\nExample usage:\n\n```\ncd /temp_directory_with_enough_space\ntdir=/path_to_dracut_sshd_repo/test\n$tdir/get-fedora.sh 41\nls -l f41-latest.x86_64.qcow2\n$tdir/e2e.sh 41\necho $?\n```\n\nSince the test scripts aren't overly long, they can also be used\nas a reference for how to install dracut-sshd, how to use it\nfor unlocking, and even how to transform a vanilla Fedora system\ninto an encrypted one without having to re-install it from scratch.\n\n\n## Tested Environments\n\n- Fedora Silverblue 33\n- Fedora 27 to 43\n- Alma 10.1\n- CentOS 7, 8\n- CentOS Stream 9 (by a contributor)\n- RHEL 8 beta 1\n- Rocky Linux 8.8, 9, 10.1 (last two by contributors)\n- Gentoo (by a contributor)\n- SUSE (by a contributor)\n- openSUSE Leap 15.5\n- Arch (by a contributor)\n- Ubuntu 20.04 LTS\n- Debian 12 (by a contributor)\n\n\n## Packages\n\n- [Fedora][fedora]\n- Alma, RHEL, CentOS etc. 
via [Fedora EPEL][fedora] repository\n- [openSUSE](https://build.opensuse.org/package/show/openSUSE:Factory/dracut-sshd)\n- [Arch AUR](https://aur.archlinux.org/packages/dracut-sshd-git)\n- [Repology.org Overview](https://repology.org/project/dracut-sshd/versions)\n\n\n\n[fedora]: https://src.fedoraproject.org/rpms/dracut-sshd\n[amt]: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology\n[arch]: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_.28hooks:_netconf.2C_dropbear.2C_tinyssh.2C_ppp.29\n[bmc]: https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Baseboard_management_controller\n[bug524727]: https://bugzilla.redhat.com/show_bug.cgi?id=524727\n[bug868421]: https://bugzilla.redhat.com/show_bug.cgi?id=868421\n[clevis]: https://github.com/latchset/clevis\n[cryptssh]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh\n[cryptssh-uwe]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/pull/17\n[cryptssh-unm]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/issues/43\n[dracut]: https://dracut.wiki.kernel.org/index.php/Main_Page\n[dracut-cmdline]: https://manpath.be/f32/7/dracut.cmdline\n[dropbear]: https://en.wikipedia.org/wiki/Dropbear_(software)\n[drop25519]: https://github.com/mkj/dropbear/pull/91\n[drop25519b]: https://github.com/mkj/dropbear/issues/136#issuecomment-913134728\n[dropsk]: https://github.com/mkj/dropbear/issues/135\n[ilo]: https://en.wikipedia.org/wiki/HPE_Integrated_Lights-Out\n[ifcfg]: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-interfaces.html\n[iramfs]: https://en.wikipedia.org/wiki/Initial_ramdisk\n[kvm]: https://en.wikipedia.org/wiki/KVM_switch#Remote_KVM_devices\n[luks]: https://gitlab.com/cryptsetup/cryptsetup\n[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack\n[mkfg]: https://github.com/mk-fg/dracut-crypt-sshd\n[mdcurtis]: https://github.com/mdcurtis/dracut-earlyssh\n[xenoson]: 
https://github.com/xenoson/dracut-earlyssh\n[networkd]: https://wiki.archlinux.org/index.php/systemd-networkd\n[nm]: https://wiki.archlinux.org/index.php/NetworkManager\n[ossh]: https://en.wikipedia.org/wiki/OpenSSH\n[pwagent]: https://manpath.be/f32/1/systemd-tty-ask-password-agent\n[systemd]: https://en.wikipedia.org/wiki/Systemd\n[systemd248]: http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html\n[switchroot]: https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt\n[tmpfs]: https://en.wikipedia.org/wiki/Tmpfs\n[tpm]: https://en.wikipedia.org/wiki/Trusted_Platform_Module\n[addmod]: https://manpath.be/f32/dracut/050-26.git20200316.fc32.x86_64/5/dracut.conf#L74\n[port]: https://github.com/gsauthof/dracut-sshd/issues/9#issuecomment-531308602\n[entropy]: https://github.com/gsauthof/dracut-sshd/issues/12\n[iitems]: https://manpath.be/f32/dracut/050-26.git20200316.fc32.x86_64/5/dracut.conf#L74\n[i30]: https://github.com/gsauthof/dracut-sshd/issues/30\n[rpm-ostree]: https://discussion.fedoraproject.org/t/using-dracut-sshd-to-unlock-a-luks-encrypted-system/23449/6\n[pikvm]: https://github.com/pikvm/pikvm\n[authboot]: https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html\n[tang]: https://github.com/latchset/tang\n[mandos]: https://www.recompile.se/mandos\n[unluks]: https://github.com/BarbarossaTM/fluffy-unluks\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsauthof%2Fdracut-sshd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgsauthof%2Fdracut-sshd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsauthof%2Fdracut-sshd/lists"}