{"id":19388431,"url":"https://github.com/mk-fg/dracut-crypt-sshd","last_synced_at":"2025-04-23T23:31:39.688Z","repository":{"id":144995788,"uuid":"11830617","full_name":"mk-fg/dracut-crypt-sshd","owner":"mk-fg","description":"dracut initramfs module to start sshd on early boot to enter encryption passphrase from across the internets","archived":true,"fork":false,"pushed_at":"2016-02-28T21:38:17.000Z","size":25,"stargazers_count":24,"open_issues_count":0,"forks_count":19,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-13T12:29:21.180Z","etag":null,"topics":["boot","dm-crypt","dracut","dropbear","initramfs","module","shell","sshd"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mk-fg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-08-01T23:55:44.000Z","updated_at":"2024-11-15T21:12:49.000Z","dependencies_parsed_at":"2023-07-16T21:01:19.332Z","dependency_job_id":null,"html_url":"https://github.com/mk-fg/dracut-crypt-sshd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fdracut-crypt-sshd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fdracut-crypt-sshd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fdracut-crypt-sshd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mk-fg%2Fdracut-crypt-sshd/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mk-fg","download_url":"https://codeload.github.com/mk-fg/dracut-crypt-sshd/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250532064,"owners_count":21446107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["boot","dm-crypt","dracut","dropbear","initramfs","module","shell","sshd"],"created_at":"2024-11-10T10:12:40.097Z","updated_at":"2025-04-23T23:31:39.681Z","avatar_url":"https://github.com/mk-fg.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"dracut-crypt-sshd\n--------------------\n\n**Deprecation notice**: there is a much improved and generalized version of this\nmodule, maintained at [dracut-crypt-ssh/dracut-crypt-ssh](https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/).\nThis project here is mostly for historical reasons.\n\n[Dracut initramfs](https://dracut.wiki.kernel.org/index.php/Main_Page) module\nto start [Dropbear sshd](https://matt.ucc.asn.au/dropbear/dropbear.html)\non early boot to enter encryption passphrase from across the internets or just\nconnect and debug whatever stuff there.\n\nIdea is to use the thing on remote VDS servers, where full-disk encryption is\nstill desirable (if only to avoid data leaks when disks will be decommissioned\nand sold by VDS vendor) but rather problematic due to lack of KVM or whatever\ndirect console access.\n\nAuthenticates users strictly by provided authorized_keys (\"dropbear_acl\" option) file.\n\nSee dropbear(8) manpage for full list of supported 
restrictions there (which are\nfairly similar to openssh).\n\n\n### Obligatory warning\n\nPlease think about your\n[threat model](https://en.wikipedia.org/wiki/Threat_model) first,\nand security/usability trade-off second.\n\nThis module is very unlikely to help at all against malicious hosting provider\nor whatever three-letter-agency that will coerce it into cooperation, should it\ntake interest in your poor machine - they can just extract keys from RAM image\n(especially if it's a virtualized container), backdoor kernel/initramfs and\nforce a reboot, or do whatever else to get encryption keys via hardware/backdoor.\n\nIt can help, as mentioned, against attacks on the data after you're done with it\ncompletely (i.e. shut the machine/container in question down for good), or\nagainst rather clumsy and incompetent \"power off first and think second\"\nattacks.\n\nIf this benefit is worth the hassle of this extra ssh'ing, some maintenance\noverhead and the possibility of losing the LUKS key/header (and all access to\ndata with it), only then (I think) this module might be useful to you.\n\nPlease also check out \"Bad Things\" section below before use.\n\n\n### Usage\n\nFirst of all, it needs dropbear (at least its sshd, I tested only version built\nwithout pam support, both static and shared should work) and gcc installed (to\nbuild auth.c tool).\n\n- Copy or symlink `60dropbear-sshd` into `/usr/lib/dracut/modules.d/`.\n\n- Add `dracutmodules+=\"dropbear-sshd\"` to dracut.conf\n  (will pull in \"network\" module as dependency).\n\n- Check out supported dracut.conf options below.\n  With no extra options, ad-hoc server rsa key will be generated (and its\n  fingerprint/bbcode will be printed to dracut log),\n  `/root/.ssh/authorized_keys` will be used for ACL.\n\n- See dracut.cmdline(7) manpage for info on how to setup \"network\" module\n  (otherwise sshd is kinda useless).\n\n  Simplest way might be just passing `ip=dhcp rd.neednet=1` on cmdline, if dhcp\n  can 
assign predictable ip and pass proper routes.\n\n  Example of luks (uuid starts with \"7a476ea0\") + lvm (vg named \"lvmcrypt\", with lv\n  there having fs with \"root\" label) + static-net (see manpage above for syntax)\n  grub.cfg entry (wrapped for readability):\n\n        menuentry \"My Linux\" {\n          linux /vmlinuz ro root=LABEL=root\n            rd.luks.uuid=7a476ea0 rd.lvm.vg=lvmcrypt rd.neednet=1\n            ip=88.195.61.177::88.195.61.161:255.255.255.224:myhost:enp0s9:off\n          initrd /dracut.xz\n        }\n\n- Run dracut to build initramfs with the thing.\n\n\nOn boot, sshd will be started with:\n\n- Port: ${dropbear_port} (dracut.conf) or 2222 (default).\n\n- User (to allow login as-): root\n\n- Host key: ${dropbear_rsa_key} (dracut.conf) or generated\n  (fingerprint echoed during generation and to console on sshd start).\n  DSA keys are not supported (and shouldn't generally be used with ssh).\n\n- Client key(s): ${dropbear_acl} (dracut.conf) or `/root/.ssh/authorized_keys`\n\n- Password auth and port forwarding explicitly disabled.\n\nDropbear should echo a few info messages on start (unless rd.quiet or similar\noptions are used) and print host ssh key fingerprint to console, as well as any\nlogging (e.g. errors, if any) messages.\n\nDo check the fingerprints either by writing them down on key generation, console\nor through network perspectives at least.\n\n\nTo login:\n\n    % ssh -p2222 root@some.remote.host.tld\n\nShell is /bin/sh, which should be\n[dash](http://gondor.apana.org.au/~herbert/dash/) in most dracut builds, but can\nprobably be replaced with ash (busybox) or bash (heavy) using appropriate modules.\n\n\nOnce inside:\n\n```console\n\n% console_peek   # to see what's on the console (e.g. 
which dev prompt is for)\n...\n% console_auth    # queries passphrase and sends it to console\nPassphrase:\n%\n```\n\nBoot should continue after last command, which should send entered passphrase to\ncryptsetup, waiting for it on the console, assuming its correctness.\n\nsshd should be killed during dracut \"cleanup\" phase, once main os init is about to run.\nConnection won't be closed, but nothing should work there, as initramfs gets destroyed.\n\n\n### dracut.conf parameters\n\n- dropbear_port\n\n- dropbear_rsa_key\n\n- dropbear_acl\n\nSee above.\n\n\n### Common issues and non-issues\n\n- `Dropbear sshd failed to start`\n\nOnly means what it says, see output of dropbear *before* it died - it should\nprint some specific errors which led to it exiting like that.\n\n- `Failed reading '-', disabling DSS`\n\nWill *always* be printed and should be ignored - DSA keys are not generated/used\nin these scripts, and probably shouldn't be.\n\n- Host hangs in initramfs, but can't be pinged (e.g. `ping my.host.tld`) from outside.\n\nEither no network configuration parameters were passed to dracut, or it failed\nto configure at least one IP address.\n\nDon't forget `rd.neednet=1` on cmdline, as dracut will ignore specified network\nsettings without nfs (or whatever net-) root otherwise.\n\nRead up dracut.cmdline(7), \"Network\" section and/or see why/if dracut failed to\nconfigure net as requested with `rd.debug`.\nSee also \"Debugging tips\" section below.\n\n- Host pings, but ssh can't connect.\n\nTry `nc -v \u003chost\u003e \u003cport\u003e`, or \"ncat\" instead of \"nc\" there.\n\"ncat\" can be found in \"nmap\" package, \"nc\" usually comes pre-installed.\n\nIf it hangs without printing \"Connected to ...\" line - can be some firewall\nbefore host or dropbear failed to start/listen.\n\nIf there's no \"SSH-2.0-dropbear_...\" after \"Connected to ...\" line - some issue\nwith dropbear.\n\n- `lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or 
directory`\n\nPops up when logging in, can be safely ignored.\n\n\n### Debugging tips\n\nIf (or rather \"when\") something goes wrong and you can't access just-booted\nmachine over network and can't get to console (hence sshd in initramfs), don't\npanic - it's fixable if machine can be rebooted into some rescue system\nremotely.\n\nUsually it's some dhcp+tftp netboot thing from co-located machine (good idea to\nsetup/test in advance) plus whoever is there occasionally pushing the power\nbutton, or maybe some fancy hw/interface for that (e.g. hetzner \"rescue\" interface).\n\nTo see what was going on during initramfs, open\n\"modules.d/99base/rdsosreport.sh\" in dracut, append this (to the end):\n\n\tset -x\n\tnetstat -lnp\n\tnetstat -np\n\tnetstat -s\n\tnetstat -i\n\tip addr\n\tip ro\n\tset +x\n\n\texec \u003e/dev/null 2\u003e\u00261\n\tmkdir /tmp/myboot\n\tmount /dev/sda2 /tmp/myboot\n\tcp /run/initramfs/rdsosreport.txt /tmp/myboot/\n\tumount /tmp/myboot\n\trmdir /tmp/myboot\n\nBe sure to replace `/dev/sda2` with whatever device is used for /boot, rebuild\ndracut and add `rd.debug` to cmdline (e.g. in grub.cfg's \"linux\" line).\n\nUpon next reboot, *wait* for at least a minute, since dracut should give up on\ntrying to boot the system first, then it will store full log of all the stuff\nmodules run (\"set -x\") and their output in \"/boot/rdsosreport.txt\".\n\nNaturally, to access that, +1 reboot into some \"rescue\" system might be needed.\n\nIn case of network-related issues - e.g. if \"rdsosreport.txt\" file gets created\nwith \"rd.debug\", but host can't be pinged/connected-to for whatever reason -\neither enable \"debug\" dracut module or add `dracut_install netstat ip` line to\n`install()` section of \"modules.d/60dropbear-sshd/module-setup.sh\" and check\n\"rdsosreport.txt\" or console output for whatever netstat + ip commands above\n(for \"rdsosreport.sh\") show - there can be no default route, whatever interface\nnaming mixup, no traffic (e.g. 
unrelated connection issue), etc.\n\n\n### Bad Things\n\n- Has quite a few rather unnecessary assumptions about environment baked-in\n  (e.g. `/lib/libnss_files.so.2` path), and does `gcc -std=gnu99 -O2 -Wall\n  \"$moddir\"/auth.c -o \"${tmp_file}\"` for that \"console_auth\" binary on dracut\n  run.\n\n  Better way to handle these and compile whatever binaries would be allowing for\n  proper `./configure \u0026\u0026 make \u0026\u0026 make install` process, which I don't know\n  enough about to support.\n\n  Luckily, there are people that do, check out these links for better integrated\n  versions of a similar thing:\n\n  * https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/\n  * https://github.com/artem-sidorenko/dracut-earlyssh/\n  * https://github.com/haraldh/dracut/pull/43\n  * https://github.com/mdcurtis/dracut-earlyssh\n  * https://github.com/philfry/dracut-earlyssh\n\n- Only tested with customized source-based distro\n  ([Exherbo](http://exherbo.org/)), no idea how easy it is to use with generic\n  debian or ubuntu.\n\n- `check()` in module_setup.sh should probably not be empty no-op.\n\n- Should probably have `set -e` or something alike (dracut-specific?) in install().\n\n- No idea how to sanely run `ssh-keygen` (openssh) from a script, maybe use\n  openssl instead?\n\n\n### Based on code, examples and ideas from\n\n- https://bugzilla.redhat.com/show_bug.cgi?id=524727\n- http://roosbertl.blogspot.de/2012/12/centos6-disk-encryption-with-remote.html\n- https://bitbucket.org/bmearns/dracut-crypt-wait\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmk-fg%2Fdracut-crypt-sshd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmk-fg%2Fdracut-crypt-sshd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmk-fg%2Fdracut-crypt-sshd/lists"}