Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/gheja/early-ssh


https://github.com/gheja/early-ssh

Last synced: 18 days ago
JSON representation

Awesome Lists containing this project

README 

        
early-ssh

=========



early-ssh gives you an SSH server during the boot of your Linux system. It starts before the root filesystem is mounted so you can unlock your encrypted root filesystem interactively, you don't have to be at the console of your server. You can also scp files to your server so you can even start your key-encrypted system.



early-ssh is basically an update-iniramfs hook script and a boot script that starts dropbear SSH server in the initramfs during boot.



Features

--------



### SCP to the server

You can copy files to the server using scp from a remote host. This way you it is possible to copy key files to unlock key-based LUKS even for the root filesystem.



### Dedicated root password

It is possible to use a different root password than the one use on your system (it can be disabled as well) by adding a `SHADOW_OVERRIDE` option specifying a different shadow file.



See `PASSWD_OVERRIDE`, `SHADOW_OVERRIDE`, `GROUP_OVERRIDE` in config.



Example: `SHADOW_OVERRIDE="/etc/early-ssh/shadow"`



### Timeout to continue the boot

A timeout can be specified to continue the boot after a certain time.



See `TIMEOUT` in config.



Example: `TIMEOUT=600`



### Specify network interface by MAC address

If you have more than one network interface and they get scrambled on boot it is possible to specify the correct interface by MAC address instead of the name ("eth0" for example).



See `IFACE` in config.



Example: `IFACE="MAC 01:02:03:04:05:06"`



### Put your ssh server on a different port

You can move the early-ssh server on a different port.



See `PORT` in config.



Example: `PORT=2233`



A real-life example with RAID-1 and LUKS

----------------------------------------



Content of `zaphod-init.sh`

```sh

#!/bin/sh



# load the RAID-1 module for mdadm

modprobe raid1



# create the md special devices

for i in 0 1 2 3; do mknod /dev/md${i} b 9 ${i}; done



# scan for all mdadm arrays (can be good if you forget to update your initramfs)

mdadm --examine --scan > /tmp/mdadm.conf



# assemble the RAID-1 arrays

mdadm --assemble --scan --config /tmp/mdadm.conf



# load the dm-crypt module for LUKS

modprobe dm-crypt



# do the LUKS openings (md0 is the /boot, so it is not encrypted!)

for i in 1 2 3; do cryptsetup --key-file /tmp/zaphod-md${i}.key luksOpen /dev/md${i} md${i}_crypt; done

```



An SSH session:

```

mobilem00:/mnt/pendrive# scp zaphod-init/* [email protected]:/tmp

[email protected]'s password:

zaphod-init.sh                                 100%  338     0.3KB/s   00:00

zaphod-md1.key                                 100%  256     0.3KB/s   00:00

zaphod-md2.key                                 100%  256     0.3KB/s   00:00

zaphod-md3.key                                 100%  256     0.3KB/s   00:00



mobilem00:/mnt/pendrive# ssh [email protected]

[email protected]'s password:



Welcome to early-ssh!



After you have finished everything, run the following to continue booting:

  finished



Please send your comments and bugreports to 



BusyBox v1.1.3 (Debian 1:1.1.3-4) Built-in shell (ash)

Enter 'help' for a list of built-in commands.



~ # chmod 700 /tmp/zaphod-init.sh



~ # /tmp/zaphod-init.sh

mdadm: /dev/md0 has been started with 2 drives.

mdadm: /dev/md1 has been started with 2 drives.

mdadm: /dev/md2 has been started with 2 drives.

mdadm: /dev/md3 has been started with 2 drives.

key slot 0 unlocked.

Command successful.

key slot 0 unlocked.

Command successful.

key slot 0 unlocked.

Command successful.



~ # finished

Your session will be now terminated and the boot will be continued. Bye!



Connection to xxx.xxx.xxx.xxx closed by remote host.

Connection to xxx.xxx.xxx.xxx closed.

```



mdadm RAID assembly example [draft]

---------------------------



```

ssh [email protected]

modprobe raid1

mdadm --examine --scan > /tmp/mdadm.conf

mdadm --assemble --scan --config /tmp/mdadm.conf

finished

```



LUKS device unlocking example [draft]

-----------------------------



```

ssh [email protected]

modprobe dm_crypt

cryptsetup luksOpen /dev/sda2 sda2_crypt

finished

```



advanced setup (mdadm + drbd + LUKS + LVM) [draft]

------------------------------------



```

ssh [email protected]

modprobe raid1

mdadm --examine --scan > /tmp/mdadm.conf

mdadm --assemble --scan --config /tmp/mdadm.conf



modprobe drbd

hostname trish

ifconfig eth1 172.16.254.1 netmask 255.255.255.0 up

drbdadm up r0

drbdadm primary r0



modprobe dm_crypt

cryptsetup luksOpen /dev/drbd0 drbd0_crypt



pvscan

vgchange -a y



finished

```



![Google Analytics tracking](http://gabor.heja.hu/google_analytics_tracking/23)