
Enable SSH in initramfs

2021-02-28

Major options to remotely unlock fully encrypted systems are dropbear and tinyssh integrated into initramfs. Both are conveniently available in Archlinux through mkinitcpio-dropbear and mkinitcpio-tinyssh.

Add the cryptdevice and ip= kernel parameters (the latter is read by the netconf hook) to the GRUB default config:

~ % grep CMDLINE /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="ip=10.205.80.21::10.205.80.50:255.255.254.0::eth0:none cryptdevice=UUID=a772e288-3a73-4469-851b-5df71c409e98:cryptroot"

Important note (I stumbled over this): in early boot, network adapters may have different names. For example, my onboard adapter is called eth0 rather than eno1. It took me a while to figure this out, as there are no suitable logs for troubleshooting (or at least I haven't found any).

Add the mkinitcpio hooks in the correct order (sleep > netconf > tinyssh > encryptssh):

~ % grep -E "^HOOKS" /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf block keyboard sleep netconf tinyssh encryptssh filesystems fsck)

Regenerate the initramfs (sudo mkinitcpio -P) and the GRUB config (sudo grub-mkconfig -o /boot/grub/grub.cfg).

Finally it works!

toe@detritus2 ~ % ssh root@t21 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:sDEFSL6CN6vZAIgooubIVuwlGeJ8BqpiXwjORpV8+jU.
Please contact your system administrator.
Add correct host key in /home/toe/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/toe/.ssh/known_hosts:140
ED25519 host key for 10.205.80.21 has changed and you have requested strict checking.
Host key verification failed.

toe@detritus2 ~ % ssh root@t21 -o StrictHostKeyChecking=no
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:sDEFSL6CN6vZAIgooubIVuwlGeJ8BqpiXwjORpV8+jU.
Please contact your system administrator.
Add correct host key in /home/toe/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/toe/.ssh/known_hosts:140
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Enter passphrase for /dev/sda20: 
Connection to 10.205.80.21 closed.

The warning is expected: tinyssh in the initramfs presents its own host key, which differs from the key of the regular sshd, yet both are reached at the same address. I still don't like that I have to suppress host key checking, so I need a solution for that as well. Idea (not working yet): add a dedicated entry to ~/.ssh/config for unlocking, such that host keys are properly verified.

toe@detritus2 ~ % grep t21-disk-unlock .ssh/config -A 4
Host t21-disk-unlock
    Hostname 10.205.80.21
    User root
    #StrictHostKeyChecking no
    #-o StrictHostKeyChecking=no

(The simplest alternative would be to use a different IP address during unlocking, but that is not feasible for datacenter hosts.)

Reading the ssh_config manpage and searching for "key", here it is: HostKeyAlias

toe@detritus2 ~ % grep t21-disk-unlock .ssh/config -A 3  
Host t21-disk-unlock
    Hostname 10.205.80.21
    User root
    HostKeyAlias t21-disk-unlock
(...)

After first connection (without warnings), my known_hosts file has a new entry:

toe@detritus2 ~ % grep t21 ~/.ssh/known_hosts 
t21,10.205.80.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMTWwX3zRB9TOZaCtoAzzphfRVr/JdZjqGyCcKrIaXSbz5gUZjL1ZMoG32hgo0qNeTVkjny8npBtFKChjPZmh84=
t21-disk-unlock ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7x6h7361cW54m7hYJEXDuwxxsjgOzNvgTRa0PHZZ0a
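As an added check (my example, not code from the original post): once the initramfs key is pinned under the HostKeyAlias, this script parses a known_hosts file, confirms that the OS address and the unlock alias each map to a well-formed key whose blob really carries the declared key type, and computes their OpenSSH-style SHA256 fingerprints so they can be compared with what ssh prints on connect. The sample content is the two entries shown above, embedded inline; the IP and alias names are the ones from the post.

```python
import base64
import hashlib
import struct

# Constructed sample: the two known_hosts entries from the post, the OS sshd
# key under "t21,10.205.80.21" and the tinyssh key under the HostKeyAlias.
SAMPLE_KNOWN_HOSTS = """\
t21,10.205.80.21 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMTWwX3zRB9TOZaCtoAzzphfRVr/JdZjqGyCcKrIaXSbz5gUZjL1ZMoG32hgo0qNeTVkjny8npBtFKChjPZmh84=
t21-disk-unlock ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7x6h7361cW54m7hYJEXDuwxxsjgOzNvgTRa0PHZZ0a
"""

def parse_known_hosts(text):
    """Map each plain (unhashed) host name or alias to (declared type, key blob)."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue  # skip comments, @cert-authority/@revoked markers, hashed entries
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            pinned[host] = (keytype, base64.b64decode(b64))
    return pinned

def embedded_type(blob):
    """Key type string at the start of the wire-format blob (RFC 4253 'string')."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_unlock_pin(text, ip, alias):
    """Return ({name: fingerprint}, [problems]) for the OS address and the unlock alias.
    Problems: missing entry, blob type not matching the declared type, or the same
    key under both names (then the alias is not separating two different hosts)."""
    pinned = parse_known_hosts(text)
    fps, problems = {}, []
    for name in (ip, alias):
        if name not in pinned:
            problems.append(f"{name}: no known_hosts entry")
            continue
        keytype, blob = pinned[name]
        if embedded_type(blob) != keytype:
            problems.append(f"{name}: line says {keytype}, blob says {embedded_type(blob)}")
        fps[name] = fingerprint(blob)  # compare with the fingerprint ssh shows on connect
    if len(fps) == 2 and fps[ip] == fps[alias]:
        problems.append("same host key under both names")
    return fps, problems
```

Run check_unlock_pin against your own ~/.ssh/known_hosts with the address and alias you use; an empty problem list plus two different fingerprints is the state the HostKeyAlias setup is meant to produce.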