[Bug 1141868] New: support LUKS unlock via SSH (package: dracut-crypt-ssh)
http://bugzilla.opensuse.org/show_bug.cgi?id=1141868

Bug ID: 1141868
Summary: support LUKS unlock via SSH (package: dracut-crypt-ssh)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: openSUSE Factory
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: kolAflash@kolAhilft.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Please enable booting remote machines with encrypted root partitions.

The common way to do this is to include a minimal ssh/dropbear server into initrd. Debian has a very well working package for this:
https://packages.debian.org/buster/dropbear-initramfs

And there is an existing dracut-crypt-ssh module. (openSUSE uses dracut as initrd system)
https://github.com/dracut-crypt-ssh/dracut-crypt-ssh

Additionally the dropbear package is needed.
https://build.opensuse.org/package/show/network/dropbear

The only problem for using dracut-crypt-ssh on openSUSE-15.1 is that the openSUSE initrd currently sets the network interface IPs AFTER the LUKS opening is needed. (based on the "rd.neednet=1 ip=dhcp")
Note: There's a dirty workaround in the GitHub issue.

Maybe this is related to this NFS-root problem!?
https://bugzilla.opensuse.org/show_bug.cgi?id=1137104

Additionally, a minor patch may be necessary. (unknown why the patch is needed)
https://build.opensuse.org/package/show/home:duge_at_pre-sense_de/dracut-cry...

Encryption mode note: dracut-crypt-ssh only works if the boot partition is unencrypted. But that's OK for me!
dracut-crypt-ssh won't work if GRUB is decrypting LUKS, which currently seems to be the openSUSE-15.1 default for encrypted setups. But you can easily set up an openSUSE-15.1 system with an encrypted boot partition.

Security note: Surely unlocking via SSH isn't free of security implications. But in scenarios where booting without a local user is necessary, this increases the security compared to an unencrypted root partition. (e. g. when the disk becomes defective and may not be deleted easily anymore, but a competent and persevering attacker may be able to recover data when the disk is found in the trash)

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #1 from kolA flash (http://bugzilla.opensuse.org/show_bug.cgi?id=1141868#c1)
--- Comment #4 from Andreas Schneider (http://bugzilla.opensuse.org/show_bug.cgi?id=1141868#c4)
--- Comment #9 from Moritz Duge (http://bugzilla.opensuse.org/show_bug.cgi?id=1141868#c9)
You should take a look at:
https://github.com/gsauthof/dracut-sshd
package at:
https://build.opensuse.org/package/show/home:dmolkentin/dracut-sshd
Tried dracut-sshd and it looks great! I think both - dracut-crypt-ssh and dracut-sshd - have their advantages and both provide the same basic set of functionality. Eventually I'd be happy if one of them gets officially integrated into openSUSE-15.2!
--- Comment #10 from Moritz Duge (http://bugzilla.opensuse.org/show_bug.cgi?id=1141868#c10)
Looks like the NICs' IP mechanism isn't as broken as I thought. It just takes very long (> 3 minutes) to get an IP via DHCP.

I think I found an answer to this. The machine I use for testing has two NICs. eth0 is the one I'm using and eth1 is connected to a network without DHCP (it's not totally disconnected - there's just no DHCP). So the timeout (~3 minutes) is created by the attempt to get an IP address for eth1. This seems to happen even before a static address is assigned to eth0.
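The delay described in comment 10 comes from the unbound form `ip=dhcp`, which dracut applies to every interface, so a NIC on a network without a DHCP server holds up the unlock prompt for the whole DHCP timeout. The following helper is an added example, not code from the bug thread, dracut or dracut-crypt-ssh; it parses the `ip=` arguments of a kernel command line using the syntax documented in dracut.cmdline(7) (`ip=dhcp`, `ip=<iface>:dhcp`, and the static `ip=<ip>::<gw>:<mask>:<host>:<iface>:none` form), reports which interface each one binds to, and builds the pinned static form that skips DHCP entirely. The function names and the addresses, hostname and interface names are constructed sample values.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of dracut): inspect ip=
# arguments as dracut interprets them, so you can see before rebooting
# whether every NIC will be probed for DHCP during the LUKS unlock.

# Print one line per ip= argument in the form "<iface> <method>".
# iface is "*" when the argument is not bound to a specific interface,
# i.e. dracut will apply it to all interfaces.
ip_assignments() {
    cmdline=$1
    for word in $cmdline; do
        case $word in
            ip=*) ;;
            *) continue ;;
        esac
        val=${word#ip=}
        case $val in
            *:*:*:*:*:*:*)
                # static form: field 6 is the interface, field 7 the method
                iface=$(printf '%s\n' "$val" | cut -d: -f6)
                method=$(printf '%s\n' "$val" | cut -d: -f7)
                ;;
            *:*)
                # short form: <iface>:<method>[:<mtu>...]
                iface=$(printf '%s\n' "$val" | cut -d: -f1)
                method=$(printf '%s\n' "$val" | cut -d: -f2)
                ;;
            *)
                # bare method such as "dhcp": applies to every interface
                iface='*'
                method=$val
                ;;
        esac
        printf '%s %s\n' "${iface:-*}" "$method"
    done
}

# True (exit 0) when some ip= argument tries DHCP on every interface,
# which is the comment 10 situation: each NIC without a DHCP server
# delays the unlock prompt by the full DHCP timeout.
probes_all_nics_for_dhcp() {
    ip_assignments "$1" | grep -Eq '^\* (dhcp|any|on)$'
}

# Build the static form that pins the unlock address to one interface
# and performs no DHCP at all. Arguments: ip gateway netmask hostname iface
static_ip_arg() {
    printf 'ip=%s::%s:%s:%s:%s:none' "$1" "$2" "$3" "$4" "$5"
}

# Demo on two constructed command lines (sample values, not a real host).
SLOW='root=/dev/mapper/cr_root rd.neednet=1 ip=dhcp'
PINNED="root=/dev/mapper/cr_root rd.neednet=1 $(static_ip_arg 192.0.2.10 192.0.2.1 255.255.255.0 unlockhost eth0)"
for c in "$SLOW" "$PINNED"; do
    if probes_all_nics_for_dhcp "$c"; then
        echo "WARN: DHCP on every NIC -> $c"
    else
        echo "ok:   $c"
    fi
done
```

When a dynamic address is wanted, `ip=eth0:dhcp` limits the DHCP attempt to the interface that actually has a server, and dracut's `rd.net.timeout.dhcp=<seconds>` shortens the wait for any interface that still has to be probed.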
Ricardo Branco