[pkg-cryptsetup-devel] Bug#866786: Bug#866786: unlock all crypto devices in cryptroot-unlock (remote SSH-based unlocking)

Guilhem Moulin guilhem at debian.org
Sun Jul 2 21:42:37 UTC 2017


On Sun, 02 Jul 2017 at 17:33:00 -0400, Antoine Beaupré wrote:
> On 2017-07-02 23:16:22, Guilhem Moulin wrote:
>> Control: tag -1 = pending
>>
>> On Sun, 02 Jul 2017 at 17:03:53 -0400, Antoine Beaupré wrote:
>>> Maybe what is needed then is simply a patch to the motd to warn the user
>>> the command may need to be called multiple times? Or just loop over the
>>> devices as you suggested before?
>>
>> I have implemented the latter already :-)  Not super happy about it as it
>> relies on dropbear to clean up the session properly (also implemented,
>> should be in dropbear-initramfs 2017.75-2), but it does the job.
>>
>> By the way adding a command= authorized_keys(5) option works fine, too
>> :-)
>>
>>  $ sudo sed -nr 's/\s.*//p' /etc/dropbear-initramfs/authorized_keys
>>  no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"
> 
> ah that's neat too. the only problem is it won't work until that
> workaround of yours is shipped... in stretch, in my case! ;)

That should already work, but to execute the script twice you'll need to
connect twice to the remote host.
> do I still need the IFDOWN=none hack now? I feel that I won't be able to
> run the unlock script multiple times if I remove that tweak...

That should still work because the cryptroot boot script is run at
local-top and local-block time, while the network is currently brought
down afterwards (local-bottom) and dropbear is killed last
(init-bottom).

Unfortunately this means that if your shell is still open when the
network goes away, the SSH connection will hang until it times out.  But
if you issue two SSH connections (with a forced command) you shouldn't
have this problem as the command should have time to exit properly.

-- 
Guilhem.
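An added check, not part of this thread or of the cryptsetup/dropbear-initramfs packaging, that audits a dropbear-initramfs authorized_keys file for the restrictions and forced command shown above. It assumes, like the sed one-liner, that the options field contains no whitespace; the file name and sample entries are constructed.

```shell
#!/bin/sh
# Every key in the file must carry the three no-*-forwarding restrictions and
# the forced command /bin/cryptroot-unlock (the entry quoted in the mail).
REQUIRED_OPTS='no-port-forwarding no-agent-forwarding no-X11-forwarding'
REQUIRED_CMD='command="/bin/cryptroot-unlock"'

# Usage: audit_authorized_keys FILE
# Prints each non-compliant entry with the options it lacks.
# Returns 0 when every key complies, 1 otherwise.
audit_authorized_keys() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in ''|'#'*) continue ;; esac
        # The options field is everything before the first whitespace
        # (assumption: no whitespace inside the options, as in the sed example).
        opts=${line%%[[:space:]]*}
        # A line starting with the key type has no options field at all.
        case $opts in ssh-*|ecdsa-*|sk-*) opts='' ;; esac
        missing=''
        for o in $REQUIRED_OPTS "$REQUIRED_CMD"; do
            # Match on comma boundaries so any option order is accepted.
            case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
        done
        if [ -n "$missing" ]; then
            rc=1
            printf 'NONCOMPLIANT (missing:%s): %s\n' "$missing" "$line"
        fi
    done < "$file"
    return $rc
}

# Constructed sample (hypothetical keys, not real key material).
sample=$(mktemp)
cat > "$sample" <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAAC3constructed admin-good
# a comment line is ignored
ssh-ed25519 AAAAC3constructed admin-no-options
command="/bin/cryptroot-unlock" ssh-rsa AAAAB3constructed admin-partial
EOF
if audit_authorized_keys "$sample"; then
    echo "all keys restricted to cryptroot-unlock"
else
    echo "fix the entries listed above"
fi
rm -f "$sample"
```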