Archives

All posts for the month June, 2020

Abstract

Working with one or a fleet of LUKs encrypted Linux machines, it may be necessary to do a remote reboot (as might be the case when you’re using the machine remotely).  But what if the host has entire disk encryption such as LUKs and intended for remote users?  If you ever needed to reboot the host, you would have to physically be present at the local console to enter the LUKs passphrase!  Can’t make it into the office to unlock that drive? You’re SCREWED!  Well, not when you setup dropbear SSH and SSH public key authentication!  Dropbear to the rescue!  Read on!

The Solution

Manual Approach

So let’s say for this example, you’re running either Debian or Ubuntu Linux.  Your entire system drive is LUKs encrypted (likely required by your corporate policy).  You can install the needed package via apt as follows:

apt install dropbear-initramfs

This package allows your system to rebuild the initramfs with a dropbear SSH listener.  This will also work even if you update your kernel so not to worry.  Once you install this package, here’s how you configure it:

nano /etc/dropbear-initramfs/config

When you open the file for editing, you’ll want to add this line to the file, then save and close:

DROPBEAR_OPTIONS=”-p 222 -I 120″

What this line does is configure dropbear to spawn and listen for connections on TCP port 222.  The -I 120 option sets dropbear to disconnect if the session is idle for more than 120 seconds.  Once you have changed the file in this way, there is one more thing to do.  You need to generate ssh keys and copy your public key to the authorized hosts file on the dropbear config folder.   If you already have ssh keys generated, you can simply copy your public key DO NOT copy your private key!  To generate ssh keys:

ssh-keygen

Your keys will be found in ~/.ssh/    you can easily copy your public key by viewing the file ~/.ssh/id_rsa.pub    (on a trusted machine – preferably an SSH jumphost or other trusted SSH host)

less ~/.ssh/id_rsa.pub

Then simply copy the key to another terminal window on the dropbear target host and edit the file:

sudo nano /etc/dropbear-initramfs/authorized_keys

Paste the key into the open file, then save and quit.  The final step is to rebuild your initramfs image so that it now includes dropbear:

sudo update-initramfs -u

This last step is what rebuilds your initramfs image and it will now include dropbear with new kernels.

 

Automated Deployment Using Ansible

But what if you have to do this on many machines?  This setup could take you a while to do manually.  Ansible to the rescue!  I’ll show you how to setup a simple play that will deploy these changes to one host.  You can use an inventory file with multiple hosts to run this against multiple targets:

The play:

If you don’t mind supplying just the hostname and ip for installation targets, I wrote a bash wrapper script to also make deployment easy if you’re just doing about a dozen or so hosts:

First create a target template file:

Then create the wrapper script in bash:

What happens here is that when you run the wrapper script, it’ll ask you for the hostname and IP of the installation target.  It’ll then create the inventory file for you and run the play:

In this example I had already installed dropbear to this host because I didn’t have another one without dropbear.   What you see here is what you could expect except that you would see more changes reflected because the addition of dropbear would have caused more changes to this host.  I only showed this to showcase the example of running the play against a single target using the wrapper.

 

Building The Remote Reboot Tool

Ok now that dropbear is installed on our remote encrypted host, we could manually SSH to the dropbear instance after rebooting the machine by running:

ssh [email protected] -p 222

Once connected, you can manually issue the following commands to unlock your LUKs drive:

cryptroot-unlock  (hit enter)

You then enter your LUKs passphrase just as you would at the local console, then hit Enter again, disconnect, and the host will finish rebooting.  At this point you can access the system as you normally do by remote.  Is there an easier way?  There sure is!  A little PHP, and expect magic to the rescue:

First, we create a web form to take input from the user.  We need the IP address and LUKs passphrase of the target.  Our webform collects this from the user:

When the form is submitted, the inputs are passed to the submit script:

The job of the submit script is to call our expect script and pass the two variables to it.  The expect script does all the heavy lifting and makes the SSH connection to dropbear and provides the information during the session prompts.  We also put the trusted keys in /scripts/key which our unlock.sh expect script uses to authenticate to dropbear:

But BEFORE our expect script will work, we need to install the interpreter on the jump host where our PHP script will call it:

apt install expect

 

Once this script finishes, the remote dropbear host is unlocked.   Our end user only has to interface with the PHP web form:

I hope you find this solution useful.  Please feel free to comment or share your ideas.