Hi all,
Has anyone tried installing Dropbear and dracut-crypt-ssh by hand (to remotely provide a LUKS password via SSH at boot)?
These tools are not (yet) readily available in EPEL and the dracut-crypt-ssh repo, respectively, for RHEL/CentOS version 8.
I could compile & install these tools by hand, but I'm a little worried that I'll screw up my boot sequence.
See full write-up below.
Solved: booting encrypted CentOS version 8 from remote using ssh
Last edited by a3an0 on 2019/12/09 22:49:22, edited 2 times in total.
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Dropbear and dracut-crypt-ssh with CentOS version 8 ?
Maybe you could set up a VM for testing, so there's nothing to worry about if you ruin it.
--
R.I.P. CentOS
Re: Dropbear and dracut-crypt-ssh with CentOS version 8 ?
Turns out the dracut-crypt-ssh script is no longer being maintained.

> a3an0 wrote: ↑2019/11/11 22:30:13
> Has anyone tried installing Dropbear and dracut-crypt-ssh by hand (to remotely provide a LUKS password via SSH at boot)?
> These tools are not (yet) readily available in EPEL and the dracut-crypt-ssh repo, respectively, for RHEL/CentOS version 8.
> I could compile & install these tools by hand, but I'm a little worried that I'll screw up my boot sequence.
So I went with dracut-sshd instead, which uses sshd instead of Dropbear.
Here are the steps I took:

    # enable the COPR repository and install dracut-sshd
    dnf copr enable gsauthof/dracut-sshd
    dnf install dracut-sshd

    # install the client's public key for root on the server
    ssh-copy-id -i ~/.ssh/id_ecdsa root@192.168.3.50

    # rebuild the initramfs so it includes the sshd module
    dracut -f -v

    # in /etc/default/grub: bring the network up early with a static address, then regenerate the GRUB config
    GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=192.168.3.50::192.168.3.3:255.255.255.0:centos8:eno1:off"
    grub2-mkconfig --output /etc/grub2.cfg

    # after a reboot: log in to the initramfs sshd, list the pending password query and answer it
    ssh root@192.168.3.50
    systemd-tty-ask-password-agent --list
    systemd-tty-ask-password-agent
Remaining issues:
- after a reboot it takes a few minutes before sshd becomes available; it only comes up after this message: "random: crng init done" (apparently blocking)
- adding an additional ip-parameter to the kernel options for IPv6 for the same network interface (eno1) results in a system halt:
  "FATAL: For argument '...' Duplication configurations for 'eno1'"
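The "Duplication configurations" halt in the second remaining issue is what dracut reports when two ip= arguments name the same interface. The following check is an added example, not part of a3an0's post or of the dracut-sshd project: it pulls the ip= arguments out of a GRUB_CMDLINE_LINUX value and reports any interface configured more than once, so the mistake is caught before grub2-mkconfig and a reboot instead of at the initramfs prompt. The field layout client-IP:peer:gateway:netmask:hostname:interface:autoconf is the one dracut documents for ip=; the function names, the IPv6 entry and the sample command line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post): flag duplicate interface
# configurations in the dracut "ip=" kernel arguments before rebooting.

# Constructed sample: the poster's IPv4 entry plus an IPv6 entry for the
# same NIC (eno1), which is exactly the combination that makes dracut halt.
SAMPLE_CMDLINE='rd.neednet=1 ip=192.168.3.50::192.168.3.3:255.255.255.0:centos8:eno1:off ip=[2001:db8::50]::[2001:db8::1]:64:centos8:eno1:off'

# ip_interfaces CMDLINE
# Prints the interface named by each ip= argument, one per line, in order.
ip_interfaces() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        /^ip=/ {
            arg = substr($0, 4)
            # collapse bracketed IPv6 literals so the colons inside them
            # do not shift the field positions
            gsub(/\[[^]]*\]/, "x", arg)
            n = split(arg, f, ":")
            if (n >= 6)      print f[6]     # long form: client:peer:gw:mask:host:IFACE:autoconf[:...]
            else if (n == 2) print f[1]     # short form: IFACE:autoconf
            else             print "(any)"  # ip=dhcp, ip=on, ...: no specific interface
        }'
}

# duplicate_ip_interfaces CMDLINE
# Prints every interface that appears in more than one ip= argument and
# returns 1 if there is at least one; returns 0 when the command line is clean.
duplicate_ip_interfaces() {
    dups=$(ip_interfaces "$1" | grep -v '^(any)$' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Usage on the constructed sample: prints "eno1" and the warning line.
duplicate_ip_interfaces "$SAMPLE_CMDLINE" || echo "fix the ip= arguments before running grub2-mkconfig"
```

To run it against the real configuration instead of the sample, source the GRUB defaults file first and pass the variable: `. /etc/default/grub; duplicate_ip_interfaces "$GRUB_CMDLINE_LINUX"`. Entries such as ip=dhcp that name no interface are skipped, since dracut applies those to any interface rather than a specific one.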