Solved: booting encrypted CentOS version 8 from remote using ssh

a3an0
Posts: 2
Joined: 2019/11/11 22:19:54

Solved: booting encrypted CentOS version 8 from remote using ssh

Post by a3an0 » 2019/11/11 22:30:13

Hi all,
Has anyone tried installing Dropbear and dracut-crypt-ssh by hand (to remotely provide a LUKS password via SSH at boot)?
These tools are not (yet) readily available in EPEL and the dracut-crypt-ssh repo, respectively, for RHEL/CentOS version 8.
I could compile & install these tools by hand, but I'm a little worried that I screw up my boot sequence.

See full write-up below.
Last edited by a3an0 on 2019/12/09 22:49:22, edited 2 times in total.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Dropbear and dracut-crypt-ssh with CentOS version 8?

Post by KernelOops » 2019/11/15 22:29:21

Maybe you could set up a VM for testing? Then there's nothing to worry about if you ruin it.
--
R.I.P. CentOS :cry:
--

a3an0
Posts: 2
Joined: 2019/11/11 22:19:54

Re: Dropbear and dracut-crypt-ssh with CentOS version 8?

Post by a3an0 » 2019/12/09 22:46:26

a3an0 wrote:
2019/11/11 22:30:13
Has anyone tried installing Dropbear and dracut-crypt-ssh by hand (to remotely provide a LUKS password via SSH at boot)?
These tools are not (yet) readily available in EPEL and the dracut-crypt-ssh repo, respectively, for RHEL/CentOS version 8.
I could compile & install these tools by hand, but I'm a little worried that I screw up my boot sequence.
Turns out the dracut-crypt-ssh script is no longer being maintained.

So I went with dracut-sshd instead, which uses sshd instead of Dropbear.

Here are the steps I took:

    dnf copr enable gsauthof/dracut-sshd
    dnf install dracut-sshd

install pubkey from client onto root@server (for inclusion in initramfs):

    ssh-copy-id -i ~/.ssh/id_ecdsa root@192.168.3.50

regenerate initramfs:

    dracut -f -v

add early network capabilities/configuration parameters to boot image:

    GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=192.168.3.50::192.168.3.3:255.255.255.0:centos8:eno1:off"

regenerate GRUB configuration:

    grub2-mkconfig --output /etc/grub2.cfg

Now to access the system after a reboot:

    ssh root@192.168.3.50

to list all pending password prompts:

    systemd-tty-ask-password-agent --list

to enter password(s):

    systemd-tty-ask-password-agent

Note that, for your convenience, the latter command is also available as the most recent entry in history (arrow up).

Remaining issues:
  1. after a reboot it takes a few minutes before sshd becomes available;
    this only happens after "random: crng init done" (apparently blocking)
  2. adding an additional ip= parameter to the kernel options for IPv6 on the same network interface (eno1) results in a system halt:
    "FATAL: For argument '...' Duplication configurations for 'eno1'"
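As an added example (not code from a3an0's post or from the dracut-sshd project), the following POSIX sh script covers two of the steps above: editing GRUB_CMDLINE_LINUX with the rd.neednet=1 and ip= arguments while refusing a command line that carries two ip= entries for one interface (the "Duplication configurations" halt from remaining issue 2), and, from the client, waiting for the initramfs sshd to answer before running the password agent (remaining issue 1). It assumes dracut's documented ip= field layout (client:peer:gateway:netmask:hostname:interface:autoconf, or interface:autoconf), a GRUB defaults file path supplied by the caller, and a client key already present in the initramfs authorized_keys; the GRUB file used by demo_grub is constructed for the demo and is not the live /etc/default/grub.

```sh
#!/bin/sh
# Added example, not from the thread or from dracut-sshd: helpers for the
# GRUB/kernel-command-line step and the remote unlock step, in POSIX sh.
# Assumed ip= layouts (dracut):
#   ip=<client-ip>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>
#   ip=<interface>:<autoconf>
# The GRUB defaults file path is passed in by the caller; demo_grub builds a
# throwaway file rather than touching /etc/default/grub.

# Build an ip= argument in the long form used in the post (autoconf defaults to "off").
# Usage: build_ip_param CLIENT_IP GATEWAY NETMASK HOSTNAME IFACE [AUTOCONF]
build_ip_param() {
    printf 'ip=%s::%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$5" "${6:-off}"
}

# Print the interface named by one ip= argument ("" if it names none, e.g. ip=dhcp).
# Bracketed IPv6 addresses are masked first so their colons do not shift the fields.
ip_param_iface() {
    v=$(printf '%s' "${1#ip=}" | sed 's/\[[^]]*\]/ADDR/g')
    nf=$(printf '%s' "$v" | awk -F: '{ print NF }')
    if [ "$nf" -ge 6 ]; then
        printf '%s\n' "$v" | cut -d: -f6       # long form: interface is field 6
    elif [ "$nf" -ge 2 ]; then
        printf '%s\n' "${v%%:*}"               # short form: interface is field 1
    else
        printf '\n'
    fi
}

# Fail if two ip= arguments on a kernel command line name the same interface.
# This is the condition behind dracut's "Duplication configurations for 'eno1'"
# halt reported in the thread, so check it before regenerating grub.cfg.
check_no_duplicate_iface() {
    seen=" "
    set -f                                     # no globbing of [ipv6] brackets
    for arg in $1; do
        case $arg in ip=*) ;; *) continue ;; esac
        i=$(ip_param_iface "$arg")
        [ -n "$i" ] || continue
        case $seen in
            *" $i "*) set +f; echo "duplicate ip= configuration for '$i'" >&2; return 1 ;;
        esac
        seen="$seen$i "
    done
    set +f
    return 0
}

# Append arguments to GRUB_CMDLINE_LINUX in a GRUB defaults file, refusing to write
# a command line that dracut would reject.
# Usage: add_kernel_args /etc/default/grub rd.neednet=1 "ip=..."
add_kernel_args() {
    file=$1; shift
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file")
    new="${current:+$current }$*"
    check_no_duplicate_iface "$new" || return 1
    awk -v v="$new" '/^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" v "\""; next } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Client side: poll until the initramfs sshd answers (the thread reports this can take
# minutes after a reboot), then list the pending prompts and answer them interactively.
# Assumes the client's key is already in the initramfs authorized_keys.
remote_unlock() {
    host=$1 tries=${2:-60} n=0
    while ! ssh -o ConnectTimeout=5 -o BatchMode=yes "root@$host" true 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -lt "$tries" ] || { echo "sshd at $host not reachable" >&2; return 1; }
        sleep 5
    done
    ssh -t "root@$host" 'systemd-tty-ask-password-agent --list; systemd-tty-ask-password-agent'
}

# Demo on a constructed GRUB defaults file; prints the resulting GRUB_CMDLINE_LINUX line.
demo_grub() {
    f=$(mktemp)
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$f"
    add_kernel_args "$f" rd.neednet=1 "$(build_ip_param 192.168.3.50 192.168.3.3 255.255.255.0 centos8 eno1)"
    grep '^GRUB_CMDLINE_LINUX=' "$f"
    rm -f "$f" "$f.tmp"
}

demo_grub
```

One caveat worth keeping in mind before typing the LUKS passphrase into remote_unlock: the initramfs (and the sshd and host key inside it) sits unencrypted in /boot, so the SSH host-key check is the only thing telling the remote operator that the prompt comes from the machine they expect and not from something that replaced the early boot environment. Leave host-key checking on and treat a changed key as a reason to stop, not to retry.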
