I previously installed Ubuntu with preseed and LUKS full-disk encryption, which meant typing the passphrase over VNC on every reboot. Adding dropbear to the initramfs and unlocking over SSH is much more convenient.
Install dropbear-initramfs:
apt install dropbear-initramfs
The install prints a warning:
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
This is because building the initramfs has to include /etc/dropbear-initramfs/authorized_keys, which does not exist yet. Copy an SSH public key into place (note that copying root's whole authorized_keys grants every key in it the ability to unlock the disk; a dedicated unlock key is cleaner):
# on the client
ssh-copy-id root@www.haiyun.me
# on the server
cp -p ~/.ssh/authorized_keys /etc/dropbear-initramfs/
Change the dropbear SSH port. Using a port different from the normal sshd also avoids "host key changed" errors on the client, because the initramfs dropbear has its own host key and OpenSSH keeps a separate known_hosts entry for a non-default port:
echo 'DROPBEAR_OPTIONS="-p 2222"' >> /etc/dropbear-initramfs/config
Configure the initramfs IP. The value uses the kernel ip= syntax, which is positional (an empty field still needs its colon):
#IP="${ip_address}::${gateway_ip}:${netmask}:${optional_fqdn}:${interface_name}:${auto_config}:${name_server}"
echo 'IP=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1' >> /etc/initramfs-tools/initramfs.conf
The IP configuration can also go on the kernel command line via GRUB (run update-grub afterwards):
GRUB_CMDLINE_LINUX="ip=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1"
Optionally patch cryptroot-unlock so it takes the passphrase as a command-line argument instead of prompting. Two caveats: the passphrase then ends up in the client's shell history, and the patched file lives under /usr/share, so the next cryptsetup-initramfs upgrade overwrites it and the patch plus update-initramfs must be redone:
sed -i '/^set/i if [ ! -n "\$1" ] ; then echo "use cryptroot-unlock password";exit 1;fi' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
sed -i 's/read -rs/#read -rs/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
sed -i 's/\$REPLY/\$1/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
Regenerate the initramfs:
update-initramfs -u -k all
After rebooting, connect over SSH and unlock LUKS (with the unpatched script, run cryptroot-unlock without an argument and answer the prompt):
cryptroot-unlock password
Although /usr/share/initramfs-tools/scripts/init-bottom/dropbear is supposed to remove the IP configuration once LUKS is unlocked, the address configured in the initramfs was still present on the interface after boot. On an Ubuntu host using ifupdown, flush it before the real network configuration is applied (netplan hosts need the equivalent elsewhere; also check the IFDOWN setting in /etc/dropbear-initramfs/config if your version has it):
sed -i '/iface eth0/a pre-up ip addr flush dev eth0' /etc/network/interfaces
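The steps above, from installing the key to flushing the leftover address, as one idempotent script. This is an added example, not code from the original post. It assumes the /etc/dropbear-initramfs layout the post uses (newer releases moved it under /etc/dropbear/initramfs), that dropbear honours the no-port-forwarding/no-agent-forwarding/no-X11-forwarding/command= authorized_keys options and the -s/-j/-k switches (no password logins, no local/remote port forwarding), and that the host uses ifupdown. Every function takes a root prefix as its first argument so the logic can be run against a scratch directory before touching the live system; the ip= spec, key line, ports and hostnames are the post's example values.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent dropbear-initramfs
# remote-unlock setup with a key restricted to cryptroot-unlock and a
# hardened DROPBEAR_OPTIONS line. $1 of every function is a root prefix
# ("" for the live system) so the functions can be tested in a temp dir.
set -eu

# Validate a kernel ip= spec before it goes into initramfs.conf. The syntax is
# positional (client:server:gateway:netmask:hostname:device:autoconf:dns0[:dns1]),
# so a dropped colon silently shifts every later field.
validate_ip_spec() {
    spec=$1
    n=$(printf '%s\n' "$spec" | awk -F: '{print NF}')
    dev=$(printf '%s\n' "$spec" | cut -d: -f6)
    auto=$(printf '%s\n' "$spec" | cut -d: -f7)
    if [ "${n:-0}" -lt 8 ] || [ -z "$dev" ]; then
        echo "bad ip= spec (need 8 colon-separated fields, got ${n:-0}): $spec" >&2
        return 1
    fi
    case $auto in
        off|none|on|any|dhcp|bootp|rarp|both) return 0 ;;
        *) echo "bad autoconf field '$auto' in: $spec" >&2; return 1 ;;
    esac
}

# Install one public key, restricted so a stolen key can only answer the
# passphrase prompt (assumes dropbear honours these options). With command=
# forced, the SSH session never reaches the busybox shell.
install_unlock_key() {
    root=$1 pubkey=$2
    dir="$root/etc/dropbear-initramfs"
    mkdir -p "$dir"
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/bin/cryptroot-unlock" %s\n' \
        "$pubkey" > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}

# Replace (not append to) DROPBEAR_OPTIONS so repeated runs do not stack lines.
# -p port, -s no password logins, -j/-k no local/remote port forwarding.
set_dropbear_options() {
    root=$1 port=$2
    cfg="$root/etc/dropbear-initramfs/config"
    mkdir -p "${cfg%/*}"
    [ -f "$cfg" ] || : > "$cfg"
    { grep -v '^DROPBEAR_OPTIONS=' "$cfg" || true; printf 'DROPBEAR_OPTIONS="-p %s -s -j -k"\n' "$port"; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Same replace-in-place pattern for the IP= line in initramfs.conf; refuses
# a malformed spec instead of writing it.
set_initramfs_ip() {
    root=$1 spec=$2
    validate_ip_spec "$spec" || return 1
    cfg="$root/etc/initramfs-tools/initramfs.conf"
    mkdir -p "${cfg%/*}"
    [ -f "$cfg" ] || : > "$cfg"
    { grep -v '^IP=' "$cfg" || true; printf 'IP=%s\n' "$spec"; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# ifupdown only: flush the address the initramfs configured before the real
# network configuration runs (the post's sed, made idempotent).
add_addr_flush() {
    root=$1 dev=$2
    f="$root/etc/network/interfaces"
    [ -f "$f" ] || return 0
    if grep -q "pre-up ip addr flush dev $dev" "$f"; then return 0; fi
    awk -v dev="$dev" '{ print } $1 == "iface" && $2 == dev { print "    pre-up ip addr flush dev " dev }' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Apply to the live system only when explicitly asked, e.g.
#   APPLY=1 sh dropbear-unlock-setup.sh "$(cat ~/.ssh/id_ed25519.pub)"
if [ "${APPLY:-0}" = 1 ]; then
    install_unlock_key "" "$1"
    set_dropbear_options "" 2222
    set_initramfs_ip "" '192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1'
    add_addr_flush "" eth0
    update-initramfs -u -k all
fi
```

Because the key forces command="/usr/bin/cryptroot-unlock", an SSH login to the initramfs goes straight to the "Please unlock disk" prompt; an automation client must not wait for the busybox banner first.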
Use PHP with the expect extension to unlock LUKS automatically over SSH. Note that StrictHostKeyChecking=no below accepts whatever host key is offered, so anything impersonating the initramfs receives the passphrase; pinning the initramfs host key in a dedicated known_hosts file (UserKnownHostsFile) is safer when this runs unattended, and the passphrase should not live as a literal in a world-readable script:
<?php
// Automated LUKS unlock through the initramfs dropbear, driven by the PHP expect extension.
ini_set("expect.timeout", 5);
ini_set("expect.loguser", "off");
$host = "www.haiyun.me";
$port = 22;        // use 2222 if DROPBEAR_OPTIONS="-p 2222" was set above
$pass = "xxxxxx";  // LUKS passphrase
// StrictHostKeyChecking=no trusts any host key; pin the initramfs host key with
// -o UserKnownHostsFile=... instead if this runs unattended.
$stream = expect_popen("ssh -o StrictHostKeyChecking=no -p{$port} root@{$host}");
// Each case is array(glob pattern, value returned by expect_expectl).
$cases = array(
    array("password:", "pass"),            // ssh password prompt (only if key auth is missing)
    array("Enter 'help'", "shell"),        // busybox shell banner inside the initramfs
    array("Please unlock disk", "unlock"), // cryptroot-unlock passphrase prompt
    array("set up successfully", "sus"),
    array("Permission denied", "den"),
    array("cryptsetup failed", "fai")
);
while (true) {
    switch (expect_expectl($stream, $cases)) {
        case "den":
            echo 'Permission denied'.PHP_EOL;
            break 2;
        case "pass":
            fwrite($stream, "password\n");  // SSH login password, not the LUKS passphrase
            break;
        case "shell":
            fwrite($stream, "/usr/bin/cryptroot-unlock\n");
            // With the patched script the passphrase can be passed as an argument:
            //fwrite($stream, "/usr/bin/cryptroot-unlock {$pass}\n");
            break;
        case "unlock":
            fwrite($stream, "{$pass}\n");
            break;
        case "fai":
            echo 'unlock failed, bad password or options?'.PHP_EOL;
            break 2;
        case "sus":
            echo 'unlock sus'.PHP_EOL;
            break 2;
        case EXP_TIMEOUT:
            echo 'timeout'.PHP_EOL;
            break 2;
        case EXP_EOF:
            echo 'eof'.PHP_EOL;
            break 2;
        default:
            die("Error has occurred!");
    }
}
fclose($stream);
Alternatively, unlock LUKS remotely with PHP's ssh2 extension:
<?php
// Automated LUKS unlock through the initramfs dropbear, using the PHP ssh2 extension.
$host = 'www.haiyun.me';
$port = 2222;
$pass = 'xxxx';  // LUKS passphrase
if (!($conn = ssh2_connect($host, $port, array('hostkey'=>'ssh-rsa')))) {
    die("conn fail\n");
}
// Nothing below checks the host key; compare ssh2_fingerprint($conn) against the
// initramfs dropbear's known fingerprint before sending the passphrase.
// Note: do not write the key paths as ~/.ssh/id_rsa.pub (PHP does not expand ~);
// doing so led to segfaults and other odd problems.
if (ssh2_auth_pubkey_file($conn, 'root', '/root/.ssh/id_rsa.pub', '/root/.ssh/id_rsa')) {
    echo "auth sus\n";
} else {
    die("auth fail\n");
}
// Minimal expect: collect shell output until $match appears or 10 s pass.
function expect($stream, $match) {
    $time = time();
    $res = '';
    while (!feof($stream)) {
        //if (($buffer = fgets($stream, 4096)) !== false) {
        if (($buffer = fread($stream, 4096)) !== false) {
            $res .= $buffer;
        }
        if (stristr($res, $match)) {
            return 'sus';
        }
        $now = time();
        if (($now - $time) >= 10) {
            return 'timeout';
        }
        usleep(100000); // 100 ms between polls; the stream is non-blocking
    }
    return 'disconnect';
}
$shell = ssh2_shell($conn, 'xterm');
stream_set_blocking($shell, false); // fread must return immediately for the timeout above to work
fwrite($shell, "/usr/bin/cryptroot-unlock\n");
$res = expect($shell, 'Please unlock disk');
if ($res == 'sus') {
    fwrite($shell, "{$pass}\n");
    $res = expect($shell, 'set up successfully');
    echo ($res == 'sus') ? "unlock sus\n" : "unlock failed: {$res}\n";
} else {
    echo "no unlock prompt: {$res}\n";
}
fclose($shell);
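The same automation as the two PHP scripts above, written as a shell client. This is an added example, not code from the original post. It differs from the PHP versions in three ways: the initramfs host key is pinned in its own known_hosts file instead of passing StrictHostKeyChecking=no, the passphrase is read from a 0600 file rather than a script literal, and the session transcript is classified from the prompts the PHP scripts match plus OpenSSH's own error messages. It assumes (not verified on the page) that cryptroot-unlock reads the passphrase with read -rs and therefore accepts it from a pipe when no tty is allocated, and that an authorized_keys entry with command="/usr/bin/cryptroot-unlock" runs that command regardless of what the client asks for. The host, port, known_hosts path and passphrase file path are assumptions; the fake ssh used in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): non-interactive LUKS unlock
# client for the dropbear initramfs, with the initramfs host key pinned.
set -eu

# Dropbear in the initramfs has its own host key, different from the real
# sshd's, so the normal known_hosts entry for the host will never match it.
# Record the initramfs key once over a path you trust (for example compare
# the fingerprint with what the VNC console shows) and keep it separate:
#   ssh-keyscan -p 2222 www.haiyun.me > ~/.ssh/known_hosts.initramfs
KNOWN_HOSTS=${KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts.initramfs}

# Map a captured session transcript to one result word. The cryptsetup
# strings are the ones the post's PHP scripts match; the rest are OpenSSH's
# own messages, so a host-key mismatch is reported rather than ignored.
classify_unlock_output() {
    case $1 in
        *"set up successfully"*) echo success ;;
        *"cryptsetup failed"*)   echo bad-passphrase ;;
        *"Permission denied"*)   echo denied ;;
        *"Host key verification failed"*|*"REMOTE HOST IDENTIFICATION HAS CHANGED"*) echo hostkey ;;
        *"Connection refused"*|*"Connection timed out"*|*"No route to host"*) echo unreachable ;;
        *)                       echo unknown ;;
    esac
}

# Run cryptroot-unlock on the initramfs with the passphrase on stdin.
# Assumption: cryptroot-unlock reads the passphrase with `read -rs`, so a
# pipe works without a tty. If the key forces command="/usr/bin/cryptroot-unlock"
# the remote command argument is ignored and the forced command runs.
# BatchMode=yes guarantees ssh never prompts; all output is merged so the
# caller can classify it. $SSH is overridable to test against a fake ssh.
remote_unlock() {
    host=$1 port=$2 passfile=$3
    ${SSH:-ssh} -p "$port" \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o BatchMode=yes \
        -o ConnectTimeout=10 \
        "root@$host" cryptroot-unlock < "$passfile" 2>&1 || true
}

# Usage: sh unlock.sh HOST [PORT] [PASSFILE]; exits non-zero unless unlocked.
# Nothing runs when the file is sourced without arguments.
if [ "${1:-}" ]; then
    result=$(classify_unlock_output "$(remote_unlock "$1" "${2:-2222}" "${3:-${HOME:-/root}/.luks-passphrase}")")
    echo "$result"
    [ "$result" = success ]
fi
```

Keep the passphrase file at mode 0600 and outside any web root; with the key restricted as in the setup example, a compromised client can at most unlock the disk, not obtain a shell in the initramfs.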
Problem observed: on Ubuntu 20.04 with a self-compiled 4.14 bbrplus kernel, this method made the system boot very slowly; the 5.4 and 5.10 kernels tested fine.
Another approach, generating the initramfs with dracut and unlocking LUKS through OpenSSH instead of dropbear:
https://github.com/gsauthof/dracut-sshd
Reference:
https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/