LinuxQuestions.org


redgoblin 04-28-2008 03:55 PM

Serial Console and LUKS Passphrase
 
I have a server here running headless with Debian Etch using an encrypted LVM. I'm trying to set up a serial console so I can enter the LUKS passphrase from my desktop on the few occasions it needs rebooting.

Serial console now works fine; I can connect from the initial GRUB phase and operate it as normal. I can also see when init comes up, watch it process and enter the passphrase when required. The problem is that with this setup I can't enter the passphrase on the physical console (when a monitor and keyboard are attached). init stops where it would normally ask, but no prompt comes up.

Is this normal behaviour? I assume not. How can I have the passphrase prompt on both the serial and physical consoles?

Configuration is as follows

Grub (in /boot/grub/menu.lst)
Code:

serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console

and the kernel section

Code:

title          Debian GNU/Linux, kernel 2.6.18-6-686
root            (hd0,0)
kernel          /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro vga=791 console=tty0 console=ttyS0,115200n8
initrd          /initrd.img-2.6.18-6-686

inittab (in /etc/inittab)
Code:

T0:2345:respawn:/sbin/getty -L ttyS0 115200 vt100

Any thoughts?

rayfordj 04-28-2008 07:40 PM

Quote:

Originally Posted by redgoblin (Post 3135886)
Is this normal behaviour? I assume not. How can I have the passphrase prompt on both the serial and physical consoles?

I suspect it is "normal" behavior. I ran into the same "problem" with a RHEL5 install that I (LUKS) encrypted the entire PV. It was an either/or but not both scenario no matter what combinations I thought to try.

redgoblin 05-02-2008 09:29 AM

Well, after coming back to look at the problem again I came up with a reasonable workaround. Thought I'd post it here for the benefit of others as this post is now the first hit for "serial console luks passphrase" on Google.

From looking into the Serial Console Howto it does indeed seem to be a known issue;

http://tldp.org/HOWTO/Remote-Serial-...s-monitor.html

When you pass the parameters

Code:

console=tty0 console=ttyS0,38400n8

to the kernel, the last defined console device is the only one capable of receiving input and therefore the LUKS passphrase. In the above example that would be the serial console. Fine for the few occasions I restart the server as I can use my serial connected desktop to enter the passphrase.

To allow you to also enter the passphrase on the physical console you simply need to pass the parameters the other way round;

Code:

console=ttyS0,38400n8 console=tty0

However, with this setup you can't enter the passphrase on the serial console; you must have a keyboard and monitor attached instead.

On a Debian system you can use the defoptions and altoptions in grub to automatically set this up.

In the file /boot/grub/menu.lst change the line

Code:

# defoptions=

to

Code:

# defoptions= console=tty0 console=ttyS0,38400n8

This means that all future kernels will be created with the serial console parameters. The LUKS passphrase will be expected on the serial console.

Now also change the lines;

Code:

# altoptions=(Single-User Mode) single

to

Code:

# altoptions=(Use Physical Console) console=ttyS0,38400n8 console=tty0
# altoptions=(Single-User Mode) single

Debian normally creates a single user boot option by default. In the above example we're also setting it to create another boot option with priority to the physical console. The passphrase is expected on the attached keyboard.

Now when you run update-grub it will create three boot options for each installed kernel; like so

Code:

title          Debian GNU/Linux, kernel 2.6.18-6-686
root            (hd0,0)
kernel          /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro console=tty0 console=ttyS0,38400n8
initrd          /initrd.img-2.6.18-6-686
savedefault

title          Debian GNU/Linux, kernel 2.6.18-6-686 (Use Physical Console)
root            (hd0,0)
kernel          /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro console=ttyS0,38400n8 console=tty0
initrd          /initrd.img-2.6.18-6-686
savedefault

title          Debian GNU/Linux, kernel 2.6.18-6-686 (Single-User Mode)
root            (hd0,0)
kernel          /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro single
initrd          /initrd.img-2.6.18-6-686
savedefault

The first (and default one, automatically selected by the timeout) will take the LUKS passphrase from the serial console. On the rare occasion you start with a physical console attached you can select the second option. The single user mode is kept for emergencies.

You can use defoptions and altoptions to automatically add any kernel parameters to newly created kernels, so you could also add things like vga=791. Additionally, it seems you can have numerous altoptions configurations.

Hope that helps someone.
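
Added example, not part of the original posts: a shell function that reads a GRUB legacy menu.lst on stdin and reports, for each boot entry, the last console= device, which per the thread is the one that accepts the LUKS passphrase. The function names and the embedded sample (constructed from the three entries shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check which console each boot entry will prompt on
# before rebooting a headless, LUKS-encrypted server.

# passphrase_console: reads menu.lst-style text on stdin and prints
# "<title> => <device>" for every kernel line. The device comes from the
# LAST console= parameter; "(kernel default)" means none was given.
passphrase_console() {
    awk '
        $1 == "title" {
            # Keep everything after the keyword as the entry title.
            sub(/^[ \t]*title[ \t]+/, "")
            title = $0
            next
        }
        $1 == "kernel" {
            dev = "(kernel default)"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^console=/) {
                    dev = substr($i, 9)   # strip the "console=" prefix
                    sub(/,.*/, "", dev)   # drop speed/parity options
                }
            }
            print title " => " dev
        }
    '
}

# Constructed sample mirroring the three entries update-grub produced above.
sample_menu() {
    cat <<'EOF'
title   Debian GNU/Linux, kernel 2.6.18-6-686
kernel  /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro console=tty0 console=ttyS0,38400n8

title   Debian GNU/Linux, kernel 2.6.18-6-686 (Use Physical Console)
kernel  /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro console=ttyS0,38400n8 console=tty0

title   Debian GNU/Linux, kernel 2.6.18-6-686 (Single-User Mode)
kernel  /vmlinuz-2.6.18-6-686 root=/dev/mapper/fenris-root ro single
EOF
}

sample_menu | passphrase_console
```

On a real system the same function can be fed the live file with `passphrase_console < /boot/grub/menu.lst`; commented lines such as `# defoptions=` are ignored because their first field is `#`.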

