LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 06-18-2018, 03:13 AM   #16
caffe
LQ Newbie
 
Registered: Feb 2015
Posts: 17

Rep: Reputation: Disabled

Ok just to clarify. You can use dropbear on the machine only for use with the initrd. Once the machine boots, you can ignore the fact that dropbear is there. (I use different keys for dropbear and openssh, configuring a different port for the dropbear started from the initrd so I don't have conflicts in ~/.ssh/known_hosts on the client side)

Regarding:
Quote:
to try and connect but I get
Code:
Connection to root@192.168.1.30:22 exited: Connect failed: No route to host
I would start by checking your /etc/early-ssh/early-ssh.conf and making sure everything is correct. Also note the port number you configure there. My example above used a non-standard port. Does your network adapter need a kernel module? Make sure it's included in your initrd then.

If you need DHCP or something, you are unfortunately on your own. You'd have to change /usr/share/mkinitrd/scripts/early_ssh to do the stuff you need. The setup I have described is for a static IP.

You said you went to the machine and typed in the password. I don't think this should be the case. It should be waiting in a loop for the server to be killed and then the init script will continue. So it seems either the early_ssh script is not included or if it is, something in it is failing.

If you look in your /tmp/initrd-whatever file tree, do you see early_ssh in the top-level directory, dropbear in sbin and etc/early-ssh/early-ssh.conf? Is the /early_ssh line in your init file?

I guess as a final test, you could type in the password incorrectly until it drops you into a shell, then try to run /early_ssh yourself. Maybe then you can see an error message.

Let us know if you come right.
 
1 members found this post helpful.
Old 06-20-2018, 01:29 PM   #17
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by caffe View Post
Ok just to clarify. You can use dropbear on the machine only for use with the initrd. Once the machine boots, you can ignore the fact that dropbear is there. (I use different keys for dropbear and openssh, configuring a different port for the dropbear started from the initrd so I don't have conflicts in ~/.ssh/known_hosts on the client side)

Regarding:


I would start by checking your /etc/early-ssh/early-ssh.conf and making sure everything is correct. Also note the port number you configure there. My example above used a non-standard port. Does your network adapter need a kernel module? Make sure it's included in your initrd then.

If you need DHCP or something, you are unfortunately on your own. You'd have to change /usr/share/mkinitrd/scripts/early_ssh to do the stuff you need. The setup I have described is for a static IP.

You said you went to the machine and typed in the password. I don't think this should be the case. It should be waiting in a loop for the server to be killed and then the init script will continue. So it seems either the early_ssh script is not included or if it is, something in it is failing.

If you look in your /tmp/initrd-whatever file tree, do you see early_ssh in the top-level directory, dropbear in sbin and etc/early-ssh/early-ssh.conf? Is the /early_ssh line in your init file?

I guess as a final test, you could type in the password incorrectly until it drops you into a shell, then try to run /early_ssh yourself. Maybe then you can see an error message.

Let us know if you come right.
For the kernel modules, I have all of the required kernel modules as I used that command Slackware has in the beginners_guide to figure out what modules are needed (my keyboard would not work previously) and added those into your commands.

When I ran this command
Code:
mkinitrd -k 4.4.132 -f ext4 -r /dev/mapper/cryptroot -u -o /boot/initrd-4.4.132.gz -s /tmp/initrd-tree-4.4.132
and rebooted my machine, I would end up getting an error where Slackware was not finding cryptroot. I had to change /dev/mapper/cryptroot to just cryptroot and it worked.

I also discovered I had placed the DESTDIR= into luksdev instead of just running the command. So I fixed it, re-did everything and made sure to run that command instead of placing it in luksdev.

Code:
DISABLED=1
INTERFACE="eth0"
IP="192.168.1.30"
PORT="22"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
TIMEOUT="300" # in seconds (empty means disabled, will wait forever)
Should DISABLED=1 be set to 0 instead? I think it should be 0, I will try it with disabled=0. I have also changed OpenSSH's port to another port so that there is no conflict. I am using the same static ip that the computer is set to use when the Slackware network interfaces start (should they be different?).

EDIT: I have tried with DISABLED=0 and DISABLED=1 (I re-made the entire /tmp/initrd thing with the mkinitrd command each time) and I still can not connect on boot using dropbear. If I check the monitor it is asking for my password and there is no loop that you mention. I am missing something but can't figure out what.

If I look in /tmp/initrd-tree-4.4.132 I see a green early-ssh file and in sbin I see a green dropbear file and there is /tmp/initrd-tree-4.4.132/etc/early-ssh/early-ssh.conf as well. My init file has a /early_ssh text right above "if [ -x /sbin/cryptsetup ]; then" like so
Code:
/early_ssh
if [ -x /sbin/cryptsetup ]; then
Will try your final test now.

Last edited by laxware; 06-22-2018 at 12:06 PM.
 
Old 06-20-2018, 01:38 PM   #18
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Decided to make a separate post. I am trying your final test, basically turning on the machine and when I get prompted for a password I just hit enter until I got an error that basically said
Code:
Device /dev/mapper/cryptroot not found
mount: mounting /dev/mapper/cryptroot on /mnt failed: No such file or directory
ERROR:  No /sbin/init found on rootdev (or not mounted). Trouble ahead.
        You can try to fix it. Type 'exit' when things are done.
and then I got dropped to a shell. Is that normal behavior from entering the password wrong too many times?

Anyway, the OS basically has this on the screen now after the previous code I pasted

Code:
/bin/sh: can't access tty: job control turned off
/#
and then I can enter things into the shell. I try looking for early-ssh but can't find anything. I tried typing /early-ssh and it said not found, and I ran a find -name "early-ssh" (and alternatively early_ssh) and it could not find anything either. So this means early-ssh is not being included for some reason?

Last edited by laxware; 06-20-2018 at 06:31 PM.
 
Old 06-20-2018, 06:35 PM   #19
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
So, I forgot to edit LILO and set it to use /boot/initrd-4.4.132.gz instead of just the default /boot/initrd.gz . Upon doing so, I rebooted the machine and I see how it is sort of waiting in a loop for a connection so it seems to be going okay. The issue however is that I can not connect.

Basically what comes up,

Code:
*** early-ssh 0.3.7-testing ***
Network interface : eth0
IP address: 192.168.1.30
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
SSH port: 22

ifconfig: SIOCSIFADDR: No such device
route: SIOCADDRT: Network is unreachable
*** Now you can log in over SSH. You can press enter or wait 300 seconds to continue booting
So the issue now seems to be related to my network setup (which seems fine) or that I am missing network drivers? I ran that special command "/usr/share/mkinitrd/mkinitrd_command_generator.sh" to figure out what type of modules I needed and incorporated that into the mkinitrd command you instructed to execute and I know it is working because previously my wireless keyboard would not work but it does which means the modules are loaded. Any ideas?


EDIT: Okay so for some reason, mkinitrd did not include my network chipset/driver so I had to manually run
Code:
ls -l /sys/class/net/eth0/device/driver
in which my driver was posted on the output as r8169 or something. I had to manually add r8169 to the modules section of the mkinitrd and I was able to connect to the machine during boot and unlock the drive with
Code:
cryptsetup luksOpen /dev/sda1 cryptroot
entered my password and typed finish, however the system was not able to boot and I got this error message

Code:
Device /dev/mapper/cryptroot not found
mount: mounting cryptroot on /mnt failed: No such file or directory
ERROR:  No /sbin/init found on rootdev (or not mounted). Trouble ahead.
        You can try to fix it. Type 'exit' when things are done.
Going to try a few things but I think I may need some help, what is the proper way to "unlock" the partition?

Last edited by laxware; 06-22-2018 at 12:05 PM.
 
Old 06-22-2018, 12:05 PM   #20
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Okay, I successfully figured out how to be able to boot slackware from the dropbear ssh instance but I have a few questions.

When connecting into the dropbear ssh server I had to first unlock the partition,

Code:
cryptsetup luksOpen /dev/sda1 cryptroot
then I also had to mount /dev/mapper/cryptroot on /mnt (if I try to mount it on / I get an error, and I read through the init file and it mounts it on /mnt for some reason).

Code:
mount /dev/mapper/cryptroot /mnt
The slackware system successfully boots however I see there is a message saying

Code:
ERROR: Root partition has already been mounted read-write. Cannot check!

For filesystem checking to work properly , your system must initially mount the root partition as read only. If you're booting with LILO add a line read-only
That line is already added on my LILO.
I fixed this issue by mounting as read only instead of the first way I did it

Code:
mount -o ro /dev/mapper/cryptroot /mnt
That seemed to fix the issue above. My question now is, why do I have to manually mount the partition? When I had the system set up from following README_CRYPT (before we started making the other initrd's with dropbear/early-ssh support) Slackware would prompt me to enter a password to unlock the partition upon boot and then mount it for me. Is there a way to grab that code and copy it into this init so that when I connect to dropbear I can just run a command or something?

Last edited by laxware; 06-22-2018 at 12:08 PM.
 
Old 06-22-2018, 09:24 PM   #21
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Quote:
Originally Posted by laxware View Post
Is there a way to grab that code and copy it into this init so that when I connect to dropbear I can just run a command or something?
/usr/share/mkinitrd/initrd-tree.tar.gz contains the normal initrd tree. There's a file in there called ./init. It's a script which contains the init code normally run by an initrd.
 
Old 06-22-2018, 09:28 PM   #22
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Richard Cranium View Post
/usr/share/mkinitrd/initrd-tree.tar.gz contains the normal initrd tree. There's a file in there called ./init. It's a script which contains the init code normally run by an initrd.
Ohh, yes it is there. Okay so that means (and I confirmed) the init scripts are identical, except in the instructions by caffe I have a ./early_ssh above an if statement line. Maybe early_ssh interrupts this procedure and this is the only/best way to do it? I was hoping to just have to type a single command to do the unlock and mounting for me, but alas.
 
Old 06-22-2018, 10:01 PM   #23
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Well, that script contains a lot of other stuff as well.

(As you probably know, running mkinitrd will also dump a copy of everything that will end up in your initrd in /boot/initrd-tree. That's where I normally go to look at the script.)

There's a level of complexity since the standard init script attempts to support people who want to just encrypt a subset of their partitions which may or may not be on raid devices and/or LVM logical volumes.

Ideally, you'd hook into the bit where the system does...
Code:
echo "Unlocking LUKS encrypted device '${LUKSDEV}' as luks mapped device '$CRYPTDEV':"
/sbin/cryptsetup ${LUKSKEY} luksOpen ${LUKSDEV} ${CRYPTDEV} </dev/tty0 >/dev/tty0 2>&1
...but I don't know how you did that in your case.

I'm willing to help a little bit, but this isn't an itch I have at the moment (but I do see how it can be very very useful).

Last edited by Richard Cranium; 06-22-2018 at 11:37 PM. Reason: English is my native language. No, really.
 
1 members found this post helpful.
Old 06-22-2018, 11:47 PM   #24
caffe
LQ Newbie
 
Registered: Feb 2015
Posts: 17

Rep: Reputation: Disabled
Quote:
Originally Posted by laxware View Post
Ohh, yes it is there. Okay so that means (and I confirmed) the init scripts are identical, except in the instructions by caffe I have a ./early_ssh above an if statement line. Maybe early_ssh interrupts this procedure and this is the only/best way to do it? I was hoping to just have to type a single command to do the unlock and mounting for me, but alas.
You should not have to mount the device. init will do it for you if you give mkinitrd the correct parameter. (reading init as Richard Cranium says should be informative. It's quite easy to understand). Anyway, the root device you pass to mkinitrd is written into a file rootdev which is included in the initrd. init looks in this file for the device to mount (yes, it will mount it readonly to /mnt). You should therefore pass in the correct device and it will do the mounting for you. Now you wrote above that you used

Quote:
-r /dev/mapper/cryptroot
and that it fails. But you wrote that when you manually mounted, you used this device. This doesn't seem correct. To be absolutely sure, you could use the uuid of the unlocked partition (you can print them with blkid) in your initrd command:

Quote:
-r /dev/disk/by-uuid/<uuid>
As for using a script to unlock, you should now understand you can add whatever you want to the initrd. So we've proven we don't need to manually mount, but you could script the other.

So in the stage after you've added dropbear to the init but before you've zipped everything back up, just add a script to do the unlocking.

Code:
cat << EOF > /tmp/initrd-tree-xxx/bin/unlock
#!/bin/sh

/sbin/cryptsetup luksOpen /dev/sda1 cryptroot
finished
EOF
chmod +x /tmp/initrd-tree-xxx/bin/unlock
then the command previously used to build the initrd.

Then after you ssh in, just type
Code:
unlock
and it will prompt for the password and disconnect you. You could add any additional commands to this you need.
 
1 members found this post helpful.
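Putting caffe's checklist from post #16 (early_ssh at the top level, dropbear in sbin, the early-ssh.conf file, the /early_ssh line in init) together with the points that bit laxware later (DISABLED=1, the NIC driver missing from the module list, and a rootdev that names the bare mapping instead of /dev/mapper/...) into one pre-pack check. This is an added example, not code from the thread or from Slackware's mkinitrd; it assumes the unpacked tree layout described above plus mkinitrd's load_kernel_modules file, and builds a constructed tree under mktemp to exercise itself.

```shell
#!/bin/sh
# Sanity-check an unpacked Slackware initrd tree (the /tmp/initrd-tree-xxx
# directory that mkinitrd -s writes) before packing it, so the problems seen
# in this thread are caught on the build host instead of at the boot prompt.

# check_initrd_tree TREE NIC_MODULE -> exit 0 if every check passes, 1 otherwise.
# Each failed check is printed as a line starting with "FAIL:".
check_initrd_tree() {
    tree=$1; nic=$2; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    [ -x "$tree/early_ssh" ]     || fail "early_ssh missing or not executable at top level"
    [ -x "$tree/sbin/dropbear" ] || fail "sbin/dropbear missing or not executable"
    conf="$tree/etc/early-ssh/early-ssh.conf"
    if [ -f "$conf" ]; then
        grep -q '^DISABLED=0' "$conf" || fail "early-ssh.conf does not set DISABLED=0"
    else
        fail "etc/early-ssh/early-ssh.conf missing"
    fi
    grep -q '^/early_ssh' "$tree/init" 2>/dev/null \
        || fail "init does not contain the /early_ssh line"
    # mkinitrd writes the -m module list into load_kernel_modules; without the
    # NIC driver there, dropbear has no interface (the SIOCSIFADDR error above).
    grep -q "$nic" "$tree/load_kernel_modules" 2>/dev/null \
        || fail "NIC module $nic is not in load_kernel_modules"
    # rootdev (from mkinitrd -r) must be the mapped device, not the bare name,
    # or init cannot mount the unlocked root itself.
    rootdev=$(cat "$tree/rootdev" 2>/dev/null)
    case "$rootdev" in
        /dev/mapper/*|/dev/disk/by-uuid/*) : ;;
        *) fail "rootdev is '$rootdev'; expected /dev/mapper/<name> or a by-uuid path" ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed demo trees (not real initrd contents): one broken, one fixed.
# make_tree DIR DISABLED_VALUE ROOTDEV "module module ..."
make_tree() {
    mkdir -p "$1/sbin" "$1/etc/early-ssh" "$1/bin"
    printf '#!/bin/sh\n' > "$1/early_ssh";     chmod +x "$1/early_ssh"
    printf '#!/bin/sh\n' > "$1/sbin/dropbear"; chmod +x "$1/sbin/dropbear"
    printf 'DISABLED=%s\nINTERFACE="eth0"\nPORT="22"\n' "$2" \
        > "$1/etc/early-ssh/early-ssh.conf"
    printf '/early_ssh\nif [ -x /sbin/cryptsetup ]; then\n' > "$1/init"
    printf '%s\n' "$3" > "$1/rootdev"
    for m in $4; do printf 'modprobe %s\n' "$m"; done > "$1/load_kernel_modules"
}

DEMO=$(mktemp -d)
make_tree "$DEMO/bad"  1 cryptroot             "ext4 mbcache jbd2"
make_tree "$DEMO/good" 0 /dev/mapper/cryptroot "ext4 mbcache jbd2 r8169"

for t in bad good; do
    if check_initrd_tree "$DEMO/$t" r8169; then echo "$t tree: OK"; else echo "$t tree: NOT OK"; fi
done
```

Run it against the real tree with `check_initrd_tree /tmp/initrd-tree-4.4.132 r8169` after the tree is prepared and before the final mkinitrd call.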
Old 06-23-2018, 12:45 PM   #25
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Now you wrote above that you used

Quote:
-r /dev/mapper/cryptroot
and that it fails. But you wrote that when you manually mounted, you used this device. This doesn't seem correct.
=================================================================================
I figured out why this failed. As I initially was following README_CRYPT.TXT from Slackware repo the mkinitrd command it uses is like so
Code:
mkinitrd -c -k 4.4.14-smp -m ext4 -f ext4 -r cryptroot -C /dev/sdx1
notice how it does not have /dev/mapper/cryptroot. So I basically adapted your first mkinitrd to the one I already had (my mistake) and that is why when I ran the second/final mkinitrd I got an error.

I started from scratch using /dev/mapper/cryptroot in both mkinitrd commands you listed ( I still manually added in the -L option to the first mkinitrd as I am almost certain I will get a boot error if I don't) and the system booted up successfully with no error and launched the early-ssh/dropbear instance. I was able to connect to the dropbear instance, write the command
Code:
cryptsetup luksOpen /dev/sda1 cryptroot
and then hit
Code:
finished
and the slackware system started to boot on its own.

I did not get to try out the custom script but that looks like a very nice addition if I encrypt swap or other drives. I will definitely be trying that out looks very neat!

EDIT: To further add to the discussion, I went back and tried to modify the mkinitrd command from Slackware README_CRYPT.txt to replace cryptroot with /dev/mapper/cryptroot

mkinitrd from README_CRYPT.txt
Code:
mkinitrd -c -k 4.4.14-smp -m ext4 -f ext4 -r cryptroot -C /dev/sda1
Does not work, requires me to add -L option and then the system boots fine

mkinitrd modifying cryptroot to /dev/mapper/cryptroot
Code:
mkinitrd -c -k 4.4.14-smp -m ext4 -f ext4 -r /dev/mapper/cryptroot -C /dev/sda1
Also does not work, even if I add the -L option.

So, this means that when following standard Slackware procedure I HAVE to use 'cryptroot' and can not use '/dev/mapper/cryptroot' AND I also have to add -L. However, for your instructions I don't necessarily have to use '/dev/mapper/cryptroot', but if I do not I have to manually mount the drive when connecting to dropbear. I am writing this mostly for myself but also for others, as they may get confused why it differs so much.

Last edited by laxware; 06-23-2018 at 01:06 PM.
 
Old 06-23-2018, 09:20 PM   #26
laxware
Member
 
Registered: Jun 2018
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by caffe View Post
Code:
cat << EOF > /tmp/initrd-tree-xxx/bin/unlock
#!/bin/sh

/sbin/cryptsetup luksOpen /dev/sda1 cryptroot
finished
EOF
chmod +x /tmp/initrd-tree-xxx/bin/unlock
Haaha, just tried this out, it's amazing! Furthermore, using /dev/disk/by-uuid/<uuid> will future proof it if I remove drives (especially if I enable encrypted swap, as that gets formatted every boot and shutdown) or for people who have a hotswap setup. Amazing stuff here, thanks for sharing.
 