Bug#1037086: dropbear-initramfs: /etc/dropbear/initramfs/dropbear_dss_host_key file not generated


Georg Gast

Jun 4, 2023, 5:01:47 AM
Package: dropbear-initramfs
Version: 2022.83-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
One of my systems did not start and landed in the rescue shell. I wanted to install
dropbear-initramfs and enable ssh access for the rescue target. I installed it and
configured it.

* What exactly did you do (or not do) that was effective (or
ineffective)?
Updated initramfs and created symlinks
/etc/dropbear/dropbear_ecdsa_host_key ->
/etc/dropbear/initramfs/dropbear_ecdsa_host_key
/etc/dropbear/dropbear_ed25519_host_key ->
/etc/dropbear/initramfs/dropbear_ed25519_host_key
/etc/dropbear/dropbear_rsa_host_key ->
/etc/dropbear/initramfs/dropbear_rsa_host_key

DROPBEAR_OPTIONS="-FEsjk"

But dropbear did not start as it was complaining about the missing dss host
key. I generated a new dss key and added the symlink

dropbearkeygen -t dss -f /etc/dropbear/initramfs/dropbear_dss_host_key
/etc/dropbear/dropbear_dss_host_key ->
/etc/dropbear/initramfs/dropbear_dss_host_key

Updated initramfs, reboot into rescue

* What was the outcome of this action?
dropbear did NOT start.

If I delete /etc/dropbear/initramfs/dropbear_dss_host_key and generate a new
one with
dropbearkeygen -t dss -f /etc/dropbear/initramfs/dropbear_dss_host_key
in the rescue shell, dropbear starts.


Info:
-----

georg@nas-dsm:~$ uname -a
Linux nas-dsm 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64 GNU/Linux
georg@nas-dsm:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
georg@nas-dsm:~$ apt-cache policy dropbear-initramfs
dropbear-initramfs:
Installiert: 2022.83-1
Installationskandidat: 2022.83-1
Versionstabelle:
*** 2022.83-1 500
500 http://ftp.de.debian.org/debian bookworm/main amd64 Packages
100 /var/lib/dpkg/status
georg@nas-dsm:~$ tree /etc/dropbear/
/etc/dropbear/
├── dropbear_dss_host_key -> initramfs/dropbear_dss_host_key
├── dropbear_ecdsa_host_key -> initramfs/dropbear_ecdsa_host_key
├── dropbear_ed25519_host_key -> initramfs/dropbear_ed25519_host_key
├── dropbear_rsa_host_key -> initramfs/dropbear_rsa_host_key
└── initramfs
    ├── authorized_keys
    ├── dropbear.conf
    ├── dropbear_dss_host_key
    ├── dropbear_ecdsa_host_key
    ├── dropbear_ed25519_host_key
    └── dropbear_rsa_host_key

2 directories, 10 files

-- System Information:
Debian Release: 12.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing-proposed-updates-debug'), (500, 'testing-proposed-updates'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dropbear-initramfs depends on:
ii busybox-static [busybox] 1:1.35.0-4+b3
pn dropbear-bin <none>
ii initramfs-tools 0.142
ii udev 252.6-1

Versions of packages dropbear-initramfs recommends:
ii cryptsetup-initramfs 2:2.6.1-4~deb12u1

dropbear-initramfs suggests no packages.

Guilhem Moulin

Jun 4, 2023, 1:00:06 PM
Control: tag -1 moreinfo unreproducible

Hi,

On Sun, 04 Jun 2023 at 10:41:56 +0200, Georg Gast wrote:
> But dropbear did not start as it was complaining about the missing dss host
> key.
> […]
> If I delete /etc/dropbear/initramfs/dropbear_dss_host_key and generate a new
> one with
> dropbearkeygen -t dss -f /etc/dropbear/initramfs/dropbear_dss_host_key
> in the rescue shell, dropbear starts.

Which version of the dropbear-bin package is that? 2022.83-1 doesn't
support DSS, see the NEWS-file.

> Versions of packages dropbear-initramfs depends on:
> ii busybox-static [busybox] 1:1.35.0-4+b3
> pn dropbear-bin <none>
> ii initramfs-tools 0.142
> ii udev 252.6-1

dropbear-initramfs=2022.83-1 has ‘Depends: dropbear-bin (>= 2022.83-1)’,
so it can skip over DSS key generation when dependencies are fulfilled.

--
Guilhem.
Michael Meier

Jun 30, 2023, 12:30:04 PM
I've had the same problem. Took me quite some time to realize why
nothing is working.
I'm using debian bookworm.

dropbear-initramfs:
Installed: 2022.83-1

dropbear-bin:
Installed: 2022.83-1

I had to edit the file /usr/share/initramfs-tools-hooks so it also
copies the dss key:
< for keytype in dss rsa ecdsa ed25519; do
---
> for keytype in rsa ecdsa ed25519; do

then

dropbearkey -t dss -f /etc/dropbear/initramfs/dropbear_dss_host_key

update-initramfs -u

And finally, dropbear could be started!

The option DROPBEAR_OPTIONS="-E" should be default, so the user gets
some kind of error message if something is not working. Would have saved
me an hour or so...

Guilhem Moulin

Jun 30, 2023, 5:40:10 PM
On Fri, 30 Jun 2023 at 11:14:35 -0500, Michael Meier wrote:
> I had to edit the file /usr/share/initramfs-tools-hooks so it also copies the dss key:

src:dropbear doesn't ship that file, do you mean /usr/share/initramfs-tools/hooks/dropbear?

> The option DROPBEAR_OPTIONS="-E" should be default, so the user gets some
> kind of error message if something is not working. Would have saved me an
> hour or so...

-E is the default in debug mode… Need a debug trace anyway to track
this down, because it works just fine here (and in ci).

--
Guilhem.
Michael Meier

Aug 8, 2023, 11:00:04 AM
Sorry for the late reply, I've been on vacation.

OK, as it seems, everything I've mentioned was just wrong.

The problem was/is that if the root filesystem is not encrypted,
dropbear-initramfs does nothing besides showing cryptic error messages.

In my defense, as it seems I haven't been the only person with that
problem; I've found it in several forums, without answers ;-).

Possible solutions are:

- Encrypt rootfs (Haven't got permission to do so)

- in /etc/crypttab, add "initramfs" as a parameter to the corresponding
partition

Maybe mentioning that in

/usr/share/doc/dropbear-initramfs/initrfamfs.README

would help future users.

Even more helpful would probably be, that

update-initramfs

would spit out a message that no encrypted fs has been found.

Hope you didn't lose too much time trying to reproduce the error. Sorry.
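The two ways this thread went wrong, a host key the hook expects being absent from /etc/dropbear/initramfs and no /etc/crypttab entry carrying the "initramfs" option (so cryptsetup-initramfs never pulls dropbear into the initrd, as Michael Meier's last message describes), can both be checked before running update-initramfs. The script below is an added example written for this page; it is not part of the bug report, of src:dropbear or of its initramfs hook. It assumes the crypttab field layout (target, source, key file, comma-separated options) and takes the key-type list rsa ecdsa ed25519 from the hook loop quoted above; the sample crypttab it writes is constructed for the demonstration, and on a real system you would point it at /etc/crypttab and /etc/dropbear/initramfs instead.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the dropbear package.
# Pre-flight checks for dropbear-initramfs: does any crypttab entry carry
# the "initramfs" option, and are the host keys the hook copies present?

# Return 0 if at least one non-comment crypttab entry lists "initramfs"
# among its options (4th field, comma-separated), 1 otherwise.
crypttab_has_initramfs() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            n = split($4, opts, ",")     # options field; empty if absent
            for (i = 1; i <= n; i++)
                if (opts[i] == "initramfs") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Return 0 if dropbear_<type>_host_key exists and is non-empty in the given
# directory for every key type passed; list missing files on stderr.
host_keys_present() {
    dir="$1"; shift
    missing=0
    for keytype in "$@"; do
        f="$dir/dropbear_${keytype}_host_key"
        if [ ! -s "$f" ]; then
            echo "missing host key: $f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run both checks; return non-zero if either would leave dropbear unusable
# in the initrd. Key types follow the hook loop quoted in the thread
# (2022.83 no longer generates a dss key, so dss is not required).
preflight() {
    crypttab="$1" keydir="$2"
    rc=0
    if crypttab_has_initramfs "$crypttab"; then
        echo "crypttab: an entry has the initramfs option; dropbear will be included in the initrd"
    else
        echo "crypttab: no entry has the initramfs option; dropbear-initramfs will do nothing at boot" >&2
        rc=1
    fi
    if host_keys_present "$keydir" rsa ecdsa ed25519; then
        echo "host keys: rsa, ecdsa and ed25519 present in $keydir"
    else
        rc=1
    fi
    return $rc
}

# Constructed sample crypttab (placeholder UUID, not a real system's): the
# entry lacks "initramfs", reproducing the situation from the last message.
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# <target name> <source device> <key file> <options>
data_crypt UUID=PLACEHOLDER-UUID none luks,discard
EOF
}

# Demo on the constructed input; on a real host run:
#   preflight /etc/crypttab /etc/dropbear/initramfs
tmpdir=$(mktemp -d)
write_sample_crypttab "$tmpdir/crypttab"
preflight "$tmpdir/crypttab" "$tmpdir" || echo "preflight found problems (expected for the constructed sample)"
rm -rf "$tmpdir"
```

A non-zero exit from preflight is the point at which to fix /etc/crypttab or generate the missing key, before update-initramfs -u builds an initrd that boots without a reachable dropbear.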