Upgraded from Stretch to Buster on a machine that has an encrypted disk. I had configured the boot process to allow the disk to be unlocked via SSH, using dropbear.
When it was all set up back in 2017, on connecting via SSH, there was a terminal prompt that said "use cryptroot-unlock" to unlock the disk. Sure enough you entered "cryptroot-unlock" and were prompted for a password.
Come upgrade to Buster, and that message is gone. You now just get a regular terminal prompt. You can still enter "cryptroot-unlock" and continue as before. But there's no message.
This matters, because the person I set this up for had a screenshot showing them what to do when, and with a different screen they were lost.
Not really a bug, but it's a change which has had an effect, so thought I'd note it here. Although if anyone can explain the rationale behind the change (apart from shaving a few bytes off the final image) I'd be interested.
Buster version of dropbear changed (cryptroot-unlock message)
- ruwolf
Re: Buster version of dropbear changed (cryptroot-unlock message)
I do not know, but according to the Debian changelog it may be due to CVE-2018-15599?
Re: Buster version of dropbear changed (cryptroot-unlock message)
Well I don't know either. Just had to reboot again, and once again noticed it's missing - also missing from the "help" text.
So if anyone else is following a guide on setting up SSH access to allow a remote drive to be decrypted before boot, then be aware that you won't be told the command you need is "cryptroot-unlock" - you just have to know it.
One way of keeping things secure, I guess.
Re: Buster version of dropbear changed (cryptroot-unlock message)
OK, so a bit of further digging reveals that the message appears to be originating in a file in the "cryptsetup" package in Debian.

The initramfs part has been refactored so that the stretch file
Code:
~/initramfs/cryptroot-unlock-hook
is now
Code:
~/initramfs/hooks/cryptroot-unlock

In that file is the section:
Code:
if [ -f /etc/initramfs-tools/etc/motd ]; then
copy_file text /etc/initramfs-tools/etc/motd /etc/motd
else
cat >>"$DESTDIR/etc/motd" <<- EOF
To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`.
EOF
fi

So it looks like for some reason my "motd" file isn't set up properly.
- p.H (Global Moderator)
Re: Buster version of dropbear changed (cryptroot-unlock message)
Does /etc/initramfs-tools/etc/motd exist on your system?
If yes, the hook script just copies it into the initramfs. If no, it creates one with the expected message.
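To make the hook's two branches concrete, here is an added example (not code from the thread, the cryptsetup package or initramfs-tools) that reproduces the motd logic in a scratch directory and adds the check a practitioner would run on an unpacked initrd: does its /etc/motd actually name the cryptroot-unlock command? The copy_file stand-in, the build_motd and motd_mentions_unlock function names, and all paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the cryptsetup package:
# it reproduces the motd logic of the quoted initramfs hook in a scratch
# directory, and adds the check that an extracted initrd's /etc/motd
# actually tells the user about cryptroot-unlock.
# Assumptions (constructed for this example): copy_file is a plain cp
# stand-in for the initramfs-tools helper, and the DESTDIR/source paths
# are temporary directories rather than a real initramfs build tree.

# Stand-in for initramfs-tools' copy_file: copy $2 to $3 under $DESTDIR.
# The real helper takes a type word ($1, here "text") that we ignore.
copy_file() {
    mkdir -p "$DESTDIR$(dirname "$3")"
    cp "$2" "$DESTDIR$3"
}

# build_motd SRC_MOTD DESTDIR
# Mirrors the hook: if the admin supplied SRC_MOTD, copy it into the
# initramfs; otherwise write the default hint (heredoc kept unindented
# because this example uses plain <<EOF rather than the hook's <<- EOF).
build_motd() {
    src=$1
    DESTDIR=$2
    mkdir -p "$DESTDIR/etc"
    if [ -f "$src" ]; then
        copy_file text "$src" /etc/motd
    else
        cat >>"$DESTDIR/etc/motd" <<EOF
To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`.
EOF
    fi
}

# motd_mentions_unlock FILE
# Exit 0 only if FILE exists and names the cryptroot-unlock command; this is
# the check to run on /etc/motd of an unpacked initrd before relying on it.
motd_mentions_unlock() {
    [ -f "$1" ] && grep -q 'cryptroot-unlock' "$1"
}

# Demonstration on two constructed scratch trees.
demo() {
    work=$(mktemp -d)
    # Case 1: no admin motd, so the hook must generate the default hint.
    build_motd "$work/no-such-motd" "$work/initrd-default"
    motd_mentions_unlock "$work/initrd-default/etc/motd" \
        && echo "default motd names cryptroot-unlock: OK"
    # Case 2: an admin motd that omits the command is copied as-is, and the
    # check reports the gap instead of silently passing.
    printf 'Welcome to the rescue shell.\n' >"$work/custom-motd"
    build_motd "$work/custom-motd" "$work/initrd-custom"
    motd_mentions_unlock "$work/initrd-custom/etc/motd" \
        || echo "custom motd lacks the cryptroot-unlock hint: fix /etc/initramfs-tools/etc/motd"
    rm -rf "$work"
}

demo
```

On a real system, unpack the image with unmkinitramfs (from initramfs-tools) and point motd_mentions_unlock at the extracted etc/motd (under a main/ subdirectory when the image carries an early-microcode section). If that check passes, as it does later in this thread, the hook has done its job and the missing banner has to be explained on the dropbear side.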
Re: Buster version of dropbear changed (cryptroot-unlock message)
Another one, http://forums.debian.net/viewtopic.php? ... 47#p725135
Maybe instead of starting a new thread, and then referring back to the original, just answer what is asked here; your responses are needed to determine what has changed, and why, etc.
See: http://forums.debian.net/viewtopic.php?f=30&t=10653 Forum guidelines. Please read before first post!
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
Re: Buster version of dropbear changed (cryptroot-unlock message)
p.H wrote:
Does /etc/initramfs-tools/etc/motd exist on your system?
If yes, the hook script just copies it into the initramfs. If no, it creates one with the expected message.

No it doesn't. But I still don't see the message. That's assuming we are looking at the /etc on my machine, not the /etc that gets built into initrd???
E2A: I've unpacked my /boot/initrd.img-4.19.0-10-amd64, and there is /etc/motd, which contains:
Code:
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.
To unlock root-partition run unlock
Re: Buster version of dropbear changed (cryptroot-unlock message)
Possible explanation here:
https://matt.ucc.asn.au/dropbear/CHANGES
- Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor

E2A:
Code:
xxxx@DellDesktop:~/tmp$ dropbear -V
Dropbear v2018.76

So hopefully when v79 is packaged with Debian, the problem is fixed.

E2A:
And here's the horse's mouth:
https://github.com/mkj/dropbear/pull/87

zciendor commented on 6 Jan:
The man page (https://github.com/mkj/dropbear/blob/master/dropbear.8) says MOTD will be printed by default for any login shell, but it was disabled at compile time. Probably happened by accident when this code was moved from options.h to default_options.h.

Commit 7f1a885: MOTD enabled by default as the manpage says

zciendor commented on 6 Jan:
I realized this because in Debian stretch this still worked but in buster it is broken, so I compared the sources between the stretch package and buster package.