Bug#714952: cryptsetup: The dropbear portion of README.Debian does not mention host key issues

Thu, 04 Jul 2013 08:39:50 -0700 

Package: cryptsetup
Version: 2:1.4.3-4
Severity: minor
Tags: patch


Hi,

Section 8 of the README.Debian does not mention that the dropbear
default is to use host keys in the initramfs that differ from the
system's regular host keys.  This can cause problems with host key
checking.

The attached patch README.Debian.patch (patched against sid
cryptsetup-1.6.1) adds additional information regarding this issue.

Regards,

Karl O. Pinc

--- README.Debian.orig	2013-07-04 10:24:24.141447222 -0500
+++ README.Debian	2013-07-04 10:25:33.423820089 -0500
@@ -217,8 +217,19 @@
 
 $ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa
 
- Now the remote system should start dropbear automatically during initramfs
-excecution at the boot process. You can login into the initramfs via ssh
+ The remote system should start dropbear automatically during the boot
+process's initramfs execution making it possible to ssh to the remote
+system and supply the rootfs passphrase.  Because the initramfs is
+kept in an unencrypted partition the default dropbear configuration
+uses a different host key in the initramfs than the remote system's
+normal host key.  This means some care must be taken when connecting
+to the remote system so that host key checking does not interfere with
+ssh connection establishment.  When using the OpenSSH client either
+the "-o StrictHostKeyChecking=no" or the "-o
+UserKnownHostsFile=alternate_known_hosts" options are some available
+choices.
+
+You can login into the initramfs via ssh (modified per above)
 
 $ ssh -i remote_rsa -l root remote.system.com
 
@@ -229,6 +240,14 @@
  That's it. Now that the encrypted root device is unlocked, the remote system
 should continue with the boot process.
 
+Should it be desirable to have the remote system use the same host key
+during the boot process as during regular system operation the
+following steps may be taken.
+
+# cp -a /etc/dropbear/dropbear_{dsa,rsa}_host_key \
+        /etc/initramfs-tools/etc/dropbear/
+# update-initramfs -u -k all
+
  /usr/share/doc/cryptsetup/README.remote.gz is a documentation with more
 details on the setup of an initramfs with suppurt to remotely unlock the
 encrypted rootfs.

Reply via email to