Hi Antoine,

On Sat, 01 Jul 2017 at 13:35:20 -0400, Antoine Beaupre wrote:
> I used to have a custom initramfs script that would do that for me in
> jessie, but since the stretch upgrade, it stopped working, and I'm not
> exactly sure why: I just don't get the prompt on the SSH commandline
> at all anymore when I run my script.
Could actually be a problem with dropbear's hook scripts. From 2015.68-1's
changelog:

  + Bring down interfaces and flush IP routes and addresses before exiting
    the ramdisk, to avoid dirty network configuration in the regular kernel.
    (Closes: #715048, #720987, #720988.) The interfaces considered are those
    matching the $DROPBEAR_IFDOWN shell pattern (default: '*'); the special
    value 'none' keeps all interfaces up and preserves routing tables and
    addresses.

But that script is run at local-bottom stage, so just after the local root
FS has been mounted. (At the time I chose it rather than init-bottom
because for NFS mounts you clearly don't want to bring down the interface
;-) Since devices needed to mount / are the first ones to be unlocked, the
network interface is brought down before you have a chance to remotely
type in your password for other devices :-/

Does setting “IFDOWN=none” (the option was later renamed) in
/etc/dropbear-initramfs/config solve your problem? Please file a bug
against dropbear-initramfs if it does.

> The normal "cryptroot-unlock" program doesn't work either for multiple
> partitions.

That's something which would be nice to have, indeed. In principle it
should work (at least if the network interface was up) if you were to
reconnect for each disk, but I see some benefits in using the same script
for all passphrase prompts ;-)

I'll need to test this, but AFAICT a while loop would be enough as
dropbear's cleanup script kills the sshd and all its children (hence the
script itself) at init-bottom stage.

Cheers,
-- 
Guilhem.