On Sun, 02 Jul 2017 at 17:33:00 -0400, Antoine Beaupré wrote:
> On 2017-07-02 23:16:22, Guilhem Moulin wrote:
>> Control: tag -1 = pending
>>
>> On Sun, 02 Jul 2017 at 17:03:53 -0400, Antoine Beaupré wrote:
>>> Maybe what is needed then is simply a patch to the motd to warn the user
>>> the command may need to be called multiple times? Or just loop over the
>>> devices as you suggested before?
>>
>> I have implemented the latter already :-) Not super happy about it as it
>> relies on dropbear to clean up the session properly (also implemented,
>> should be in dropbear-initramfs 2017.75-2), but it does the job.
>>
>> By the way adding a command= authorized_keys(5) option works fine, too
>> :-)
>>
>> $ sudo sed -nr 's/\s.*//p' /etc/dropbear-initramfs/authorized_keys
>>
>> no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"
>
> ah that's neat too. the only problem is it won't work until that
> workaround of yours is shipped... in stretch, in my case! ;)

That should already work, but to execute the script twice you'll need to
connect twice to the remote host.

> do i still need the IFDOWN=none hack now? i feel that i won't be able to
> run the unlock script multiple times if i remove that tweak...

That should still work because the cryptroot boot script is run at
local-top and local-block time, while the network is currently brought
down afterwards (local-bottom) and dropbear is killed last (init-bottom).
Unfortunately this means that if your shell is still open when the
network goes away, the SSH connection will hang until it times out.
But if you issue two SSH connections (with a forced command) you
shouldn't have this problem as the command should have time to exit
properly.

-- 
Guilhem.
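As an added example (not part of the thread, and not cryptsetup's or dropbear-initramfs's own code), here is a POSIX shell audit for the restricted authorized_keys form Guilhem shows above. restrict_key prints one key in that form; audit_authorized_keys walks a file and prints the line numbers of any entry that has no options at all, lacks command="/bin/cryptroot-unlock", or is missing one of the three no-*-forwarding options, returning non-zero if anything is found. The file path, the sample keys and the exact option set being enforced are assumptions taken from the single line quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread or either package.
# Audits /etc/dropbear-initramfs/authorized_keys style files for the
# forced-command form quoted in the thread.  The option set below is an
# assumption based on that one line; sample keys are constructed.

# Print a public key ("<type> <base64> [comment]") as a restricted entry.
restrict_key() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# Walk an authorized_keys file.  For every non-empty, non-comment line,
# require the forced command and all three no-*-forwarding options.
# Prints offending line numbers to stdout; returns 1 if any were found.
audit_authorized_keys() {
    _file=$1
    _rc=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in
            ''|'#'*) continue ;;
        esac
        # Options (comma separated, no spaces) precede the key type.
        # A line starting with the key type itself carries no options.
        _opts=${_line%% *}
        case $_opts in
            ssh-*|ecdsa-*|sk-*) echo "$_n"; _rc=1; continue ;;
        esac
        case ",$_opts," in
            *',command="/bin/cryptroot-unlock",'*) ;;
            *) echo "$_n"; _rc=1; continue ;;
        esac
        for _o in no-port-forwarding no-agent-forwarding no-X11-forwarding; do
            case ",$_opts," in
                *",$_o,"*) ;;
                *) echo "$_n"; _rc=1; break ;;
            esac
        done
    done < "$_file"
    return $_rc
}
```

Run it against the real file with `audit_authorized_keys /etc/dropbear-initramfs/authorized_keys` (as root) after editing the file and before rebuilding the initramfs; a clean exit status means every key that can reach the initramfs dropbear is pinned to /bin/cryptroot-unlock.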