Thanks.
I confirm it does not work on my side (with 3 different syntaxes):
matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'
+ ssh -T [email protected]
Please unlock disk md1_crypt
cryptsetup: cryptsetup failed, bad password or options?
++ printf '\033]0;%s@%s:%s\007' matthieu terminator '~'
++ __systemd_osc_context_precmdline
++ local systemd_exitstatus=1
++ '[' -n b00bbf50-b58a-4b10-ae2f-4cf43bc53419 ']'
++ '[' 1 -ge 127 ']'
++ '[' 1 -ne 0 ']'
++ printf '\033]3008;end=%s;exit=failure;status=%s\033\'
b00bbf50-b58a-4b10-ae2f-4cf43bc53419 1
++ '[' -z f8634290-25bf-4924-8619-03825b34a790 ']'
+++ __systemd_osc_context_common
+++ printf ';user=%s;hostname=%s;machineid=%s;bootid=%s;pid=%s' matthieu
terminator 93618b5697ca460ca18746b74647bea2
50194169-7d67-457d-bec3-beba55ee8b6e 19336
+++ __systemd_osc_context_escape /home/matthieu
+++ echo /home/matthieu
+++ sed -e 's/\\/\\x5x/g' -e 's/;/\\x3b/g'
++ printf '\033]3008;start=%s%s;type=shell;cwd=%s\033\'
f8634290-25bf-4924-8619-03825b34a790
';user=matthieu;hostname=terminator;machineid=93618b5697ca460ca18746b74647bea2;bootid=50194169-7d67-457d-bec3-beba55ee8b6e;pid=19336'
/home/matthieu
++ read -r systemd_osc_context_cmd_id
++ __vte_precmd
++ local errsv=1
++ __vte_termprop_set vte.shell.postexec 0
++ local errsv=0
++ printf '\033]666;%s=%s\033\\' vte.shell.postexec 0
++ return 0
++ __vte_termprop_signal vte.shell.precmd
++ local errsv=0
++ printf '\033]666;%s!\033\\' vte.shell.precmd
++ return 0
++ return 1
++ __vte_osc7
++ local errsv=1
+++ /usr/libexec/vte-urlencode-cwd
++ printf '\033]7;file://%s%s\033\' terminator /home/matthieu
++ return 1
matthieu@terminator:~$ ssh -T [email protected] <<<passphrase
+ ssh -T [email protected]
Please unlock disk md1_crypt
cryptsetup: cryptsetup failed, bad password or options?
++ printf '\033]0;%s@%s:%s\007' matthieu terminator '~'
++ __systemd_osc_context_precmdline
++ local systemd_exitstatus=1
++ '[' -n 360da059-c3ef-44b9-991e-4c4b7076c00d ']'
++ '[' 1 -ge 127 ']'
++ '[' 1 -ne 0 ']'
++ printf '\033]3008;end=%s;exit=failure;status=%s\033\'
360da059-c3ef-44b9-991e-4c4b7076c00d 1
++ '[' -z f8634290-25bf-4924-8619-03825b34a790 ']'
+++ __systemd_osc_context_common
+++ printf ';user=%s;hostname=%s;machineid=%s;bootid=%s;pid=%s' matthieu
terminator 93618b5697ca460ca18746b74647bea2
50194169-7d67-457d-bec3-beba55ee8b6e 19336
+++ __systemd_osc_context_escape /home/matthieu
+++ echo /home/matthieu
+++ sed -e 's/\\/\\x5x/g' -e 's/;/\\x3b/g'
++ printf '\033]3008;start=%s%s;type=shell;cwd=%s\033\'
f8634290-25bf-4924-8619-03825b34a790
';user=matthieu;hostname=terminator;machineid=93618b5697ca460ca18746b74647bea2;bootid=50194169-7d67-457d-bec3-beba55ee8b6e;pid=19336'
/home/matthieu
++ read -r systemd_osc_context_cmd_id
++ __vte_precmd
++ local errsv=1
++ __vte_termprop_set vte.shell.postexec 0
++ local errsv=0
++ printf '\033]666;%s=%s\033\\' vte.shell.postexec 0
++ return 0
++ __vte_termprop_signal vte.shell.precmd
++ local errsv=0
++ printf '\033]666;%s!\033\\' vte.shell.precmd
++ return 0
++ return 1
++ __vte_osc7
++ local errsv=1
+++ /usr/libexec/vte-urlencode-cwd
++ printf '\033]7;file://%s%s\033\' terminator /home/matthieu
++ return 1
matthieu@terminator:~$ ssh -T [email protected] <<< 'passphrase'
+ ssh -T [email protected]
Please unlock disk md1_crypt
cryptsetup: maximum number of tries exceeded for md1_crypt
++ printf '\033]0;%s@%s:%s\007' matthieu terminator '~'
++ __systemd_osc_context_precmdline
++ local systemd_exitstatus=1
++ '[' -n e2197e5b-b7d5-4bbd-b145-40bebf0608a9 ']'
++ '[' 1 -ge 127 ']'
++ '[' 1 -ne 0 ']'
++ printf '\033]3008;end=%s;exit=failure;status=%s\033\'
e2197e5b-b7d5-4bbd-b145-40bebf0608a9 1
++ '[' -z f8634290-25bf-4924-8619-03825b34a790 ']'
+++ __systemd_osc_context_common
+++ printf ';user=%s;hostname=%s;machineid=%s;bootid=%s;pid=%s' matthieu
terminator 93618b5697ca460ca18746b74647bea2
50194169-7d67-457d-bec3-beba55ee8b6e 19336
+++ __systemd_osc_context_escape /home/matthieu
+++ echo /home/matthieu
+++ sed -e 's/\\/\\x5x/g' -e 's/;/\\x3b/g'
++ printf '\033]3008;start=%s%s;type=shell;cwd=%s\033\'
f8634290-25bf-4924-8619-03825b34a790
';user=matthieu;hostname=terminator;machineid=93618b5697ca460ca18746b74647bea2;bootid=50194169-7d67-457d-bec3-beba55ee8b6e;pid=19336'
/home/matthieu
++ read -r systemd_osc_context_cmd_id
++ __vte_precmd
++ local errsv=1
++ __vte_termprop_set vte.shell.postexec 0
++ local errsv=0
++ printf '\033]666;%s=%s\033\\' vte.shell.postexec 0
++ return 0
++ __vte_termprop_signal vte.shell.precmd
++ local errsv=0
++ printf '\033]666;%s!\033\\' vte.shell.precmd
++ return 0
++ return 1
++ __vte_osc7
++ local errsv=1
+++ /usr/libexec/vte-urlencode-cwd
++ printf '\033]7;file://%s%s\033\' terminator /home/matthieu
++ return 1
matthieu@terminator:~$
I'm also sure that it worked with Debian 12 (with the same passphrase).
I never had an issue with this method before upgrading to Debian 13 Trixie.
I always used the above commands or this Ansible task:
- name: Unlock LUKS with ssh
  delegate_to: localhost
  command:
    cmd: "ssh -tt root@{{ dropbear_ip }}"
    stdin: "{{ luks_pwd }}"
  failed_when: false
Let me know if you need more information.
Matthieu
On Fri, 5 Dec 2025 17:11:09 +0100 Guilhem Moulin wrote:
> Control: tag -1 - unreproducible
> Control: retitle -1 dropbear-initramfs: Can't put password through stdin when a pty has been allocated
>
> That's not the log trace I asked, but I confirm `ssh -tt
> root@remote_server <<> doesn't work on Trixie. Neither does it on
> Bookworm, so this is not a
> regression. I don't know which of the SSH client or server is “at
> fault” here, but AFAIK it's the intended behavior: the standard
> input/output/error are redirected from /dev/tty not
> /dev/std{in,out,err}.
>
> What is the use case for forcing pseudo-terminal allocation while
> unlocking via stdin redirection? It might also break if the passphrase
> contains special characters. The following alternatives disable
> pseudo-terminal allocation, either implicitly by specifying a command,
> or explicitly via `-T` flag.
>
>   $ ssh root@remote_server /nonexistent <<>
>   $ ssh -T root@remote_server <<>
>
> A third alternative is to use the `no-pty` restriction in the
> authorized_keys file. AFAICT all 3 alternatives work on both Trixie and
> Bookworm systems.
>
> --
> Guilhem.
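
Added example, not part of either message or of dropbear-initramfs: a small lint that automation can run over an ssh argument list before feeding a passphrase on stdin, flagging the forced-pty case (`-tt`) discussed above. The function names are hypothetical, and the option handling is a simplified model of the OpenSSH client's `-t`/`-T`/`-o RequestTTY` behaviour.

```shell
# Added example. Classify the arguments that follow "ssh" by the RequestTTY
# state they produce: unset | no | yes | force | auto.
# Assumptions: OpenSSH client semantics (-t => yes, second -t => force,
# -T => no, -o RequestTTY only applies if not already set); value-taking
# options are given separately ("-p 22") or attached ("-p22").
ssh_request_tty() {
    tty=unset
    while [ $# -gt 0 ]; do
        arg=$1; shift
        if [ "$arg" = -o ]; then
            [ $# -gt 0 ] || break
            arg=-o$1; shift
        fi
        case $arg in
            -o*)
                kv=$(printf '%s' "${arg#-o}" | tr 'A-Z' 'a-z' | tr ' ' '=')
                case $kv in
                    requesttty=*)
                        if [ "$tty" = unset ]; then tty=${kv#requesttty=}; fi ;;
                esac ;;
            -[BbcDEeFIiJLlmOpQRSWw]) if [ $# -gt 0 ]; then shift; fi ;;
            -[BbcDEeFIiJLlmOpQRSWw]?*) ;;   # value attached, nothing to skip
            --) break ;;
            -?*)                             # cluster of flags such as -tt or -At
                flags=${arg#-}
                while [ -n "$flags" ]; do
                    rest=${flags#?}; f=${flags%"$rest"}; flags=$rest
                    case $f in
                        t) if [ "$tty" = yes ]; then tty=force; else tty=yes; fi ;;
                        T) tty=no ;;
                    esac
                done ;;
            *) break ;;                      # destination reached
        esac
    done
    printf '%s\n' "$tty"
}

# Succeeds unless a pty is forced, the case in which stdin redirection of the
# passphrase is reported not to work.
stdin_unlock_ok() {
    if [ "$(ssh_request_tty "$@")" = force ]; then
        echo "pty forced (-tt / RequestTTY=force): do not pipe the passphrase" >&2
        return 1
    fi
    return 0
}
```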