Your message dated Tue, 16 Jun 2020 02:33:37 +0000
with message-id <[email protected]>
and subject line Bug#934753: fixed in dropbear 2020.79-1
has caused the Debian Bug report #934753,
regarding dropbear-initramfs: please add an autopkgtest
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
934753: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934753
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dropbear-initramfs
Severity: wishlist

Hi,

when I upgraded my Squeeze box to Jessie, remote unlocking via dropbear
in my initramfs stopped working. This is a remote host in a datacenter,
so I cannot directly investigate the issue.

I propose to add an autopkgtest for dropbear-initramfs to make sure that
the functionality continues to work even as the packages around it
change over time.

I attached a shell script which uses qemu to prepare a system with an
unencrypted /boot, and / and swap on LVM on LUKS, which I guess is the
classical layout. It then boots that system and unlocks the root filesystem
through dropbear in the initramfs, so the test exercises the whole path.

If you like the script, then I could prepare a patch against
src:dropbear which implements an autopkgtest that runs the script.

Thanks!

cheers, josch
#!/bin/sh
#
# Build a Debian VM whose root filesystem lives on LVM on LUKS with dropbear
# in the initramfs, then check that the LUKS volume can be unlocked remotely
# through dropbear. Intended as an autopkgtest for dropbear-initramfs.
#
# Two stages: a throwaway installer VM (unencrypted disk, plain sshd) prepares
# the encrypted target disk, and a second boot from that disk alone exercises
# the dropbear unlock path.

# -e: stop at the first failing command, -x: trace into the log, -u: treat
# unset variables as errors.
set -exu

# Host-key checking is switched off on purpose: the peer is a freshly built
# throwaway VM whose host key is unknown to us and changes with every rebuild.
# This is only acceptable because the VM is reached through a QEMU port
# forward on the local machine, never across a real network.
ssh_opts="-oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i id_rsa"
ssh="ssh $ssh_opts"

# Packages for the installer VM: bootable kernel + init, sshd so the host can
# drive it, DHCP networking, and the storage tooling (LVM, cryptsetup,
# parted/fdisk) plus mmdebstrap to build the target system.
pkgs=linux-image-amd64,openssh-server,systemd-sysv,libpam-systemd,policykit-1
pkgs=$pkgs,iproute2,util-linux,e2fsprogs,ifupdown,net-tools,netbase
pkgs=$pkgs,iputils-ping,isc-dhcp-client,lvm2,parted,cryptsetup
pkgs=$pkgs,dropbear-initramfs,busybox,fdisk,mmdebstrap,udev

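# Stage 1: build the installer system as a tarball. Root and "user" get their
# passwords deleted (empty) so the serial console needs no login. That is
# only tolerable for a throwaway VM that is never reachable from outside the
# host; the host drives it over ssh with the generated key, not a password.
# Each hook must stay on one line: a redirection split across lines is a
# syntax error when the hook runs.
mmdebstrap --mode=unshare --variant=apt --include="$pkgs" \
        --customize-hook='chroot "$1" passwd --delete root' \
        --customize-hook='chroot "$1" useradd --home-dir /home/user --create-home user' \
        --customize-hook='chroot "$1" passwd --delete user' \
        --customize-hook='echo host > "$1/etc/hostname"' \
        --customize-hook='echo "127.0.0.1 localhost host" > "$1/etc/hosts"' \
        --customize-hook='echo "/dev/sda1 / auto errors=remount-ro 0 1" > "$1/etc/fstab"' \
        unstable debian-unstable.tar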

# Empty 2G image that becomes the encrypted target disk: second drive of the
# installer VM, sole drive of the final VM.
fallocate -l 2G crypt.img

# extlinux config for the installer VM: boot straight into the kernel on
# /dev/sda1, console on the serial port so the output lands in qemu1.log.
cat > extlinux.conf << 'END'
default linux
timeout 0

label linux
kernel /vmlinuz
append initrd=/initrd.img root=/dev/sda1 console=ttyS0
END

# DHCP on the QEMU user-mode NIC.
cat > interfaces << 'END'
auto lo
iface lo inet loopback

auto ens3
iface ens3 inet dhcp
END

# Key pair used to reach both the installer's sshd and dropbear. It is
# deliberately unencrypted (-N "") so the script can run unattended, and it
# lives in the working directory; an existing pair there is reused.
if ! [ -e ./id_rsa ] || ! [ -e ./id_rsa.pub ]; then
        ssh-keygen -q -t rsa -f ./id_rsa -N ""
fi

# Assemble the installer VM's disk: a single bootable MBR partition with ext2,
# the mmdebstrap tarball unpacked into it, extlinux as bootloader, and the
# host's public key as root's authorized_keys so the host can log in. The key
# file is made root-owned explicitly (sshd's default StrictModes presumably
# rejects it otherwise — confirm if logins start failing).
guestfish -N debian-unstable.img=disk:2G -- \
        part-disk /dev/sda mbr : \
        part-set-bootable /dev/sda 1 true : \
        mkfs ext2 /dev/sda1 : \
        mount /dev/sda1 / : \
        tar-in debian-unstable.tar / : \
        extlinux / : \
        copy-in extlinux.conf / : \
        copy-in interfaces /etc/network : \
        mkdir /root/.ssh : \
        copy-in id_rsa.pub /root/ : \
        mv /root/id_rsa.pub /root/.ssh/authorized_keys : \
        chown 0 0 /root/.ssh/authorized_keys

# guestfish wrote a raw image; hand qemu a qcow2 copy.
qemu-img convert -O qcow2 debian-unstable.img debian-unstable.qcow2

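# Boot the installer VM with the target disk attached as its second drive.
# Guest sshd (22) is forwarded to host port 10022. The forward is bound to
# 127.0.0.1 explicitly: without a host address QEMU listens on every host
# interface, which would expose the guest's sshd — a root account that
# trusts the unencrypted id_rsa in the working directory — to the network.
qemu-system-x86_64 -enable-kvm -m 4G -net user,hostfwd=tcp:127.0.0.1:10022-:22 \
        -net nic -nographic -serial mon:stdio \
        -drive file=debian-unstable.qcow2 \
        -drive file=crypt.img,format=raw >qemu1.log </dev/null 2>&1 &

QEMUPID=$!

# The VM must not outlive the script if anything below fails.
trap "kill $QEMUPID" EXIT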

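# Poll until sshd in the installer VM answers, at most 10 attempts spaced
# about TIMEOUT seconds apart. sleepenh paces the loop; the `|| [ $? -eq 1 ]`
# tolerates its exit status 1 (presumably "no sleep was needed") under set -e.
# $ssh is expanded unquoted on purpose: it carries the ssh options.
TIMESTAMP=$(sleepenh 0 || [ $? -eq 1 ])
TIMEOUT=3
i=0
while true; do
        rv=0
        $ssh -p 10022 -o ConnectTimeout=$TIMEOUT root@localhost echo success || rv=1
        [ $rv -eq 0 ] && break
        # if the command before took less than $TIMEOUT seconds, wait the
        # remaining time
        TIMESTAMP=$(sleepenh $TIMESTAMP $TIMEOUT || [ $? -eq 1 ])
        i=$((i+1))
        if [ $i -ge 10 ]; then
                break
        fi
done

if [ $i -eq 10 ]; then
        echo "timeout reached: unable to connect to qemu via ssh" >&2
        exit 1
fi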

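# Stage 2, run inside the installer VM: partition the target disk, set up
# LUKS -> LVM -> root + swap, install a second Debian onto it with grub and
# a dropbear-enabled initramfs, then release the volumes again.
#
# The whole script travels on ssh's stdin (quoted heredoc, nothing is
# expanded on the host). Any remote command that reads stdin would swallow
# the rest of the script, hence the explicit </dev/null and -y below. The
# guest runs with -x, so the trace — including the fixed test passphrase —
# ends up in qemu1.log; never reuse that passphrase for anything real.
$ssh -p 10022 root@localhost << 'SSHSCRIPT'
set -exu

# GPT: 1 MiB BIOS boot partition for grub, ~488 MiB /boot, the rest LUKS.
cat << END | sfdisk /dev/sdb
label: gpt
unit: sectors

start=   2048, size=        2048, type=21686148-6449-6E6F-744E-656564454649
start=   4096, size=      999424, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
start=1003520,                    type=CA7D7CCB-63ED-4C53-861C-1742536059CC
END

fdisk -l

# Passphrase goes in on stdin ("-"), not on the command line, so it does not
# show up in process listings. It is a fixed test value (see the trace note).
printf '%s' myinsecurepassphrase | cryptsetup luksFormat /dev/sdb3 -
printf '%s' myinsecurepassphrase | cryptsetup luksOpen /dev/sdb3 mycrypt
pvcreate /dev/mapper/mycrypt
vgcreate myvg /dev/mapper/mycrypt
lvcreate --name swap --size 15M myvg
mkswap /dev/myvg/swap
swapon /dev/myvg/swap
lvcreate --name root --size 1G myvg
mkfs.ext4 /dev/myvg/root
mkfs.ext2 /dev/sdb2

BOOTUUID=$(blkid -s UUID -o value /dev/sdb2)
SDB3UUID=$(blkid -s UUID -o value /dev/sdb3)
SWAPUUID=$(blkid -s UUID -o value /dev/myvg/swap)

mount /dev/myvg/root /mnt

# need to use /dev/null on stdin because of #934199
mmdebstrap --debug --mode=root --variant=apt unstable /mnt </dev/null

mkdir -p "/mnt/etc/apt/apt.conf.d"
echo 'APT::Install-Recommends "0";' > "/mnt/etc/apt/apt.conf.d/99no-install-recommends"

cat > "/mnt/etc/apt/apt.conf.d/99autoremove" << END
APT::AutoRemove::SuggestsImportant false;
APT::AutoRemove::RecommendsImportant false;
END

mkdir -p "/mnt/etc/default"

# Kernel command line: bring ens3 up via DHCP early so dropbear in the
# initramfs is reachable; serial console so the boot log lands in qemu2.log.
cat > "/mnt/etc/default/grub" << 'END'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="ip=:::::ens3:dhcp cgroup_enable=memory swapaccount=1 console=ttyS0 "
END

cat > "/mnt/etc/fstab" << END
/dev/myvg/root  /     auto    errors=remount-ro 0 1
UUID=$BOOTUUID  /boot auto    defaults          0 2
/dev/myvg/swap  none  swap    sw                0 0
END

# Same empty-password convenience accounts as the installer VM; acceptable
# only because this VM is never exposed beyond the host.
chroot /mnt passwd --delete root
chroot /mnt useradd --home-dir /home/user --create-home user
chroot /mnt passwd --delete user
echo host > "/mnt/etc/hostname"
echo "127.0.0.1 localhost host" > "/mnt/etc/hosts"

cat > "/mnt/etc/crypttab" << END
mycrypt UUID=$SDB3UUID none luks
END

mkdir -p "/mnt/etc/initramfs-tools/conf.d"
echo RESUME=UUID=$SWAPUUID > "/mnt/etc/initramfs-tools/conf.d/resume"

cat > "/mnt/etc/initramfs-tools/conf.d/dropbear" << END
IP=":::::ens3:dhcp"
END

# The key allowed to talk to dropbear in the initramfs is pinned to the
# unlock helper and stripped of all forwarding: a holder of the key can
# enter a passphrase and nothing else.
mkdir -p /mnt/etc/dropbear-initramfs
{ printf '%s' 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ';
  head -1 /root/.ssh/authorized_keys;
} > /mnt/etc/dropbear-initramfs/authorized_keys

# Root of the installed system trusts the same host key pair.
mkdir -p /mnt/root/.ssh
cp /root/.ssh/authorized_keys /mnt/root/.ssh/authorized_keys

mkdir -p /mnt/etc/network/
cat > /mnt/etc/network/interfaces << END
auto lo
iface lo inet loopback

auto ens3
iface ens3 inet dhcp
END

mount -t proc proc "/mnt/proc"
mount -t sysfs sysfs "/mnt/sys"
mount --bind /dev "/mnt/dev"
mount --bind /run "/mnt/run"
mount /dev/sdb2 "/mnt/boot"

# Keep package maintainer scripts from starting services inside the chroot.
cat > "/mnt/usr/sbin/policy-rc.d" << END
#!/bin/sh
echo "sysvinit: All runlevel operations denied by policy" >&2
exit 101
END
chmod +x "/mnt/usr/sbin/policy-rc.d"

export DEBIAN_FRONTEND=noninteractive
export DEBCONF_NONINTERACTIVE_SEEN=true

# -y on every apt action: apt's confirmation prompt would otherwise read its
# answer from our stdin, i.e. from the remainder of this script.
chroot "/mnt" apt-get update
chroot "/mnt" apt-get -y upgrade
chroot "/mnt" apt-get -y dist-upgrade
chroot "/mnt" apt-get -y install lvm2 grub2 linux-image-amd64 openssl \
        cryptsetup dropbear-initramfs busybox udev mount systemd-sysv util-linux \
        e2fsprogs initramfs-tools cryptsetup-initramfs cryptsetup-run console-setup \
        openssh-server ifupdown net-tools netbase iproute2 libpam-systemd policykit-1 \
        iputils-ping isc-dhcp-client

rm "/mnt/usr/sbin/policy-rc.d"

# dropbear listens on 2222 so the initramfs and the real sshd on 22 stay
# distinguishable; the host forwards the two ports separately.
echo 'DROPBEAR_OPTIONS="-p 2222"' >> /mnt/etc/dropbear-initramfs/config

chroot /mnt update-initramfs -u -k all
chroot /mnt grub-install --no-floppy --modules=part_gpt /dev/sdb
chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

# Tear everything down so the disk can be booted on its own.
umount "/mnt/proc"
umount "/mnt/sys"
umount "/mnt/dev"
umount "/mnt/run"
umount "/mnt/boot"
umount "/mnt"
swapoff /dev/myvg/swap
vgchange -an myvg
cryptsetup luksClose mycrypt

SSHSCRIPT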

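# Shut the installer VM down cleanly and wait for qemu to exit. The EXIT trap
# stays armed until the process is really gone, so a failing poweroff (which
# aborts the script under set -e) still kills the VM instead of leaking it.
$ssh -p 10022 root@localhost systemctl poweroff

wait $QEMUPID

trap - EXIT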

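# Boot the freshly installed system from the encrypted disk alone. Two
# forwards, both bound to 127.0.0.1 (QEMU would otherwise listen on every
# host interface): 10022 -> sshd of the booted system, 12222 -> dropbear in
# the initramfs.
qemu-system-x86_64 -enable-kvm -m 4G \
        -net user,hostfwd=tcp:127.0.0.1:10022-:22,hostfwd=tcp:127.0.0.1:12222-:2222 \
        -net nic -nographic -serial mon:stdio \
        -drive file=crypt.img,format=raw >qemu2.log </dev/null 2>&1 &

QEMUPID=$!

# The VM must not outlive the script if anything below fails.
trap "kill $QEMUPID" EXIT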

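# Poll dropbear in the initramfs and hand it the passphrase on stdin. The
# forced command in its authorized_keys runs cryptroot-unlock; a zero exit
# status is taken to mean the volume was unlocked and the boot continues.
# At most 10 attempts, spaced about TIMEOUT seconds apart via sleepenh (its
# exit status 1 is tolerated, presumably "no sleep was needed").
TIMESTAMP=$(sleepenh 0 || [ $? -eq 1 ])
TIMEOUT=3
i=0
while true; do
        rv=0
        printf '%s' myinsecurepassphrase | $ssh -p 12222 -o ConnectTimeout=$TIMEOUT root@localhost || rv=1
        [ $rv -eq 0 ] && break
        # if the command before took less than $TIMEOUT seconds, wait the
        # remaining time
        TIMESTAMP=$(sleepenh $TIMESTAMP $TIMEOUT || [ $? -eq 1 ])
        i=$((i+1))
        if [ $i -ge 10 ]; then
                break
        fi
done

if [ $i -eq 10 ]; then
        echo "timeout reached: unable to unlock the root filesystem via dropbear" >&2
        exit 1
fi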

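# After the unlock, wait for the real sshd of the booted system to answer on
# the other forward, at most 10 attempts about TIMEOUT seconds apart.
TIMESTAMP=$(sleepenh 0 || [ $? -eq 1 ])
TIMEOUT=3
i=0
while true; do
        rv=0
        $ssh -p 10022 -o ConnectTimeout=$TIMEOUT root@localhost echo success || rv=1
        [ $rv -eq 0 ] && break
        # if the command before took less than $TIMEOUT seconds, wait the
        # remaining time
        TIMESTAMP=$(sleepenh $TIMESTAMP $TIMEOUT || [ $? -eq 1 ])
        i=$((i+1))
        if [ $i -ge 10 ]; then
                break
        fi
done

if [ $i -eq 10 ]; then
        echo "timeout reached: unable to reach sshd of the unlocked system" >&2
        exit 1
fi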

# Dump the mount table of the booted system into the log so a reader can see
# / on the LVM volume and /boot on the plain partition; the script does not
# assert on the output. Then shut down and drop the trap only once qemu has
# actually exited.
final_vm="root@localhost"

$ssh -p 10022 "$final_vm" mount

$ssh -p 10022 "$final_vm" systemctl poweroff

wait "$QEMUPID"

trap - EXIT

--- End Message ---
--- Begin Message ---
Source: dropbear
Source-Version: 2020.79-1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jun 2020 02:50:00 +0200
Source: dropbear
Architecture: source
Version: 2020.79-1
Distribution: unstable
Urgency: low
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 934146 934753 943459
Changes:
 dropbear (2020.79-1) unstable; urgency=low
 .
   [ Guilhem Moulin ]
   * New upstream release.  Highlights and potentially breaking changes include
     + Add ed25519 host and client keys support.
     + Add ChaCha20/Poly1305 authenticated cipher support.
     + X11 forwarding is disabled at compile time.
     + AES-CBC and 3DES ciphers are disabled at compile time.
     + Use getrandom() call for entropy collection.
   * debian/README.initramfs: fix path to cryptsetup's README.Debian.gz.
     (Closes: #934146)
   * debian/initramfs/dropbear-hook: Don't mention cryptroot in warning
     messages, only SSH login.
   * debian/initramfs/bottom-dropbear: Wait for dropbear to start before
     bringing the network down. This avoids a race where the network stack was
     not fully configured yet by the time execution is handed over to the
     main system. (Closes: #943459)
   * debian/dropbear.postinst: Remove comparison with ancient version 0.50-4
     (released in 2008).
   * debian/control: dropbear: Add Pre-Depends: ${misc:Pre-Depends}.
   * debian/control: Bump Standards-Version to 4.5.0 (no changes necessary).
   * debian/control: Set 'Rules-Requires-Root: no'.
   * debian/control: Remove duplicate Depends: lsb-base.
   * debian/control: Bump minimum version for libtomcrypt and libtommath.
   * Install dropbearconvert(1) to /usr/bin, and add a compatibility symlink
     in its previous location /usr/lib/dropbear.
 .
   [Johannes 'josch' Schauer]
   * Add autopkgtest to test dropbear-initramfs. (Closes: #934753)
   * Enable Salsa CI tests.
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Add missing dependency on lsb-base.
   * Bump debhelper from old 9 to 12.
   * Drop unnecessary dependency on dh-autoconf.
   * Rely on pre-initialized dpkg-architecture variables.
   * Fix day-of-week for changelog entries 0.32cvs-1, 0.32cvs-1.
   * Wrap long lines in changelog entries: 2014.64-1.
Checksums-Sha1:
 69ac1e9a064c8e7f01a4efc9d6af9a77450e487c 2554 dropbear_2020.79-1.dsc
 fb2a9d0c94508314d5d22bbe8f1316954eb84fee 2290687 dropbear_2020.79.orig.tar.bz2
 1b1960769c5e01ab69c85a09c36c3c93ab13ba2d 833 dropbear_2020.79.orig.tar.bz2.asc
 8a67f0bc3c34251dd1b45b8dc3fe97da53d11db4 29848 dropbear_2020.79-1.debian.tar.xz
 c416c90a3766206a13ac1cf14ab64e1d1ad4a827 6606 
dropbear_2020.79-1_amd64.buildinfo
Checksums-Sha256:
 b23095098f26d71227038b190f3073c74fa71c8dcecd440f06ce797bc19f6df8 2554 
dropbear_2020.79-1.dsc
 084f00546b1610a3422a0773e2c04cbe1a220d984209e033b548b49f379cc441 2290687 
dropbear_2020.79.orig.tar.bz2
 2575a2ea0b9be9923465802cdd8a1c57521a918df0fa9ab8eacd5d2eee7659a1 833 
dropbear_2020.79.orig.tar.bz2.asc
 4ea34172eb10a3fb68e82f621a5f01c3789d3b9dac3f198854a3a6598d23945b 29848 
dropbear_2020.79-1.debian.tar.xz
 7e8c5ef5623f966c27f9540e09d0c852fc95b56297c60af0bfab024cef3a6202 6606 
dropbear_2020.79-1_amd64.buildinfo
Files:
 41dd08bdc9349da1f092cf703d68324e 2554 net optional dropbear_2020.79-1.dsc
 830a7bf6349ac52a39c487d061efb352 2290687 net optional 
dropbear_2020.79.orig.tar.bz2
 d078ae156375746ddc8d9cde9b48c29c 833 net optional 
dropbear_2020.79.orig.tar.bz2.asc
 1af97040b8f6be2f4abf25006f7af639 29848 net optional 
dropbear_2020.79-1.debian.tar.xz
 7a4c15c44a22dba8731fbfd00e055901 6606 net optional 
dropbear_2020.79-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
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=AZh5
-----END PGP SIGNATURE-----

--- End Message ---
