Bug#524728: [mar...@better.se: Bug#524728: dropbear: cryptroot boot broken by dropbear remote unlocking feature]
Hi,

please see http://bugs.debian.org/524728 and below for a bug report with severity grave filed against the dropbear package. The bug report is about the cryptroot remote unlocking on boot feature you contributed to the dropbear package.

Can you please take a look?

Thanks, Gerrit.

- Forwarded message from Marcus Better mar...@better.se -

Subject: Bug#524728: dropbear: cryptroot boot broken by dropbear remote unlocking feature
Reply-To: Marcus Better mar...@better.se, 524...@bugs.debian.org
Date: Sun, 19 Apr 2009 20:27:09 +0200
From: Marcus Better mar...@better.se
User-Agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)
To: 524...@bugs.debian.org
X-Enigmail-Version: 0.95.0

and instead of the usual cryptsetup password prompt, it prints a message about starting dropbear and then stuck.

I should add that it printed IP-Config: eth0 ... and apparently tried to configure eth0 with DHCP, but that interface is not connected to any network. (Perhaps that would eventually time out but my patience with a non-booting laptop is not long.)

Cheers,
Marcus

- End forwarded message -

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#524728: [mar...@better.se: Bug#524728: dropbear: cryptroot boot broken by dropbear remote unlocking feature]
hi!

> and instead of the usual cryptsetup password prompt, it prints a message about starting dropbear and then stuck.
>
> I should add that it printed IP-Config: eth0 ... and apparently tried to configure eth0 with DHCP, but that interface is not connected to any network. (Perhaps that would eventually time out but my patience with a non-booting laptop is not long.)

when your initramdisk is built, you should get the following warning:

    Dropbear has ben added to your initramfs. Don't forget to check your ip= kernel bootparameter to match your desired initramfs ip configuration.

i guess your choices are:

- disable remote cryptroot unlocking completely by adding DROPBEAR=n to /etc/initramfs-tools/initramfs.conf. without dropbear, ip config won't be forced. (don't forget to update-initramfs afterwards to actually make it effective)

- configure your kernel's ip setup on boot (probably in /boot/grub/menu.lst if you're using grub: either add it to the respective 'kernel' line(s) or the '# kopt=' lines) which is done with a kernel boot parameter 'ip='. e.g.:

    ip=none

  (i haven't tested that, but i guess it should do the obvious: prevent any ip configuration on bootup, so you won't be able to connect to your dropbear even if it's being started), or:

    ip=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf

  to configure a static ip setup (see Documentation/nfsroot.txt in the kernel source tree).

i'll put 'see if/how we can push initrd ip config into background' on my 2do list (but don't wait for it).

regards,
Chris
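The two workarounds in the reply above, turned into a pre-reboot check: it reads the DROPBEAR= setting and the ip= kernel parameter and reports whether boot would wait on network autoconfiguration. This is an added example, not part of the original thread or of the dropbear package; the function names, the verdict strings and the rule that a client address with an empty, off or none last field counts as static are assumptions of the example.

```shell
# Effective DROPBEAR= value: last uncommented assignment wins, "unset" if none.
dropbear_setting() {
    val=$(sed -n 's/^[[:space:]]*DROPBEAR=\(.*\)$/\1/p' "$1" 2>/dev/null | tail -n 1)
    val=$(printf '%s' "$val" | tr -d "\"'")
    printf '%s\n' "${val:-unset}"
}

# Value of the last ip= word in a kernel command line (empty if absent).
ip_param() {
    found=
    for word in $1; do
        case $word in ip=*) found=${word#ip=} ;; esac
    done
    printf '%s\n' "$found"
}

# Classify an ip= value laid out as
# client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf
classify_ip() {
    case $1 in
        '')       echo absent;   return ;;
        off|none) echo none;     return ;;
        *:*)      ;;                        # full form, inspected below
        *)        echo autoconf; return ;;  # single value such as ip=dhcp
    esac
    client=${1%%:*}
    autoconf=$(printf '%s\n' "$1" | cut -d: -f7)
    case $client:$autoconf in
        :off|:none)         echo none ;;
        ?*:|?*:off|?*:none) echo static ;;   # assumption: address given, no protocol
        *)                  echo autoconf ;;
    esac
}

# Verdict for config file $1 and command line $2 (assumes only DROPBEAR=n disables).
boot_verdict() {
    [ "$(dropbear_setting "$1")" = n ] && { echo ok-dropbear-off; return; }
    case $(classify_ip "$(ip_param "$2")") in
        static) echo ok-static ;;
        none)   echo ip-off-dropbear-unreachable ;;
        *)      echo warn-boot-waits-for-autoconf ;;
    esac
}

# Constructed sample command lines (not from the thread); /dev/null = no DROPBEAR line.
for c in "root=/dev/mapper/root ro" "ro ip=none" \
         "ro ip=192.0.2.10::192.0.2.1:255.255.255.0:host:eth0:off"; do
    printf '%-30s %s\n' "$(boot_verdict /dev/null "$c")" "$c"
done
```

On a real system, call `boot_verdict /etc/initramfs-tools/initramfs.conf "$(cat /proc/cmdline)"` before rebooting; a changed initramfs.conf only takes effect after update-initramfs, as the reply notes.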
Bug#524728: [mar...@better.se: Bug#524728: dropbear: cryptroot boot broken by dropbear remote unlocking feature]
deb...@x.ray.net skrev:
> when your initramdisk is built, you should get the following warning:

I somehow missed that. Anyway IMHO it's not enough with a warning for a change that is almost guaranteed to render a system unbootable. It should just be off by default.

> - disable remote cryptroot unlocking completely by adding DROPBEAR=n to /etc/initramfs-tools/initramfs.conf.

Good to know.

Thanks,
Marcus
Bug#524728: [mar...@better.se: Bug#524728: dropbear: cryptroot boot broken by dropbear remote unlocking feature]
hi!

> deb...@x.ray.net skrev:

heh, so i kind of skreved up or what? ;)

> I somehow missed that. Anyway IMHO it's not enough with a warning for a change that is almost guaranteed to render a system unbootable. It should just be off by default.

not having a way to unlock a cryptroot from remote while the system might be several thousand km away from you (or behind a locked door or whatever), might do so, too, therefore i personally somehow don't like an (unconditional) 'disabled' default.

apart from that, as i meant to indicate before, i got your point and i wasn't really happy with the situation, too. but i was wrong regarding my estimate of the effort necessary to resolve this. please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514213 for a solution (which can be applied without having to patch and install resp. having to wait for a new package).

regards,
Chris