christiansaga.de
Unlock LUKS via SSH in Debian
As already described in my previous post Headless Debian install via SSH, I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the password in case of a reboot.
So what is the solution
First install Dropbear on the server by apt-get install dropbear
. Then configure initramfs network usage; edit /etc/initramfs-tools/initramfs.conf
. You probably have to add the lines for dropbear and update the device string.
This configuration is using DHCP to obtain an IP, if you have a static configuration, use: IP=<SERVER-IP>::<STANDARD-GATEWAY>:<SUBNETMASK>:<HOSTNAME>:eth0:off
Next, delete the standard private and public keys on the server
Then create your own key pair (we assume you use id_rsa as a name) on your client machine and upload it to the server.
After that, log in to the server and add the key to authorized_key file an remove the public key on the server.
Now we need to update initramfs and grub by update-initramfs -u -k all
and update-grub2
On some configurations the network won’t get reconfigured on runtime values, hence we need to trigger an update. Edit /etc/network/interfaces
and add as first line of the primary interface pre-up ip addr flush dev eth0
Restart server and log in from your client with ssh -i ~/.ssh/id_rsa root@<server-ip>
to set the password to unlock
EDIT: on newer systems a cryptroot-unlock
will suffice.
The server should now boot normally and regular SSH should come up.
Optional
You can also create a little script for the passphrase in /etc/initramfs-tools/hooks/unlock
Do not forget to make it executable with chmod +x /etc/initramfs-tools/hooks/unlock
and update initramfs with update-initramfs -u -k all
and update-grub2
Headless Debian install via SSH
Having build my own NAS system recently, I realised I do not have any monitors or keyboards at home anymore. Hence installing Debian will be hard. I looked around and the solution would be a headless install via ssh.
This post is based on some work from S.G. Vulcan’s post Installing Debian using only SSH His post was a good start, but I only could make it work for a Debian Jessie netinstall image after some changes.
So what is the solution
Download the latest netinstall image from Debian, I used debian-8.3.0-amd64-netinst.iso
Mount the ISO to a folder
Copy to new folder called isonew
Change the menu to load SSH on boot by default, edit isonew/isolinux/txt.cfg
remove (if existing) menu default
from label install
and add:
Create isonew/preseed.cfg
file. I adapted the locale and keyboard settings for Germany and added the selection of the keyboard-configuration. This would otherwise be an open question during the install and we won’t reach the SSH startup.
Also I added a check for non-free firmware, which popped up on one of my machines which had wireless.
Recreate the isonew/md5sum.txt
, it is read only, so you need to change this. Also I had better luck with creating the md5sum.txt
with the changed commands below.
Create ISO file to burn with xorriso. If you do not have it installed use apt-get install xorriso
.
xorriso is creating a correct partition table, which is for some reason not done with mkisofs only. The original command would work in VMs, maybe even on a cd-rom, however not for USB sticks.
The ISO can be burned to an USB stick and used to boot. It will automatically configure the network with DHCP (yes, you need to have a way to find the IP, e.g. on your router) and start SSH.
The user for the ssh connection is installer
the password is install
.
Upgrading Spamassassin Debian Wheezy to Jessie
After the upgrade of Wheezy to Jessie, Spamassassin is not added to the startup services. Hence if you were using it before in your mail setup, you will run into the following error in /var/log/syslog
Debian has a similar bug filed (#764438), even after a fresh reinstall.
So what is the solution
Simply activate Spamassassin via systemctl enable spamassassin
RSyslog simple sorting to files, here iptables
If you have a firewall, you probably have 99% of the entires in your syslog filled with iptables denied info. So there are two options to get rid of that. Turn of the logging of iptables or move it out of the syslog.
As I want to have the logging, I need to move it. You will find a lot of explanations on RSyslog in the official documentation, however I found that the simple case I was looking for was not described.
I am using the following to create the syslog entries:
So what is the solution
You might have more logging or similar ones in your configuration. The important part here is the --log-prefix
as we will sort via this.
To create a filter, create /etc/rsyslog.d/iptables.conf
and add the following
After restarting rsyslogd, this will now divert the iptables entries to the new logging location identified by the prefix.
The stop
is particularly important, as the rule above diverts the logging, but without the stop
it would still end up in syslog. If you google setups like this you will often find a ~
instead of the stop
. Which is deprecated and cause a warning in the log, however works as well.
Sidenote: Remember to put the stop
in brackets for the if/then clause, otherwise you stop all logging to syslog.
As a last step you should create a logrotation for the new log. I did it very simple by creating the file /etc/logrotate.d/iptables
and added
Logrotate is started via cron and will read the new config in the next run. Alternatively you can run the config directly via logrotate -f /etc/logrotate.d/iptables
Duplicity backup to Amazon S3 on Debian
I am using duplicity with duply to do PGP encrypted backups to Amazon S3. As there are enough guides around for the basic setup (i used Backup unter Linux mit duply), I won’t go into details of that.
However if you are planning to use the new EU (Frankfurt) location called eu-central-1 you will run into problems as this location only supports the V4 authentication. You might encounter the following error when using duply (even if the config worked on other locations before)
So what is the solution
This is a bit tricky, as the Debian packages are not up to date and you need to mix backports and unstable versions. To solve this you will need to upgrade your duplicity and boto framework packages as following:
-
duplicity needs version 0.7.02-1 This version is available within the
backport
branch of Debian. I used package pinning to get this package. You can easily find articles for this via Google, I found APT Pinning helpful. Be careful to understand pinning, as you might confuse APT with a wrong configuration. You should always usesudo apt-cache policy [packagename]
and the-s
parameter on upgrades first to check what will happen. Currently I am using duplicity 0.7.06-1~bpo8+1. -
python-boto needs version 2.36.0 Previously this was only available via PyPi, however a newer version is now available in the
unstable
branch. Hence again you can install this via pinning. Currently I am using python-boto 2.40.0-1 -
duply did not need additional changes, I am using version 1.9.1-1 out of the regular stable branch.