ISSUED: 2023-11-18 EDITED: 2023-12-07
> This gemlog is part of a series; use the link below to go to the main menu!
In a previous gemlog I illustrated how to install Debian on an encrypted file system. Perhaps you want to connect to this board remotely, in which case you need to unlock it from your terminal; otherwise you need at least a keyboard plugged into it, and this is not very handy.
As usual the most relevant sources that helped me out:
The "Predictable Network Interface Names" scheme introduced by systemd (🤦) is perhaps very useful when you have to handle a server rack with dozens of NICs, but on a board with just one Ethernet port it is just dumb; better to revert the kernel to the legacy scheme by adding the following options to GRUB:
net.ifnames=0 (restores the default kernel behavior - cit. [4])
biosdevname=0 (kernel parameters to achieve that - cit. [4])
As ROOT user:
```
micro /etc/default/grub
## GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
update-grub
```
Now modify the file: /etc/network/interfaces
```
auto lo
iface lo inet loopback

# eth0 (called end0 before the kernel options above)
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
```
Reboot the board!
Dropbear is a small SSH server that supports only the RSA algorithm.
As a local SSH server for an under-powered SBC it is a preferable alternative to OpenSSH, even if you don't need to unlock anything.
Since it is very small it can be embedded inside the INITRAMFS image and therefore invoked before the board boots.
Besides `cryptsetup` and `cryptsetup-initramfs`, you need the following packages:
apt install -y dropbear dropbear-initramfs
> After the installation it will generate some keys and update the INITRAMFS, complaining; you can ignore it!
Unfortunately, unlocking from the boot stage requires the use of an RSA key, even though your network is your local one and you are the only one who is going to unlock it…
> You are on the computer you want to use to SSH into the ROC-RK3328-CC
*nix systems:
ssh-keygen -t rsa -f .ssh/unlock_luks
> I reused the same key name from [3]
Windows systems:
ssh-keygen -t rsa -f .\.ssh\unlock_luks
> I intentionally left the passphrase blank
*nix systems:
scp .ssh/unlock_luks.pub root@[your-assigned-ip]:~/
Windows systems:
scp.exe .\.ssh\unlock_luks.pub root@[your-assigned-ip]:~/
```
ssh root@[your-assigned-ip]
ls    # is the key there?
cat unlock_luks.pub >> /etc/dropbear/initramfs/authorized_keys
```
```
micro /etc/dropbear/initramfs/dropbear.conf
## DROPBEAR_OPTIONS="-p 222 -c cryptroot-unlock"
```
Explanation:
-p 222: it will make Dropbear listen on that port
> ⚠️ It is important to specify a port different from the one you're going to use once the board has booted; since I didn't change anything I am going to use the standard 22 port.
-c cryptroot-unlock: it will launch that command, so you only need to type the passphrase
Modify the file: /etc/initramfs-tools/initramfs.conf
and change this line:
BUSYBOX=auto ==> BUSYBOX=y
Create a new file:
micro /etc/initramfs-tools/conf.d/IP
With the following content:
```
DEVICE=eth0
IP=::::::dhcp
```
> ⚠️ Loading a WiFi driver for a USB dongle is way beyond my knowledge; if you know how to do that, please let me know!
```
update-initramfs -u
reboot
```
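As an added example (not part of the original gemlog), this script checks the files edited in the steps above and is meant to be run before `update-initramfs -u` and the reboot. The function names, the `ROOT` prefix argument and the sample tree are assumptions made for the example; the main SSH port defaults to 22, as in the setup described here.

```shell
# Added example, not from the gemlog: pre-reboot check of the edited files.
# $1 ROOT (hypothetical): path prefix, "/" on the board or a sample tree.
# $2 MAIN_PORT: port of the SSH server on the booted system (assumed 22).
check_unlock_config() {
    root=${1:-/}; main_port=${2:-22}; fails=0
    keys=$root/etc/dropbear/initramfs/authorized_keys
    conf=$root/etc/dropbear/initramfs/dropbear.conf
    irfs=$root/etc/initramfs-tools/initramfs.conf
    ipcf=$root/etc/initramfs-tools/conf.d/IP
    bad() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # authorized_keys must hold the public half only (unlock_luks.pub).
    if [ ! -s "$keys" ]; then bad "$keys is missing or empty"
    elif grep -q 'PRIVATE KEY' "$keys"; then bad "private key material in $keys"
    elif ! grep -Eq '(^|[[:space:]])ssh-rsa[[:space:]]+AAAA' "$keys"; then
        bad "no ssh-rsa public key in $keys"
    fi

    # DROPBEAR_OPTIONS needs its own port and the forced unlock command.
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$conf" 2>/dev/null) || opts=
    port=$(printf '%s\n' "$opts" | sed -n 's/.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || bad "no -p PORT in DROPBEAR_OPTIONS ($conf)"
    [ "$port" != "$main_port" ] || bad "initramfs Dropbear reuses port $main_port"
    case $opts in
        *"-c cryptroot-unlock"*) ;;
        *) bad "-c cryptroot-unlock missing from DROPBEAR_OPTIONS" ;;
    esac

    # BusyBox and the network settings must end up inside the initramfs.
    grep -q '^BUSYBOX=y$' "$irfs" 2>/dev/null || bad "BUSYBOX=y not set in $irfs"
    { grep -q '^DEVICE=' "$ipcf" && grep -q '^IP=' "$ipcf"; } 2>/dev/null ||
        bad "DEVICE= or IP= missing in $ipcf"
    [ "$fails" -eq 0 ]
}

# Constructed sample tree mirroring the files from the steps above.
make_sample_tree() {
    t=$(mktemp -d); d=$t/etc/dropbear/initramfs; i=$t/etc/initramfs-tools
    mkdir -p "$d" "$i/conf.d"
    echo 'ssh-rsa AAAAB3NzaC1yc2E-constructed-sample me@laptop' > "$d/authorized_keys"
    echo 'DROPBEAR_OPTIONS="-p 222 -c cryptroot-unlock"' > "$d/dropbear.conf"
    echo 'BUSYBOX=y' > "$i/initramfs.conf"
    printf 'DEVICE=eth0\nIP=::::::dhcp\n' > "$i/conf.d/IP"
    echo "$t"
}

sample=$(make_sample_tree)
check_unlock_config "$sample" && echo "sample tree: OK"
rm -rf "$sample"
```

On the board itself, call `check_unlock_config /` as root; any `FAIL:` line names the file to revisit.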
Now it is time to cross your fingers and prepare for PEBCAK...
*nix:
ssh -i .ssh/unlock_luks -o "HostKeyAlgorithms ssh-rsa" -p 222 root@[your-assigned-ip] -v
Windows:
ssh -i .\.ssh\unlock_luks -o "HostKeyAlgorithms ssh-rsa" -p 222 root@[your-assigned-ip] -v
If you see the prompt, it means you have been spared by PEBCAK this time…
Unlocking your board locally doesn't really make sense for any purpose but one… which is going to be unveiled at the end of this series (if you missed my diary…)
To unlock a system remotely it may make more sense to use a static IP, but this gemlog is about the Libre Computer "Renegade" SBC, thus anything beyond that board is outside my goal. 🤷
Please, should you find any typos or other mistakes, do not hesitate to contact me by email!
────────────
For comments or suggestions write me at: