[pkg-cryptsetup-devel] Bug#697156: [patch] maybe a better solution

Matthias Buecher / Germany maddes+debian at maddes.net
Mon Apr 6 16:08:22 UTC 2015


The goal is to be able to unlock the root partition remotely via an SSH
shell while plymouth is installed and used in the initramfs.

I sent a patch that works well for me on Debian 7.8 "Wheezy" when
plymouth is asking for the password on the local screen and I connect
remotely via SSH.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782024

-------------- next part --------------
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot	2012-11-07 16:28:47.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot	2015-03-11 23:25:18.000000000 +0100
@@ -16,11 +16,15 @@ prereqs()
 	done
 }
 
+NOPLYMOUTH=0
+
 case $1 in
 prereqs)
 	prereqs
 	exit 0
 	;;
+noplymouth)
+	NOPLYMOUTH=1
 esac
 
 # source for log_*_msg() functions, see LP: #272301
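Review bot: The new `noplymouth)` arm at the end of the `case` has no terminating `;;`, unlike the `prereqs)` arm above it. POSIX sh accepts that for the last arm, but any arm added after it later would break the statement, so I would close it explicitly with `;;` after `NOPLYMOUTH=1`. A short comment on `NOPLYMOUTH=0`, such as `# 1 = skip plymouth and prompt on the calling terminal (set by the "noplymouth" argument)`, would also help, because the variable is only consumed further down in message() and setup_mapping().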
@@ -31,7 +35,7 @@ esac
 #
 message()
 {
-	if [ -x /bin/plymouth ] && plymouth --ping; then
+	if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
 		plymouth message --text="$@"
 	else
 		echo "$@" >&2
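Review bot: The added test `[ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ]` in message() relies on the `-a` operator of `test`, which POSIX marks obsolescent and which can parse ambiguously; the same expression is repeated in the setup_mapping() hunk that follows. Chaining separate tests says the same thing without it: `if [ "${NOPLYMOUTH}" -eq 0 ] && [ -x /bin/plymouth ] && plymouth --ping; then`. message() continues past the end of this hunk.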
@@ -269,7 +273,7 @@ setup_mapping()
 
 		if [ -z "$cryptkeyscript" ]; then
 			cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
-			if [ -x /bin/plymouth ] && plymouth --ping; then
+			if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
 				cryptkeyscript="plymouth ask-for-password --prompt"
 				cryptkey=$(printf "$cryptkey")
 			else
@@ -291,6 +295,12 @@ setup_mapping()
 			return 1
 		fi
 
+		# Kill all remaining processes that ask for the password
+		for PID in $(ps | grep -e '/lib/cryptsetup/askpass' -e 'plymouth.*ask-for-password' | sed -n -e '/grep/! { s#[[:space:]]*\([0-9]\+\)[[:space:]]*.*#\1#p ; }')
+		 do
+			kill -9 "${PID}"
+		done
+
 		#FSTYPE=''
 		#eval $(fstype < "$NEWROOT")
 		FSTYPE="$(blkid -s TYPE -o value "$NEWROOT")"
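Review bot: The cleanup loop sends `kill -9` to every PID whose `ps` line matches `/lib/cryptsetup/askpass` or `plymouth.*ask-for-password`, so a prompt gets no chance to clean up (askpass presumably changes terminal echo while reading, which SIGKILL would leave unrestored; worth confirming), and any other process whose command line happens to contain those strings is killed as well. I would send the default signal first, `kill "${PID}"`, and escalate to `-9` only if the process survives. The loop also appears to run for each mapping that is set up, so prompts belonging to devices that are still locked could be killed too; that interaction lies outside the hunk and should be checked. setup_mapping() starts and ends outside this hunk.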
--- /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh	2014-12-28 22:16:37.909586616 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh	2015-03-11 22:33:41.000000000 +0100
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+#
+# This InitRAMFS hook provides:
+# Simple script to easily unlock LUKS encrypted root partition from remote (SSH, Telnet)
+# Intended for Debian 6.0 Squeeze
+#
+# Copyright: Matthias Bücher, see http://www.maddes.net/
+# License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
+#
+# Adopted from http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu#comment-25990
+#
+# Thanks to:
+# - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
+#   for his tremendeous effort to unlock LUKS root parititon remotely on Debian 5.0 Lenny and before
+#
+# History:
+# v1.0 - 2011-02-15
+#  initial release
+# v1.1 - 2011-03-29
+#  fixed some typos
+#  (also thanks to Sven Greuer)
+#
+
+PREREQ=""
+
+prereqs()
+{
+	echo "${PREREQ}"
+}
+
+case "${1}" in
+ prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+#
+# Begin real processing
+#
+
+SCRIPTNAME=unlock
+
+# 1) Create script to unlock luks partitions
+cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
+#!/bin/sh
+PATH='/sbin:/bin'
+/scripts/local-top/cryptroot noplymouth
+__EOF
+chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}
+
+
+# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
+cat >> ${DESTDIR}/etc/motd << __EOF
+
+To unlock root partition, and maybe others like swap, run "${SCRIPTNAME}"
+__EOF
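Review bot: The header comment advertises unlocking "from remote (SSH, Telnet)", but the passphrase typed into the generated `unlock` script travels over that session, and Telnet would carry it in cleartext; I would limit the comment to SSH, e.g. `# Simple script to easily unlock LUKS encrypted root partition from remote (SSH)`. The header also says "Intended for Debian 6.0 Squeeze" while the accompanying mail reports testing on 7.8 "Wheezy", so that line looks stale. Separately, `${DESTDIR}` is unquoted in both redirections and in `chmod`, and nothing checks that the writes succeeded; quoting, e.g. `chmod 700 "${DESTDIR}/bin/${SCRIPTNAME}"`, keeps a path containing spaces from being split.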

