- How to use dropbear ssh via usb on yalu102 install#
- How to use dropbear ssh via usb on yalu102 password#
ssh/authorized_keys /var/ssh/%u/authorized_keys
How to use dropbear ssh via usb on yalu102 install#
To fix this, assuming you're using ecryptfs-mount-home, tell your users to run ecryptfs-umount-private and then install their pubkeys into the unencrypted ~/.ssh/authorzied_keys file (which may require creating ~/.ssh – don't forget to chmod 700 ~/.ssh or it won't work!).Īlternatively, you could add something like this to your /etc/ssh/sshd_config file: AuthorizedKeysFile. If you're encrypting home directories, note that SSH pubkeys stored in each user's ~/.ssh/authorized_keys file will be unavailable to authenticate users that are not logged in. Then you'd need to create the encrypted (or, if you're using a hardware key, the double-encrypted) area(s) and symlink to them from the various locations you've already got configured for use. In order to get to this kind of setup, you'd have to back up your data, repartition your disk(s) and reinitialize your filesystem(s), then restore your data atop the new filesystem(s). Once the system is up and running (and online), you can SSH in and manually unlock the server's encrypted storage. IIRC, TrueCrypt (and presumably therefore VeraCrypt, the still-active fork of TrueCrypt) supports using arbitrary files on USB sticks as passcodes. That way, you can "lock" the server by powering it off and walking away with the USB key. I think trusted autounlock needs to happen and fortunately there are a couple methods available.The easiest solution would be to have installed your server so it can (minimally) boot without a passcode, either by not having it encrypted, or by using some kind of hardware key, like a USB stick, that has the data necessary for the system to automatically boot. Again, modify the init scripts to be able to bring up the network, start the communication with the specified server, retrieve the password, then pipe it into decryption.
Others use neighboring servers to provide the password. I am still making sure I am doing this the most effective way before writing up a guide (and maybe getting the parts included in ZOL). I have this working on both TPM 1.2 and 2.0. This would check PCR values to make sure the system hasn't been altered.
How to use dropbear ssh via usb on yalu102 password#
I have been working on using TPM to store the password also. Not only does this obscure the password a little, but it prevents needing to make init able to understand usb devices and mount a filesystem, in order to read a file.īut. The easiest is to can have your init script look at a usb and "dd" read a sector with the password and pipe it into the decrypt command. Half the point of asking questions in a public sub is so that everyone can benefit from the answers-which is impossible if you go deleting everything behind yourself once you've gotten yours.
If I catch anybody else deleting their question and all their comments on it immediately after getting an answer, they're getting an instant banhammer. But please don't flame people for not using your own personal One True Platform.
If there's useful information about a difference in implementation or performance between OpenZFS on FreeBSD and/or Linux and/or Illumos - or even Oracle ZFS! - great. If your post or comment gets hidden, send modmail and we'll take a look. NOTE: sometimes Reddit's auto-spam system flags links it shouldn't. This isn't an issue we usually have trouble with, so let's just keep not having trouble with it. BUT, only if it's materially useful to answer a question, or offer information, in some sense other than "this will get people to give me money." It's fine to link to youtube videos, blog posts, what have you. If you think somebody's wrong, you can say that without casting aspersions or being super sarcastic.