Koen

  1. I don't know this build stuff. And my issue isn't over SSH but serial console. I worked the old-fashioned way: booting a vanilla image, installing cryptsetup & dropbear-initramfs, dealing with the first 2k bytes & /boot, making the crypto partition, rsync'ing the system, configuring initramfs & generating a new one, editing armbianEnv & generating a new boot.cmd. On SSH it automatically runs the "unlock" command and all I need to do is enter the password (over serial or SSH). It's basically a minor nuisance, over serial console only. But I'd rather have everything proper, to avoid issues later and in case the network is unavailable. It's a weird fluke that seems related to authentication (whether that's login or sudo elevation).
  2. It uses standard Debian packages? I can do (and have done) the same on x64 or Raspbian. Or is there some tool to generate custom images that has / had cryptoroot?
  3. Next I'm trying to get a LUKS encrypted system. It looks okay. Ish. If I unlock over SSH via dropbear, logging in to the serial console is buggy and the terminal laggy. Sometimes the login prompt line is all in green text rather than white. The first attempt always fails. I seem to need to hit every key twice too. I get these errors:

       Cannot initialize device-mapper. Is dm_mod kernel module loaded?
       Cannot use device sdcard, name is invalid or still in use.

     In /etc/crypttab is (which hints at the 2nd line):

       sdcard /dev/mmcblk0p3 none luks

     If I log in via SSH first, then the login via serial goes okay, but the first sudo authentication fails and those two lines appear. Anyone know what's happening or how to fix it?
  4. @aprayoga Maybe #1 is a result of removing the default en_US and only enabling the localised version? Whatever I tried, I couldn't get it fixed, so I went the manual conf file way and it vanished immediately (even within armbian-config everything then looked fine). #4: yes, iptables-legacy works fine, apparently also required for fail2ban, which doesn't (yet) support nftables.
  5. Yes, fixed with:

       update-alternatives --set iptables /usr/sbin/iptables-legacy

     Apparently also needed if you want to use fail2ban. So (currently) no need to convert rules and blabla. I'm also wondering if nftables will stick around longer than the firewalld from before; nothing is as annoying as learning new firewall speak, especially since security is tantamount.
  6. I'm trying to start afresh on the latest buster image, but failing miserably.

     1. Armbian-config setting Locale not working and subsequently giving perl errors. (Fixed by manually editing /etc/default/locale)
     2. Armbian-config setting Keyboard not doing anything. (Fixed by manually editing /etc/default/keyboard)
     3. Armbian-config accessing "system - CPU" crashes armbian-config.

          cat: /sys/devices/system/cpu/cpufreq/policy0/scaling_available_frequencies: File or folder doesn't exist
          cat: /sys/devices/system/cpu/cpufreq/policy0/scaling_available_governors: File or folder doesn't exist

     4. Can't do anything with iptables, not even -L to see existing rules, let alone actually configuring anything.

          iptables v1.8.2 (nf_tables): CHAIN_ADD failed (No such file or directory): chain INPUT

     Haven't been able to get around the last one. Tried removing and reinstalling the iptables package, but same result.
  7. Any ETA on Debian 10 (Duster)?
  8. This is very useful information, as I'm planning to have boot root (SD) and data (SATA mirror) encrypted, with BTRFS on top. Better get started the good way. @djurny: did you come across good links explaining the differences / risks of cbc versus xts, or even essiv versus plain64? Found this guide for the root fs : And the data fs I should be able to do with a keyfile on the rootfs. I think it needs to be 2x LUKS and BTRFS "mirror" on top, so I could actually benefit from the self-healing functionality, in case of a scrub. @gprovost: am I correct to understand the CESA will be used automatically by dm-crypt, if aes-cbc-essiv (or another supported cipher) is used? Also looking forward to reading updated performance numbers, to understand if it would be worth modifying the openssl libraries or not.
  9. I guess we know what DPD should do then for its delays and tracking issues. Imho, since my understanding is you need a microSD card to get started (even if you eventually would choose to install to USB / SATA), it would be good if it were included (even at extra cost) so one can get started once the kit arrives; or at least made more clear that it's something to procure separately. Anyway, I hope to soon take it for a spin.
  10. Finally my purchase arrived. I was so excited to check it out, but no microSD in the box. I thought I had read something about a SanDisk UHS-I 16Gb card being in the bundle, @gprovost?
  11. It could be interesting to see the test repeated while on a LUKS encrypted filesystem?