switch

Building with cryptroot (with SSH-unlock) seems broken?

I'm attempting to build an image for the ROC-RK3328-CC (Renegade) with cryptroot encryption (and SSH unlock) enabled, but I run into weird behavior.

The board will start and I can SSH in and reach the BusyBox prompt. So far so good, but from what I've gathered I should enter the command "unlock" there to display the cryptroot password prompt. However it only results in the message -sh: unlock: not found. I read somewhere else the command might be "cryptroot-unlock" but that instead gives nothing, not even the error message.

Furthermore, regardless of whether I enter any commands, around 10 seconds into the SSH session it will freeze and I eventually get kicked off with a broken pipe error. I suspect the board is restarting by itself but it is difficult to verify because it is running headless. After a few seconds I'm able to SSH in again for another ~10 sec session.

Building it without cryptroot works just fine and the board starts normally and I can SSH in. I have not tested building it with cryptroot only (without the SSH-unlock ability), because again it is difficult to verify due to the headless setup.

Has anyone run into this kind of behavior when building Armbian images with cryptroot setup or have any idea what's gone wrong? Is it a bug in the build cryptroot feature?

Below is my config-default.conf:

KERNEL_ONLY="no"
KERNEL_CONFIGURE="no"
CLEAN_LEVEL="make,debs,oldcache"

DEST_LANG="en_US.UTF-8"

EXTERNAL_NEW="prebuilt"
INSTALL_HEADERS="yes"
LIB_TAG="master"
USE_TORRENT="yes"
CARD_DEVICE="/dev/sdb"

BOARD="renegade"
RELEASE="buster"
BUILD_MINIMAL="yes"

CRYPTROOT_ENABLE="yes"
CRYPTROOT_PASSPHRASE="password"
CRYPTROOT_SSH_UNLOCK="yes"
CRYPTROOT_SSH_UNLOCK_PORT="2222"

6 hours ago, switch said:

Has anyone run into this kind of behavior when building Armbian images with cryptroot setup or have any idea what's gone wrong? Is it a bug in the build cryptroot feature?


This feature was a work from someone that was not a part of the core group. I said: do it and if it doesn't break anything we will accept it. We are unable to support it so functionality will be either removed or if someone takes a look what is wrong. I saw other people reporting, so it's indeed broken.

On 10/2/2019 at 3:57 AM, Igor said:


This feature was a work from someone that was not a part of the core group. I said: do it and if it doesn't break anything we will accept it. We are unable to support it so functionality will be either removed or if someone takes a look what is wrong. I saw other people reporting, so it's indeed broken.

This is unfortunate because building an image with cryptroot pre-installed is a very useful feature to have; doing it manually later is hell.

I'll create a GitHub issue and ping the author of the pull to see if he or anyone else is able to fix it.

3 hours ago, switch said:

This is unfortunate because building an image with cryptroot pre-installed is a very useful feature to have; doing it manually later is hell.

Development is nice and glorious. Most people like to do that. Me included. Hell is maintaining this project with our private time.

3 hours ago, switch said:

I'll create a GitHub issue and ping the author of the pull to see if he or anyone else is able to fix it.


Good idea. Let's see.
