Dropbear initramfs hook creates authorized_keys file in an invalid folder

Bug #1645555 reported by Ibrahim Karahan
This bug affects 3 people
Affects: dropbear (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dropbear initramfs hook copies `/etc/initramfs-tools/root/.ssh/authorized_keys` into initramfs for passwordless login during boot.

The script responsible is `/usr/share/initramfs-tools/hooks/dropbear`. The destination folder is set at line 37:

`home=$(mktemp -d "$DESTDIR/root-XXXXXX")`

which ends up creating a temp directory in the initramfs image, named something like `/root-hZQ48a`, instead of `/root`. Dropbear fails to find `/root/.ssh/authorized_keys` at boot and does not allow remote logins.

See the contents of a generated initrd with:
```
cd "$(mktemp -d)" && gzip -dc "/boot/initrd.img-$(uname -r)" | cpio -ivd
```

Setting the $home variable with the following lines should solve the issue:
```
home="$DESTDIR/root"
mkdir -p "$home"
```

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dropbear (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Lokier (jamie-shareable) wrote :

The temp directory is fine, because the script also generates /etc/passwd setting root's home directory to be the temp directory.

Revision history for this message
Jérôme Drouet (jerome-drouet) wrote :

Not so fine to me, because it changes root's home directory in a way you cannot predict or reuse in any other hook.

For instance:
```
/ # cat /etc/passwd
root:*:0:0::/root-nlmn09:/bin/sh
/ # cd
~# pwd
/root-nlmn09
```

How can we guess the name in other hooks, say to put some files in ~root?

This change seems to be related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558115 , but other hooks should not use /root as a mountpoint as described there (I haven't checked whether it is still the case).

Revision history for this message
Ibrahim Karahan (ibrahimkarahan) wrote :

Still exists on Ubuntu 18.04:

```
$ sudo lsinitramfs /boot/initrd.img-4.15.0-29-generic | grep root
root-Fc4un7
root-Fc4un7/.ssh
root-Fc4un7/.ssh/authorized_keys
```

The temp folder created with the "$DESTDIR/root-XXXXXX" scheme is garbage. It is never renamed to the /root folder, thus Dropbear fails to find the authorized_keys file.

The workaround in #1 still works.
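The bug description, Jérôme Drouet's question about guessing the `root-XXXXXX` name from another hook, and the `lsinitramfs` check above all come down to one thing: the hook does not fix root's home at `/root`, it records whichever random directory it created in the initramfs's `etc/passwd` (as Jamie Lokier notes). The following is an added example, not code from the bug report or from the dropbear package: it resolves root's home by reading that `etc/passwd` instead of guessing, checks that `<home>/.ssh/authorized_keys` is present and non-empty, and can run the same check against a built initrd image. The function names, the constructed stand-in for `$DESTDIR`, and the sample key line are this example's own; the image check assumes `unmkinitramfs` from initramfs-tools is installed (it also unpacks the concatenated microcode+initramfs images that a plain `gzip -dc | cpio -i` only partially extracts).

```shell
#!/bin/sh
# Added example, not part of the Launchpad report or the dropbear hook.
# Finds root's home inside an initramfs tree the way the hook defines it
# (via the etc/passwd it writes) rather than by guessing "root-XXXXXX".
set -eu

# Print the home directory that <tree>/etc/passwd assigns to the "root"
# account (field 6). Returns 1 if the file or the entry is missing.
# From another initramfs-tools hook, call this with tree=$DESTDIR.
root_home_in_tree() {
    local tree home
    tree=$1
    [ -r "$tree/etc/passwd" ] || return 1
    home=$(awk -F: '$1 == "root" { print $6; exit }' "$tree/etc/passwd")
    [ -n "$home" ] || return 1
    printf '%s\n' "$home"
}

# Return 0 if <root home>/.ssh/authorized_keys exists and is non-empty
# inside the tree, 1 otherwise (missing passwd entry counts as failure).
check_authorized_keys() {
    local tree home
    tree=$1
    home=$(root_home_in_tree "$tree") || return 1
    [ -s "$tree$home/.ssh/authorized_keys" ]
}

# Same check against a built image, e.g. /boot/initrd.img-$(uname -r).
# unmkinitramfs extracts a concatenated image into early*/ and main/
# subdirectories and a single-archive image directly into the target.
check_initrd_image() {
    local image work tree status
    image=$1
    work=$(mktemp -d)
    unmkinitramfs "$image" "$work"
    if [ -d "$work/main" ]; then tree=$work/main; else tree=$work; fi
    if check_authorized_keys "$tree"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

# Build a constructed stand-in for $DESTDIR that mimics what the hook does:
# a random root-XXXXXX directory, an etc/passwd whose root entry points at
# it, and an authorized_keys below it. Prints the tree path. The key line
# is a constructed placeholder, not a real public key.
make_hook_like_tree() {
    local tree home
    tree=$(mktemp -d)
    mkdir -p "$tree/etc"
    home=$(mktemp -d "$tree/root-XXXXXX")
    printf 'root:*:0:0::/%s:/bin/sh\n' "${home##*/}" > "$tree/etc/passwd"
    mkdir -m 700 "$home/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly example@host\n' \
        > "$home/.ssh/authorized_keys"
    printf '%s\n' "$tree"
}

# Usage: sh check-initramfs-keys.sh /boot/initrd.img-$(uname -r)
if [ $# -eq 1 ]; then
    if check_initrd_image "$1"; then
        echo "authorized_keys present under root's home in $1"
    else
        echo "no usable authorized_keys under root's home in $1" >&2
        exit 1
    fi
fi
```

Because the hook's `etc/passwd` is the only authoritative record of where root's home ended up, a hook that needs to drop files into `~root` should derive the path from `$DESTDIR/etc/passwd` as `root_home_in_tree` does, rather than hard-coding `/root` or pattern-matching on `root-*`.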

Revision history for this message
Paul NGUYEN THANH (paul.nguyen-thanh) wrote :

Everything looks OK in /boot/initrd.img-4.15.0-*:

```
etc/group
etc/passwd
root-xxxxxx
root-xxxxxx/.ssh
root-xxxxxx/.ssh/authorized_keys
```

NB: root-xxxxxx/.ssh/authorized_keys comes from /etc/dropbear-initramfs/authorized_keys, which must be in 'dropbear' format, not 'openssh' format; use dropbearkey or dropbearconvert, then update-initramfs to recreate your initrd image.

But it seems that root-xxxxxx/.ssh/authorized_keys isn't expanded properly from the initrd!?

Because:

First, I worked around it in the /usr/share/initramfs-tools/hooks/dropbear script by creating several copies of this authorized_keys in $home and $DESTDIR. Then, in BusyBox at the (initramfs) prompt, I can find one in / (from $DESTDIR) and one in /root-xxxxxx/ (from $home), but none in /root-xxxxxx/.ssh/!?

Second, I'm booting through PXE and iPXE with an HTTP server, so I have the ability to download authorized_keys, or to move one of the other copies mentioned above, into /root-xxxxxx/.ssh/, and can then log in...

Why is it not expanded properly even though it is correctly located in the initrd image?
