Erling Westenvik <erling.westen...@gmail.com> writes:

> Since none of the servers have tools for remote administration, my only
> option for unlocking any crypto volumes will be over ssh(4). AFAIK that
> means I cannot encrypt any parts of the OS itself since all partitions
> are required to be present for the OS to be able to boot up to a point
> where it can offer sshd(8), right?

I have a not-so-simple setup for this. Everything but / is in a
crypto softraid. Upon startup I run a self-contained sshd with the
following patch against a 5.4 /etc/rc:

--- etc/rc      Tue Jul 30 19:52:22 2013
+++ /etc/rc     Tue Mar 25 15:23:48 2014
@@ -284,8 +284,19 @@
                exit 1
                ;;
        8)
-               echo "Automatic file system check failed; help!"
-               exit 1
+               echo "Automatic file system check failed; help (from 
outterspace)!"
+               ifconfig em0 x.x.x.x netmask 255.255.255.0
+               route -qn add default x.x.x.x
+               mount -uw /
+               /root/sshd -De \
+                       -o PasswordAuthentication=no \
+                       -o PermitRootLogin=yes \
+                       -o ChallengeResponseAuthentication=no \
+                       -o UsePrivilegeSeparation=no \
+                       -o UseDNS=no
+               mount -ur /
+               route -qn flush
+               ifconfig em0 down delete
                ;;
        12)
                echo "Boot interrupted."
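
Review bot: In the `8)` branch the original `exit 1` is removed and nothing re-runs the file system check after `/root/sshd` returns, so boot continues with the volumes on the newly attached softraid never checked, and any fsck failure (not only the one caused by the missing crypto volume) now brings up em0 and a root-login sshd. Consider re-running the check once sshd exits and keeping `exit 1` if it still fails. Separately, `-o UsePrivilegeSeparation=no` together with `-o PermitRootLogin=yes` means all pre-authentication network code runs as root; if privilege separation cannot be kept in this early-boot environment, a comment saying why belongs next to that option, and limiting which hosts can reach the port during the unlock window would reduce the exposure.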

I can then connect as root (with the correct authorized_keys) and bioctl
the crypto softraid and finally kill this sshd.

Drawbacks:
        - compile a self-contained sshd (see crunchgen(8) for this) (if
          possible do this after the time_t patch)
        - be careful with /etc/rc merge
-- 
Manuel Giraud
