Bug#1121980: dropbear-initramfs: Can't put password through stdin to unlock LUKS partition since Debian 13

2025-12-05 Thread Guilhem Moulin
Looking at the ansible documentation [0], this appears to be the culprit:

stdin_add_newline (boolean, added in Ansible 2.8)
    If set to true, append a newline to stdin data.
    Choices: false, true ← (default)

So presumably

command:
  cmd: "ssh -T root@{{ dropbear_ip }}"
  stdin: "{{ luks_pwd }}"
  stdin_add_newline: false

would work too, and is arguably more robust.

-- 
Guilhem.

[0] https://docs.ansible.com/projects/ansible/latest/collections/ansible/builtin/command_module.html



2025-12-05 Thread Matthieu Meurillon

Yes, it works with both commands!

So I mean, this should be enough to close the case, but I'm really 
curious why the behavior changed between the two Debian versions. I 
don’t even know which package is causing the issue. All I know is that 
my method worked on Debian 12 but no longer works on Debian 13.


By the way, thank you very much for debugging, it will be very important 
for my work.


Matthieu

On 12/5/25 22:04, Guilhem Moulin wrote:

> On Fri, 05 Dec 2025 at 21:08:24 +0100, Matthieu Meurillon wrote:
> > matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'
>
> Oh my bad, here strings add a linefeed which is passed along with the
> passphrase.  That linefeed is trimmed when using the interactive mode,
> see the “Passphrase processing for LUKS” section in cryptsetup(8).
>
> How about
>
> printf '%s' "$REAL_PASSPHRASE" | ssh -T [email protected]
>
> or
>
> printf '%s' "$REAL_PASSPHRASE" | ssh [email protected] /nonexistent






2025-12-05 Thread Guilhem Moulin
On Fri, 05 Dec 2025 at 21:08:24 +0100, Matthieu Meurillon wrote:
> matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'

Oh my bad, here strings add a linefeed which is passed along with the
passphrase.  That linefeed is trimmed when using the interactive mode,
see the “Passphrase processing for LUKS” section in cryptsetup(8).

How about

printf '%s' "$REAL_PASSPHRASE" | ssh -T [email protected]

or

printf '%s' "$REAL_PASSPHRASE" | ssh [email protected] /nonexistent

-- 
Guilhem.
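
The linefeed described in the message above, and the `stdin_add_newline` default quoted from the Ansible documentation elsewhere in this thread, become visible when the bytes each invocation puts on stdin are dumped. This is an added example, not part of the thread; `PW`, the function names and the modelling of Ansible's default as `printf '%s\n'` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. PW is a constructed sample value;
# never test with a real passphrase.
PW='s3cret'

# Hex of every byte on stdin ("-v" stops od collapsing repeated lines).
hex_of_stdin() { od -An -v -tx1 | tr -d ' \n'; }

# Each emitter writes PW to stdout the way one invocation in the thread
# feeds it to ssh's stdin.
emit_echo()            { echo "$PW"; }                      # echo 'passphrase' | ssh ...
emit_herestring()      { bash -c 'cat <<<"$1"' _ "$PW"; }   # ssh -T ... <<<'passphrase' (needs bash)
emit_ansible_default() { printf '%s\n' "$PW"; }             # assumed model of stdin_add_newline: true
emit_printf()          { printf '%s' "$PW"; }               # printf '%s' "$PW" | ssh -T ...

# Exit 0 when the data on stdin ends with a linefeed (0x0a). Each byte is
# exactly two hex digits, so a trailing "0a" is always the last byte.
ends_with_lf() {
    case "$(hex_of_stdin)" in
        *0a) return 0 ;;
        *)   return 1 ;;
    esac
}

# One line per method: the bytes a non-interactive reader would receive,
# and whether they carry the extra byte that interactive mode trims.
report() {
    for m in echo herestring ansible_default printf; do
        if "emit_$m" | ends_with_lf; then
            note='trailing linefeed is part of the payload'
        else
            note='exact passphrase bytes'
        fi
        printf '%-16s %-16s %s\n' "$m" "$("emit_$m" | hex_of_stdin)" "$note"
    done
}

report
```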



2025-12-05 Thread Matthieu Meurillon

> Stupid question but… does it work with the correct passphrase?

No, it does not work with the correct passphrase, the only way I can 
unlock LUKS on Debian 13 for the moment is to connect in ssh manually 
and type the passphrase myself.


> I don't know how ansible's command module deals with TTYs, but again
> that `ssh` invocation looks wrong. Does it work when you use one of the
> 3 alternatives I suggested?

No, nothing works.

> That's still not the debug output I asked for. From my first message:

Yes sorry, here is the output :

matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'
+ set -ue
+ PATH=/sbin:/bin
+ TIMEOUT=10
+ PASSFIFO=/lib/cryptsetup/passfifo
+ ASKPASS=/lib/cryptsetup/askpass
+ UNLOCK_ALL=n
+ '[' -f /lib/cryptsetup/functions ]
+ . /lib/cryptsetup/functions
+ '[' /usr/bin/cryptroot-unlock '!=' /usr/bin/cryptroot-unlock ]
+ '[' /usr/bin/cryptroot-unlock '!=' /usr/bin/cryptroot-unlock ]
+ '[' /usr/bin/cryptroot-unlock '!=' /usr/bin/cryptroot-unlock ]
+ TABFILE=/etc/crypttab
+ export 'DM_DEFAULT_NAME_MANGLING_MODE=hex'
+ TABFILE=/cryptroot/crypttab
+ unset -v IFS
+ '[' '!' -f /cryptroot/crypttab ]
+ '[' /cryptroot/crypttab -ot /proc/1 ]
+ '[' -t 0 ]
+ wait_for_prompt
+ local pid timer 'num_locked_devices=-1' n
+ :
+ count_locked_devices
+ local 'COUNT=0'
+ crypttab_foreach_entry count_locked_devices_callback
+ local 'callback=count_locked_devices_callback' IFS
+ local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
+ '[' -f /cryptroot/crypttab ]
+ IFS='     ' read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
+ '[' md1_crypt '!=' md1_crypt ]
+ '[' -z md1_crypt ]
+ printf '%b' md1_crypt
+ CRYPTTAB_NAME=md1_crypt
+ '[' -z 'UUID=37271a9b-560a-4863-9eb6-6d74b38e493e' ]
+ '[' -z none ]
+ printf '%b' 'UUID=37271a9b-560a-4863-9eb6-6d74b38e493e'
+ CRYPTTAB_SOURCE='UUID=37271a9b-560a-4863-9eb6-6d74b38e493e'
+ printf '%b' none
+ CRYPTTAB_KEY=none
+ printf '%b' luks,discard
+ CRYPTTAB_OPTIONS=luks,discard
+ count_locked_devices_callback
+ dm_blkdevname md1_crypt
+ local 'name=md1_crypt' dev
+ dmsetup info -c --noheadings -o blkdevname -- md1_crypt
+ dev=
+ return 1
+ COUNT=1
+ IFS='     ' read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
+ printf '%d\n' 1
+ n=1
+ '[' 1 -eq 0 ]
+ '[' -1 -lt 0 ]
+ timer=100
+ num_locked_devices=1
+ get_askpass_pid
+ local pid
+ pgrep_exe /lib/cryptsetup/askpass
+ local exe pid
+ readlink -f -- /lib/cryptsetup/askpass
+ exe=/usr/lib/cryptsetup/askpass
+ '[' -f /usr/lib/cryptsetup/askpass ]

2025-12-05 Thread Guilhem Moulin
Control: tag -1 unreproducible

On Fri, 05 Dec 2025 at 20:03:04 +0100, Matthieu Meurillon wrote:
> I confirm it does not work on my side (with 3 different syntax) :
>
> matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'
> […]
> matthieu@terminator:~$ ssh -T [email protected] << […]
> matthieu@terminator:~$ ssh -T [email protected] <<< 'passphrase'

FWIW your local shell parses these as the exact same thing.  The
alternatives I suggested use different local and remote code paths.

Stupid question but… does it work with the correct passphrase?  Unlike
your earlier `-tt` output the passphrase isn't returned as is, and there
is the prompt from cryptroot-unlock.  So at least the tooling does seem
to work somewhat.

> Let me know if you need more information.

That's still not the debug output I asked for.  From my first message:

| Please provide a debug trace by adding `set -x` to
|
|/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
|
| (and rebuild the initramfs afterwards).

> command:
>   cmd: "ssh -tt root@{{ dropbear_ip }}"
>   stdin: "{{ luks_pwd }}"

I don't know how ansible's command module deals with TTYs, but again
that `ssh` invocation looks wrong.  Does it work when you use one of the
3 alternatives I suggested?

-- 
Guilhem.



2025-12-05 Thread Matthieu Meurillon

Thanks.

I confirm it does not work on my side (with 3 different syntax) :

matthieu@terminator:~$ ssh -T [email protected] <<<'passphrase'
+ ssh -T [email protected]
Please unlock disk md1_crypt
cryptsetup: cryptsetup failed, bad password or options?
matthieu@terminator:~$ ssh -T [email protected] <<
matthieu@terminator:~$ ssh -T [email protected] <<< 'passphrase'
+ ssh -T [email protected]
Please unlock disk md1_crypt
cryptsetup: maximum number of tries exceeded for md1_crypt
matthieu@terminator:~$


I'm also sure that it worked with Debian 12 (with the same passphrase).
I never had an issue with this method before upgrading to Debian 13 Trixie.
I always used the above commands or this Ansible task:


- name: Unlock LUKS with ssh
  delegate_to: localhost
  command:
    cmd: "ssh -tt root@{{ dropbear_ip }}"
    stdin: "{{ luks_pwd }}"
  failed_when: false


Let me know if you need more information.

Matthieu

On Fri, 5 Dec 2025 17:11:09 +0100 Guilhem Moulin wrote:

> Control: tag -1 - unreproducible
> Control: retitle


2025-12-05 Thread Guilhem Moulin
Control: tag -1 - unreproducible
Control: retitle -1 dropbear-initramfs: Can't put password through stdin when a pty has been allocated

That's not the log trace I asked, but I confirm `ssh -tt root@remote_server 
<<


2025-12-05 Thread matthieu.meurillon
2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send_close2
debug2: channel 0: send close for remote id 0
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 [session] r0 nm0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1 nc0 io 0x00/0x00)

debug3: obfuscate_keystroke_timing: stopping: no active channels (0 chaff packets sent)
Connection to 172.19.128.3 closed.
debug3: send packet: type 1
Transferred: sent 4148, received 2420 bytes, in 0.0 seconds
Bytes per second: sent 120380.5, received 70231.6
debug1: Exit status -1
matthieu@YYY:~$

This above example does not unlock the LUKS partition on Debian 13 but it does 
on Debian 12.

My dropbear options are : DROPBEAR_OPTIONS="-j -k -s -c cryptroot-unlock"

I noticed this behavior as I use Ansible to unlock physical encrypted servers 
with this task :

  - name: Unlock LUKS with ssh
    delegate_to: localhost
    command:
      cmd: "ssh -tt root@{{ inventory_hostname }}"
      stdin: "{{ luks_pwd }}"
    failed_when: false

Matthieu

-----Original Message-----
From: Guilhem Moulin
Sent: Friday, 5 December 2025 15:50
To: MEURILLON Matthieu (SMEG); [email protected]
Subject: Re: Bug#1121980: dropbear-initramfs: Can't put password through stdin to unlock LUKS partition since Debian 13

Control: tag -1 unreproducible moreinfo

Remote SSH locking does work on my system as well as in the autopkgtest.
Please provide a debug trace by adding `set -x` to

/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock

(and rebuild the initramfs afterwards).

> Versions of packages dropbear-initramfs depends on:
> pn  busybox | busybox-static  
> pn  dropbear-bin  
> pn  initramfs-tools   
> ii  udev  257.8-1~deb13u2
>
> Versions of packages dropbear-initramfs recommends:
> pn  cryptsetup-initramfs  

Doesn't look like a viable system for dropbear-initramfs.  Did you run
reportbug(1) on another system?

-- 
Guilhem.



2025-12-05 Thread matthieu.meurillon
It works with a classic interactive SSH connection like: ssh
root@remote_server (then type the passphrase) but not if I want to unlock
automatically without an interactive shell or force pseudo-terminal like: echo
"passphrase" | ssh -tt root@remote_server.

Example:

matthieu@YYY:~$ echo 'passphrase' | ssh -tt [email protected]
Enter passphrase for key '/home/matthieu/.ssh/id_ed25519':
passphrase
Connection to 172.19.128.3 closed.
matthieu@ YYY:~$

But the LUKS partition is still locked.

For the debug logs:

matthieu@ YYY:~$ echo 'passphrase' | ssh - -tt [email protected]

2025-12-05 Thread Guilhem Moulin
Control: tag -1 unreproducible moreinfo

Remote SSH locking does work on my system as well as in the autopkgtest.
Please provide a debug trace by adding `set -x` to

/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock

(and rebuild the initramfs afterwards).

> Versions of packages dropbear-initramfs depends on:
> pn  busybox | busybox-static  
> pn  dropbear-bin  
> pn  initramfs-tools   
> ii  udev  257.8-1~deb13u2
>
> Versions of packages dropbear-initramfs recommends:
> pn  cryptsetup-initramfs  

Doesn't look like a viable system for dropbear-initramfs.  Did you run
reportbug(1) on another system?

-- 
Guilhem.



2025-12-05 Thread Matthieu Meurillon
Package: dropbear-initramfs
Version: 2025.88-2
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Since Debian 13, I'm no longer able to unlock the LUKS cryptroot through SSH. 
In Debian 12, I was able to do something like : echo "password" | ssh 
root@remote_server and it worked to unlock the LUKS partition.
However, now it's no longer possible and the LUKS partition stays locked. I do 
not know if it is related to a change with dropbear or another package in 
Debian 13.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

echo "password" | ssh root@remote_server

   * What was the outcome of this action?

LUKS partition is not unlocked.

   * What outcome did you expect instead?

LUKS is unlocked.

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.87.2-microsoft-standard-WSL2 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dropbear-initramfs depends on:
pn  busybox | busybox-static  
pn  dropbear-bin  
pn  initramfs-tools   
ii  udev  257.8-1~deb13u2

Versions of packages dropbear-initramfs recommends:
pn  cryptsetup-initramfs  

dropbear-initramfs suggests no packages.