0

I use dropbear-initramfs (like this) to decrypt the root drive on my Ubuntu 20.04.3 headless server. Recently the server was abruptly powered off (power went out I think?) and now the dropbear SSH server rejects my public key.

I can successfully connect a keyboard and monitor and type in my decryption key, and I can reach the full SSH server after that, but then I still have the same issue with the public key. I've checked /etc/dropbear-initramfs/{authorized_keys,config}, but everything seems as it should be.

I'd like to see what's happening from the dropbear SSH side, but I don't know how to view the logs. Any ideas?

UPDATE:

I've run sudo lsinitramfs /boot/initrd.img-5.4.0-90-generic which gives me something interesting:

...
etc/dropbear  # no etc/dropbear/authorized_keys!
etc/dropbear/config
etc/dropbear/dropbear_dss_host_key
etc/dropbear/dropbear_ecdsa_host_key
etc/dropbear/dropbear_rsa_host_key
...
root-IEiu10  # what is this folder and why is authorized_keys here?
root-IEiu10/.ssh
root-IEiu10/.ssh/authorized_keys

UPDATE2: I think my issue is related to this.

Kyle
  • 121
  • 6
  • What does mean "rejects public key"? What exactly is going on? // As of initramfs logging, read here: https://wiki.debian.org/InitramfsDebug#Saving_debug_information . – Nikita Kipriyanov Oct 17 '21 at 17:38
  • I mean that usually I SSH into the dropbear and use public key authentication, but now I get `Permission denied (publickey).` – Kyle Oct 19 '21 at 12:28
  • Are you able to check it is o.k. while in the initramfs shell, or, at least, unpack initrafms and see inside (lsinitramfs or better actually unpack cpio archive)? I.e. to confirm if initramfs build script actually put things inside as expected. – Nikita Kipriyanov Oct 20 '21 at 05:49

1 Answers1

2

After running through several rabbit holes, I finally found this post describing how newer SSH clients are starting to disable ssh-rsa authentication. Turns out that the solution was to temporarily add PubkeyAcceptedKeyTypes +ssh-rsa to my SSH config for this server. The long-term solution is to update dropbear, but this works for now.

The strange root-XXXXX folder is as it should be apparently.

Kyle
  • 121
  • 6