Remote reboot with encrypted disk and SSH security

7 replies
Jane
Joined: 09/02/2014

Hi,

I would like to access a Trisquel server through SSH. The server's disk is encrypted. So, if a reboot is needed, it will ask for the key to decrypt the disk before I can access it through SSH.

According to the following link, it can be solved.
https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

Do you like that solution?
Which one? In the link I can see slightly different solutions.
Do you know any other solution?

And, what about SSH?
Do you consider it safe?
According to this link, the NSA can sometimes decrypt it.

https://en.wikipedia.org/wiki/Secure_Shell

Thank you

Magic Banana
Joined: 07/24/2010

SSH is the safest protocol we know of to get a remote shell. You can configure the server so that it only accepts the use of the strongest ciphers.

knacky
Joined: 04/06/2016

Here is a page with a good explanation of the different ciphers and hashes used in SSH; it makes suggestions on what to use and what to avoid when configuring your SSH server...

https://stribika.github.io/2015/01/04/secure-secure-shell.html
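One way to check that a server only accepts strong algorithms, as the two replies above suggest, is to audit the effective configuration printed by `sshd -T`. This is an added example, not code from the thread or the linked guide; the allowlist, the sample output and the function names are assumptions of the example.

```python
# Allowlist is an assumption of this example (modern OpenSSH algorithms, in
# preference order); adjust it to your own policy and OpenSSH version.
ALLOWED = {
    "kexalgorithms": ["curve25519-sha256@libssh.org",
                      "diffie-hellman-group-exchange-sha256"],
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr",
                "aes128-ctr"],
    "macs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"],
}

# Constructed sample of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_SSHD_T = """\
port 2001
passwordauthentication no
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
ciphers aes128-ctr,aes256-gcm@openssh.com,3des-cbc,arcfour
macs hmac-sha2-512-etm@openssh.com,hmac-md5,hmac-sha1
"""

def parse_effective_config(text):
    """Map each keyword of `sshd -T` output to its value string."""
    config = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            config[key.lower()] = value.strip()
    return config

def audit(text):
    """Return {keyword: [algorithms outside the allowlist]}, in listed order."""
    config, report = parse_effective_config(text), {}
    for keyword, allowed in ALLOWED.items():
        if keyword not in config:
            raise ValueError(f"{keyword} missing: feed the output of `sshd -T`")
        extra = [a for a in config[keyword].split(",") if a not in allowed]
        if extra:
            report[keyword] = extra
    return report

def suggested_lines(report):
    """sshd_config lines restricting each flagged keyword to the allowlist."""
    names = {"kexalgorithms": "KexAlgorithms", "ciphers": "Ciphers", "macs": "MACs"}
    return [f"{names[k]} {','.join(ALLOWED[k])}" for k in report]

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_T))
    print("\n".join(suggested_lines(audit(SAMPLE_SSHD_T))))
```

On a real server, feed it the output of `sshd -T` run as root, and restart sshd only after confirming that an existing session still works with the new lines.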

Jane
Joined: 09/02/2014

Thank you

Jane
Joined: 09/02/2014

Hi,

I need some help, I am a beginner with these things.

I had my ssh working. Then I tried to follow the link
https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot
so that I can remotely access my encrypted-disk server through ssh after a reboot (before the encryption disk password is asked). It didn't work. But now I am not going to ask for help about that, I am just mentioning it in case it has anything to do with my current problem. Now I cannot even do the normal ssh as before.

With the server on, and the disk encryption password locally entered successfully, I cannot do a normal ssh from my laptop to the server as before. I guess it must be something really easy, but I do not know what.

If I enter

ssh -p 2001 -Y admin@server

I get

"Permission denied (publickey)."

Please see in more detail:

jane2@jane2Laptop:~$ ssh -p 2001 -Y -v admin@server
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for server
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.27 [192.168.1.27] port 2001.
debug1: Connection established.
debug1: identity file /home/jane2/.ssh/id_rsa_dropbear type -1
debug1: identity file /home/jane2/.ssh/id_rsa_dropbear-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Trisquel_GNU/linux_7.0-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Trisquel_GNU/linux_7.0-1
debug1: match: OpenSSH_6.6.1p1 Trisquel_GNU/linux_7.0-1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr name at domain none
debug1: kex: client->server aes128-ctr name at domain none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ae:1c:c3:6c:11:e8:a0:ed:01:ca:3b:cf:f7:20:c9:c3
debug1: Host '[192.168.1.27]:2001' is known and matches the ECDSA host key.
debug1: Found key in /home/jane2/.ssh/know_hosts.initramfs:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: jane2@jane2Laptop
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/jane2/.ssh/id_rsa_dropbear
debug1: No more authentication methods to try.
Permission denied (publickey).
jane2@jane2Laptop:~$

Thank you!
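A debug session like the one in the post above can be read mechanically. As an added example (not part of the original thread), this Python sketch pulls out of `ssh -v` output the client-side facts that decide a publickey login: which Host blocks applied, which identity files loaded, and which keys were offered and rejected. The sample is constructed from lines of the quoted log, and the function names are this example's own.

```python
import re

# Constructed sample: key lines taken from the `ssh -v` session quoted above.
SAMPLE_LOG = """\
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for server
debug1: Connecting to 192.168.1.27 [192.168.1.27] port 2001.
debug1: identity file /home/jane2/.ssh/id_rsa_dropbear type -1
debug1: identity file /home/jane2/.ssh/id_rsa_dropbear-cert type -1
debug1: Found key in /home/jane2/.ssh/know_hosts.initramfs:1
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: jane2@jane2Laptop
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/jane2/.ssh/id_rsa_dropbear
debug1: No more authentication methods to try.
"""

PATTERNS = {
    "host_blocks": r"debug1: (\S+) line (\d+): Applying options for (\S+)",
    "identities": r"debug1: identity file (\S+) type (-?\d+)",
    "known_hosts": r"debug1: Found key in (\S+?):\d+",
    "offered": r"debug1: Offering \S+ public key: (.+)",
    "accepted": r"debug1: Server accepts key",  # printed by OpenSSH on success
    "tried": r"debug1: Trying private key: (\S+)",
}

def summarize(log):
    """Collect the client-side facts that decide a publickey login."""
    return {name: re.findall(rx, log) for name, rx in PATTERNS.items()}

def diagnose(log):
    """Return plain-language findings for a failed publickey attempt."""
    s, findings = summarize(log), []
    for path, line, host in s["host_blocks"]:
        if host != "*":
            findings.append(f"{path}:{line} applies a Host block for '{host}'")
    for path, key_type in s["identities"]:
        if key_type == "-1" and not path.endswith("-cert"):
            findings.append(f"no public key could be loaded for identity {path}")
    if s["offered"] and not s["accepted"]:
        findings.append(f"server rejected offered key(s): {', '.join(s['offered'])}")
    if s["known_hosts"]:
        findings.append(f"host key matched in {s['known_hosts'][0]}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```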

Magic Banana
Joined: 07/24/2010

Have you copied your public key to the server? Here is the command:
$ ssh-copy-id -i /path/to/key.pub SERVERNAME

If that is not enough, it may be a configuration problem in ~/.ssh/config and you can show us that file.

Jane
Joined: 09/02/2014

Thank you. I tried with the commands you suggested and I got again "Permission denied (publickey)". Please see below:

jane2@jane2Laptop:~$ ssh-copy-id -p 2001 -i ~/.ssh/id_rsa.pub server
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey).
jane2@jane2Laptop:~$

Which file exactly is the one that I could show you? Is it on the server or the client?

Magic Banana
Joined: 07/24/2010

The config of the server, but see first if https://superuser.com/questions/890128/ssh-copy-id-public-key-denied helps.