Comments (12)
Hello,
Thanks for the report, this is actually fixed in this branch: #366
It's not yet merged; if you want to go through manually, you can run this before calling setup-encryption.sh:
cp /opt/bastion/etc/bastion/luks-config.sh.dist /etc/bastion/luks-config.sh
from the-bastion.
Fix merged to main branch, closing as fixed. Please reopen if needed :)
Thank you!
Hello @speed47,
I'm not able to encrypt /home before installation like in this issue. I've done this: cp /opt/bastion/etc/bastion/luks-config.sh.dist /etc/bastion/luks-config.sh
and I have this error: [ERR.] The '/etc/bastion/luks-config.sh' file doesn't exist, did you run the '/opt/bastion/bin/admin/install' script before?
Do you have any idea?
Kélian
Hello @keliansrdl,
To resolve the problem, I install the bastion, then I encrypt /home:
/opt/bastion/bin/admin/install --new-install
/opt/bastion/bin/admin/setup-encryption.sh
Hello @f-fatien, thanks for the answer. I already tried this; my bastion is installed now and I have the error:
Did I have to run this command before launching the script?
UPDATE: I've generated codes with the command before running the script, and I have the error as well.
Kélian
No, pwgen is just to generate a strong password for the passphrase.
Maybe the script aborts because you wrote 'yes' in lowercase. Try to write YES in capital letters.
OK, you're right, that was "YES" instead of "yes", but now I have a new error 😢 thanks
Do you know if LVM impacts this?
Kélian
The script tries to umount the partition before calling cryptsetup on it; this is precisely to ensure the partition is not currently used. So either the umount didn't work (but the script should have told you and aborted), or you have this partition mounted in several different places (maybe using mount -o bind).
The script can't detect all cases and oddities that can occur on all systems; this is just a helper to save you some time. You can always encrypt your /home partition yourself before installing the bastion. If you want to retry it, can you try a clean reinstall, and if it fails, paste the complete non-truncated output you have?
Side note: LVM shouldn't cause any problem, we use it without issues.
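As an added example (not from the thread and not the-bastion's own setup-encryption.sh), here is a small POSIX shell helper that does the kind of pre-flight check described above: it reads a mount table in /proc/self/mountinfo format and lists every mount that would keep "umount /home" busy, namely other mounts backed by the same block device (a bind mount of the partition shows up this way, since it shares the major:minor number) and mounts nested below the target. The SAMPLE_MOUNTINFO table is constructed for the demo; the device names only imitate the ubuntu--vg-homedir layout from the thread and are not real output.

```shell
#!/bin/sh
# Added example (not part of the thread or of the-bastion's setup-encryption.sh):
# find out what would make "umount <target>" fail before an encryption helper
# tries it. Parses /proc/self/mountinfo (field 3 = major:minor, field 5 = mount point).

# Constructed sample in /proc/self/mountinfo format; the names imitate the
# thread's ubuntu--vg-homedir layout but are made up, not taken from a real host.
SAMPLE_MOUNTINFO='22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
40 22 253:1 / /home rw,relatime shared:20 - ext4 /dev/mapper/ubuntu--vg-homedir rw
55 22 253:1 /user /srv/user-bind rw,relatime shared:20 - ext4 /dev/mapper/ubuntu--vg-homedir rw
61 40 7:3 / /home/user/snap/core20/1234 ro,nodev,relatime shared:30 - squashfs /dev/loop3 ro
70 22 0:24 / /boot/efi rw,relatime shared:5 - vfat /dev/sda1 rw'

# blocking_mounts MOUNTINFO_TEXT TARGET
# Prints one line per mount that would keep TARGET busy:
#   "same-device <mountpoint>"  another mount backed by the same major:minor
#                               (a "mount -o bind" of the partition, for instance)
#   "nested <mountpoint>"       a mount sitting below TARGET
# Exit status 2 if TARGET is not a mount point in the given table.
blocking_mounts() {
    printf '%s\n' "$1" | awk -v target="$2" '
        { dev[NR] = $3; mp[NR] = $5 }
        $5 == target { tdev = $3 }
        END {
            if (tdev == "") exit 2
            for (i = 1; i <= NR; i++) {
                if (mp[i] == target) continue
                if (dev[i] == tdev) print "same-device " mp[i]
                else if (index(mp[i], target "/") == 1) print "nested " mp[i]
            }
        }'
}

# blocking_mount_count MOUNTINFO_TEXT TARGET: number of blocking mounts.
blocking_mount_count() {
    blocking_mounts "$1" "$2" | awk 'END { print NR }'
}

# is_safe_to_unmount MOUNTINFO_TEXT TARGET
# Returns 0 when nothing in the mount table blocks "umount TARGET",
# 1 when something does, 2 when TARGET is not a mount point at all.
is_safe_to_unmount() {
    out=$(blocking_mounts "$1" "$2") || return 2
    [ -z "$out" ]
}

# On a live host:  blocking_mounts "$(cat /proc/self/mountinfo)" /home
# Open files and working directories are the other reason umount fails;
# "fuser -vm /home" (from psmisc) lists the processes holding them.
if [ "${1:-}" = "--demo" ]; then
    blocking_mounts "$SAMPLE_MOUNTINFO" /home
fi
```

Run with `--demo` to see the two blockers in the sample table (the bind mount at /srv/user-bind and the squashfs mounted under /home/user). The mount-table check and a `fuser -vm` check together cover the two failure modes the reply above lists: the partition being mounted elsewhere, and the partition being in use.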
Hello @speed47,
I'm able to umount /home without error:
Where can I see if /home is in use and blocking the script?
Kélian
@speed47 UPDATE: I've uninstalled snapd and it's good now:
*** Checking whether the proper tools are installed
`-> [ OK ]
*** Checking whether the install script has run
`-> [ OK ]
*** Checking whether /home is a separate partition
`-> [ OK ] ... found /dev/mapper/ubuntu--vg-homedir
*** Checking whether /home is in /etc/fstab
`-> [ OK ] ... # /home was on /dev/ubuntu-vg/homedir during curtin installation
/dev/disk/by-id/dm-uuid-LVM-U3Qe7Pacb26uyDdpO9D0KbYfzrvxRI1K0VECS0UZMkQ1T1b6GAmXiPy1cixe0ztW /home ext4 defaults 0 1
*** Checking whether we can umount /home
`-> [ OK ]
*** Checking whether we can remount /home
`-> [ OK ]
*** Checking used space in /home
`-> [ OK ] ... 1 MiB
*** Checking available space in /
`-> [ OK ] ... 9021 MiB
*** Checking whether there is enough available space in / to hold /home contents temporarily
`-> [ OK ]
*** Creating temporary /tmphome
`-> [ OK ]
*** Rsyncing /home to /tmphome
sending incremental file list
./
user/
user/.bash_history
27 100% 0,00kB/s 0:00:00 (xfr#1, to-chk=8/11)
user/.bash_logout
220 100% 214,84kB/s 0:00:00 (xfr#2, to-chk=7/11)
user/.bashrc
3.771 100% 3,60MB/s 0:00:00 (xfr#3, to-chk=6/11)
user/.profile
807 100% 788,09kB/s 0:00:00 (xfr#4, to-chk=5/11)
user/.sudo_as_admin_successful
0 100% 0,00kB/s 0:00:00 (xfr#5, to-chk=4/11)
user/.cache/
user/.cache/motd.legal-displayed
0 100% 0,00kB/s 0:00:00 (xfr#6, to-chk=1/11)
user/.ssh/
user/.ssh/authorized_keys
0 100% 0,00kB/s 0:00:00 (xfr#7, to-chk=0/11)
sent 5.531 bytes received 168 bytes 11.398,00 bytes/sec
total size is 4.825 speedup is 0,85
`-> [ OK ]
*** Rsync done, here are some details:
`-> ls /home : . ./lost+found ./user ./user/.ssh ./user/.ssh/authorized_keys ./user/.bashrc ./user/.profile ./user/.bash_history ./user/.cache ./user/.cache/motd.legal-displayed ./user/.bash_logout ./user/.sudo_as_admin_successful
`-> ls /tmphome: . ./user ./user/.bashrc ./user/.bash_logout ./user/.bash_history ./user/.profile ./user/.sudo_as_admin_successful ./user/.cache ./user/.cache/motd.legal-displayed ./user/.ssh ./user/.ssh/authorized_keys
`-> du -shc /home : 48K total
`-> du -shc /tmphome: 32K total
`->
`-> Does this look reasonable? [CTRL+C if not]
*** Umounting /home
`-> [ OK ]
*** Erasing /home block device and encrypting it (last chance to cancel!)
`-> You should generate a strong password on your desk, with e.g. `pwgen -s 10`
WARNING: Device /dev/mapper/ubuntu--vg-homedir already contains a 'ext4' superblock signature.
WARNING!
========
This will overwrite data on /dev/mapper/ubuntu--vg-homedir irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
Verify passphrase:
`-> [ OK ]
*** Opening newly encrypted block device
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
`-> [ OK ]
*** Creating a new filesystem on top of the encrypted block device
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 3789824 4k blocks and 3789952 inodes
Filesystem UUID: 96685440-2a58-4f6b-86f0-cea0fe1e2e27
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
`-> [ OK ]
*** Setting up /etc/bastion/luks-config.sh with encrypted block device
`-> [ OK ]
*** Setting up /etc/fstab with encrypted block device
`-> [ OK ]
*** Remounting /home after encryption
`-> [ OK ]
*** Rsyncing back /home contents
sending incremental file list
./
user/
user/.bash_history
27 100% 0,00kB/s 0:00:00 (xfr#1, to-chk=8/11)
user/.bash_logout
220 100% 214,84kB/s 0:00:00 (xfr#2, to-chk=7/11)
user/.bashrc
3.771 100% 3,60MB/s 0:00:00 (xfr#3, to-chk=6/11)
user/.profile
807 100% 788,09kB/s 0:00:00 (xfr#4, to-chk=5/11)
user/.sudo_as_admin_successful
0 100% 0,00kB/s 0:00:00 (xfr#5, to-chk=4/11)
user/.cache/
user/.cache/motd.legal-displayed
0 100% 0,00kB/s 0:00:00 (xfr#6, to-chk=1/11)
user/.ssh/
user/.ssh/authorized_keys
0 100% 0,00kB/s 0:00:00 (xfr#7, to-chk=0/11)
sent 5.526 bytes received 336 bytes 11.724,00 bytes/sec
total size is 4.825 speedup is 0,82
`-> [ OK ]
*** Removing /tmphome
`-> [ OK ]
*** Testing whether we can properly unlock /home after boot
Mounting /dev/mapper/ubuntu--vg-homedir as home
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
Mounting...
Success!
`-> [ OK ]
Thanks for all
Kélian
Another question @speed47: is it normal that with encryption the connection is not instant? I have to wait ~1m30s for it to connect me.
Video link where I try to connect: https://youtu.be/THCfnwCp3Zg
UPDATE: I've installed a new VM with a new bastion install and that works fine, I can connect instantly, all good 👍
Thanks :)
Kélian