Gentoo Forums
SOLVED: building an initramfs with dropbear...
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sat Aug 27, 2022 3:20 pm    Post subject: SOLVED: building an initramfs with dropbear...

I was trying to drop a dropbear on my minimal initramfs. Unfortunately when running it, it claims none of the users are available - if I ssh root@initramfsmachine it reports 'root' as an invalid user despite not setting -w (disallow root) or -g (disallow password root logins), and despite root being in /etc/passwd. Adding another user in /etc/passwd also gets rejected as an invalid user.

As far as I can tell by looking at the source code, I think getpwnam is failing. I dared not install gdb on my initramfs to debug...

Anyone have an idea why it's rejecting users in /etc/passwd when getting an initramfs working with dropbear? My current guess is that I'm missing some file somewhere? Probably something with glibc...

edit: corrected function name...
---Solved---
Needed to copy the optional /lib/libnss* to the initramfs and mount devpts!
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?


Last edited by eccerr0r on Sun Aug 28, 2022 1:30 am; edited 2 times in total
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sat Aug 27, 2022 3:40 pm    Post subject:

Is your dropbear statically linked? Is it a MULTI build? Which libc is used?

In which state was your dropbear server started? After devtmpfs was mounted?

I don't necessarily know the details of how dropbear works, but I would like to build an initrd with dropbear too, so I would like to help debug this problem to learn how to configure/build it correctly.
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sat Aug 27, 2022 8:00 pm    Post subject:

Not statically built, not multilib (x86), not multicall (separate dropbear and dbclient), and using glibc.
Started after devtmpfs was mounted.
Actually I might have to say I did cheat, and this might have to be in Unsupported Software, as I built this binary without portage so I could statically build the internal libtom but also have it dynamically link to glibc ...oops... But anyway.
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sat Aug 27, 2022 8:47 pm    Post subject:

I checked the repo; the README says:
dropbear/README wrote:
If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot login as any user other than that running the daemon
(obviously). Shadow passwords will also be unusable as non-root.


So did you start dropbear as root?

I am sure you did not link with PAM, right?

How do you set up the host key(s)? Do you pre-generate them and copy them into the initrd, or use the "-R" option?

What are the dropbear command line options you used to start it?

How did you determine the failed login is due to "invalid user"? Did dropbear log an error message?
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sat Aug 27, 2022 9:02 pm    Post subject:

Only root on the initramfs.
Built without PAM or shadow.
Used -R to get the host key and forgot the other options. I logged to stderr and saw the error on stderr.
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sat Aug 27, 2022 9:14 pm    Post subject:

I am curious how it works without shadow; I think glibc would need to be built/configured to bypass /etc/shadow.

I will have a look at the source code to see how the code path works when using the configure option "--disable-shadow".
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sat Aug 27, 2022 10:15 pm    Post subject:

Does your initrd have /etc/shells?

According to
dropbear/srv-auth.c wrote:
/* Check that the username exists and isn't disallowed (root), and has a valid shell.


So check /etc/passwd: your root entry's shell field should have a value matching an entry in /etc/shells, or be empty, in which case dropbear assumes it is "/bin/sh"; a missing /etc/shells will set the default shell list to "/bin/sh, /bin/csh".
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sat Aug 27, 2022 10:17 pm    Post subject:

Hmm ... Gives me some ideas to try... Glibc might be freaking out due to an incomplete shadow ...

No, not sure if it was that check that failed; backtracking through the logic, the error must have been a getpwnam that failed...

---- edit ----
My conclusion may or may not be right ... I tried tracing the binary and it never even tried to check /etc/passwd for entries, which is darn weird...

---- edit ----
Corrected function name
Last edited by eccerr0r on Sun Aug 28, 2022 12:40 am; edited 1 time in total
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sat Aug 27, 2022 11:31 pm    Post subject:

Can you share the exact error message for those failed sessions?

Is it "Max auth tries reached - user is invalid"?

It will help to know the error message because there are several code logic paths that will exit(1) with an error message; this will help narrow down which path the logic took.
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sun Aug 28, 2022 12:14 am    Post subject:

Login attempt for nonexistent user

Using debug statements it is failing with ENOENT .

-EDIT-

FOUND IT.

Looks like I neglected to copy the optional /lib/libnss* shared libraries...

Now onto the next problem: no ptys...
Last edited by eccerr0r on Sun Aug 28, 2022 1:08 am; edited 1 time in total
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sun Aug 28, 2022 1:06 am    Post subject:

Thanks for the information.

I am not sure if it is possible to get that error message without reading /etc/passwd. As far as I can tell from the code logic, it will require using getpwnam(); however, since glibc can use nsswitch.conf to direct where to get passwd entries, do you have an /etc/nsswitch.conf file in your initrd? If you do have /etc/nsswitch.conf, the "passwd:" entry should have "files" in it.

Also, are the /etc/passwd permissions correct? If it is more than root:rw I wonder whether getpwnam() may fail.

Finally, could /etc/passwd be corrupted? Does it have hidden character(s) embedded? One of my early debug sessions in this forum was an /etc/passwd where each line had an extra blank at EOL, so the sudo/su error was always "shell" not found, which is very confusing since the "shell" binary does exist in the file system. The OP only found out because he saw someone use a Windows tool to edit the file.
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA

PostPosted: Sun Aug 28, 2022 1:17 am    Post subject:

Didn't need nsswitch.conf, but needed the optional shared libraries. Now to figure out how to create a pty...

Solved!!! Just needed to mount /dev/pts and all is well!

Thanks, we're done, off to finalizing my initramfs!
Last edited by eccerr0r on Sun Aug 28, 2022 1:29 am; edited 1 time in total
pingtoo
l33t

Joined: 10 Sep 2021
Posts: 920
Location: Richmond Hill, Canada

PostPosted: Sun Aug 28, 2022 1:22 am    Post subject:

Just remembered a command line tool you can use: *getent*. It is part of glibc (I think). Maybe try to load it into your initrd to help debug. On my machine it is in /usr/bin/getent.

Use
Code:
getent passwd root
to verify /etc/passwd.
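The three things this thread ended up needing (an NSS "files" module so getpwnam() can read /etc/passwd in a dynamically linked glibc build, a root shell that passes dropbear's /etc/shells check, and a devpts mount for ptys) collected into an added pre-flight check for an initramfs staging tree. This script is not from the thread or from dropbear; the staging layout, the lib*/ glob and the init file name are assumptions.

```shell
#!/bin/sh
# check_initramfs_auth DIR: verify that the initramfs staging tree DIR has
# what dropbear needs to accept a root login. Returns 0 if all checks pass,
# 1 otherwise, printing one line per problem. (Constructed example; paths
# such as DIR/init and DIR/lib*/ are assumptions about the staging layout.)
check_initramfs_auth() {
    dir=$1
    rc=0
    # 1. getpwnam() needs an /etc/passwd with a root entry ...
    if ! grep -q '^root:' "$dir/etc/passwd" 2>/dev/null; then
        echo "etc/passwd is missing or has no root entry"; rc=1
    fi
    # 2. ... and, with a dynamically linked glibc, the NSS "files" backend.
    #    Without it getpwnam() fails with ENOENT and dropbear logs
    #    "Login attempt for nonexistent user" even though the entry exists.
    if ! ls "$dir"/lib*/libnss_files.so.* >/dev/null 2>&1; then
        echo "no libnss_files.so.* under lib*/ (copy it from the host)"; rc=1
    fi
    # 3. root's shell must be listed in etc/shells; an empty field means
    #    /bin/sh, and without etc/shells the default list is /bin/sh, /bin/csh.
    shell=$(awk -F: '$1=="root"{print $7}' "$dir/etc/passwd" 2>/dev/null)
    [ -z "$shell" ] && shell=/bin/sh
    if [ -f "$dir/etc/shells" ]; then
        grep -qx "$shell" "$dir/etc/shells" || { echo "$shell not in etc/shells"; rc=1; }
    else
        case $shell in
            /bin/sh|/bin/csh) ;;
            *) echo "$shell is not in dropbear's default shell list"; rc=1 ;;
        esac
    fi
    # 4. ptys: init must mount devpts, so expect a dev/pts mountpoint and a
    #    devpts mount line in the init script.
    if [ ! -d "$dir/dev/pts" ] || ! grep -q 'devpts' "$dir/init" 2>/dev/null; then
        echo "no dev/pts mountpoint or no devpts mount in init (ptys will fail)"; rc=1
    fi
    return $rc
}

# Usage: sh check-initramfs.sh /path/to/initramfs-staging
if [ $# -eq 1 ]; then check_initramfs_auth "$1"; fi
```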