• dropbear-initramfs failing - following update?

    From Gareth Evans@3:633/10 to All on Wednesday, January 21, 2026 14:30:01
    Hello,

    dropbear-initramfs seems to have stopped working, perhaps since a recent update:

    $ cat /etc/debian_version
    13.3

    $ ls -l /etc/dropbear/initramfs|grep autho
    -rw------- 1 root root 389 Oct 16 15:57 authorized_keys

    $ sudo update-initramfs -uk all
    update-initramfs: Generating /boot/initrd.img-6.12.63+deb13-amd64
    update-initramfs: Generating /boot/initrd.img-6.12.57+deb13-amd64
    update-initramfs: Generating /boot/initrd.img-6.12.48+deb13-amd64
    update-initramfs: Generating /boot/initrd.img-6.12.43+deb13-amd64

    $ sudo lsinitramfs /boot/initrd.img-$(uname -r) | grep authorized_keys
    root-cSYi50V2T3/.ssh/authorized_keys
    $

    This lsinitramfs listing seems to show openssh's file, rather than /etc/dropbear/initramfs which, iirc, is to be expected.

    Keys in /etc/dropbear/initramfs/authorized_keys fail when ssh connects to dropbear.
    When the crypt is unlocked manually, openssh takes over after boot and ssh functions normally.

    This worked previously, but certainly prior to the 13.3 update.

    Can anyone reproduce this behaviour, or have any suggestions?

    Many thanks
    Gareth

    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jonathan Dowland@3:633/10 to All on Wednesday, January 21, 2026 17:20:01
    On Wed Jan 21, 2026 at 1:21 PM GMT, Gareth Evans wrote:
    > Can anyone reproduce this behaviour, or have any suggestions?

    I'll have a go at reproducing Today or Tomorrow.


    --
    Please do not CC me for listmail.

    Jonathan Dowland
    jmtd@debian.org
    https://jmtd.net

  • From Gareth Evans@3:633/10 to All on Wednesday, January 21, 2026 18:50:01
    On 21 Jan 2026, at 16:13, Jonathan Dowland <jmtd@debian.org> wrote:

    > On Wed Jan 21, 2026 at 1:21 PM GMT, Gareth Evans wrote:
    >> Can anyone reproduce this behaviour, or have any suggestions?
    >
    > I'll have a go at reproducing Today or Tomorrow.

    Thanks very much
    G

  • From Jonathan Dowland@3:633/10 to All on Thursday, January 22, 2026 10:00:01
    On Wed Jan 21, 2026 at 4:12 PM GMT, Jonathan Dowland wrote:
    > On Wed Jan 21, 2026 at 1:21 PM GMT, Gareth Evans wrote:
    >> Can anyone reproduce this behaviour, or have any suggestions?
    >
    > I'll have a go at reproducing Today or Tomorrow.

    This is a shallow test: I didn't regenerate my initramfs first, but I
    (by coincidence) had to cold boot my desktop, so I gave it a go. I was
    able to SSH in and run cryptroot-unlock successfully.

    dropbear-initramfs:
    Installed: 2025.89-1~deb13u1
    Linux 6.16.9+deb14-amd64 #1

    /etc/dropbear/initramfs/authorized_keys contains two entries, labelled jon@phobos and jon@qusp (the latter of which my client issued)

    The server does not have a /root/.ssh/authorized_keys so the initramfs
    has not picked it up from there (unless there's another place it could
    be hidden)

    My initramfs dates from:

    -rw------- 1 root root 129582334 Jan 11 14:36 "/boot/initrd.img-6.16.9+deb14-amd64"

    I'd wager that was triggered by installing 2025.89-1~deb13u1.

    I'll try regenerating it later and see what happens.


    --
    Jonathan Dowland
    jmtd@debian.org
    https://jmtd.net

  • From Gareth Evans@3:633/10 to All on Saturday, January 24, 2026 04:20:01
    After some further research and testing:

    /usr/share/initramfs-tools/hooks/dropbear

    includes:

    <snip>
    # Copy config and host keys
    mkdir -p -- "$DESTDIR/etc/dropbear"
    if [ -e /etc/dropbear/initramfs/dropbear.conf ]; then
        cp -pt "$DESTDIR/etc/dropbear" "/etc/dropbear/initramfs/dropbear.conf"
    fi

    copied_hostkey="n"
    for keytype in rsa ecdsa ed25519; do
        hostkey="/etc/dropbear/initramfs/dropbear_${keytype}_host_key"
        if [ -f "$hostkey" ]; then
            cp -pt "$DESTDIR/etc/dropbear" "$hostkey"
            copied_hostkey="y"
        fi
    done
    if [ "$copied_hostkey" = "n" ]; then
        dropbear_warn "Missing host keys, SSH login to initramfs won't work!"
    fi

    # Copy authorized_keys
    mkdir -m0700 -- "$home/.ssh"
    if [ -e /etc/dropbear/initramfs/authorized_keys ]; then
        cat /etc/dropbear/initramfs/authorized_keys
    else
        for keytype in dsa rsa ecdsa ed25519; do
            pubkey="/etc/dropbear/initramfs/id_${keytype}.pub"
            if [ -e "$pubkey" ]; then
                cat "$pubkey"
            fi
        done
    fi >"$home/.ssh/authorized_keys"
    </snip>

    ...which suggests

    [main or whatever]/etc/dropbear/initramfs/authorized_keys

    should not exist as such within initramfs.

    I can confirm:

    $ unmkinitramfs /boot/initrd.img-$(uname -r) .

    $ sudo cat /etc/dropbear/initramfs/authorized_keys | wc -l
    5

    $ sudo diff /etc/dropbear/initramfs/authorized_keys ./main/root-jjnlnk7i54/.ssh/authorized_keys
    $

    So all seems to be in order.

    Rumour has it that if dropbear is installed as well as dropbear-initramfs, this can cause problems, though that's a bit vague and I am doubtful.

    Nonetheless I will test again having removed dropbear when I'm near the machine to press buttons if needed, probably mid week.

    Thanks
    G

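
The manual diff from the last post, generalised into a repeatable check (an added example, not part of the thread or of the dropbear-initramfs package): it recomputes what the quoted hook would write, including the id_*.pub fallback, and compares that with the copy inside a tree produced by unmkinitramfs. The function names are hypothetical; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit an unpacked initramfs against the dropbear source config.

# expected_keys CONF_DIR
# Print what the quoted hook would write to $home/.ssh/authorized_keys.
expected_keys() {
    conf=$1
    if [ -e "$conf/authorized_keys" ]; then
        cat "$conf/authorized_keys"
    else
        for keytype in dsa rsa ecdsa ed25519; do
            if [ -e "$conf/id_${keytype}.pub" ]; then
                cat "$conf/id_${keytype}.pub"
            fi
        done
    fi
    return 0
}

# check_dropbear_initramfs TREE [CONF_DIR]
# TREE is the directory that unmkinitramfs unpacked into. Returns 0 only when
# the image's authorized_keys is non-empty, matches the source, and at least
# one dropbear host key was copied into the image.
check_dropbear_initramfs() {
    tree=$1
    conf=${2:-/etc/dropbear/initramfs}
    rc=0
    want=$(mktemp) || return 2
    expected_keys "$conf" >"$want"

    # The listings in the thread show the file under a root-<random> directory.
    found=$(find "$tree" -type f -path '*/root-*/.ssh/authorized_keys' | head -n 1)
    if [ -z "$found" ]; then
        echo "FAIL: no root-*/.ssh/authorized_keys under $tree"; rc=1
    elif ! cmp -s "$want" "$found"; then
        echo "FAIL: $found differs from the keys in $conf"; rc=1
    elif [ ! -s "$found" ]; then
        echo "FAIL: $found is empty, so no key can log in"; rc=1
    else
        echo "OK: $found matches $conf"
    fi

    # The hook copies host keys to etc/dropbear inside the image.
    hk=$(find "$tree" -type f -path '*/etc/dropbear/dropbear_*_host_key' | head -n 1)
    if [ -z "$hk" ]; then
        echo "FAIL: no dropbear host key in the image"; rc=1
    fi
    rm -f "$want"
    return "$rc"
}
```

Run it as root against the directory passed to unmkinitramfs, for example `check_dropbear_initramfs .` after the unpack step shown in the post.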