These instructions explain how to prepare a Debian installation to run with Caisleán, with or without full disk encryption (FDE), on a remote server to which physical access is not possible.
During installation, we recommend that you choose only to install the Standard system utilities and the SSH server.
As soon as installing Debian is done, make sure the non-privileged user created during the installation has a valid SSH public key in /home/user/.ssh/authorized_keys. Caisleán disables password-based SSH, and failing to do this will result in being locked out.
Apart from this step, Caisleán is designed to run smoothly on a standard Debian installation. Preferably, run Caisleán on a freshly installed system, to make sure you avoid conflicts between what Caisleán configures and previously installed software.
Remote access to the screen and keyboard with KVM/IP is necessary in order to reach the Debian installer, which otherwise only appears on the physical console of the machine.
Alternatively, a method without KVM/IP exists if your hosting provider enables you to boot your machine into a rescue GNU/Linux system loaded into RAM. This is notably the case for OVH/SoYouStart.
For disk partitioning, select "Use entire disk and set up encrypted LVM". Make sure you use a secure passphrase.
After partitioning the disk and installing basic packages, the "Software Selection" dialog will open. Only check SSH server and Standard system utilities, leave the rest unchecked.
At the end of the installation process, when it asks for reboot, choose "Go back" and select "Execute a shell". Then, run these commands to obtain root access to the system being installed:
chroot /target/
mount /proc
mount /sys
bash
Install the dropbear package:
aptitude install dropbear
Copy your SSH public key to the non-root user's authorized keys file, in /home/user/.ssh/authorized_keys. Make sure this file belongs to the user, not root, with the right permissions.
Copy your SSH public key a second time, to the file /etc/initramfs-tools/root/.ssh/authorized_keys. Edit that file and prepend the following string at the very beginning of the file, before ssh-rsa and separated from it by a space, so that this key can do nothing but feed the passphrase to cryptsetup:
command="cat - >/lib/cryptsetup/passfifo"
Unless your hoster provides DHCP, set up a static IP configuration in /etc/initramfs-tools/initramfs.conf, by adding a line that follows this syntax:
IP=<local_IP>::<gw_IP>:<netmask>:<hostname>:<network_interface>:off
where (you can find examples here):
<local_IP> is the public IP address assigned to your server
<gw_IP> is your hoster's Internet gateway IP address
<netmask> is your host's network mask in IP format (your public IP and the gateway IP must be in the same subnet)
<hostname> is your server's hostname, as you configured it during the installation process
<network_interface> is the network interface name connected to the Internet, typically eth0 (check this using ip address show up)
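To catch the usual mistakes in the IP= line and in the forced-command key line before rebuilding the initramfs, here is an added example script; it is not part of the Caisleán project, assumes the IP= syntax given above, and its sample addresses are constructed. It checks the field count, the address format, the same-subnet requirement for the local IP and the gateway, and that an initramfs authorized_keys line begins with the forced command.

```shell
# Added example, not part of the Caisleán documentation: sanity-check the
# IP= line and the forced-command key line before running update-initramfs.
# Assumes the IP=<local_IP>::<gw_IP>:<netmask>:<hostname>:<iface>:off syntax.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only when both addresses share the subnet defined by the mask.
same_subnet() {
    local a b m
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Validate one IP= line; prints "ok" or the first problem found.
check_ip_line() {
    local line=$1
    case "$line" in
        IP=*) ;;
        *) echo "line must start with IP="; return 1 ;;
    esac
    local IFS=:
    set -- ${line#IP=}
    if [ $# -ne 7 ]; then echo "expected 7 colon-separated fields, got $#"; return 1; fi
    local local_ip=$1 gw=$3 mask=$4 host=$5 iface=$6 autoconf=$7
    for f in "$local_ip" "$gw" "$mask"; do
        if ! printf '%s' "$f" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "bad IPv4 address: $f"; return 1
        fi
    done
    [ -n "$host" ] || { echo "hostname is empty"; return 1; }
    [ -n "$iface" ] || { echo "interface is empty"; return 1; }
    [ "$autoconf" = off ] || { echo "last field must be off"; return 1; }
    same_subnet "$local_ip" "$gw" "$mask" || { echo "local IP and gateway not in same subnet"; return 1; }
    echo ok
}

# Succeed only when an initramfs authorized_keys line carries the forced
# command first, so the key can do nothing but feed the passphrase to cryptsetup.
check_unlock_key() {
    case "$1" in
        'command="cat - >/lib/cryptsetup/passfifo" '?*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it with, for instance, check_ip_line "$(grep '^IP=' /etc/initramfs-tools/initramfs.conf)" inside the chroot before update-initramfs.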
Run this command to ensure the driver of your network interface is loaded within the initramfs, so that the network can be brought up there (change eth0 to your actual network interface name if necessary):
grep DRIVER= /sys/class/net/eth0/device/uevent | cut -d= -f2 >>/etc/initramfs-tools/modules
Rebuild the initramfs:
update-initramfs -u
The file /etc/network/interfaces needs a little tweaking to ensure the network is set up properly once the system takes over from the initramfs. Inside the section corresponding to your network interface (such as eth0, as said above), you must add the following line as a pre-up hook, so that the addresses configured by the initramfs are flushed before the interface is configured again (again, replace eth0 by your actual network interface if necessary):
pre-up ip addr flush dev eth0
Exit the shell; you will have to type exit three times.
Select "Finish the installation".
Reboot the server when the installation is complete. When the initramfs starts, it should set up its network configuration and start the dropbear SSH server.
Unlock the root disk from your machine using this command (a separate known_hosts file is used because the dropbear host key of the initramfs differs from the host key of the installed system; note that a passphrase typed on the command line ends up in your local shell history):
echo -n yourpassphrase|ssh -o UserKnownHostsFile=~/.ssh/known_hosts.initramfs root@yourserver
The system will start up as soon as the root disk has been successfully unlocked. Once it has finished booting, it is possible to log in using:
ssh username@yourserver