Compaq Evo N800v & Debian 8 (Jessie)

How to get Debian 8 (Jessie) running properly on an ancient Compaq Evo N800v machine

Installing required packages:

aptitude install firmware-amd-graphics

The touchpad works out of the box; enable tap-to-click and scrolling in the mouse settings of the MATE desktop.

Unresolved issues

  • Standby occasionally freezes the cursor
  • Hibernation results in graphics glitches

Backup with rsnapshot

Backup concept

A backup server that can be woken via wake-on-LAN pulls data from the live servers with rsnapshot. Waking it, running the backup, and shutting it down again are triggered from one designated live server. Because the backup server pulls, the live servers need no credentials for the snapshot store; only the designated controller holds a key to the backup server, and that key should be limited to the wake/backup/shutdown commands it needs.

Key generation and automated login

First create the SSH key with which the backup server authenticates to the live servers: on the backup server run ssh-keygen -b 4096 -f backup_auth. Leave the passphrase empty (nobody is there to type it during an unattended run), which is exactly why the key's rights are restricted later on. Append the generated backup_auth.pub to /root/.ssh/authorized_keys on each live server to enable the automated login; later the key will be limited to rsync only for safety. Check that the live server's /etc/ssh/sshd_config sets PermitRootLogin without-password (spelled prohibit-password on OpenSSH 7.0 and newer, both names are accepted there) so that a first connection test from the backup server succeeds. Do the same in the opposite direction for the live server that will later control the backup server.

Rsnapshot

Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to at least the following (see the comments in the config file for explanations). Note that rsnapshot.conf separates keywords from values with tabs, not spaces; run rsnapshot configtest after editing to catch that and other mistakes before the first automated run:

snapshot_root <path>
no_create_root 1
cmd_ssh /usr/bin/ssh
retain ...
ssh_args -i /root/.ssh/backup_auth

# live server directories
backup root@server.local:/etc/ ./
backup root@server.local:/home/ ./
[...]

Limiting rights of automated login

On Debian 8/9 the script ships compressed, so extract rrsync.gz (restricted rsync) from /usr/share/doc/rsync/scripts; on Debian 10 copy the plain rrsync from the same directory. Either way install it as /usr/local/bin/rrsync and make it executable. The backup key can now be restricted in /root/.ssh/authorized_keys: prefix its entry with command="/usr/local/bin/rrsync -ro /", so that whatever the client asks to run, sshd executes rrsync instead, which only permits read-only rsync transfers below /. Keep in mind that this is still read access to the whole filesystem as root (including /etc/shadow and the host keys), so the backup server and the key file must be protected accordingly. Further restrictions are added after the command option:

command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...

Additionally change PermitRootLogin in the live server's /etc/ssh/sshd_config to forced-commands-only, so that root can only log in with keys that carry a command= option. On OpenSSH 7.2 and newer (Debian 9 onwards) the single option restrict can replace the list of no-* options; it also covers restrictions introduced in later releases. If the same setting is used on the backup server, the controlling live server's key there needs a command= prefix as well.
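The live-server side of the steps above as one script (an added example, not code from the original page): it installs rrsync, appends the restricted authorized_keys entry for the backup server's key, and switches PermitRootLogin to forced-commands-only. It assumes the backup server's public key was copied to the live server as a file passed on the command line, and that the rsync package ships rrsync either gzipped (Debian 8/9) or plain (Debian 10) under /usr/share/doc/rsync/scripts; the script name and the sshd_config handling are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: restrict the backup key on
# a live server. Assumes the backup server's public key is available locally
# (path given as $1) and that Debian's rsync package ships rrsync or rrsync.gz
# under DOCDIR.
set -eu

RRSYNC=/usr/local/bin/rrsync
DOCDIR=/usr/share/doc/rsync/scripts
AUTH_KEYS=/root/.ssh/authorized_keys
SSHD_CONFIG=/etc/ssh/sshd_config
# Side channels the backup key does not need: no tty, no forwarding, no ~/.ssh/rc.
KEY_OPTS='no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc'

# Install rrsync from the docs dir ($1) to $2, whichever form the release ships.
install_rrsync() {
    src_dir=$1 dest=$2
    if [ -f "$src_dir/rrsync.gz" ]; then
        gunzip -c "$src_dir/rrsync.gz" > "$dest"
    elif [ -f "$src_dir/rrsync" ]; then
        cp "$src_dir/rrsync" "$dest"
    else
        echo "rrsync not found in $src_dir" >&2
        return 1
    fi
    chmod 0755 "$dest"
}

# Build the authorized_keys entry for one public key line ($1). sshd ignores
# whatever command the client requested and runs rrsync instead, which only
# allows read-only rsync transfers below "/".
restricted_key_line() {
    printf 'command="%s -ro /",%s %s\n' "$RRSYNC" "$KEY_OPTS" "$1"
}

# Append the restricted entry for the key in file $1 unless the same key
# material is already present (so a copy with a different comment is not added twice).
add_backup_key() {
    pub=$(head -n 1 "$1")
    key_material=$(printf '%s\n' "$pub" | awk '{ print $2 }')
    mkdir -p "$(dirname "$AUTH_KEYS")"
    touch "$AUTH_KEYS"
    chmod 0600 "$AUTH_KEYS"
    if grep -qF -- "$key_material" "$AUTH_KEYS"; then
        echo "key already present in $AUTH_KEYS" >&2
        return 0
    fi
    restricted_key_line "$pub" >> "$AUTH_KEYS"
}

# Set PermitRootLogin in sshd_config ($1) to forced-commands-only, replacing an
# existing (possibly commented-out) directive or appending one if there is none.
force_commands_only() {
    cfg=$1
    pattern='^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+[[:alnum:]-]+[[:space:]]*$'
    if grep -qE "$pattern" "$cfg"; then
        sed -E "s/$pattern/PermitRootLogin forced-commands-only/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        echo 'PermitRootLogin forced-commands-only' >> "$cfg"
    fi
}

# Usage on the live server: ./restrict-backup-key.sh /root/backup_auth.pub
if [ "$#" -gt 0 ]; then
    install_rrsync "$DOCDIR" "$RRSYNC"
    add_backup_key "$1"
    force_commands_only "$SSHD_CONFIG"
    echo "validate with 'sshd -t', then reload sshd" >&2
fi
```

Run sshd -t before reloading: a typo in sshd_config locks you out of a headless box, and forced-commands-only takes effect for every root key on the host, not just the backup one.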

Automation

Waking the backup server

wakeonlan [...]

Creating backups

ssh -i <keyfile> root@<backup-server> rsnapshot [...]

The keyfile is the one that authenticates the live server to the backup server (the reverse direction of backup_auth).

Shutting the backup server down

ssh -i <keyfile> root@<backup-server> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> root@<backup-server> /sbin/shutdown -h -t 1

Wake-on-LAN is re-armed with ethtool right before powering off because the setting does not reliably survive a power cycle; without it the next wakeonlan packet is ignored.
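The three steps above as one cron-driven script on the controlling live server (an added example, not code from the original page). The host name, MAC address, interface name and key path are constructed placeholders; it assumes wakeonlan is installed locally, that the backup server's host key is already in root's known_hosts (BatchMode refuses to prompt), and that rsnapshot, ethtool and shutdown are reachable as root there. DRY_RUN=1 prints the remote commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original page: wake the backup server,
# run rsnapshot on it, re-arm wake-on-LAN and power it off again.
# All names below are placeholders to be replaced with the real values.
set -eu

BACKUP_HOST=${BACKUP_HOST:-backup.local}      # assumed name of the backup server
BACKUP_MAC=${BACKUP_MAC:-00:11:22:33:44:55}   # constructed; use the real MAC
BACKUP_IF=${BACKUP_IF:-eth0}                  # NIC to re-arm for wake-on-LAN
CTL_KEY=${CTL_KEY:-/root/.ssh/backup_ctl}     # assumed key: live -> backup server
RETAIN_LEVEL=${1:-daily}                      # rsnapshot interval to run
WAIT_SECS=${WAIT_SECS:-180}                   # how long to wait for sshd after WoL
DRY_RUN=${DRY_RUN:-0}                         # 1 = print the commands instead

# Every remote step goes through here; BatchMode keeps an unattended run from
# hanging on a password or host-key prompt.
remote() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ssh root@$BACKUP_HOST $*"
        return 0
    fi
    ssh -i "$CTL_KEY" -o BatchMode=yes -o ConnectTimeout=10 "root@$BACKUP_HOST" "$@"
}

wake_backup() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "wakeonlan $BACKUP_MAC"
        return 0
    fi
    wakeonlan "$BACKUP_MAC"
}

# Poll until sshd answers instead of sleeping a fixed time, and give up eventually.
wait_for_backup() {
    [ "$DRY_RUN" = 1 ] && return 0
    elapsed=0
    until remote true 2>/dev/null; do
        elapsed=$((elapsed + 10))
        if [ "$elapsed" -ge "$WAIT_SECS" ]; then
            echo "backup server did not come up within ${WAIT_SECS}s" >&2
            return 1
        fi
        sleep 10
    done
}

run_backup() {
    remote rsnapshot "$RETAIN_LEVEL"
}

# Re-arm WoL before powering off. ssh reports an error when shutdown drops the
# connection, so that last step must not abort the script.
suspend_backup() {
    remote /sbin/ethtool -s "$BACKUP_IF" wol g
    remote /sbin/shutdown -h now || true
}

# Returns rsnapshot's status, but always tries to shut the box down again.
backup_cycle() {
    wake_backup
    wait_for_backup
    if run_backup; then status=0; else status=$?; fi
    suspend_backup
    return "$status"
}

# Usage from cron: /usr/local/sbin/backup-cycle.sh daily
if [ "$#" -gt 0 ]; then
    backup_cycle
fi
```

Because the backup server is powered off most of the time, a failed wake-up is the most common failure; the timeout in wait_for_backup turns it into a non-zero exit that cron mails out rather than a job that hangs forever.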

Remotely unlocking LUKS encrypted headless system

Define a fixed IP address for the initramfs in /etc/initramfs-tools/initramfs.conf, otherwise the initramfs tries to get an address via DHCP. The IP= value follows the kernel's ip= format client:server:gateway:netmask:hostname:device:autoconf; from Debian Stretch onwards eth0 has to be replaced by the predictable name of the actual network card, such as enp3s0:

DEVICE=eth0
IP=192.168.33.33:::255.255.255.224::eth0:off

Install dropbear; the package hooks itself into the initramfs and rebuilds the initramfs image as part of the installation:

apt-get install dropbear
  • For Debian Stretch/Buster the installation ends with the warning: dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work! The reason is that dropbear no longer generates a key pair for you. Copy your own public key into /etc/dropbear-initramfs/authorized_keys and run update-initramfs -u, which should no longer print the warning. If you generated a dedicated key pair on the server for this purpose, move its private key to the client machine you will unlock from. To get rid of the host-key-mismatch warnings (the dropbear in the initramfs has a different host key than the booted system's OpenSSH on the same address, so the two collide in known_hosts), let dropbear listen on a different port by setting DROPBEAR_OPTIONS="-p 2222 -s -j -k -I 30" in /etc/dropbear-initramfs/config: -s disables password logins, -j and -k disable local and remote port forwarding, and -I 30 closes idle sessions after 30 seconds. Additionally set IFDOWN=none in the same file so the network configuration set up by the initramfs is kept; this later lets opensmtpd start cleanly on boot (otherwise it complains that the network device it should listen on is missing). Run update-initramfs -u to activate these settings for the next reboot.
  • For Debian Jessie copy the newly generated private key /etc/initramfs-tools/root/.ssh/id_rsa to a client machine; its public key has already been placed in the initramfs' authorized_keys.

Add the following to the client's ~/.ssh/config. Using the dropbear port keeps its host key apart from the booted system's entry in known_hosts, because ssh records non-default ports as [host]:port; an alternative that also works on port 22 is a dedicated UserKnownHostsFile for this alias:

Host debian_unlock
  User root
  Hostname 192.168.33.33
  # 2222 if DROPBEAR_OPTIONS sets -p 2222 as above (Stretch/Buster), else 22;
  # ssh_config does not allow comments at the end of a directive line
  Port 22
  IdentityFile path/to/previously/copied/private_key

To unlock the drives on boot-up, ssh debian_unlock into the system. ps shows the cryptsetup command the initramfs is waiting on:

# ps
124 root /sbin/dropbear
133 root {cryptroot} /bin/sh /scripts/local-top/cryptroot
138 root /lib/cryptsetup/askpass Please unlock disk sda5_crypt:
139 root /sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/715ac060-2efc-491a-9c96-6898e18c01bd sda5_crypt --key-file=-

Paste that cryptsetup command into the ssh session; since it now runs on a terminal it asks for your passphrase and unlocks the drive.

Debian Jessie: the askpass process still blocks the boot, because it keeps waiting for input on the boot console that nobody sees; kill -9 it (PID 138 in the listing above) to let the boot continue.

Debian Buster: run cryptroot-unlock instead; it asks for the passphrase and the boot continues by itself afterwards (the script is also present on Stretch).
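A client-side unlock script covering both variants (an added example, not code from the original page). It uses the debian_unlock alias from the ssh config above, waits for dropbear to come up, and then either runs cryptroot-unlock (Stretch/Buster) or, on Jessie, extracts the pending cryptsetup command from the ps listing, runs it on a tty so it prompts for the passphrase, and kills askpass. The separate known_hosts file for the initramfs host key and the script name are this example's own choices; the SAMPLE_PS listing is a copy of the one shown above so the parsers can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original page: unlock a headless LUKS root
# over the initramfs dropbear. Assumes the "debian_unlock" alias from ~/.ssh/config
# and that the initramfs host key is trusted in a dedicated known_hosts file.
set -eu

UNLOCK_HOST=${UNLOCK_HOST:-debian_unlock}
KNOWN_HOSTS=${KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts_initramfs}
WAIT_SECS=${WAIT_SECS:-120}

# Copy of the listing shown on the page, for trying the parsers offline.
SAMPLE_PS='124 root /sbin/dropbear
133 root {cryptroot} /bin/sh /scripts/local-top/cryptroot
138 root /lib/cryptsetup/askpass Please unlock disk sda5_crypt:
139 root /sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/715ac060-2efc-491a-9c96-6898e18c01bd sda5_crypt --key-file=-'

# All connections to the initramfs use their own known_hosts file, so the
# dropbear host key never collides with the booted system's OpenSSH key.
dssh() {
    ssh -o "UserKnownHostsFile=$KNOWN_HOSTS" "$@"
}

# Pick the pending cryptsetup invocation out of the busybox ps listing on stdin:
# drop the PID and user columns and keep the line whose command is cryptsetup.
cryptsetup_cmd_from_ps() {
    awk '$3 ~ /\/cryptsetup$/ { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# PID of the askpass process that keeps waiting on the console (Jessie).
askpass_pid_from_ps() {
    awk '$3 ~ /\/askpass$/ { print $1; exit }'
}

# Poll until dropbear accepts the key; BatchMode means the host key must
# already be in KNOWN_HOSTS (record it with one manual connection first).
wait_for_dropbear() {
    elapsed=0
    until dssh -o BatchMode=yes -o ConnectTimeout=5 "$UNLOCK_HOST" true 2>/dev/null; do
        elapsed=$((elapsed + 5))
        if [ "$elapsed" -ge "$WAIT_SECS" ]; then
            echo "no dropbear on $UNLOCK_HOST within ${WAIT_SECS}s" >&2
            return 1
        fi
        sleep 5
    done
}

unlock() {
    wait_for_dropbear
    # Stretch/Buster: cryptroot-unlock prompts on the ssh tty and boot resumes.
    if dssh "$UNLOCK_HOST" command -v cryptroot-unlock >/dev/null 2>&1; then
        dssh -t "$UNLOCK_HOST" cryptroot-unlock
        return 0
    fi
    # Jessie: run the same cryptsetup command the initramfs is waiting on; with
    # -t it reads the passphrase from the terminal instead of stdin. Then kill
    # askpass so the stalled boot script continues.
    listing=$(dssh "$UNLOCK_HOST" ps)
    cmd=$(printf '%s\n' "$listing" | cryptsetup_cmd_from_ps)
    pid=$(printf '%s\n' "$listing" | askpass_pid_from_ps)
    if [ -z "$cmd" ]; then
        echo "no pending cryptsetup found in ps output" >&2
        return 1
    fi
    dssh -t "$UNLOCK_HOST" "$cmd"
    [ -z "$pid" ] || dssh "$UNLOCK_HOST" kill -9 "$pid"
}

# Usage: ./remote-unlock.sh [host-alias]
if [ "$#" -gt 0 ]; then
    UNLOCK_HOST=$1
    unlock
fi
```

Before the first use, connect once by hand with the same UserKnownHostsFile option and compare the presented fingerprint with the one of the host key under /etc/dropbear-initramfs on the server; after that, BatchMode refuses silently if the key ever changes, which is the behaviour you want for a host that is about to receive a disk passphrase.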