I am trying to set up an encrypted Raspberry Pi running Kali with the capability of remote SSH in case it stalls/reboots/etc (as described here (https://www.kali.org/tutorials/secure-kali-pi-2018/)). The Kali running on an encrypted partition works fine as long as I can locally log in. But when trying to login using SSH via DropBear as per the Kali instructions:

root@kali:~# ssh-o"UserKnownHostsFile /dev/null" [email protected]

I get:

[email protected]: Permission denied (publickey)

I found a bug report (https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1645555) that suggests it has to with the DropBear script, so I tried:

Code:
nano /usr/share/initramfs-tools/hooks/dropbear
and replacedCode:
`home=$(mktemp -d "$DESTDIR/root-XXXXXX")`

with

Code:
home="$DESTDIR/root"
mkdir -p $home


But the error persists.

Anyone able to help on this? Or someone have this working???

So I was able to find (what I believe to be) the error in the Kali 2018 instructions. Basically, it tells you what the authorized_keys (at sudo nano /etc/dropbear-initramfs/authorized_keys) should look like, but it doesn't tell you how to create and append your dropbear id_rsa keys.


Here is what I did (from htps://github.com/chadoe/luks-triple-unlock/blob/master/install.sh):

ssh-keygen -t rsa -N '' -f /etc/dropbear-initramfs/id_rsa #creates the dropbear id_rsa keys
cat /etc/dropbear-initramfs/id_rsa/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys


After I did that and completed the rest of the instructions, I can ssh in to the encrypted Pi and get it to boot using dropbear, but only from within the same network, using:



ssh -o "UserKnownHostsFile /dev/null" [email protected]


or (after copying the private keys from the Pi's dropbear to the client at ~/.ssh/):



ssh -i /home/root/.ssh/id_rsa [email protected]


What I can't do, and want to do, is be able to remote in at the dropbear boot stage from a different or remote network, like:



ssh -o "UserKnownHostsFile /dev/null" [email protected] -p 5555


I have ssh set up so that if the Pi is already booted and past the encryption, I can access the Pi from a different network using:



ssh -X [email protected] -p 5555


So I don't get why ssh works for the Pi remotely after boot using the same port, but does not work for the Pi remotely before boot, during the dropbear stage.

Thanks @TheRoark, this was helpful to me:
Code:
ssh-keygen -t rsa -N '' -f /etc/dropbear-initramfs/id_rsa #creates the dropbear id_rsa keys
cat /etc/dropbear-initramfs/id_rsa/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys

Sure @3dog. Does anyone happen to know how to get this working from outside the network? That's the key issue at this point.