[Pkg-cryptsetup-devel] Bug#465902: Bug#465902: cryptroot remote unlocking on boot feature
debian at x.ray.net
Wed Feb 27 16:41:36 UTC 2008
hi!
jonas wrote:
>>> That would mean to have a 'killall cryptsetup' at the end of every
>>> cryptroot execution.
>>
>> right. i think that's ok.
>
> Not sure. It's ok in a common setup, but what about users who use custom
> scripts in their initrd which invoke cryptsetup as well. sure, sounds
> like a corner case, but I still don't like the idea to kill every
> cryptsetup process per default in cryptroot initramfs script.
actually the console cryptroot instance (or actually: all) should be
killed by the (shell) cryptroot instance after successful completion.
as this already means the boot process will continue, the killall
cryptsetup could be spared. but this means that in case of unlocking
from remote, this would produce a dangling cryptsetup... so i guess the
killall cryptsetup would still be nicer. theoretically there shouldn't
be any valid cryptsetups left after one of the cryptroots finished.
killing the cryptroots and their child processes would be most elegant i
guess, but i wasn't able to find such a solution with the means
available in initramfs...
also, in this scenario, the check for existence of the crypttarget isn't
necessary anymore, so this change can be spared too.
i attached a new patch according to this.
david wrote:
> The addition of "[ "`tty`" == "/dev/console" ]" I did not quite
> understand. What was the purpose there? Manual invocations of the
> cryptsetup initramfs script I assume?
correct. taking care the splash-stuff is done exclusively by the
instance running on the console.
> As for the rest of the patch, I am still not convinced.
the killall cryptsetup/cryptroot? while i, too, would certainly prefer
to kill exactly the pid of the cryptsetup i'm looking for, in the
absence of means allowing this (afaik), i personally think a killall
would be acceptable (and preferable to just letting cryptsetup hang
around doing nothing) at this point.
> On the other hand, I already have some code for a simple program (in C)
> that automatically uses usplash or console to get a passphrase from a
> user. Perhaps it is time to dust it off, add fifo as a third input method
> and add it to cryptsetup.
right, i guess in c this could be done, one thread could read from stdin
while another thread reads from the fifo. and atomicity/locking should
be less of an issue there.
> It should make writing keyscripts simpler and should allow this ssh
> support to be written as a keyscript...in addition, we could remove some
> special cases from the initramfs script as that binary could be used as
> the keyscript when no particular keyscript has been defined (meaning we
> always run a "keyscript" and can move some of the usplash special cases
> from the initramfs script).
right, in this case the 'calling cryptsetup and typing in the password'
case would be one (standard/default/shipped) keyscript (that's what i
meant by 'removing the non-keyscript cryptsetup part' from the
cryptroot-script).
> I have exams on 4:th, 5:th, 6:th and 12:th of March, so I won't have time
> to hack on that for another week or two though (not intended to try your
> patience Chris :))
well, no prob for me, as i've got working packages (now even supporting
multiple crypttargets! ;) ) i'm using for etch and lenny installations
for quite a while now...
i just thought this is certainly an issue for quite some people out
there... i wondered what the cases-per-day rate of incidents where
somebody sits some hundreds or thousands of kilometers away from his
box that waits for his cryptroot passphrase at the console might be...
so i felt kind of obliged to provide the solution and the corresponding
amount of work to the community, too. i guess i can rest my conscience
now... :)
> On an unrelated note...what host key does the dropbear daemon use in the
> initramfs?
in the current dropbear patch the mkinitramfs takes the host- and
authentication-keys from /etc/initramfs-tools and copies them to the
initramfs.
if they aren't already there, the mkinitramfs run will create them.
i.e. the installer could create them on installation, they can be
exchanged as needed, and they don't change over mkinitramfs-runs.
to log in, the secret authentication key from /etc/initramfs-tools is
needed (and the hostkey should be compared/fingerprint checked/added to
known_hosts).
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptsetup_2:1.0.6~pre1-1.x.diff
Type: text/x-patch
Size: 2735 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20080227/27f4b9b6/attachment.bin
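The stdin-plus-FIFO passphrase reader david sketches above, written out as an added example in C (not code from this thread or from the cryptsetup package): a single process polls the console and a FIFO fed by the remote ssh session and takes the passphrase from whichever delivers it first, so no second prompt is left dangling and no killall is needed afterwards. The function names, the pipes standing in for the console and the FIFO, and the passphrase "secret" are constructed for the demo; a real initramfs would open the FIFO's read end non-blocking.

```c
#include <poll.h>
#include <string.h>
#include <unistd.h>

enum { SRC_NONE = -1, SRC_CONSOLE = 0, SRC_FIFO = 1 };

/* Wait up to timeout_ms (-1 = forever) for a line on console_fd or fifo_fd.
 * The first descriptor that becomes readable wins; its line (newline
 * stripped) is copied to buf. One process watches both sources, so nothing
 * is left waiting once the passphrase has arrived from either side.
 * Returns the winning source, or SRC_NONE on timeout, EOF or error. */
int read_passphrase(int console_fd, int fifo_fd, char *buf, size_t len,
                    int timeout_ms)
{
    struct pollfd fds[2] = {
        { .fd = console_fd, .events = POLLIN },
        { .fd = fifo_fd,    .events = POLLIN },
    };
    if (poll(fds, 2, timeout_ms) <= 0)
        return SRC_NONE;
    for (int i = 0; i < 2; i++) {
        if (!(fds[i].revents & POLLIN))
            continue;
        ssize_t n = read(fds[i].fd, buf, len - 1);
        if (n <= 0)
            return SRC_NONE;
        buf[n] = '\0';
        buf[strcspn(buf, "\r\n")] = '\0';   /* drop the trailing newline */
        return i;
    }
    return SRC_NONE;
}

/* Demo: two pipes stand in for the console and the FIFO; the constructed
 * passphrase "secret" is delivered on the remote (FIFO) side only. */
static char last_passphrase[256];

int demo_remote_unlock(void)
{
    int console[2], fifo[2];
    const char *remote_input = "secret\n";   /* constructed sample input */
    if (pipe(console) < 0 || pipe(fifo) < 0)
        return SRC_NONE;
    if (write(fifo[1], remote_input, strlen(remote_input)) < 0)
        return SRC_NONE;
    int src = read_passphrase(console[0], fifo[0], last_passphrase,
                              sizeof last_passphrase, 1000);
    close(console[0]); close(console[1]); close(fifo[0]); close(fifo[1]);
    return src;   /* SRC_FIFO here: the remote session delivered it */
}
```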