[pkg-cryptsetup-devel] Bug#611897: Bug#611897: cryptsetup: tries should default to 0, at least for devices required to boot
Jonas Meurer
jonas at freesources.org
Fri Feb 4 11:30:58 UTC 2011
Hey Christoph,
On 04/02/2011 Christoph Anton Mitterer wrote:
> On Fri, 2011-02-04 at 00:11 +0100, Jonas Meurer wrote:
> > for security reasons
> Which are these?
the same as for every login system that locks after X failed retries.
simply the reason, that invaders don't have infinitive retries to guess
the passphrase.
and yes, this is no real security, as anybody with physical access will
just take the harddisk and use his own operating system for attacking
the encryption. but another common szenario (especially for laptops) is,
that someone around tries to guess the passphrase while you're not at
home, on toilet, whatever. and for this szenario, the default of three
retries is sane.
> > and since cryptsetup upstream has a default of
> > three retries
> Well because upstream cryptsetup just doesn't have any direct support
> for booting encrypted root-fs-systems.
>
> I've just thought that change would be a convenience setting for those
> users, where setting anything else then =0 doesn't make sense anyway.
i guess i don't get that argument. if i got it right, then simply turn
it around: the current default is a convenience setting for those users
who're happy with it.
to be honest, neither the arguments for, nor against the change of
default retries (at initramfs) are very strong. it's a matter of taste
to me. if more users will complain, then I'm happy to change the
default. is that ok for you?
greetings,
jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20110204/72763792/attachment.pgp>
More information about the pkg-cryptsetup-devel
mailing list