[pkg-cryptsetup-devel] Bug#611897: Bug#611897: cryptsetup: tries should default to 0, at least for devices required to boot

Christoph Anton Mitterer calestyo at scientia.net
Fri Feb 4 11:37:37 UTC 2011


On Fri, 2011-02-04 at 12:30 +0100, Jonas Meurer wrote:
> the same as for every login system that locks after X failed retries.
> simply the reason, that invaders don't have infinite retries to guess
> the passphrase.

if that's a system booting from an encrypted root,... you likely don't
have any network at that point (apart from the fact that networking is
typically not supported by the keyscripts anyway).

if an attacker has direct access (or serial console) he can reboot the
system anyway as often as he wants.

> and yes, this is no real security, as anybody with physical access will
> just take the harddisk and use his own operating system for attacking
> the encryption. but another common scenario (especially for laptops) is,
> that someone around tries to guess the passphrase while you're not at
> home, on toilet, whatever.
That sounds very like security by obscurity... therefore we have the
iterations in dm-crypt, that trying takes so long that this isn't
useful.


> to be honest, neither the arguments for, nor against the change of
> default retries (at initramfs) are very strong. it's a matter of taste
> to me. if more users will complain, then I'm happy to change the
> default. is that ok for you?
Well it's also not a big issue for me, I rather considered that just
something cosmetic.
Cause if a user enters his root-fs-password 3 times wrong he can also
easily reboot.


Cheers,
Chris.