[pkg-cryptsetup-devel] Bug#537842: Configuration file

Jonas Meurer jonas at freesources.org
Sun Feb 13 12:39:21 UTC 2011


Hey,

On 12/02/2011 Rodolfo kix Garcia wrote:
> For the accessibility bug, probably a good idea is to write something like:
> 
> ACCESSIBILITY=YES
> or
> ACCESSIBILITY=BEEP

The more I think about this bug, the more I get the feeling that a clean
implementation is nearly impossible with the current design of cryptroot
and cryptdisks.

With the current design we have two options for the beep before the
passphrase prompt:

1) patch askpass to support beep before passphrase prompt when
   environment variable is set. this environment variable would need to
   be set in cryptdisks and cryptroot, preferably with the help of a
   crypttab option.

2) write a keyscript which beeps before invoking askpass.

Both solutions have the disadvantage that custom keyscripts which
provide custom passphrase prompts (e.g. openssl or gnupg) don't beep.
I guess we can ignore this for now.

In fact I prefer the first solution, which would mean in detail:

- add a crypttab option 'accessibility' or 'beep'
- set an environment variable ACCESSIBILITY or BEEP in parse_opts() of
  cryptdisks and parse_options() of cryptroot-script if the crypttab
  option is detected.
- patch askpass to beep before passphrase prompt when the environment
  variable is set. (Andrew, if I got you right, you have a patch ready
  for that part. Can you send it along?)

The bigger problem is the beep after the passphrase prompt. This cannot be
done by askpass, as askpass doesn't know whether unlocking the disk with
cryptsetup was successful or not.

The easiest solution would be something like
[ "$ACCESSIBILITY" ] && beep
for successful unlocking.

This introduces a dependency on beep, which is
1. in its own package -> new package dependency
2. in /usr/bin -> not available at cryptdisks_early
3. not in initramfs

Why not add some simple option to askpass which results in the
'success'-beep to prevent all extra dependencies? This would result in:

[ "$ACCESSIBILITY" ] && /lib/cryptsetup/askpass --success-beep

In the long term a clean pre- and post-hook interface should be added to
cryptdisks and cryptroot in order to support any custom pre- and post-
unlocking events.

greetings,
 jonas
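
The flow proposed in this message, sketched as an added example (not part of the original mail and not cryptsetup code). The function names are hypothetical, the option names 'accessibility' and 'beep' are the ones proposed above, and a terminal bell written with printf stands in for both the proposed askpass patch and the separate beep binary.

```shell
#!/bin/sh
# Added illustration: function names are hypothetical; the option names
# 'accessibility' and 'beep' are the ones proposed in the message.

# Return 0 if one crypttab line (<name> <device> <keyfile> <options>)
# carries the proposed option; this is the check that parse_opts() in
# cryptdisks and parse_options() in the cryptroot script would perform.
accessibility_requested() {
    case "$1" in ''|'#'*) return 1 ;; esac
    set -f                       # no globbing while splitting fields
    set -- $1                    # $4 is now the options field
    _old_ifs=$IFS; IFS=,
    set -- $4                    # one positional parameter per option
    IFS=$_old_ifs
    set +f
    for _opt in "$@"; do
        case "$_opt" in accessibility|beep) return 0 ;; esac
    done
    return 1
}

# Terminal bell on stderr, only when the environment variable is set.
# Assumption: printf '\a' replaces the separate 'beep' binary.
beep_bell() {
    [ -z "$ACCESSIBILITY" ] || printf '\a' >&2
}

# Beep before the prompt, run the unlock command given as arguments,
# and beep again only if it succeeded. The second beep has to live here
# because only the caller sees the unlock command's exit status.
unlock_with_beep() {
    beep_bell
    "$@" || return 1
    beep_bell
}

# Demo on a constructed crypttab line; 'true' stands in for a
# successful askpass | cryptsetup pipeline.
line='cdisk0_crypt /dev/sda2 none luks,accessibility'
if accessibility_requested "$line"; then
    ACCESSIBILITY=yes
    export ACCESSIBILITY
fi
unlock_with_beep true
```

The bell goes to stderr so that it never mixes with a passphrase passed along on stdout.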