[pkg-cryptsetup-devel] Bug#826122: crypttab's thrid field: documentation, quoting, multi-options

Christoph Anton Mitterer calestyo at scientia.net
Thu Jun 2 13:20:22 UTC 2016 

Package: cryptsetup
Version: 2:1.7.0-2
Severity: wishlist


Hi.

Perhaps this is rather an upstream thingy... or at least I think it
would also make sense to move the crypttab stuff itself upstream, after
all each distro has a crypttab.
(Which is why I'v CCed Milan)


I think it would make sense to re-designate crypttab's third field to
be the keyfile (i.e. when no keyscript is given and it isn't "none") OR
the keyscript's parameters.
Perhaps explaining it at least in the documentation.

The rationale behind is, that this field is typically what's used with
keyscripts to specify parameters for that script, which can also be
multiple parameters and not just filenames.

E.g. a keyscript for openpgp could get a device and pathname, where to
look for the openpgp encrypted key file,... or it could get a mode
where to retrieve the key from (file, smartcard) and then perhaps a
slot number, if there are more than one keys on the smartcard.
A keyscript that authenticates via ssh, could specify all kinds of ssh
options like server, trusted keys and so on.

As such I think, it would also make sense to a) clarify which
characters are allowed in the third filed (probably at least not tab
and space), and maybe even recommend a quoting schema and a syntax for
specifying multiple options, like
e.g. device=foo:pathname=bar:...
One could e.g. define that the option name is only allowed to have
alphanumeric characters, ".", "-", and "_", and everything after the =
would be %-encoded value.


Whether that quoting is already decoded and whether the options are
parsed and split by cryptsetup,... or whether this should be left off
as a duty to the respective keyscripts (thereby allowing them to use
different schemas) could be thought about.
But if it's not done automatically one could perhaps provide a small
helper binary, that takes the whole third field, and spits out the
split and decoded values, e.g. in --shell mode, as shell-escaped
variable asignments of the style
KEYSCRIPT_OPTION_<optionname>=value
KEYSCRIPT_OPTION_<optionname>=value
KEYSCRIPT_OPTION_<optionname>=value

The benefit would be, that this is made more uniform across keyscripts.


Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20160602/babf0fd3/attachment.bin>

More information about the pkg-cryptsetup-devel mailing list