[pkg-cryptsetup-devel] Bug#826127: cryptsetup: clarify crypttab tries option

Christoph Anton Mitterer calestyo at scientia.net
Thu Jun 2 14:01:55 UTC 2016


Package: cryptsetup
Version: 2:1.7.0-2
Severity: wishlist


Hey.

The crypttab's tries option is currently documented as this:
>tries=<num>
>The input of the passphrase is tried <num> times in case of
>failure. If you want to disable retries, pass “tries=1”.
>Default is 3. Setting “tries=0” will ask for the passphrase
>until a correct one has been submitted (infinitive retries).

However, AFAIU, it's not really the number of passphrase retries
but the number of keyscript retries (which happens to be passphrase
retries if no keyscript is given, keyfile=none (see #826124)
or keyscript=askpass).

a) I think it would be better if this is documented more like
   that, i.e. saying that it's the number of tries to set up
   a mapping, after executing the keyscript (+whatever that does)
   OR asking for a passphrase.

b) Further, I think it would be a good idea, to add an encouragement
   to the documentation for keyscript developers:
   Namely, that they may rather want to let people define
   *another* tries option as parameter within the third field
   (as e.g. proposed in 826122) than using tries.
   Why?
   Consider a keyscript that e.g. reads an openpgp encrypted
   key from some device, decrypts that via passphrase and feeds
   the output back into cryptsetup.
   That would e.g. involve mounting the device with the keyfile,
   reading a passphrase (e.g. askpass invoked by the keyscript
   itself), trying to decrypt, giving exit status.

   Now:
   If tries>1, it would do the whole procedure n times, while it
   would make possibly more sense to just do the askpass within
   the keyscript more times, cause doing the mount/read-file/
   unmount over again doesn't change the results,... it's the
   wrongly entered passphrase (within the keyscript) that matters.
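As an added illustration of point (b), here is a keyscript skeleton that is not part of the original mail or of Debian's cryptsetup. It mounts the key device once and repeats only the passphrase prompt and decryption, bounded by its own keytries=<n> parameter taken from the crypttab third field rather than by the crypttab tries option. Assumptions: the caller exports CRYPTTAB_KEY holding the third field in the constructed format "<device>:<path-on-device>[,keytries=<n>]", and /lib/cryptsetup/askpass and gpg are available at boot. The prompt and decrypt steps are passed into the retry loop as commands so the loop can be exercised offline with stand-ins.

```shell
#!/bin/sh
# Added example, not Debian cryptsetup's own keyscript code.
# Reads an OpenPGP-encrypted key file from a device and retries only the
# passphrase/decrypt step, controlled by a keyscript-specific "keytries=<n>"
# parameter in the crypttab third field, instead of the crypttab "tries"
# option (which would re-run the whole mount/read/unmount procedure).
# Assumed: CRYPTTAB_KEY is exported by the caller and has the constructed
# form "<device>:<path-on-device>[,keytries=<n>]"; askpass and gpg exist.

# Extract keytries=<n> from a comma-separated option list; default 3.
parse_keytries() {
    n=3
    oldifs=$IFS
    IFS=,
    for kv in $1; do
        case "$kv" in
            keytries=*) n="${kv#keytries=}" ;;
        esac
    done
    IFS=$oldifs
    echo "$n"
}

# retry_decrypt <tries> <prompt_cmd> <decrypt_cmd>
# Each attempt runs "<prompt_cmd> <attempt-no>" and pipes the passphrase it
# prints into <decrypt_cmd>, whose stdout (the key material) flows on to
# cryptsetup. Returns 0 on the first success, 1 after <tries> failures;
# tries=0 keeps asking, mirroring crypttab's own "tries=0" semantics.
retry_decrypt() {
    tries="$1"
    prompt="$2"
    decrypt="$3"
    attempt=1
    while :; do
        if "$prompt" "$attempt" | "$decrypt"; then
            return 0
        fi
        echo "keyscript: decryption failed (attempt $attempt)" >&2
        if [ "$tries" -ne 0 ] && [ "$attempt" -ge "$tries" ]; then
            return 1
        fi
        attempt=$((attempt + 1))
    done
}

# Production prompt: Debian's askpass helper, showing the attempt number.
prompt_askpass() {
    /lib/cryptsetup/askpass "Passphrase for $KEYFILE (attempt $1): "
}

# Production decrypt: gpg reads the passphrase from stdin (fd 0) and writes
# the decrypted key material to stdout.
gpg_decrypt() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$KEYFILE"
}

# Entry point when invoked by cryptsetup; skipped when CRYPTTAB_KEY is unset.
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    dev="${CRYPTTAB_KEY%%:*}"
    rest="${CRYPTTAB_KEY#*:}"
    case "$rest" in
        *,*) keypath="${rest%%,*}"; opts="${rest#*,}" ;;
        *)   keypath="$rest";       opts="" ;;
    esac
    mnt=$(mktemp -d) || exit 1
    mount -o ro "$dev" "$mnt" || { rmdir "$mnt"; exit 1; }
    KEYFILE="$mnt/$keypath"
    # Mount once; only the passphrase prompt and decryption are repeated.
    retry_decrypt "$(parse_keytries "$opts")" prompt_askpass gpg_decrypt
    rc=$?
    umount "$mnt"
    rmdir "$mnt"
    exit "$rc"
fi
```

With this layout a crypttab entry such as (constructed values) `cryptroot /dev/sda2 /dev/disk/by-label/KEYS:/keys/root.gpg,keytries=5 luks,keyscript=/path/to/this/script` would let the operator mistype the passphrase up to five times without the key device being remounted, while the crypttab tries option can stay at its default and only governs what happens if the keyscript itself gives up.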


Cheers,
Chris.


