[pkg-cryptsetup-devel] Bug#866786: unlock all crypto devices in cryptroot-unlock (remote SSH-based unlocking)

Guilhem Moulin guilhem at debian.org
Mon Jul 3 21:21:25 UTC 2017


On Sun, 02 Jul 2017 at 23:16:22 +0200, Guilhem Moulin wrote:
> On Sun, 02 Jul 2017 at 17:03:53 -0400, Antoine Beaupré wrote:
>> Maybe what is needed then is simply a patch to the motd to warn the user
>> the command may need to be called multiple times? Or just loop over the
>> devices as you suggested before?
> 
> I have implemented the latter already :-)  Not super happy about it as it
> relies on dropbear to clean up the session properly (also implemented,
> should be in dropbear-initramfs 2017.75-2), but it does the job.

Actually I came up with a better solution that doesn't rely on the
behavior of dropbear.  It passes my tests, but perhaps you could try it
as well?  Then we won't have to go through this again after the Buster
release ;-)

To test the new script [0] you need to copy it (with mode +x) to
/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock, update the
initramfs afterwards, and reboot (or hibernate + resume).

When its standard input is a TTY, the script should now wait until all
configured devices are unlocked, and prompt for passphrases when
required.  Since it exits on its own once it has detected that there is
nothing more to do, SSH sessions should be terminated cleanly (i.e., no
hang), at least when there is no shell involved.  (Well, a hang might
still occur as polling is racy, but it's merely convenience at stake and
it seems to work fine here with boot and resume.)

When its standard input is not a TTY the behavior is unchanged: the
whole standard input is dumped to the askpass FIFO, regardless of NUL
bytes or newlines (the TTY prompt above doesn't work with binary
passphrases), then the script exits.  Hence one needs to invoke it as
many times as there are devices to unlock.

-- 
Guilhem.

[0] https://anonscm.debian.org/cgit/pkg-cryptsetup/cryptsetup.git/tree/debian/initramfs/cryptroot-unlock