[pkg-cryptsetup-devel] Bug#866786: unlock all crypto devices in cryptroot-unlock (remote SSH-based unlocking)

Antoine Beaupré anarcat at debian.org
Mon Jul 3 23:08:52 UTC 2017


On 2017-07-03 23:21:25, Guilhem Moulin wrote:
> On Sun, 02 Jul 2017 at 23:16:22 +0200, Guilhem Moulin wrote:
>> On Sun, 02 Jul 2017 at 17:03:53 -0400, Antoine Beaupré wrote:
>>> Maybe what is needed then is simply a patch to the motd to warn the user
>>> the command may need to be called multiple times? Or just loop over the
>>> devices as you suggested before?
>> 
>> I have implemented the latter already :-)  Not super happy about it as it
>> relies on dropbear to clean up the session properly (also implemented,
>> should be in dropbear-initramfs 2017.75-2), but it does the job.
>
> Actually I came up with a better solution that doesn't rely on the
> behavior of dropbear.  It passes my tests, but perhaps you could try it
> as well?  Then we won't have to go through this again after the Buster
> release ;-)

Hehe.. That's a great idea! Any chance this could hit stretch as well?
Or would that be... stretching it? *rimshot*

> To test the new script [0] you need to copy it (with mode +x) to
> /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock, update the
> initramfs afterwards, and reboot (or hibernate + resume).

hibernate doesn't seem to work here for some reason, but rebooting works
perfectly. excellent job, thanks!

> When its standard input is a TTY, the script should now wait until all
> configured devices are unlocked, and prompt for passphrases when
> required.  Since it exits on its own once it has detected that there is
> nothing more to do, SSH sessions should be terminated cleanly (i.e., no
> hang), at least when there is no shell involved.  (Well, a hang might still
> occur as polling is racy, but it's merely convenience at stake and it
> seems to work fine here with boot and resume.)
>
> When its standard input is not a TTY the behavior is unchanged: the
> whole standard input is dumped to the askpass FIFO, regardless of NUL
> bytes or newlines (the TTY prompt above doesn't work with binary
> passphrases), then the script exits.  Hence one needs to invoke it as
> many times as there are devices to unlock.

from my perspective, I ssh into the box and call the script. it asks me
for the passwords one after the other without any noticeable delay, then
the script exits and shortly after the ssh session is killed.

good job. :)

thanks, i guess this is done? or do we need to document the "initramfs"
tag in crypttab better?

a.

-- 
Soyons réalistes, faisons l'impossible.
                        - Ernesto "Che" Guevara
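The two code paths Guilhem describes in the quoted message, as an added shell illustration that is not the cryptroot-unlock script from this bug report: on a TTY, prompt for the first pending device and repeat until nothing is pending, exiting on its own so the SSH session can close; otherwise copy the whole of stdin, NUL bytes and newlines included, to the askpass side once and exit. Everything is simulated under one state directory (an assumption for this example): a `targets` list, a `mapper/` directory of marker files standing in for /dev/mapper, and `keys/` holding constructed reference passphrases; `askpass_deliver` is a stand-in for the askpass FIFO consumer, and the bounded try budget is this example's way of never hanging.

```shell
#!/bin/sh
# Added illustration, not the cryptroot-unlock script from this thread.
# State directory layout (assumption): $1/targets, $1/mapper/, $1/keys/.
set -u

# Targets listed in $1/targets that have no $1/mapper/<name> entry yet.
pending_devices() {
    while IFS= read -r name; do
        [ -n "$name" ] && [ ! -e "$1/mapper/$name" ] && printf '%s\n' "$name"
    done <"$1/targets"
}

# Stand-in for the askpass FIFO consumer: the bytes in file $3 unlock
# target $2 when they match $1/keys/$2 byte for byte (binary keys work).
askpass_deliver() {
    cmp -s "$3" "$1/keys/$2" || return 1
    : >"$1/mapper/$2"
}

# TTY path: prompt for the first pending device, repeat until none is left.
# Returns 0 once everything is unlocked, 1 after $2 (default 5) failed tries
# or EOF on stdin, so a stuck session never hangs.
unlock_interactive() {
    tries=${2:-5}
    tmp=$(mktemp) || return 1
    while :; do
        target=$(pending_devices "$1" | head -n 1)
        [ -n "$target" ] || { rm -f "$tmp"; return 0; }   # nothing more to do
        [ "$tries" -gt 0 ] || { rm -f "$tmp"; return 1; }
        tries=$((tries - 1))
        printf 'Please unlock disk %s: ' "$target" >&2
        IFS= read -r pass || { rm -f "$tmp"; return 1; }
        printf '%s' "$pass" >"$tmp"
        askpass_deliver "$1" "$target" "$tmp" || echo "wrong passphrase for $target" >&2
    done
}

# Non-TTY path: stdin is copied verbatim, as one passphrase, to the askpass
# side for the first pending device; run it once per device to unlock.
unlock_from_stdin() {
    target=$(pending_devices "$1" | head -n 1)
    [ -n "$target" ] || return 0
    tmp=$(mktemp) || return 1
    cat >"$tmp"
    if askpass_deliver "$1" "$target" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Entry point mirroring the script's dispatch on whether stdin is a terminal.
cryptroot_unlock_demo() {
    if [ -t 0 ]; then unlock_interactive "$1"; else unlock_from_stdin "$1"; fi
}

# Constructed sample state: two targets, the second with a NUL in its key.
make_sample_state() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/mapper" "$dir/keys"
    printf 'root_crypt\ndata_crypt\n' >"$dir/targets"
    printf 'correct horse' >"$dir/keys/root_crypt"
    printf 'bin\000key' >"$dir/keys/data_crypt"
    printf '%s\n' "$dir"
}
```

Running `cryptroot_unlock_demo "$(make_sample_state)"` from a terminal walks the prompt loop; piping a key into it takes the single-shot path instead, which is why a binary passphrase has to be fed once per device.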