[pkg-cryptsetup-devel] Scripting hooks for entering a password
Guilhem Moulin
guilhem at debian.org
Thu Jun 22 23:49:43 UTC 2017
Hi Shawn,
On Wed, 21 Jun 2017 at 17:13:45 -0230, Shawn Rose wrote:
> In short, there isn't really a 'good' way to wait for the password request
> from the cryptroot script and act upon it: right now, I have been using a
> subshell with a loop and sleep calls to check to see if the
> ask-for-password/askpass processes are running, and if they are to scrape
> and find which disk they are attempting to unlock, before piping the
> correct password to /lib/cryptsetup/passfifo.
I tried to write something like this for remote cryptroot unlocking
using the dropbear SSH server:
https://anonscm.debian.org/cgit/pkg-cryptsetup/cryptsetup.git/tree/debian/initramfs/cryptroot-unlock
https://anonscm.debian.org/cgit/collab-maint/dropbear.git/tree/debian/initramfs/premount-dropbear
https://anonscm.debian.org/cgit/collab-maint/dropbear.git/tree/debian/README.initramfs
Basically, the premount script forks dropbear sshd in the background as
soon as possible; by using command="/bin/cryptroot-unlock" as
authorized_keys(5) option, users can either enter the password at the
initramfs shell or through ssh.
I couldn't avoid searching for askpass through the process list either,
though :-/
> One problem with the way it works now (Of course discarding the whole
> subshell business and how I have to grep ps and then /proc/pid/cmdline to
> get the disk path)
The disk name and source are respectively found in the askpass process'
CRYPTTAB_NAME and CRYPTTAB_SOURCE environment variables.
> is that if clevis fails to get the password and the user enters a
> password manually, then after a while the script will close out the
> subshell saying that sleep can't be found.
Do you have busybox installed? It provides sleep; we'll soon split the
cryptsetup package so the initramfs integration can require busybox.
Cheers,
--
Guilhem.
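As an added illustration of the CRYPTTAB_NAME/CRYPTTAB_SOURCE point above (example code, not part of the cryptsetup or dropbear packages), the following POSIX sh snippet finds the askpass process in the initramfs and reads those variables from its /proc/<pid>/environ instead of scraping the command line; it assumes /proc is mounted and that busybox provides tr, sed and head:

```shell
#!/bin/sh
# Added example: report which crypttab entry askpass is currently waiting
# for, using the environment cryptsetup hands to askpass rather than
# grepping ps output. Assumes /proc is mounted (true in the initramfs).

# Print the value of variable $1 from a NUL-separated environ blob on stdin.
# Usage: env_var CRYPTTAB_NAME < /proc/<pid>/environ
env_var() {
    tr '\0' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Print "pid name source" for every running askpass process that carries a
# CRYPTTAB_NAME. Returns 0 if at least one was found, 1 otherwise, so a
# caller can poll it in a loop until cryptsetup actually asks for a key.
find_askpass() {
    found=1
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        # /proc/<pid>/comm holds the short process name; skip non-askpass.
        [ -r "$dir/comm" ] || continue
        case "$(cat "$dir/comm" 2>/dev/null)" in
            askpass) ;;
            *) continue ;;
        esac
        name=$(env_var CRYPTTAB_NAME < "$dir/environ" 2>/dev/null)
        [ -n "$name" ] || continue
        source=$(env_var CRYPTTAB_SOURCE < "$dir/environ" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "$name" "$source"
        found=0
    done
    return $found
}
```

Feeding the matching password to /lib/cryptsetup/passfifo, as the original post describes, is the step that would follow once find_askpass reports the entry you expect.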