[Pkg-systemd-maintainers] Bug#618862: Bug#618862: systemd: ignores keyscript in crypttab - possibilities to solve this issue

David Härdeman david at hardeman.nu
Thu Jul 4 21:09:36 BST 2013


On Tue, Jun 25, 2013 at 05:47:19PM +0200, Michael Biebl wrote:
>On 25.06.2013 13:13, Harald Jenny wrote:
>> Dear Michael Biebl,
>> 
>> following the systemd survey and discussion I think these mails might be
>> of interest to you concerning possible ways to solve the current issue
>> (not only in Debian but also SuSE/upstream interest).
>> 
>> http://lists.freedesktop.org/archives/systemd-devel/2012-June/thread.html#5693
>> http://lists.freedesktop.org/archives/systemd-devel/2012-July/thread.html#5835
>
>I personally don't own such hardware, and I never have used
>cryptsetup's keyscript support. So I'm probably not the most qualified
>to evaluate the situation.

You don't actually need any hardware though. A keyscript (for a testing
environment) could simply echo a fixed password and be used to decrypt a
loopback device.

>That said, reading the upstream discussion, I guess we have 3 options
>a/ do nothing about it
>b/ apply the patch from David Härdeman downstream and maintain it as
>a downstream patch forever
>c/ try to implement keyscript support based on the PasswordAgent interface
>
>a/ is obviously not very compelling. As for b/, we try to avoid
>downstream patches as much as possible.
>Regarding c/, I dunno how much effort that would be.
>
>Bringing David into the loop here. Maybe he has some further insight on
>this matter.

I still think it's too early to rule out option c). Contrary to what
some other people seem to think, I don't find Lennart difficult to work
with (not more so than any other average upstream).

It would probably be a lot of work though since a good solution would
probably need further additions to the PasswordAgent API (to name but
one problem, imagine a keyscript that would in turn fetch a key from a
smartcard and which needed to get the PIN from the user...it would in
effect require two calls through the PasswordAgent stack but only one
prompt - the one for the PIN - should be displayed to the user).

I don't believe that I will have the time to implement and drive a
change of that scope in the foreseeable future...

-- 
David Härdeman
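
Added example, not part of the original message or of any patch discussed in this thread: a small audit that lists the crypttab entries relying on keyscript=, i.e. the volumes affected by the behaviour in the bug title. It assumes the Debian crypttab layout (name, source, key field, options), where the third field is handed to the keyscript as its argument; the function names, the sample file and the path /usr/local/sbin/fixed-key are constructed for illustration.

```shell
#!/bin/sh
# Reads crypttab text on stdin and prints one line per entry that uses
# keyscript=, as: name<TAB>keyscript path<TAB>argument (third field).
list_keyscript_entries() {
    while read -r name source key opts _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$opts" ] || continue                   # entry has no options field
        rest="$opts,"
        # Walk the comma-separated options without touching IFS or globbing.
        while [ -n "$rest" ]; do
            opt=${rest%%,*}
            rest=${rest#*,}
            case "$opt" in
                keyscript=*)
                    printf '%s\t%s\t%s\n' "$name" "${opt#keyscript=}" "$key"
                    ;;
            esac
        done
    done
}

# Constructed sample crypttab (not taken from any real system).
sample_crypttab() {
    cat <<'EOF'
# <name>   <source>     <key>         <options>
cryptroot  /dev/sda2    none          luks
cryptdata  /dev/loop0   testkey       luks,keyscript=/usr/local/sbin/fixed-key
cryptswap  /dev/sda3    /dev/urandom  swap,cipher=aes-xts-plain64
EOF
}

# Stand-alone run over the sample; on a real host use:
#   list_keyscript_entries < /etc/crypttab
sample_crypttab | list_keyscript_entries
```

Any entry this prints depends on a keyscript to obtain its key, so it is worth checking how that volume is unlocked before switching the host's init system.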