Your message dated Fri, 24 Oct 2014 10:40:40 +0000
with message-id <e1xhcis-0001kb...@franck.debian.org>
and subject line Bug#656710: fixed in partman-crypto 77
has caused the Debian Bug report #656710,
regarding partman-crypto: Preseeding the passphrase
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
656710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: partman-crypto
Version: 49
Severity: wishlist
Tags: d-i patch
The passphrase should be preseedable for unattended installations. This
is possible in the Ubuntu version of this package since at least the end
of March 2010 (40ubuntu2). The attached patch is an independent
implementation of the same functionality.
Thoughts on security:
The preseeded passphrase should be considered insecure, depending on the
source of the preseed file. But if the administrator ensures that the
user changes the passphrase after the first login, this should still be
secure enough (maybe put a note about security into the preseed template
file?).
Currently tested on
http://ftp.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso
.
-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
Olaf Mandel <o...@mandel.name> <http://www.olaf.mandel.name/>
PGP key: 1024D/33398848 2002-09-19
Fingerprint: 0E33 BEA6 1A71 9C5E 62BD FC0E 99A7 D2C6 3339 8848
--- partman-crypto-49/blockdev-keygen.orig 2012-01-20 20:11:31.603528151 +0100
+++ partman-crypto-49/blockdev-keygen 2012-01-20 20:33:55.293528151 +0100
@@ -31,25 +31,24 @@
}
get_passphrase () {
- local pass_ok
+ local templ last_RET pass pass_ok
pass_ok=0
while [ $pass_ok -eq 0 ]; do
templ="partman-crypto/passphrase"
- db_set $templ ""
- db_fset $templ seen false
db_subst $templ DEVICE "$description"
db_input critical $templ
templ="partman-crypto/passphrase-again"
- db_set $templ ""
- db_fset $templ seen false
db_input critical $templ
db_go || return 1
- db_get partman-crypto/passphrase || RET=''
+ templ="partman-crypto/passphrase"
+ db_get $templ || RET=''
pass=$RET
+ db_set $templ ""
+ db_fset $templ seen false
if [ -z "$pass" ]; then
templ="partman-crypto/passphrase-empty"
db_fset $templ seen false
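Review bot: The move of `db_set $templ ""` and `db_fset $templ seen false` from before `db_input` to after `db_get $templ` is what lets a preseeded value survive, but no comment in the hunk says so. A one-line comment above `db_get $templ || RET=''` stating that the template must not be touched before `db_input` and is wiped as soon as it has been read would keep a later cleanup from moving the reset back. Declaring `templ` and `pass` on the new `local` line is a good catch, since the old line declared only `pass_ok`.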
@@ -57,8 +56,12 @@
continue
fi
- db_get partman-crypto/passphrase-again || RET=''
- if [ "$pass" != "$RET" ]; then
+ templ="partman-crypto/passphrase-again"
+ db_get $templ || RET=''
+ last_RET=$RET
+ db_set $templ ""
+ db_fset $templ seen false
+ if [ "$pass" != "$last_RET" ]; then
templ="partman-crypto/passphrase-mismatch"
db_fset $templ seen false
db_input critical $templ
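Review bot: The reset of partman-crypto/passphrase-again added here sits after the empty-passphrase `continue` at the top of the hunk, so on that path the confirmation value stays in the debconf database with its seen flag untouched, and the next iteration can compare a stale confirmation against a newly entered passphrase. Read and clear both templates directly after `db_go`, before the `-z "$pass"` check. A name such as `pass_again` would also read better than `last_RET` in the `if [ "$pass" != "$last_RET" ]` comparison.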
@@ -67,14 +70,15 @@
if passphrase_is_weak "$pass"; then
templ="partman-crypto/weak_passphrase"
- db_set $templ false
- db_fset $templ seen false
db_subst $templ MINIMUM $minlen
db_input critical $templ || true
db_go || true
db_get $templ || RET=''
+ last_RET=$RET
+ db_set $templ false
+ db_fset $templ seen false
- if [ "$RET" != true ]; then
+ if [ "$last_RET" != true ]; then
# user doesn't want to force weak passphrase
continue
fi
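Review bot: With the reset moved below `db_get $templ`, a preseeded `true` for partman-crypto/weak_passphrase passes the `[ "$last_RET" != true ]` test without anyone seeing the prompt, so a passphrase that `passphrase_is_weak` rejects is accepted silently. The patch adds no template text or log line covering that. Document in the template description that this answer can be preseeded and what it overrides, and consider logging when a weak passphrase is accepted this way.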
@@ -83,9 +87,6 @@
pass_ok=1
done
- db_set partman-crypto/passphrase ""
- db_set partman-crypto/passphrase-again ""
-
if [ $pass_ok -eq 1 ]; then
echo "$pass"
fi
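Review bot: Removing the two `db_set ... ""` lines after `done` leaves the in-loop resets as the only cleanup, and the `db_go || return 1` exit in the first hunk leaves the function before either reset runs. Since a preseeded passphrase can now be in the database on entry, clear both templates on that return path as well, or keep an unconditional clear that every exit goes through.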
--- End Message ---
--- Begin Message ---
Source: partman-crypto
Source-Version: 77
We believe that the bug you reported is fixed in the latest version of
partman-crypto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 656...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <k...@debian.org> (supplier of updated partman-crypto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 24 Oct 2014 12:00:46 +0200
Source: partman-crypto
Binary: partman-crypto partman-crypto-dm
Architecture: source amd64 all
Version: 77
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Cyril Brulebois <k...@debian.org>
Description:
partman-crypto - Add to partman support for block device encryption (udeb)
partman-crypto-dm - Add to partman support for dm-crypt encryption (udeb)
Closes: 656710
Changes:
partman-crypto (77) unstable; urgency=medium
.
* Cherry-pick bzr r693 from Ubuntu (partman-crypto/40ubuntu2), thanks
to Colin Watson:
- Allow preseeding the first passphrase prompt (LP: #546405).
(Preseeding passphrases for multiple different physical volumes is
a whole different kettle of fish ...)
* Cherry-pick bzr r695 from Ubuntu (partman-crypto/40ubuntu3), thanks
to Colin Watson:
- Allow preseeding partman-crypto/weak_passphrase too (LP: #546405).
* Add a security note in debian/partman-crypto.templates, documenting
the preseedability of the three extra items listed below, warning
against possible eavesdropping, and suggesting a proper key escrow
system (Closes: #656710):
- partman-crypto/passphrase
- partman-crypto/passphrase-again
- partman-crypto/weak_passphrase
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
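A defender-side check for the three items the changelog above lists as preseedable, as an added example that is not part of the partman-crypto upload or the original bug report: a POSIX shell audit that flags preseed lines carrying a cleartext passphrase or a pre-accepted weak-passphrase prompt, plus a rough classification of the transport for the eavesdropping concern. The function names, the sample preseed content and the example URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): audit a preseed file for the three
# partman-crypto items listed in the changelog.

# Constructed sample input; the passphrase value is a placeholder.
sample_preseed() {
    cat <<'EOF'
# constructed preseed fragment
d-i partman-auto/method string crypto
d-i partman-crypto/passphrase password CONSTRUCTED-not-a-secret
d-i partman-crypto/passphrase-again password CONSTRUCTED-not-a-secret
d-i partman-crypto/weak_passphrase boolean true
EOF
}

# Reads preseed lines (<owner> <question> <type> <value>) on stdin.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_preseed() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $2 ~ /^partman-crypto\/passphrase(-again)?$/ && NF >= 4 {
            printf "line %d: cleartext value for %s\n", NR, $2
            bad = 1
        }
        $2 == "partman-crypto/weak_passphrase" && $4 == "true" {
            printf "line %d: weak-passphrase prompt pre-accepted\n", NR
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Classify how the preseed file reaches the installer (assumed to be
# given as a URL or path); cleartext transports can be eavesdropped.
preseed_transport() {
    case $1 in
        https://*)                 echo encrypted ;;
        http://*|ftp://*|tftp://*) echo cleartext ;;
        file://*|/*)               echo local ;;
        *)                         echo unknown ;;
    esac
}

sample_preseed | audit_preseed || echo "preseed carries disk-encryption secrets"
echo "transport: $(preseed_transport http://example.invalid/preseed.cfg)"
```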