hi!

jonas wrote:
> The cryptunlock script will be recreated for every dm-crypt target that
> uses a passphrase. In other words, cryptunlock has to be invoked for
> every required passphrase. Am I correct here?

Yes, you are, and that made me realize that I had totally ignored the
multiple crypt targets scenario...

The cryptunlock script of course has to go through all targets, too.
Actually it would in the end have to do more or less the full
cryptroot-script run plus killing the console cryptroot-script after it
completed. So that means it's most straightforward to simply call the
cryptroot-script (and change this to work with random ttys).

As the current rationale is to continue with the boot process after all
targets were handled (and not necessarily successfully unlocked, which
can make sense if some of them are not vital for booting), a check that
all targets are unlocked is not needed.

I guess simply killing all cryptsetups is OK. So adding that killall to
the cryptroot-script should make another script superfluous.

So, now the command to unlock the crypttargets after logging in via
dropbear is simply /scripts/local-top/cryptroot itself.

david wrote:
> If you want both, it could still be done as a keyscript. Let the
> keyscript do the prompt and wait for user input, meanwhile the script

This means that in this case the non-keyscript cryptsetup part of the
cryptroot-script should consequently be removed?

> could also create a fifo and wait for input of a passphrase via that
> fifo in parallel.

> It might be harder to implement as a shell script...but it should be
> doable...something like "echo some_prompt > /dev/stdout; mkfifo
> /tmp/cryptpass; cat /dev/stdin /tmp/cryptpass | read REPLY" (haven't
> tested it so I can't be sure it works).

I don't think that will work...
I don't have any idea right now how this could be achieved in a simple
.sh way... (see 'console in screen or similar'...)

> The advantage is that there is no need to kill cryptsetup processes

Not having to kill a cryptsetup process would certainly be an advantage.
But after all I'd still say extending the non-keyscript functionality is
more straightforward.

> and no need to change cryptsetup initramfs scripts. The keyscript

I think the non-keyscript cryptsetup part would have to be removed (plus
probably a non-keyscript cryptsetup script would have to be added).

> could also write the name of the device it is currently waiting for a
> passphrase for to some file which the cryptunlock util could read so
> that it can provide a more user friendly prompt.

Well, that touches the point which jonas pointed out earlier; I totally
missed the multiple-crypttargets scenario...
I think that's fixed nicely.

Above the (1st try's) prompt line, the info about the target to be
unlocked should be printed.

        Chris
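The "unlock remotely, then kill the cryptsetup still prompting on the console" flow described above, as an added, constructed demonstration that is not code from the cryptsetup package or from the attached patch: a mock cryptsetup stands in for the real passphrase prompt, and the decision the patch makes with `[ -e /dev/mapper/$crypttarget ]` is tightened to "signal exit plus mapper node present", so a genuine failure next to a stale node is not reported as a background unlock. `MAPPER_DIR`, `mock_cryptsetup`, the passphrase and the fifo path are assumptions of this example.

```shell
#!/bin/sh
# Constructed stand-in for the "cryptsetup failed or was killed?" decision in
# the cryptroot-script; not code from the cryptsetup package. A mock
# cryptsetup blocks on stdin like the real passphrase prompt does.
MAPPER_DIR="${MAPPER_DIR:-$(mktemp -d)}"   # stands in for /dev/mapper

# Hypothetical mock of the passphrase prompt: reads one line, creates the
# mapper node on the right passphrase (exit 0), exits 2 otherwise.
mock_cryptsetup() {
    read -r pass || return 2
    [ "$pass" = "correct horse" ] || return 2
    : > "$MAPPER_DIR/$1"
}

# Classify one attempt: status 0 is a normal unlock; a signal exit (>128)
# with the mapper node present is the "unlocked in the background, console
# prompt killed" case; anything else (e.g. status 2 next to a stale node
# from an earlier run) stays a failure.
classify_attempt() {
    status=$1 target=$2
    if [ "$status" -eq 0 ]; then
        echo unlocked
    elif [ "$status" -gt 128 ] && [ -e "$MAPPER_DIR/$target" ]; then
        echo unlocked-in-background
    else
        echo failed
    fi
}

# Reproduce the remote-unlock sequence: the console prompt is parked on a
# fifo, the "dropbear shell" unlocks the same target, then the console
# prompt is killed (what `killall cryptsetup` does) and its status judged.
simulate_console_killed_after_remote_unlock() {
    target=$1 fifo="$MAPPER_DIR/.console-prompt.fifo"
    mkfifo "$fifo"
    mock_cryptsetup "$target" < "$fifo" &   # console prompt, blocked on stdin
    pid=$!
    exec 3> "$fifo"                         # hold the fifo open so read blocks
    echo "correct horse" | mock_cryptsetup "$target"   # the remote unlock
    kill -TERM "$pid"
    status=0; wait "$pid" || status=$?      # 143 = 128 + SIGTERM
    exec 3>&-; rm -f "$fifo"
    classify_attempt "$status" "$target"
}

simulate_console_killed_after_remote_unlock root   # prints unlocked-in-background
```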
diff -pruN cryptsetup-1.0.6~pre1.orig/debian/control cryptsetup-1.0.6~pre1/debian/control
--- cryptsetup-1.0.6~pre1.orig/debian/control	2008-02-18 16:30:14.000000000 +0100
+++ cryptsetup-1.0.6~pre1/debian/control	2008-02-18 13:56:29.000000000 +0100
@@ -12,7 +12,7 @@ Vcs-Svn: svn://svn.debian.org/svn/pkg-cr
 Package: cryptsetup
 Architecture: any
 Depends: ${shlibs:Depends}, dmsetup
-Suggests: udev, initramfs-tools (>= 0.91) | linux-initramfs-tool, dosfstools
+Suggests: udev, initramfs-tools (>= 0.91) | linux-initramfs-tool, dropbear, dosfstools
 Conflicts: cryptsetup-luks (<= 1.0.1-8), hashalot (<= 0.3-1)
 Replaces: cryptsetup-luks (<= 1.0.1-8)
 Description: configures encrypted block devices
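Review bot: The new `Suggests: ... dropbear ...` line has no accompanying documentation change; since dropbear is only useful here once the initramfs dropbear integration is configured, the package should say in README.Debian (or the long description) what the suggestion is for and how the remote unlock is invoked (`/scripts/local-top/cryptroot` from the dropbear shell, per the cover mail).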
diff -pruN cryptsetup-1.0.6~pre1.orig/debian/initramfs/cryptroot-script cryptsetup-1.0.6~pre1/debian/initramfs/cryptroot-script
--- cryptsetup-1.0.6~pre1.orig/debian/initramfs/cryptroot-script	2008-02-18 16:30:14.000000000 +0100
+++ cryptsetup-1.0.6~pre1/debian/initramfs/cryptroot-script	2008-02-18 16:25:06.000000000 +0100
@@ -188,20 +188,23 @@ setup_mapping()
 				return 1
 			fi
 			crypttarget="$crypttarget" cryptsource="$cryptsource" \
-			$cryptkeyscript $cryptkey < /dev/console 2> /dev/console | \
-			$cryptcreate --key-file=- > /dev/console 2>&1
+			$cryptkeyscript $cryptkey | $cryptcreate --key-file=-
 		elif [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then
 			usplash_write "INPUTQUIET Enter password for $crypttarget: "
 			PASS="$(cat /dev/.initramfs/usplash_outfifo)"
 			echo -n "$PASS" | $cryptcreate > /dev/null 2>&1
 		else
-			$cryptcreate < /dev/console > /dev/console 2>&1
+			$cryptcreate
 		fi
 
 		if [ $? -ne 0 ]; then
-			echo "cryptsetup: cryptsetup failed, bad password or options?"
-			sleep 3
-			continue
+			if [ -e "/dev/mapper/$crypttarget" ]; then
+				echo "cryptsetup: cryptsetup killed, target unlocked in the background, continuing."
+			else
+				echo "cryptsetup: cryptsetup failed, bad password or options?"
+				sleep 3
+				continue
+			fi
 		elif [ ! -e "$NEWROOT" ]; then
 			echo "cryptsetup: unknown error setting up device mapping"
 			return 1
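Review bot: The added `if [ -e "/dev/mapper/$crypttarget" ]` branch treats any nonzero cryptsetup exit as a successful background unlock whenever the mapper node exists, so a genuine failure (wrong passphrase, bad options) next to a node left over from an earlier or partial setup would be reported as "continuing" and the loop would move on. Suggest saving the status and requiring a signal exit as well, e.g. `ret=$?` after the `fi`, then `if [ "$ret" -gt 128 ] && [ -e "/dev/mapper/$crypttarget" ]; then`. Dropping `< /dev/console > /dev/console 2>&1` also means the prompt and the keyscript's stderr now follow whatever stdin/stdout the script inherits, which is the intent for the dropbear case but changes the boot-time behaviour and deserves a changelog entry.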
@@ -270,9 +273,13 @@ fi
 
 # Do we have any settings from the /conf/conf.d/cryptroot file?
 if [ -r /conf/conf.d/cryptroot ]; then
-	while read mapping; do
+	while read mapping <&3; do
 		setup_mapping "$mapping"
-	done < /conf/conf.d/cryptroot
+	done 3< /conf/conf.d/cryptroot
 fi
 
+# We might be called manually from the shell. In this case we have to kill
+# cryptsetups waiting for input at the console.
+killall cryptsetup
+
 exit 0
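Review bot: `killall cryptsetup` runs unconditionally, including on the normal boot-time run from local-top, and relies on a `killall` binary being present in the initramfs; the hook script should copy one in (busybox provides it, a plain initramfs does not guarantee it) and the call should tolerate a missing binary or no matching process, e.g. `killall cryptsetup 2>/dev/null || true`, so the manual run does not end in noise. The `<&3` / `3<` change is what lets each per-target cryptsetup inherit the script's stdin instead of the /conf/conf.d/cryptroot listing; a one-line comment there would keep someone from "simplifying" it back.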