Subject: cryptsetup: non-working timeout option can render remote
systems unbootable
Followup-For: Bug #495509
Package: cryptsetup
Version: 2:1.0.6-6
severity 495509 important # system unbootable when restarted remotely
thanks

On a remote server where one relies on the timeout feature to skip over
the passphrase prompt when the system is started remotely, this pauses
the entire boot process, requiring manual intervention.


Note that for me the timeout feature of cryptsetup works, but the boot
sequence doesn't work.


bounty:/etc# time cryptsetup -t 1 luksOpen /dev/sda7 sda7_crytpo
Enter LUKS passphrase: Command failed: Error reading passphrase

real    0m1.003s
user    0m0.000s
sys     0m0.008s


The problem seems to originate from this code (cryptdisks.functions:316)


        elif [ -z "$key" ]; then
                # no keyscript, no key => password
                keyscriptarg="Enter passphrase to unlock the disk $src ($dst): "
                key="-"
                KEYSCRIPT="/lib/cryptsetup/askpass"
[..]
                if [ -n "$KEYSCRIPT" ]; then
                        if "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "$dst"; then
                                break
                        fi


In the case of the boot process, $KEYSCRIPT is /lib/cryptsetup/askpass,
and although the cryptsetup process times out, the askpass process isn't
killed, nor does it have a timeout.

One workaround would be to have the code written as:

        elif [ -z "$key" ]; then
                # no keyscript, no key => password
                keyscriptarg="Unlocking the disk $src ($dst): "
                key="-"
                KEYSCRIPT="INTERACTIVE"
[..]
                if [ -n "$KEYSCRIPT" ]; then
                        if [ "$KEYSCRIPT" = "INTERACTIVE" ] ; then
                                echo "$keyscriptarg"
                                if cryptsetup $PARAMS luksOpen "$src" "$dst"; then
                                        break
                                fi
                        elif "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "$dst"; then
                                break
                        fi



Another (cleaner) option would be for cryptsetup to accept a -p|--prompt
argument that would print that string instead of the default prompt.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ro_RO.UTF-8, LC_CTYPE=ro_RO.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libc6                        2.7-15      GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libpopt0                     1.14-4      lib for parsing cmdline parameters
ii  libuuid1                     1.41.2-1    universally unique id library

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  dosfstools                    2.11-6     utilities for making and checking
ii  initramfs-tools [linux-initra 0.92j      tools for generating an initramfs
ii  udev                          0.125-7    /dev/ and hotplug management daemo

-- no debconf information
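
The hang described in this report, reproduced with stand-ins, as an added example that is not part of the original message or of the cryptsetup package. Assumptions: `sleep` plays an askpass that nobody answers, `timeout ... cat` plays `cryptsetup -t`, and all function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins: neither function is the real askpass or cryptsetup.
HANG=3      # seconds the prompter stays blocked (real askpass: until someone types)
TIMEOUT=1   # plays the role of cryptsetup's -t value

# Prompter nobody answers: blocks and never writes a passphrase to stdout.
blocked_prompter() { sleep "$HANG"; }

# Consumer that gives up after $TIMEOUT seconds without input (exit status 124).
unlock_with_timeout() { timeout "$TIMEOUT" cat >/dev/null; }

# Shape used in the boot script: prompter | consumer.
# The shell waits for every pipeline member, so the consumer's timeout
# does not end the pipeline while the prompter is still blocked.
piped_unlock() { blocked_prompter | unlock_with_timeout; }

# Shape of the proposed workaround: the consumer reads its input itself.
# A FIFO opened read-write (works on Linux) stands in for an unattended console.
direct_unlock() {
    dir=$(mktemp -d) || return 2
    mkfifo "$dir/console" || { rm -rf "$dir"; return 2; }
    rc=0
    unlock_with_timeout <> "$dir/console" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Print how many whole seconds a command takes; its failure status is expected.
elapsed() {
    start=$(date +%s)
    "$@" || :
    echo $(( $(date +%s) - start ))
}

echo "piped:  $(elapsed piped_unlock)s (timeout was ${TIMEOUT}s)"
echo "direct: $(elapsed direct_unlock)s (timeout was ${TIMEOUT}s)"
```

On a real system the prompter blocks until someone types, so the piped form waits indefinitely rather than for the 3 seconds used here.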


