Re: Adding remote SSH passphrase entry to LUKS

On 10.01.2007 12:43:40, Mathieu Desnoyers wrote:
> Hi,

Hello Mathieu.

> [ remote passphrase entering ]
> 
> If you ever think of distributing this, I suggest to implement this as an
> initrd (which I haven't done). Some scripts should be made to update the
> content of the initrd (ssh, root password, ssh keys) easily.

I have thought about that for a while, actually, since I also developed the
initrd code for a distribution and its filesystem encryption code. Currently
I'm working on a new installer and reworking a few bits to move from calling
dmsetup directly to calling cryptsetup-luks.

What I've been thinking about is this:

Start up in the initrd/initramfs and set up the network. Then start an sshd
process. Then start a screen session and in that screen session start a
script handling the passphrase entering for cryptsetup.
Then attach to that screen from /dev/console.
If you now connect to the machine with ssh, it would automatically create
a shared connection to the running screen session. This way, it is possible
to both enter the passphrase locally AND over the network. If you're extra
paranoid, have two people know half the passphrase :-)

After the passphrase was correctly entered, the screen session would
terminate and allow the 'init' script (/sbin/init replacement) to continue
setting up the system, do the pivot_root/chroot/exec dance and get the
system up running.


Greetings,
	Benjamin 
-- 
#!/bin/sh #!/bin/bash #!/bin/tcsh #!/bin/csh #!/bin/kiss #!/bin/ksh
#!/bin/pdksh #!/usr/bin/perl #!/usr/bin/python #!/bin/zsh #!/bin/ash

Feel at home? Got some of them? Want to show some magic?

	http://shellscripts.org
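Benjamin's flow above, sketched as an initramfs /init. This is an added example, not code from the post or from the distribution he mentions, and everything it names is an assumption: busybox udhcpc and switch_root, OpenSSH sshd and GNU screen packed into the initramfs, eth0 configured by DHCP, and the LUKS root at /dev/sda2 mapped as "root". The fake_cryptsetup stand-in exists only so the retry loop can be exercised without a real device.

```shell
#!/bin/sh
# Added example (not from the original post): initramfs /init that follows
# the "sshd + shared screen session" flow. Hypothetical assumptions: busybox
# (udhcpc, switch_root), OpenSSH sshd and GNU screen inside the initramfs,
# LUKS root on /dev/sda2 mapped as "root", eth0 on DHCP.

SESSION=unlock                    # name of the shared screen session
CRYPT_DEV=${CRYPT_DEV:-/dev/sda2}
CRYPT_NAME=${CRYPT_NAME:-root}
MAX_TRIES=${MAX_TRIES:-5}

# Passphrase loop that runs inside the screen session. cryptsetup reads the
# passphrase from the session's tty, so the console and every attached ssh
# client see the same prompt. $1 names the unlock command (cryptsetup by
# default) so the loop can be exercised offline with a stand-in.
unlock_loop() {
    cmd=${1:-cryptsetup}
    n=0
    while [ "$n" -lt "$MAX_TRIES" ]; do
        n=$((n + 1))
        if "$cmd" luksOpen "$CRYPT_DEV" "$CRYPT_NAME"; then
            return 0
        fi
        echo "Unlock failed (attempt $n of $MAX_TRIES)" >&2
    done
    return 1
}

# Writes root's login shell for the initramfs: an ssh login does not get a
# shell, it just joins the shared screen session. Point root's shell in the
# initramfs /etc/passwd at $dir/unlock-shell.
install_ssh_shell() {
    dir=$1
    printf '#!/bin/sh\nexec screen -x -S %s\n' "$SESSION" > "$dir/unlock-shell"
    chmod 0755 "$dir/unlock-shell"
}

setup_network() {
    ip link set eth0 up
    udhcpc -i eth0 -q             # take one lease, then exit
}

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    setup_network
    install_ssh_shell /bin
    /usr/sbin/sshd                # host key and sshd_config baked into the initramfs
    # Detached session running the passphrase loop; then attach the console to it.
    screen -d -m -S "$SESSION" /init unlock
    screen -x -S "$SESSION" < /dev/console > /dev/console 2>&1
    # screen ends on every display once the loop exits, so we get here either way.
    if [ ! -e "/dev/mapper/$CRYPT_NAME" ]; then
        echo "root not unlocked, dropping to a shell" >&2
        exec /bin/sh
    fi
    killall sshd                  # no remote access survives into the real system
    mount -o ro "/dev/mapper/$CRYPT_NAME" /newroot
    exec switch_root /newroot /sbin/init
}

# Stand-in for cryptsetup, used only to exercise unlock_loop offline:
# fails $FAKE_FAILS times with cryptsetup's "bad passphrase" status 2, then succeeds.
FAKE_FAILS=${FAKE_FAILS:-0}
fake_cryptsetup() {
    if [ "$FAKE_FAILS" -gt 0 ]; then
        FAKE_FAILS=$((FAKE_FAILS - 1))
        return 2
    fi
    return 0
}

case "${1:-}" in
    unlock) unlock_loop ;;                       # started by screen inside the session
    *)      if [ "$$" -eq 1 ]; then main; fi ;;  # only act as init when really PID 1
esac
```

Two things a practitioner would want to add: the initramfs sshd has its own host key, distinct from the one the booted system presents, so give it a separate port or a dedicated known_hosts entry rather than teaching people to click through the mismatch warning; and the passphrase is typed into the screen session's tty, so it travels only inside the ssh channel and never appears on a command line or in the initramfs image.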
