Re: [PATCH] Network passphrase reading

Bryan Kadzban <cryptsetup@xxxxxxxxxxxxxxxxxxx> wrote:
> Hmm.  Indeed, askpass listens on several file descriptors, including
> /dev/console and a specific named pipe.  (Also on some sort of pipe or
> socket or something to splashy, whatever that is, and another pipe or
> socket or something to usplash, whatever *that* is.  Presumably those
> things are "infrastructure in Debian initramfs or boot scripts".)  It
> wouldn't be terribly difficult to make askpass listen on a socket
> directly as well (although again, you'd really want to build in some
> kind of encryption; sshd is probably easier).

It listens on /lib/cryptsetup/passfifo. You can reach that one via ssh
(dropbear in the initramfs) and pipe a passphrase into it in a more or
less secure manner (i.e. the network traffic is encrypted via ssh).
I'm not aware of any generic socket it listens on. I personally wouldn't
feel comfortable with a generic network socket for generic use
(independent of how far you personally trust your local network) unless
you used some sort of public/private key authentication over it
(smartcard interaction or whatever).

> Looks like the way to get this all to fit together is to pipe askpass
> into cryptsetup, and move the select() multiplexing out of cryptsetup
> itself.  I suppose that works.

This is what Debian's initramfs does.
    cryptcreate="/sbin/cryptsetup -T 1 ...
    cryptkeyscript="/lib/cryptsetup/askpass"
    $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=-

> Would it be possible to drop askpass into the cryptsetup package here?

IMHO, the best way would be to provide askpass as cryptsetup/contrib
content.


regards
   Mario
-- 
Oh you, my king ... Someone well known on the net once wrote, roughly:
You must read it the way I mean it, not the way I write it.
Of course I mean it the way you write it 8--)
                                    O.G. Schwenk - de.comm.chatsystems

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
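An added example (not the thread's code and not Debian's askpass) of the design the two posters converge on above: the passphrase reader, not cryptsetup, does the select() multiplexing over the local console and a FIFO such as /lib/cryptsetup/passfifo, and writes whichever passphrase arrives first to stdout for `cryptsetup ... --key-file=-`. Python stands in for askpass's C; the function names, the default FIFO path handling and the 0600 mode are my assumptions.

```python
import os
import select
import sys

def make_passfifo(path):
    """Create the passphrase FIFO owner-only (0600) so only root can feed it."""
    os.mkfifo(path, 0o600)

def open_fifo_reader(path):
    """O_RDWR so open() never blocks for a writer and the fd does not report
    EOF between one ssh session writing to it and the next."""
    return os.open(path, os.O_RDWR | os.O_NONBLOCK)

def read_passphrase(fds, timeout=None):
    """select() over all sources; return (fd, passphrase) from the first that
    delivers data, None on timeout or once every source has hit EOF.
    Trailing newline stripped: with --key-file=- cryptsetup reads stdin raw,
    so a stray newline would become part of the key."""
    fds = list(fds)
    while fds:
        ready, _, errored = select.select(fds, [], fds, timeout)
        if not ready and not errored:
            return None                      # timed out
        for fd in errored:                   # drop dead sources, keep the rest
            fds.remove(fd)
        for fd in ready:
            if fd not in fds:
                continue
            data = os.read(fd, 4096)
            if not data:                     # EOF: stop polling this source
                fds.remove(fd)
                continue
            return fd, data.decode(errors="replace").rstrip("\r\n")
    return None

def main():
    fifo = sys.argv[1] if len(sys.argv) > 1 else "/lib/cryptsetup/passfifo"
    if not os.path.exists(fifo):
        make_passfifo(fifo)
    sources = [open_fifo_reader(fifo)]
    if os.isatty(sys.stdin.fileno()):
        sources.append(sys.stdin.fileno())   # local console as second source
    got = read_passphrase(sources)
    if got is None:
        sys.exit(1)
    sys.stdout.write(got[1])                 # no newline: stdout feeds --key-file=-
    sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Wired up like the Debian snippet above it runs as `./reader.py /path/to/passfifo | cryptsetup ... --key-file=-`, with the ssh side writing `printf '%s' "$pass" > /path/to/passfifo`.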
