Mario 'BitKoenig' Holbe wrote:
> Bryan Kadzban <cryptsetup@xxxxxxxxxxxxxxxxxxx> wrote:
>> It
>> wouldn't be terribly difficult to make askpass listen on a socket
>> directly as well (although again, you'd really want to build in some
>> kind of encryption; sshd is probably easier).
>
> I'm not aware of any generic socket it listens on.

From the code (assuming I read the debian patch correctly), there isn't one. It's doing lots of stuff with pipes, but I never saw it call socket (except with PF_UNIX, to talk to splashy, and that was a client socket, not a server).

> I personally wouldn't
> feel well with a generic network socket for generic use (independent on
> how far you personally would trust your local network) unless you'd use
> some sort of public/private key authentication over it (smartcard
> interaction or whatever).

Probably a good point. Even listening on localhost only (on an ipv4 socket) could be too much, I suppose. Well, either way. :-)

> This is what Debian's initramfs does.
> cryptcreate="/sbin/cryptsetup -T 1 ...
> cryptkeyscript="/lib/cryptsetup/askpass"
> $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=-

Yeah; --key-file=- is the important bit there. (Though I'm not sure what $cryptkey is. Maybe it comes from crypttab? Actually, never mind; it doesn't matter all that much.)

>> Would it be possible to drop askpass into the cryptsetup package here?
>
> IMHO, the best way would be to provide askpass as cryptsetup/contrib
> content.

Yeah, stuffing it into a contrib/ directory would work for me. What do the cryptsetup maintainers say? (If you aren't one of them, that is.)

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt