Re: Empty key files vs empty passwords in plain mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 23/11/2014 14:16, Milan Broz wrote :

On 11/23/2014 01:44 PM, Quentin Lefebvre wrote:


I experienced some troubles recently with Debian's cryptsetup package
(testing version), which version is 1.6.6.
I found out that empty key files get refused by cryptsetup, for example:
cat empty_file | cryptsetup --debug --key-file=- open --type plain
/test1.loop test1
gets rejected.
The debug output directly leads to a test in utils_crypt.c that, I
think, should be removed.

Indeed, empty passwords are accepted, so it make sense to accept also
empty inputs.
Especially in Debian, where cryptdisks_start script calls:
/lib/cryptsetup/askpass | cryptsetup --key-file=- open --type [type]
[src] [dst]

What do you think about this issue?
Shall I send a patch for that?


Well, logically it should be the same. But reading empty keyfile never worked AFAIK
Right, and this is just because of a test that returns an error code in case the key file is empty. 


and IMHO the case that you encrypt device by empty keyfile by mistake
is more common...


I agree and I think there should be at least a warning.


I am tempting to say it is a safety feature than bug :-)

Anyway, please create issue on project page, https://code.google.com/p/cryptsetup/issues/list
If you have a patch, attach it there as well.
Sure, I'll do that. But which tool is preferred to write a patch for cryptsetup? 


I will get to it but this is not really urgent issue to solve.
In my opinion, the problem is, for example, when a user enters a blank password (not secured, sure) and then reboot and can't mount his file system because of a script piped to cryptsetup. 


BTW I would better suggest that Debian uses pwquality library with some sane
defaults and will not allow users to enter so weak passwords in the first place...

(There is always --force-password switch so your issue is still kind of problem
for testing though.)


OK.
Thanks for this answer.

Cheers,
Quentin

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux