Fwd: Detect successful passphrase entry for dmcrypt +LUKS from initramfs busybox prompt

On 21 April 2017 at 20:16, Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:
Hi Dominic,

On 19.04.2017 at 08:39, Dominic Raferd wrote:
> Sorry if this is off-topic for this mailing list. I am setting up a
> (Ubuntu 16.04) machine with dmcrypt+LUKS encrypted root system (standard
> Debian/Ubuntu recipe) but with added capability for remote entry of the
> passphrase (using dropbear via busybox shell). After the user has
> entered the passphrase (and it is piped into /lib/cryptsetup/passfifo) I
> would like an easy and preferably fast way for a local script (i.e.
> running under busybox ash shell) to detect whether the passphrase entry
> has been successful or not - without requiring local access or a second
> remote login. Thanks for any help.

Indeed it's slightly off-topic as initscripts and initramfs integration
are specific to the distributions that ship/package cryptsetup.

One quick idea is that you could test for existence of the
/dev/mapper/<target> device file. If it exists, then the unlocking was
successful.

I usually log out of the system after remotely unlocking it via initramfs
ssh session and monitor the ping in another terminal. If the ping stops
being answered and continues a few seconds afterwards, that indicates
that the unlock attempt was successful and I log in to the booted system.

Thanks Jonas for your suggestion. In the end, I came up with the script below, partly from an idea at https://github.com/rhansen/unlock-cryptroot (kudos).

I needed a solution that could be run from any external fs e.g. connecting to the initramfs using plink under Windows - i.e. that could run entirely on the initramfs; and I needed it to be simple for a non-tech person. This is what I now have; it is placed in the initramfs by 'update-initramfs -u -k all' and can be run from there as /scripts/pass:

# cat /etc/initramfs-tools/scripts/pass
#!/bin/sh
# by Dominic v0.2 [22 Apr 2017]
# Up to three attempts: read the passphrase without echo, feed it to the
# cryptsetup FIFO, then poll the process list for up to nine seconds.
for i in 1 2 3; do
        [ $i -gt 1 ] && echo " Failed"
        # -r keeps backslashes in the passphrase literal; -s suppresses echo
        read -r -s -p "Enter passphrase, then press ENTER/RETURN: " REPLY
        # '%s' passes the passphrase as data, so a '%' in it is not
        # interpreted as a printf format directive
        printf '%s' "$REPLY" >/lib/cryptsetup/passfifo
        for j in 1 2 3 4 5 6 7 8 9; do
                # once the cryptroot script is gone from the process list
                # (or ps itself is unavailable), the unlock attempt is over
                ps >/tmp/ps.txt 2>/dev/null || { DONE="y"; break; }
                grep -q "cryptroo[t]" /tmp/ps.txt || { DONE="y"; break; }
                sleep 1; printf "."
        done
        [ "$DONE" = "y" ] && break
done
[ -z "$DONE" ] && echo " Failed, sorry." || echo " Success! Boot is proceeding"
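An added example script (not Dominic's or Jonas's code and not from this thread) that combines both checks discussed above: it waits for the cryptroot script to leave the process list, as the script above does, but reports success only when the opened mapping is present under /dev/mapper, which is what distinguishes a real unlock from cryptsetup giving up after its retry limit. The target name sda5_crypt, the FIFO path and the mapper directory are assumptions for a Debian/Ubuntu initramfs.

```sh
#!/bin/sh
# Added example, not from the thread. Dominic's script watches the cryptroot
# process vanish; Jonas's check looks for the opened mapping. Only the mapping
# check separates "unlocked" from "cryptsetup gave up after its retry limit",
# since the process vanishes in both. TARGET and the paths are assumptions.
TARGET="${TARGET:-sda5_crypt}"
PASSFIFO="${PASSFIFO:-/lib/cryptsetup/passfifo}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# Return 0 if a ps listing on stdin still shows the cryptroot script.
# The [t] keeps the pattern from matching a grep command line.
cryptroot_running() {
    grep -q 'cryptroo[t]'
}

# Print success|pending|failed.  $1: 0 if cryptroot is running, 1 if not.
# $2: path that exists only once the LUKS mapping has been opened.
unlock_state() {
    if [ -e "$2" ]; then echo success
    elif [ "$1" -eq 0 ]; then echo pending
    else echo failed
    fi
}

# Write the passphrase as data, never as a printf format string, so a '%'
# in it reaches cryptsetup unchanged.
send_passphrase() {
    printf '%s' "$1" > "$2"
}

# Poll once a second for up to $1 seconds.  Returns 0 on success, 1 otherwise.
wait_for_unlock() {
    n=0
    while [ "$n" -lt "$1" ]; do
        if ps 2>/dev/null | cryptroot_running; then r=0; else r=1; fi
        case "$(unlock_state "$r" "$MAPPER_DIR/$TARGET")" in
            success) return 0 ;;
            failed)  return 1 ;;
        esac
        sleep 1; n=$((n + 1)); printf .
    done
    return 1
}

if [ "${1:-}" = "--run" ]; then      # interactive use: /scripts/pass --run
    printf 'Enter passphrase, then press ENTER/RETURN: '
    stty -echo 2>/dev/null; read -r REPLY; stty echo 2>/dev/null; echo
    send_passphrase "$REPLY" "$PASSFIFO"
    wait_for_unlock 30 && echo ' Success! Boot is proceeding' || echo ' Failed'
fi
```

The stty/read pair is used instead of read -s so the script also runs under shells without that non-POSIX option.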

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
