On 21 April 2017 at 20:16, Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:
Hi Dominic,
Am 19.04.2017 um 08:39 schrieb Dominic Raferd:
> Sorry if this is off-topic for this mailing list. I am setting up a
> (Ubuntu 16.04) machine with dmcrypt+LUKS encrypted root system (standard
> Debian/Ubuntu recipe) but with added capability for remote entry of the
> passphrase (using dropbear via busybox shell). After the user has
> entered the passphrase (and it is piped into /lib/cryptsetup/passfifo) I
> would like an easy and preferably fast way for a local script (i.e.
> running under busybox ash shell) to detect whether the passphrase entry
> has been successful or not - without requiring local access or a second
> remote login. Thanks for any help.
Indeed it's slightly off-topic as initscripts and initramfs integration
are specific to the distributions that ship/package cryptsetup.
One quick idea is that you could test for existance of the
/dev/mapper/<target> device file. If it exists, then the unlocking was
successful.
I usually logout of the system after remotely unlocking it via initramfs
ssh session and monitor the ping in another terminal. If the ping stops
being answered and continues a few seconds afterwards, that indicates
that the unlock attempt was successful and I login to the booted system.
Thanks Jonas for your suggestion. In the end, I came up with the script below, partly from an idea at https://github.com/rhansen/unlock-cryptroot (kudos).
I needed a solution that could be run from any external fs e.g. connecting to the initramfs using plink under Windows - i.e. that could run entirely on the initramfs; and I needed it to be simple for a non-tech person. This is what I now have, it is placed in the initramfs by 'update-initramfs -u -k all' and can be run from there as /scripts/pass:
# cat /etc/initramfs-tools/scripts/pass
#!/bin/sh
# by Dominic v0.2 [22 Apr 2017]
for i in 1 2 3; do
[ $i -gt 1 ] && echo " Failed"
read -sp"Enter passphrase, then press ENTER/RETURN: "
printf "$REPLY" >/lib/cryptsetup/passfifo
for j in 1 2 3 4 5 6 7 8 9; do
ps >/tmp/ps.txt 2>/dev/null || { DONE="y"; break; }
grep -q "cryptroo[t]" /tmp/ps.txt || { DONE="y"; break; }
sleep 1s; printf "."
done
[ "$DONE" = "y" ] && break
done
[ -z "$DONE" ] && echo " Failed, sorry." || echo " Success! Boot is proceeding"
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
