On Mon, 21.03.11 13:17, Nathanael D. Noblet (nathanael@xxxxxxx) wrote:

> On 03/21/2011 12:43 PM, Richard W.M. Jones wrote:
> > Off the same topic, I'd love a way to have a "key server" on my
> > network that machines can grab their keys from at boot. Obviously I
> > would then work on physically securing / hiding the key server so that
> > no one could steal it ...
>
> I think there are many possible improvements. I filed a bug with um F14
> with a patch for the initscripts that would fallback to a password when
> the configured key wasn't around.

I added this to the systemd TODO list now.

> I thought it would also be nice to have other options such as 'run X
> to get the key' etc. Ultimately the initscript change was rejected as
> F15 is going to systemd making it somewhat moot. Though I haven't
> looked at how systemd handles encrypted partitions

You can easily write your own password agent. Just watch
/var/run/systemd/ask-password with inotify and parse a simple .ini-style
file which is placed there for each password that is asked. Then send
the password back via a single AF_UNIX/SOCK_DGRAM to the right socket
mentioned in the file.

For more details:

http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents

Right now we have such agents installed by default to ask passwords via
plymouth, directly on the console, graphically on GNOME, via wall or
manually on a tty. You are welcome to add your own to fetch the password
from somewhere else, and it is trivial to do so: inotify is relatively
easy to use, .ini file parsers exist readily for most programming
languages (glib has one for example), and sending a single AF_UNIX
datagram is really easy too.

Lennart

--
Lennart Poettering - Red Hat, Inc.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
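As an added illustration of the agent Lennart describes (my own Python, not code from this thread or from systemd), here is the per-request half: parse the ask.* file, check the request is still live, and answer with the single AF_UNIX datagram. The `+`/`-` reply prefix and the `NotAfter`/`PID` fields are taken from the PasswordAgents page linked above; the inotify watch itself is left out because Python's standard library has no inotify binding, so `scan_once` simply walks the directory, and the `lookup` callback (where a key-server fetch would go) is an assumption of this example.

```python
import configparser
import os
import socket
import time

ASK_DIR = "/run/systemd/ask-password"   # same directory as the /var/run/... path in the mail

def parse_ask_file(path):
    """Read one ask.* file; the request lives in its [Ask] section (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as f:
        cp.read_file(f)
    return dict(cp["Ask"])

def request_is_live(ask):
    """Drop stale requests: NotAfter is CLOCK_MONOTONIC in microseconds (0 = no deadline),
    and the asking PID must still exist, otherwise nobody is listening on the reply socket."""
    not_after = int(ask.get("notafter", "0"))
    if not_after and time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000 > not_after:
        return False
    try:
        os.kill(int(ask["pid"]), 0)      # signal 0: existence check, nothing is delivered
    except (ProcessLookupError, ValueError, KeyError):
        return False
    except PermissionError:
        pass                             # process exists, it just is not ours to signal
    return True

def send_reply(sock_path, password):
    """The whole protocol reply is one datagram: b'+' + password, or b'-' for 'no answer'."""
    payload = b"-" if password is None else b"+" + password.encode("utf-8")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, sock_path)
    return payload

def answer_request(path, lookup):
    """Handle one file. lookup(id, message) returns the password or None (assumed callback).
    Returns the payload sent, or None when the file was skipped."""
    if not os.path.basename(path).startswith("ask."):   # temp/socket files are not requests
        return None
    ask = parse_ask_file(path)
    if not request_is_live(ask):
        return None
    return send_reply(ask["socket"], lookup(ask.get("id", ""), ask.get("message", "")))

def scan_once(ask_dir, lookup):
    """Polling stand-in for the inotify watch: answer every pending request in the directory."""
    return [answer_request(os.path.join(ask_dir, n), lookup) for n in sorted(os.listdir(ask_dir))]
```

With inotify available, the same `answer_request` would be called on each `IN_CLOSE_WRITE`/`IN_MOVED_TO` event for a new ask.* file instead of via `scan_once`.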