[systemd-devel] [PATCH] add keyscript support to cryptsetup

Alexander E. Patrakov patrakov at gmail.com
Wed Jul 11 01:32:26 PDT 2012


2012/7/10 Lennart Poettering <lennart at poettering.net>:
> Well, but if this is all dependent on some other hw then the synchronous
> nature of keyscript= doesn't work anyway... (see other mail about that)
>
>> From a user point of view it is of course additional flexibility which
>> is the use case. I've seen keyscripts to use Yubikeys, keyscripts to get
>> keys off a smartcard (and the PIN for the smartcard could be requested
>> via systemd passwordagents or any other scheme), scripts which mount
>> different filesystems and grab the key off them, etc.
>
> Both yubikeys and most smartcard readers are USB devices, so you always
> have the enumeration issues, which means a synchronous solution wouldn't
> work without races anyway and the async agent stuff is much preferable.
>
>> >http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
>>
>> I also dislike additional complexity and realize that systemd is an
>> excellent opportunity of providing some much needed spring cleaning in
>> distribution-specific boot scripts - but there are a few problems with
>> using password agents:
>
> Well, the complexity comes for a reason: correctness.

I understand your position about the racy code, but want to point you
to http://thecodelesscode.com/case/9 . In the spec, there is indeed no
way to wait until all USB devices show up. In practice, if the key
does not show up in, say, 10 seconds (of course this timeout value
should not be in the kernel), it is not there, period, from all sane
user viewpoints. IMHO a theoretical race that is never triggered in
user-relevant cases is preferable to the complexity required to get
everything mathematically right and to the lack of a well-defined
policy for getting the "key is not there, panic" error message.

The new asynchronous password agent interface does not help against
races without an easy way to say "this password agent (or even: this
encrypted volume) needs yubikey" and "fail with an error message
explicitly mentioning yubikey if yubikey didn't show up for 10
seconds".

-- 
Alexander E. Patrakov

