[systemd-devel] Thoughts about /etc/crypttab keyscript options

Marc Haber mh+systemd-devel at zugschlus.de
Wed Aug 13 07:43:01 PDT 2014


Hi,

did I reach the wrong mailing list? Is there a better forum to get
systemd working with something resembling my current setup?

Greetings
Marc


On Mon, Jul 21, 2014 at 10:46:21AM +0200, Marc Haber wrote:
> From: Marc Haber <mh+systemd-devel at zugschlus.de>
> Subject: Thoughts about /etc/crypttab keyscript options
> To: systemd-devel at lists.freedesktop.org
> Date: Mon, 21 Jul 2014 10:46:21 +0200
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> Hi,
> 
> I was recently bitten by the issue that systemd does not support the
> keyscript= option in /etc/crypttab. I don't know whether keyscript= is
> a Debian extension, but the migration to systemd (which was pulled in
> by some new version of - I think - Network Manager) broke my system's
> boot process, leaving me with all my filesystems locked since already
> the root fs used to be unlocked by a keyscript.
> 
> I have read the thread (from 2012?) where those things were discussed
> here and I understand that I should replace my keyscript with a
> password agent. Things would then work like this:
> 
> (1)
> systemd would try to unlock the root file system and place a ask.xxx
> file in /run/systemd/ask-password
> 
> (2)
> All running PasswordAgents (including my non-interactive one and
> all interactive ones) would act on that ask.xxx file.
> 
> (3)
> The interactive password agents would present an interactive password
> request.
> 
> (4)
> My PasswordAgent indicates taking responsibility by unlinking the
> ask.xxx file from /run/systemd/ask-password. The interactive password
> agents will remove their interactive requests then. The user will
> therefore see the password request popping up for a very short period
> of time, if at all.
> 
> (5)
> Should my PasswordAgent need a password to act itself (like a PIN for
> a hardware device, for example), it would place its own ask.xxx file
> in /run/systemd/ask-password. The interactive PasswordAgents would
> act on that, obtain the password/PIN interactively from the user and
> return it to my PasswordAgent.
> 
> (6)
> My PasswordAgent would then obtain the password for the file system
> itself and return it to systemd which can now proceed to unlock the
> file system.
> 
> 
> Am I understanding things correctly so far?
> 
> 
> If so, this leaves the task to write "my" PasswordAgent. I have found
> some example code in python for a password agent.
> 
> To use this to unlock the root fs, an entire python installation would
> need to go in my initramfs, right? And if I want to keep things
> simple, the best idea would be to write my PasswordAgent in a compiled
> language which would only need the binary and its libs in the
> initramfs, right?
> 
> Is there code for an example PasswordAgent in C++ which I can use as a
> template? I am quite reluctant to write a program which needs to do
> complex string processing and is bound to run as root in C because my
> C experience is somewhat lacking.
> 
> Can you please recommend a way to allow me to migrate to systemd?
> Without keyscript= being supported in /etc/crypttab, I need to replace
> my 50 line key script written in POSIX shell and would like to keep
> things simple.
> 
> Thank you very much for your consideration.
> 
> Greetings
> Marc
> 
> -- 
> -----------------------------------------------------------------------------
> Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
> Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 621 31958061
> Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420
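The quoted message describes the agent side of systemd's ask-password protocol in prose (steps 1 to 6). The following C program is an added example of a minimal non-interactive agent; it is not code from this thread or from systemd itself. It follows the documented protocol: systemd drops an INI-style ask.* file into /run/systemd/ask-password whose [Ask] section carries Socket= (an AF_UNIX datagram socket), Id=, Message=, PID= and NotAfter= (a CLOCK_MONOTONIC deadline in microseconds), and an agent answers by sending one datagram to that socket, "+" followed by the passphrase on success or "-" to give up. The sample request text, the socket path and the `get_passphrase()` placeholder (where a keyscript's logic, such as reading a token, would go) are constructed for the example.

```c
/* Minimal non-interactive systemd password agent (added example, not
 * systemd's or the thread's code). It parses an ask.* request file and
 * answers it over the Socket= datagram socket. A real agent would watch
 * /run/systemd/ask-password with inotify and call these functions for
 * every ask.* file that appears; that loop is omitted here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

struct ask_request {
    char socket_path[108];          /* sizeof(sun_path) on Linux */
    char id[256];
    char message[256];
    long pid;
    unsigned long long not_after;   /* CLOCK_MONOTONIC usec, 0 = no deadline */
};

/* Copy the value of a "Key=value" line into dst; returns 1 if key matched. */
static int take_value(const char *line, const char *key, char *dst, size_t dstlen) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0) return 0;
    snprintf(dst, dstlen, "%s", line + klen);
    return 1;
}

/* Parse the text of an ask.* file. Only keys inside the [Ask] section
 * are honoured. Returns 0 on success, -1 if no Socket= was found. */
int parse_ask_file(const char *text, struct ask_request *req) {
    memset(req, 0, sizeof *req);
    int in_ask = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] == '[') {
            in_ask = strcmp(line, "[Ask]") == 0;
        } else if (in_ask) {
            char tmp[64];
            if (take_value(line, "PID=", tmp, sizeof tmp))
                req->pid = strtol(tmp, NULL, 10);
            else if (take_value(line, "NotAfter=", tmp, sizeof tmp))
                req->not_after = strtoull(tmp, NULL, 10);
            else if (!take_value(line, "Socket=", req->socket_path, sizeof req->socket_path)
                  && !take_value(line, "Id=", req->id, sizeof req->id))
                take_value(line, "Message=", req->message, sizeof req->message);
        }
        if (!nl) break;
        p = nl + 1;
    }
    return req->socket_path[0] ? 0 : -1;
}

/* Answering an expired request is pointless; NotAfter=0 means no deadline.
 * now_usec is the caller's CLOCK_MONOTONIC reading in microseconds. */
int request_is_current(const struct ask_request *req, unsigned long long now_usec) {
    return req->not_after == 0 || now_usec < req->not_after;
}

/* Send the reply datagram: "+passphrase\0" on success, "-" to give up.
 * Returns 0 on success, -1 on error (e.g. the socket is already gone). */
int send_reply(const char *socket_path, const char *passphrase) {
    char buf[512];
    int n = passphrase ? snprintf(buf, sizeof buf, "+%s", passphrase) + 1
                       : snprintf(buf, sizeof buf, "-");
    if (n < 1 || (size_t)n >= sizeof buf) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", socket_path);
    int rc = sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sa, sizeof sa) == n ? 0 : -1;
    memset(buf, 0, sizeof buf);   /* scrub the passphrase from our stack */
    close(fd);
    return rc;
}

/* Placeholder for the keyscript's job (hardware token, key file, ...). */
static const char *get_passphrase(const struct ask_request *req) {
    (void)req;
    return "constructed-passphrase";
}

int main(void) {
    /* Constructed request text in the format systemd writes. */
    static const char sample[] =
        "[Ask]\nPID=1\nSocket=/run/systemd/ask-password/sck.constructed\n"
        "Id=cryptsetup:/dev/sda2\nMessage=Please enter passphrase for disk sda2:\nNotAfter=0\n";
    struct ask_request req;
    if (parse_ask_file(sample, &req) < 0 || !request_is_current(&req, 0)) return 1;
    printf("answering request %s via %s\n", req.id, req.socket_path);
    return send_reply(req.socket_path, get_passphrase(&req)) == 0 ? 0 : 1;
}
```

Run as root with the constructed socket path replaced by the Socket= value of a real ask.* file; on a normal system the sendto fails because that socket does not exist. The agent never removes the ask.* file itself: systemd unlinks it once a reply has been accepted, which is also what makes the interactive agents withdraw their prompts.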

