[systemd-devel] Thoughts about /etc/crypttab keyscript options

Marc Haber mh+systemd-devel at zugschlus.de
Thu Aug 14 11:10:48 PDT 2014

Hi Lennart,

thanks for your thoughts.

On Thu, Aug 14, 2014 at 07:44:59PM +0200, Lennart Poettering wrote:
> On Mon, 21.07.14 10:46, Marc Haber (mh+systemd-devel at zugschlus.de) wrote:
> > (4)
> > My PasswordAgent indicates taking responsibility by unlinking the
> > ask.xxx file from /run/systemd/ask-password. The interactive password
> Well, so far it is the querier that removes the file, not the agent...

I see. What would happen if I remove the file myself?

> > To use this to unlock the root fs, an entire python installation would
> > need to go in my initramfs, right? And if I want to keep things
> > simple, the best idea would be to write my PasswordAgent in a compiled
> > language which would only need the binary and its libs in the
> > initramfs, right?
> Yes. Correct. If you want to stick something into the initrd, I'd always
> do things in C (or shell if you must), but nothing else.
> > Is there code for an example PasswordAgent in C++ which I can use as a
> > template? I am quite reluctant to write a program which needs to to
> > complex string processing and is bound to run as root in C because my
> > C experience is somewhat lacking.
> Not aware of an C++ code. There's a vala one, and of course the one we
> ship in systemd itself in C, but c++ i cannot help you with, sorry.

Is it possible to write a PasswordAgent in shell? Example code please ;)

> > Can you please recommend a way to allow me to migrate to systemd?
> > Without keyscript= being supported in /etc/crypttab, I need to replace
> > my 50 line key script written in POSIX shell and would like to keep
> > things simple.
> > 
> > Thank you very much for your consideration.
> I fear I don#t have an easy suggestion. What kind of device do you
> actually want to make work here? some smartcard or so?

That's the vision, yes. At the moment, my keyscript unlocks a small
LUKS partition on the disk and takes the key for the root fs from
there. That's just a placeholder for a future more complicated setup.

With Debian's initramfs, unlocking the small LUKS partition works
transparently even with plymouth. This is real functionality being
lost in the systemd migration.

> I think in the long run we should somehow work towards the direction to
> make things like that just work, for common devices like smartcards and
> other auth tokens...

First step to do that would be to implement support for the keyscript=
option in /etc/crypttab as this is the canonical place to hook into on
non-system systems. At least it's the case on Debian, I don't know
about Red Hat, Fedora and other distributions.

The PasswordAgent stuff is really neat, but complicated due to the
socket communication, and it's far from being a drop-in replacement.


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420

More information about the systemd-devel mailing list