[systemd-devel] Thoughts about /etc/crypttab keyscript options

Marc Haber mh+systemd-devel at zugschlus.de
Fri Aug 15 04:51:04 PDT 2014


On Fri, Aug 15, 2014 at 01:30:32PM +0200, Lennart Poettering wrote:
> On Fri, 15.08.14 12:56, Marc Haber (mh+systemd-devel at zugschlus.de) wrote:
> > > > Is it possible to write a PasswordAgent in shell? Example code please
> > > > ;)
> > > 
> > > Probably possible, after all bash allows you to talk to unix sockets and
> > > stuff. And you could probably put the protocol together with carefully
> > > crafted echo lines, but I know of nobody who has done that so far...
> > 
> > There is also the daemonizing and inotify part...
> > 
> > > > > I fear I don't have an easy suggestion. What kind of device do you
> > > > > actually want to make work here? some smartcard or so?
> > > > 
> > > > That's the vision, yes. At the moment, my keyscript unlocks a small
> > > > LUKS partition on the disk and takes the key for the root fs from
> > > > there. That's just a placeholder for a future more complicated setup.
> > > 
> > > Not following. You place a key for a LUKS partition on another LUKS
> > > partition? What's the benefit of that? Inception? ;-)
> > 
> > It's actually part of a two-factor authentication for the poor. The
> > part to know is the key to the LUKS partition, the part to have is a
> > USB key.
> 
> The part to have is trivially easy to copy, so why do the exercise
> at all? Sounds more like theatre to me...

Because I still hope to have that in a more secure way in the near
future.

> > But I also know of people who use a keyscript to unlock LUKS file
> > systems with the key stored in the system's TPM or on a crypto card. I
> > have never looked into the details of those implementations (having
> > that saved for a long winter night), but I guess that those people
> > will also be pretty hosed on a systemd-based Debian.
> 
> I think supporting TPM or smartcards out of the box is very desirable to
> have upstream.

Yes, and that should be done in a modular way so that even exotic (or
broken) schemes can be plugged in.

>  I am not convinced though that Debian's keyscript= logic is really
>  that well designed that I want to update it upstream.

You don't need to. I falsely thought that this was general
functionality and not a Debianism.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420
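An added example, not code from this thread, for the "PasswordAgent" question quoted above: it shows the agent side of systemd's password agent protocol (documented upstream) in Python, parsing one ask.* request file such as systemd writes under /run/systemd/ask-password/, skipping stale requests, and sending the '+'-prefixed reply to the Socket= datagram socket. Python is used instead of bash because bash's /dev/tcp redirections cannot reach AF_UNIX sockets; the inotify loop over the directory and the real key lookup (the thread's keyscript) are left out, and demo() stands in for systemd with a constructed file and socket.

```python
import configparser, os, socket, tempfile, time

def parse_ask_file(path):
    # One request = one ask.* file with an [Ask] section written by systemd.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read(path)
    ask = cp["Ask"]
    return {"socket": ask["Socket"],                          # AF_UNIX/SOCK_DGRAM to reply to
            "pid": ask.getint("PID", fallback=0),             # process waiting for the answer
            "not_after": ask.getint("NotAfter", fallback=0)}  # CLOCK_MONOTONIC usec, 0 = none

def request_is_live(req):
    # Drop stale requests: asking process gone, or its NotAfter deadline passed.
    if req["pid"]:
        try:
            os.kill(req["pid"], 0)
        except ProcessLookupError:
            return False
        except PermissionError:
            pass  # exists, owned by someone else
    now_usec = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
    return not req["not_after"] or now_usec <= req["not_after"]

def build_reply(password):
    # Datagram payload: '+' followed by the password, or a bare '-' to cancel.
    return b"-" if password is None else b"+" + password.encode()

def answer(path, password):
    # Reply to one request; False means it was stale and nothing was sent.
    req = parse_ask_file(path)
    if not request_is_live(req):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(build_reply(password), req["socket"])
    return True

def demo():
    # Stand-in for systemd: constructed ask file and socket; returns what arrived.
    d = tempfile.mkdtemp()
    sock_path, ask = os.path.join(d, "sck.demo"), os.path.join(d, "ask.demo")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(sock_path)
    with open(ask, "w") as f:
        f.write(f"[Ask]\nPID={os.getpid()}\nSocket={sock_path}\nAcceptCached=0\n"
                "NotAfter=0\nMessage=Please enter passphrase for disk root:\n")
    answer(ask, "hunter2")
    data = srv.recv(256)
    srv.close()
    return data  # b"+hunter2"
```

A real agent would watch the directory with inotify (IN_CLOSE_WRITE, IN_MOVED_TO), handle every ask.* file present at startup, and obtain the password from its key source instead of a literal.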