[systemd-devel] [PATCH 1/3] Add more password agent information

David Härdeman david at hardeman.nu
Tue Mar 25 03:01:22 PDT 2014


On Tue, Mar 25, 2014 at 09:50:10AM +0100, Benjamin SANS wrote:
>* On Tuesday, 25 March 2014 01:46, David Härdeman <david at hardeman.nu> wrote:
>> Bejamin's approach does not seem to solve the binary key part of the
>> puzzle either...(passing binary keys from the keyscript, as opposed to
>> passphrases).
>
>Actually it does, but I'm not very proud of the fix...
>Here is an explanation:
>
>- When using a keyscript, the agent creates a temporary file like so:
>
>char temp[] = "/run/systemd/ask-password/tmp.XXXXXX";
>int fd = mkostemp(temp, O_WRONLY|O_CLOEXEC);
>
>- It then forks, redirect the standard output of the child to this temporary
>  file, and execv the keyscript.
>
>- Finally, it returns via the socket the path of this temporary file.
>
>But all of this is based on the assumption that /run is a tmpfs and that it is
>safe enough to temporary store the key.
>

Ah, mea culpa. I missed that you proposed changes to systemd's own
agent as well. Myopia, since my approach was to use an additional (new)
agent which only handles the keyscript= case, I just assumed you did as
well :)

BTW, it should be noted that since the agent API allows for concurrent
agents, it's still possible to use e.g. both a keyscript and keyboard
input as a backup with my approach...the systemd agent is smart enough
to remove the TTY passphrase prompt once an answer has been provided via
the other agent.

-- 
David Härdeman


More information about the systemd-devel mailing list