[pkg-cryptsetup-devel] Bug#931710: Bug#931710: Cryptroot-unlock Timeout on askpass

Guilhem Moulin guilhem at debian.org
Mon Jul 15 17:46:03 BST 2019


Control: retitle -1 `cryptroot-unlock` timeouts when Kali's cryptsetup-nuke-password package is installed

On Mon, 15 Jul 2019 at 07:05:46 +0000, Luke Flinders wrote:
> This is the package;
> https://gitlab.com/kalilinux/packages/cryptsetup-nuke-keys

Oh, didn't you mean
https://gitlab.com/kalilinux/packages/cryptsetup-nuke-password ?

AFAICT that package replaces /lib/cryptsetup/askpass with a script that calls
the original ‘askpass’ binary (renamed to /lib/cryptsetup/askpass.cryptsetup),
and erases the LUKS header if its digest value matches a special “nuke” hash;
otherwise the passphrase is forwarded to the ‘cryptsetup’ binary.

    https://gitlab.com/kalilinux/packages/cryptsetup-nuke-password/blob/kali/master/askpass

(FWIW the script won't work with binary keyfiles dumped to the passfifo,
because the passphrase is held by a shell variable.  It'll also break if
the value ends with a linefeed ‘\n’ character.)

‘cryptroot-unlock’ times out waiting for a running /lib/cryptsetup/askpass
process with a file descriptor opened to the passfifo, because our
askpass binary was renamed to /lib/cryptsetup/askpass.cryptsetup.  I
don't see how that could have ever worked with ‘cryptroot-unlock’ (but
the diversion might have been new in Kali's ‘cryptsetup-nuke-password’).

-- 
Guilhem.
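
The linefeed and binary-keyfile caveat from the message above, as an added example that is not part of the original message or of Kali's askpass script. It assumes the wrapper captures stdin with command substitution, uses SHA-256 as a stand-in digest, and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: how holding a passphrase in a shell variable alters it.
# SHA-256 is a stand-in digest (assumption); all names below are hypothetical.

# Digest of the exact bytes on stdin, as a binary-safe reader would see them.
digest_stream() {
    sha256sum | cut -d' ' -f1
}

# Digest after the bytes pass through a shell variable first.
# Command substitution strips every trailing newline and cannot keep NUL bytes.
digest_via_variable() (
    { pass=$(cat); } 2>/dev/null   # bash warns on stderr about dropped NULs
    printf '%s' "$pass" | sha256sum | cut -d' ' -f1
)

# Report whether a printf format string survives the round-trip unchanged.
check() {
    direct=$(printf "$1" | digest_stream)
    wrapped=$(printf "$1" | digest_via_variable)
    if [ "$direct" = "$wrapped" ]; then echo same; else echo altered; fi
}

# Constructed sample inputs, given as printf format strings.
echo "plain passphrase:   $(check 'correct horse')"
echo "trailing linefeed:  $(check 'correct horse\n')"
echo "binary keyfile:     $(check 'k\000e\001y\377')"
```

An input reported as "altered" reaches the next stage with different bytes than were written to the passfifo, so neither a digest comparison nor the forwarded key matches the original.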