On Fri, Aug 15, 2014 at 01:30:32PM +0200, Lennart Poettering wrote:
> On Fri, 15.08.14 12:56, Marc Haber (mh+systemd-de...@zugschlus.de) wrote:
>
> > > > Is it possible to write a PasswordAgent in shell? Example code please
> > > > ;)
> > >
> > > Probably possible, after all bash allows you to talk to unix sockets and
> > > stuff. And you could probably put the protocol together with carefully
> > > crafted echo lines, but I know of nobody who has done that so far...
> >
> > There is also the daemonizing and inotify part...
> >
> > > > > I fear I don't have an easy suggestion. What kind of device do you
> > > > > actually want to make work here? Some smartcard or so?
> > > >
> > > > That's the vision, yes. At the moment, my keyscript unlocks a small
> > > > LUKS partition on the disk and takes the key for the root fs from
> > > > there. That's just a placeholder for a future more complicated setup.
> > >
> > > Not following. You place a key for a LUKS partition on another LUKS
> > > partition? What's the benefit of that? Inception? ;-)
> >
> > It's actually part of a two-factor authentication for the poor. The
> > part to know is the key to the LUKS partition, the part to have is a
> > USB key.
>
> The part to have is trivially easy to copy, so why do the exercise
> at all? Sounds more like theatre to me...

Because I still hope to have that in a more secure way in the near future.

> > But I also know of people who use a keyscript to unlock LUKS file
> > systems with the key stored in the system's TPM or on a crypto card. I
> > have never looked into the details of those implementations (having
> > that saved for a long winter night), but I guess that those people
> > will also be pretty hosed on a systemd-based Debian.
>
> I think supporting TPM or smartcards out of the box is very desirable to
> have upstream.

Yes, and that should be done in a modular way so that even exotic (or
broken) schemes can be plugged in.

> I am not convinced though that Debian's keyscript= logic is really
> that well designed that I want to update it upstream.

You don't need to. I falsely thought that this was general functionality
and not a Debianism.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
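The agent Lennart sketches above (talk to the unix socket, assemble the protocol from carefully crafted output) together with the inotify part Marc raises, as an added example that is not part of the thread and not systemd's own code. It follows the password agent protocol documented at https://systemd.io/PASSWORD_AGENTS/: systemd drops an INI request file into /run/systemd/ask-password/, and the agent answers with one AF_UNIX datagram to the path in Socket=, "+" followed by the password on success or "-" on failure. Assumptions not taken from the page: socat sends the datagram (bash's /dev/tcp redirection covers TCP and UDP only, not AF_UNIX), inotifywait from inotify-tools watches the directory, and /etc/keyscript is a hypothetical helper that prints the key to stdout, standing in for whatever Marc's keyscript does.

```shell
#!/bin/sh
# Minimal systemd password agent in POSIX shell (added example, not from the
# thread or from systemd). It answers cryptsetup/LUKS prompts with a key
# produced by a keyscript-style helper, the job Debian's keyscript= did.
#
# Protocol (https://systemd.io/PASSWORD_AGENTS/):
#   * systemd writes /run/systemd/ask-password/ask.XXXXXX, an INI file with
#     an [Ask] section; it is written under a temporary "." name and then
#     renamed, so a file is complete as soon as it shows up under ask.*.
#   * the agent replies with ONE datagram to the AF_UNIX path in Socket=:
#     "+" followed by the password, or "-" to report failure.
#   * systemd only accepts replies sent by uid 0, so the agent runs as root.
set -u

ASK_DIR=${ASK_DIR:-/run/systemd/ask-password}
KEYSCRIPT=${KEYSCRIPT:-/etc/keyscript}   # hypothetical: prints the key to stdout

# ask_field FILE KEY: print the value of KEY= inside the [Ask] section
# (empty if absent). Only the first '=' is the delimiter; values may contain more.
ask_field() {
    awk -F= -v key="$2" '
        /^\[/               { in_ask = ($0 == "[Ask]"); next }
        in_ask && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# ask_is_live FILE: succeed only if the requesting process still exists and
# the request has not expired. NotAfter= is CLOCK_MONOTONIC in microseconds
# (0 or absent means no deadline); /proc/uptime approximates that clock.
ask_is_live() {
    pid=$(ask_field "$1" PID)
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
        return 1
    fi
    notafter=$(ask_field "$1" NotAfter)
    if [ -n "$notafter" ] && [ "$notafter" -ne 0 ]; then
        now=$(awk '{ printf "%.0f", $1 * 1000000 }' /proc/uptime 2>/dev/null)
        [ "$now" -lt "$notafter" ] 2>/dev/null || return 1
    fi
    return 0
}

# reply PAYLOAD FILE: send PAYLOAD as a single datagram to the request's
# socket. printf writes it in one go, so socat forwards it as one datagram.
reply() {
    sock=$(ask_field "$2" Socket)
    [ -S "$sock" ] || return 1
    printf '%s' "$1" | socat -u - "UNIX-SENDTO:$sock"
}

# answer FILE: run the key helper and reply "+key", or "-" when it fails.
# Shell variables cannot hold NUL bytes and $(...) strips trailing newlines,
# so this handles textual passphrases, not arbitrary binary key files.
answer() {
    if key=$("$KEYSCRIPT" 2>/dev/null) && [ -n "$key" ]; then
        reply "+$key" "$1"
    else
        reply "-" "$1"
    fi
}

# handle PATH: ignore anything that is not a finished ask.* request.
handle() {
    case $1 in
        "$ASK_DIR"/ask.*) [ -f "$1" ] && ask_is_live "$1" && answer "$1" ;;
    esac
}

# main: serve requests that already exist, then block on inotify for new
# ones. Start it from a unit (or under setsid) instead of forking by hand.
main() {
    for f in "$ASK_DIR"/ask.*; do
        handle "$f"
    done
    inotifywait -m -q -e moved_to -e close_write --format '%w%f' "$ASK_DIR" |
    while read -r f; do
        handle "$f"
    done
}

case ${1-} in run) main ;; esac
```

Invoke it as `./agent.sh run` from the initrd or a unit that is ordered before the cryptsetup units; the PID and NotAfter checks keep it from answering requests whose client has gone away, which is the failure mode a long-running agent otherwise hits after a reboot of the asking service.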