Your message dated Sat, 24 Nov 2018 18:34:40 +0000 with message-id <[email protected]> and subject line Bug#914458: fixed in cryptsetup 2:2.0.5-2 has caused the Debian Bug report #914458, regarding cryptsetup-initramfs: user is prompted for password even when the detached header is missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 914458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914458 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: cryptsetup-initramfs Version: 2:2.0.5-1 Severity: important -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear Maintainer, I have the whole /boot/ partition on an external USB drive. I also have LUKSv2 header detached from the system container and also placed inside of that external USB drive. So, to open my laptop, I have to connect the USB device (my phone) first. In order to make this work, I had to write some script and put it in the /etc/initramfs-tools/scripts/local-block/mount-boot file. Here's the file. =========================================== #!/bin/sh PREREQ="" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac # source for log_*_msg() functions, see LP: #272301 . /scripts/functions # Default PATH differs between shells, and is not automatically exported # by klibc dash. Make it consistent. export PATH=/sbin:/usr/sbin:/bin:/usr/bin [ -d /boot ] || mkdir -m 0755 /boot mount -t ext4 -o ro /dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7 /boot exit 0 =========================================== This setup was working well for some time, but it's not working as well as before, and I don't really know when it exactly sopped working. I thought the situation was temporary, but it looks like it's not. When I boot my system, I get prompt for password, so I type it correctly, and my system is unable to open the encrypted system container. No matter what I do, first 6 tries always fail -- I can type whatever, or even left it empty and just press enter. The 7th time works, and everything backs to normal. For some time I thought it's a really nice security feature, but I'm getting tired of it. :D Looking for some answers, I found this: 1. When the system with detached LUKS header boots, it looks for the external USB device. The device isn't available when the first password prompt shows. In the earlier version (when everything was working well), some errors were printed on the screen when the system was probing for the external USB device (because of the /etc/initramfs-tools/scripts/local-block/mount-boot file). It was saying something about "Error LUKS header missing" several times, one after another till I got the password prompt. Now, only the first error is printed, but after that, it stops, and it doesn't probe for the USB device till I type some password. 2. When I type 3x the password, I can see "Running /script/local-premount". Some messages also are written to the screen, and then I see "Running /scripts/local-block", and boot hangs again waiting for another password. 3. Also after those 3 bad passwords, I get the message "maximum numbers of tries exceeded". Usually this should lock the user from typing another password for 60s or something, but in this case it doesn't do that. 4. After another 3 tries, I can see another "Running /scripts/local-block" and some other messages are displayed, including also another "maximum numbers of tries exceeded" also without preventing the user from typing another password. 5. So, after those 6 tries, when I try for the 7th time, it finally works, and my system is able to decrypt the encrypted system container. So where's the problem? Why it's not working well now, and it was working in the past? - -- Package-specific info: - -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (990, 'unstable'), (130, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cryptsetup-initramfs depends on: ii busybox 1:1.27.2-3 ii cryptsetup-run 2:2.0.5-1 ii initramfs-tools [linux-initramfs-tool] 0.132 Versions of packages cryptsetup-initramfs recommends: ii console-setup 1.187 ii kbd 2.0.4-4 cryptsetup-initramfs suggests no packages. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5JPPWm5C7TFDUMqpzQRoEHcbZSAFAlv4JTkACgkQzQRoEHcb ZSBcQhAAzQYz4+h6a8MLX9yUoFJipoYq/PStms8goCiUI09e1HUDVpvt9dknJRBs eZrijfd08VfSiMqz7CrHyIArvDwAtLCajW8k/TWKDH9wTSA+27GZXSJPPOUUnk9H zXCeAuJAX4LUasyOrTHTMDrM9w842xyfKEs6TwZf/lxi+9EuIRFTLuJQnlpTT3bv t5oKC5j+rFgOxsp7XKuZnxi82blb8EAsFNYTJb5f4ZKnP5qamUU1yaHV/o1tzisF LgtFCRkP03NUh1M4lzGD70Tp6A+Bc8O9H/kMrBx2yWVg5AN/439uWsDIBk++4kTC I4FuzPcWnChtZMjO5HlFME59k0ET4hEh53Vf9So3PSbcWEFxCcG9IKymOx7IWO64 v9Yb3CHDBB98UcdRw9Rbr9VexVi+EqsoywP2eUPjBExEjh9jDcdCYjac9rplZUOT qS2vHfy93kWl7TOo//o5qvVjjYpIrOBQWItFR3UrQuZHdQbx0zoNL/GHXO0l2e81 yL7RZRwXlVk0A+XJODnZz4b+qsdfkCR3LKwfqdlhbLmpul9CwKlA3bhV3c55BqXL oADUWk9ve5uzsu+9RLZ05hdmz361aXsIthky0D9S1PnohqpnvyvaAMYCyZR/DGa7 zsUQnqzEaYNqXxSqTWyFHaLGZV7DF3P/bwp6t0M1smHbWoOH+tU= =szAv -----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---Source: cryptsetup Source-Version: 2:2.0.5-2 We believe that the bug you reported is fixed in the latest version of cryptsetup, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin <[email protected]> (supplier of updated cryptsetup package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 24 Nov 2018 18:34:42 +0100 Source: cryptsetup Binary: cryptsetup-run cryptsetup-bin cryptsetup-initramfs cryptsetup libcryptsetup12 libcryptsetup-dev cryptsetup-udeb libcryptsetup12-udeb Architecture: source amd64 all Version: 2:2.0.5-2 Distribution: unstable Urgency: medium Maintainer: Debian Cryptsetup Team <[email protected]> Changed-By: Guilhem Moulin <[email protected]> Description: cryptsetup - transitional dummy package for cryptsetup-{run,initramfs} cryptsetup-bin - disk encryption support - command line tools cryptsetup-initramfs - disk encryption support - initramfs integration cryptsetup-run - disk encryption support - startup scripts cryptsetup-udeb - disk encryption support - commandline tools (udeb) (udeb) libcryptsetup-dev - disk encryption support - development files libcryptsetup12 - disk encryption support - shared library libcryptsetup12-udeb - disk encryption support - shared library (udeb) (udeb) Closes: 888916 903163 914458 Changes: cryptsetup (2:2.0.5-2) unstable; urgency=medium . * debian/initramfs/hooks/*: Skip call to copy_file() when the target already exists (as the function return value 1 in the case). * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik Nellessen. (Closes: #888916, #903163.) * Move header presence check to crypttab_parse_options() from unlock_mapping(). Having the presence checks in unlock_mapping() caused dummy password prompts in interactive mode when the LUKS header file was missing. Regression since 2:2.0.3-2. (Closes: #914458.) Checksums-Sha1: f2390a098176ef867b78ec7a0f53ad0bde5f10cb 2817 cryptsetup_2.0.5-2.dsc 7ae84e223837765852782c7626ee745f1d66a086 100160 cryptsetup_2.0.5-2.debian.tar.xz 53cea53b012d95fa0845d7e36e3f1e343fb8b84b 237120 cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb c6037832b0bc6d1866a29d06b333065e7bb83564 273784 cryptsetup-bin_2.0.5-2_amd64.deb 4ab5ed3a11c1c12f62ff3e0ab86eb48e413dd02f 66964 cryptsetup-initramfs_2.0.5-2_all.deb 48961fae189efca15940e02580d2a7c07f1a6d31 19388 cryptsetup-run-dbgsym_2.0.5-2_amd64.deb e8b50b6924040374b1b323f4d77d4162318c991d 186604 cryptsetup-run_2.0.5-2_amd64.deb eed9b99e19c1d408a810d989444c61c8d527f32e 53152 cryptsetup-udeb_2.0.5-2_amd64.udeb acfb71c312e6faac6ae5f808731ba4a895b3c565 49068 cryptsetup_2.0.5-2_all.deb da24a2526c4e0b3a397abb8ec1f63e308c36a82d 9154 cryptsetup_2.0.5-2_amd64.buildinfo 306892d22200295161a272b2f42c309e0acf83de 64644 libcryptsetup-dev_2.0.5-2_amd64.deb f5628d4aeeb481dea213de462a82581c19f2f8a5 415868 libcryptsetup12-dbgsym_2.0.5-2_amd64.deb 09bc71aa3ce50f92473faf62865ca79bb6d941e8 133264 libcryptsetup12-udeb_2.0.5-2_amd64.udeb df57768f76cfa02c20172efac89ed5c16b91ea26 181488 libcryptsetup12_2.0.5-2_amd64.deb Checksums-Sha256: 2525e697551f0a539e289b80e325bc4dfb44c5a9ec8e24c96d6d4e75fadba0ef 2817 cryptsetup_2.0.5-2.dsc 6ffe3b517818ae101bc7aa5ee4b50b1db5be27ffbdef62eda78aa3b190a3c3c4 100160 cryptsetup_2.0.5-2.debian.tar.xz 9c77996cb7e4e52344adf37e2a51f5197443267262dc10a4e4c5868e35888021 237120 cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb cef074f1c43c7246104781185ebd53aeed0453aa9c5ea83b2f4ab1dddbfd1b43 273784 cryptsetup-bin_2.0.5-2_amd64.deb 6f0a4c07ac484c82050ebc8fcfb53e39153851be617aad62c53bc7035b221834 66964 cryptsetup-initramfs_2.0.5-2_all.deb f0e1b49ae47cd12f25d05dceff7b617ac3a222a58873c35e9c85832bff62cb20 19388 cryptsetup-run-dbgsym_2.0.5-2_amd64.deb 1678f5a9fe662dac1cfd632718ddc22dccb29b3673ac1647071d156a9697c181 186604 cryptsetup-run_2.0.5-2_amd64.deb ca1f9aa1c91348a80b7ef7944aac0a697d2073e28bcd4d9527126eca891ab6fe 53152 cryptsetup-udeb_2.0.5-2_amd64.udeb c5653196984cc82bc4926696b41ef33083b6cdd665e1bd13aca13e586a4ce603 49068 cryptsetup_2.0.5-2_all.deb 1657d50fe5329b22a6e0e0481dcf1bb8e3c453b3b3eede01766de5a8c55c2b5c 9154 cryptsetup_2.0.5-2_amd64.buildinfo 0190daeb8a1268883052307ac97850424f26c5990712797ef00f9efc1d831bf0 64644 libcryptsetup-dev_2.0.5-2_amd64.deb 900b83c463c133134cccba1d46962ff7af5465cb575f72975bc6a051e41779da 415868 libcryptsetup12-dbgsym_2.0.5-2_amd64.deb 2d5ae1800848713fb1067408345b4c7ae093aba544ef48716abb388a378a5115 133264 libcryptsetup12-udeb_2.0.5-2_amd64.udeb 0132ef009c82436689ce222f21726a4a8a7bef0a9ba3a145575780f50951775d 181488 libcryptsetup12_2.0.5-2_amd64.deb Files: 784ecdfd43e300532139dc63d7778842 2817 admin optional cryptsetup_2.0.5-2.dsc f76a0323c93abbbba60aa1c362435b0d 100160 admin optional cryptsetup_2.0.5-2.debian.tar.xz 6873a82312f46da988743a241b6a5c23 237120 debug optional cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb 15c7b332b7817455a000a31f2834650f 273784 admin optional cryptsetup-bin_2.0.5-2_amd64.deb 750d98ab655755758249b6b50e212269 66964 admin optional cryptsetup-initramfs_2.0.5-2_all.deb c9205a649a0ea213db3bf2fa852085b5 19388 debug optional cryptsetup-run-dbgsym_2.0.5-2_amd64.deb 3dd483fc77d833cdea8bcb9135c0defc 186604 admin optional cryptsetup-run_2.0.5-2_amd64.deb e2ba2593b1fdf7afef2e21aa8ab1ad38 53152 debian-installer optional cryptsetup-udeb_2.0.5-2_amd64.udeb a233e7f552dd5e41fb3a04d3e2e6f9d0 49068 oldlibs optional cryptsetup_2.0.5-2_all.deb 5857fda5c9c22aab6d4050fea6db34e1 9154 admin optional cryptsetup_2.0.5-2_amd64.buildinfo 5ee8315da9bcfa9de84aeeaa17f57038 64644 libdevel optional libcryptsetup-dev_2.0.5-2_amd64.deb d34ff47a7745ec6779835d846344ae1c 415868 debug optional libcryptsetup12-dbgsym_2.0.5-2_amd64.deb 6ca175a293194c2581a94dc77abae96b 133264 debian-installer optional libcryptsetup12-udeb_2.0.5-2_amd64.udeb 8b91a8b3b01057df57c4dd9d70c53dfe 181488 libs optional libcryptsetup12_2.0.5-2_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAlv5knUACgkQ05pJnDwh pVK+iw//XGIhIZVnBe527azqbtTo8hGmECgvgrW9M6mn/tnPY9OCHaXHuJmHHTGJ pJG+ps9l/nqnAgawGkw6pBcGoJ9Pqgcvkj4IqZbrFvoVzdakb+aHNjftGvMbJKvJ vIAwQKKm/PNBtxpvRG1HXpxnfEviGmYCO589T78+gxPbbvZZfsCJBUM6YN/NwUIh AIcIPD7dDQpxhvw3NXauIzo+qXkd5ksaOMLdRvpIXvrKOqV28svD0+aJih56+yY/ RG8oiKoJtXbPEssVIyMUpNgNdPlYLwDGZDgs1hrsHIEMZK0MwPwdoYHtzqqleQu9 7SZ/ASauj0UIEuC/BUfgrWYj1qSu5gK1f1LOc/cconNBLz48D5O8zmrdkerOQjhk hogbNBgF4w3zScF+qnDR28yg4WkyjIq1VusA8cTWcIQruVzaN8yGf79sBTSYuL8s cRtl+sYcQAhsnWtQpq28F4h8fZsgU7/c/fmfzyJCPGh6RlGQe4dlyWeTxSC7PC9e eOo0HxYHR04zjTzNfRJjEmjoQ5XrUqELe7rgO82CjC3UjSg/HjRzgRlKrZIMT8rC YZlA9XBRmKGQlEQQlMJ8P2fcD0e9Xklsux7TUxgLuOv93Zr3JUYhGQA668KlpR6h SC/yq5GU7y1ahTcDFtSkhrgqA9YZTPn4hvT0HVUUrjvbgr7M8BA= =BA/s -----END PGP SIGNATURE-----
--- End Message ---

