Your message dated Sat, 24 Nov 2018 18:34:40 +0000
with message-id <[email protected]>
and subject line Bug#914458: fixed in cryptsetup 2:2.0.5-2
has caused the Debian Bug report #914458,
regarding cryptsetup-initramfs: user is prompted for password even when the 
detached header is missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
914458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914458
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup-initramfs
Version: 2:2.0.5-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

I have the whole /boot/ partition on an external USB drive. I also have LUKSv2
header detached from the system container and also placed inside of that
external
USB drive. So, to open my laptop, I have to connect the USB device (my phone)
first. In order to make this work, I had to write some script and put it in the
/etc/initramfs-tools/scripts/local-block/mount-boot file. Here's the file.

===========================================
#!/bin/sh
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}

case $1 in
prereqs)
   prereqs
   exit 0
   ;;
esac

# source for log_*_msg() functions, see LP: #272301
. /scripts/functions

# Default PATH differs between shells, and is not automatically exported
# by klibc dash.  Make it consistent.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ -d /boot ] || mkdir -m 0755 /boot

mount -t ext4 -o ro /dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7
/boot

exit 0
===========================================

This setup was working well for some time, but it's not working as well as
before, and I don't really know when it exactly sopped working. I thought the
situation was temporary, but it looks like it's not.

When I boot my system, I get prompt for password, so I type it correctly, and
my system is unable to open the encrypted system container. No matter what I
do, first 6 tries always fail -- I can type whatever, or even left it empty and
just press enter. The 7th time works, and everything backs to normal. For
some time I thought it's a really nice security feature, but I'm getting tired
of it. :D

Looking for some answers, I found this:
1. When the system with detached LUKS header boots, it looks for the external
USB device. The device isn't available when the first password prompt shows. In
the earlier version (when everything was working well), some errors were
printed on the screen when the system was probing for the external USB device
(because of the /etc/initramfs-tools/scripts/local-block/mount-boot file). It
was saying something about "Error LUKS header missing" several times, one after
another till I got the password prompt. Now, only the first error is printed,
but after that, it stops, and it doesn't probe for the USB device till I type
some password.
2. When I type 3x the password, I can see "Running /script/local-premount".
Some messages also are written to the screen, and then I see "Running
/scripts/local-block", and boot hangs again waiting for another password.
3. Also after those 3 bad passwords, I get the message "maximum numbers of
tries exceeded". Usually this should lock the user from typing another password
for 60s or something, but in this case it doesn't do that.
4. After another 3 tries, I can see another "Running /scripts/local-block" and
some other messages are displayed, including also another "maximum numbers of
tries exceeded" also without preventing the user from typing another password.
5. So, after those 6 tries, when I try for the 7th time, it finally works, and
my system is able to decrypt the encrypted system container.

So where's the problem? Why it's not working well now, and it was working in
the past?



- -- Package-specific info:

- -- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.5-1
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.187
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.




-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5JPPWm5C7TFDUMqpzQRoEHcbZSAFAlv4JTkACgkQzQRoEHcb
ZSBcQhAAzQYz4+h6a8MLX9yUoFJipoYq/PStms8goCiUI09e1HUDVpvt9dknJRBs
eZrijfd08VfSiMqz7CrHyIArvDwAtLCajW8k/TWKDH9wTSA+27GZXSJPPOUUnk9H
zXCeAuJAX4LUasyOrTHTMDrM9w842xyfKEs6TwZf/lxi+9EuIRFTLuJQnlpTT3bv
t5oKC5j+rFgOxsp7XKuZnxi82blb8EAsFNYTJb5f4ZKnP5qamUU1yaHV/o1tzisF
LgtFCRkP03NUh1M4lzGD70Tp6A+Bc8O9H/kMrBx2yWVg5AN/439uWsDIBk++4kTC
I4FuzPcWnChtZMjO5HlFME59k0ET4hEh53Vf9So3PSbcWEFxCcG9IKymOx7IWO64
v9Yb3CHDBB98UcdRw9Rbr9VexVi+EqsoywP2eUPjBExEjh9jDcdCYjac9rplZUOT
qS2vHfy93kWl7TOo//o5qvVjjYpIrOBQWItFR3UrQuZHdQbx0zoNL/GHXO0l2e81
yL7RZRwXlVk0A+XJODnZz4b+qsdfkCR3LKwfqdlhbLmpul9CwKlA3bhV3c55BqXL
oADUWk9ve5uzsu+9RLZ05hdmz361aXsIthky0D9S1PnohqpnvyvaAMYCyZR/DGa7
zsUQnqzEaYNqXxSqTWyFHaLGZV7DF3P/bwp6t0M1smHbWoOH+tU=
=szAv
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:2.0.5-2

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Nov 2018 18:34:42 +0100
Source: cryptsetup
Binary: cryptsetup-run cryptsetup-bin cryptsetup-initramfs cryptsetup 
libcryptsetup12 libcryptsetup-dev cryptsetup-udeb libcryptsetup12-udeb
Architecture: source amd64 all
Version: 2:2.0.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Cryptsetup Team 
<[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Description:
 cryptsetup - transitional dummy package for cryptsetup-{run,initramfs}
 cryptsetup-bin - disk encryption support - command line tools
 cryptsetup-initramfs - disk encryption support - initramfs integration
 cryptsetup-run - disk encryption support - startup scripts
 cryptsetup-udeb - disk encryption support - commandline tools (udeb) (udeb)
 libcryptsetup-dev - disk encryption support - development files
 libcryptsetup12 - disk encryption support - shared library
 libcryptsetup12-udeb - disk encryption support - shared library (udeb) (udeb)
Closes: 888916 903163 914458
Changes:
 cryptsetup (2:2.0.5-2) unstable; urgency=medium
 .
   * debian/initramfs/hooks/*: Skip call to copy_file() when the target already
     exists (as the function return value 1 in the case).
   * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik
     Nellessen. (Closes: #888916, #903163.)
   * Move header presence check to crypttab_parse_options() from
     unlock_mapping().  Having the presence checks in unlock_mapping() caused
     dummy password prompts in interactive mode when the LUKS header file was
     missing.  Regression since 2:2.0.3-2.  (Closes: #914458.)
Checksums-Sha1:
 f2390a098176ef867b78ec7a0f53ad0bde5f10cb 2817 cryptsetup_2.0.5-2.dsc
 7ae84e223837765852782c7626ee745f1d66a086 100160 
cryptsetup_2.0.5-2.debian.tar.xz
 53cea53b012d95fa0845d7e36e3f1e343fb8b84b 237120 
cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb
 c6037832b0bc6d1866a29d06b333065e7bb83564 273784 
cryptsetup-bin_2.0.5-2_amd64.deb
 4ab5ed3a11c1c12f62ff3e0ab86eb48e413dd02f 66964 
cryptsetup-initramfs_2.0.5-2_all.deb
 48961fae189efca15940e02580d2a7c07f1a6d31 19388 
cryptsetup-run-dbgsym_2.0.5-2_amd64.deb
 e8b50b6924040374b1b323f4d77d4162318c991d 186604 
cryptsetup-run_2.0.5-2_amd64.deb
 eed9b99e19c1d408a810d989444c61c8d527f32e 53152 
cryptsetup-udeb_2.0.5-2_amd64.udeb
 acfb71c312e6faac6ae5f808731ba4a895b3c565 49068 cryptsetup_2.0.5-2_all.deb
 da24a2526c4e0b3a397abb8ec1f63e308c36a82d 9154 
cryptsetup_2.0.5-2_amd64.buildinfo
 306892d22200295161a272b2f42c309e0acf83de 64644 
libcryptsetup-dev_2.0.5-2_amd64.deb
 f5628d4aeeb481dea213de462a82581c19f2f8a5 415868 
libcryptsetup12-dbgsym_2.0.5-2_amd64.deb
 09bc71aa3ce50f92473faf62865ca79bb6d941e8 133264 
libcryptsetup12-udeb_2.0.5-2_amd64.udeb
 df57768f76cfa02c20172efac89ed5c16b91ea26 181488 
libcryptsetup12_2.0.5-2_amd64.deb
Checksums-Sha256:
 2525e697551f0a539e289b80e325bc4dfb44c5a9ec8e24c96d6d4e75fadba0ef 2817 
cryptsetup_2.0.5-2.dsc
 6ffe3b517818ae101bc7aa5ee4b50b1db5be27ffbdef62eda78aa3b190a3c3c4 100160 
cryptsetup_2.0.5-2.debian.tar.xz
 9c77996cb7e4e52344adf37e2a51f5197443267262dc10a4e4c5868e35888021 237120 
cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb
 cef074f1c43c7246104781185ebd53aeed0453aa9c5ea83b2f4ab1dddbfd1b43 273784 
cryptsetup-bin_2.0.5-2_amd64.deb
 6f0a4c07ac484c82050ebc8fcfb53e39153851be617aad62c53bc7035b221834 66964 
cryptsetup-initramfs_2.0.5-2_all.deb
 f0e1b49ae47cd12f25d05dceff7b617ac3a222a58873c35e9c85832bff62cb20 19388 
cryptsetup-run-dbgsym_2.0.5-2_amd64.deb
 1678f5a9fe662dac1cfd632718ddc22dccb29b3673ac1647071d156a9697c181 186604 
cryptsetup-run_2.0.5-2_amd64.deb
 ca1f9aa1c91348a80b7ef7944aac0a697d2073e28bcd4d9527126eca891ab6fe 53152 
cryptsetup-udeb_2.0.5-2_amd64.udeb
 c5653196984cc82bc4926696b41ef33083b6cdd665e1bd13aca13e586a4ce603 49068 
cryptsetup_2.0.5-2_all.deb
 1657d50fe5329b22a6e0e0481dcf1bb8e3c453b3b3eede01766de5a8c55c2b5c 9154 
cryptsetup_2.0.5-2_amd64.buildinfo
 0190daeb8a1268883052307ac97850424f26c5990712797ef00f9efc1d831bf0 64644 
libcryptsetup-dev_2.0.5-2_amd64.deb
 900b83c463c133134cccba1d46962ff7af5465cb575f72975bc6a051e41779da 415868 
libcryptsetup12-dbgsym_2.0.5-2_amd64.deb
 2d5ae1800848713fb1067408345b4c7ae093aba544ef48716abb388a378a5115 133264 
libcryptsetup12-udeb_2.0.5-2_amd64.udeb
 0132ef009c82436689ce222f21726a4a8a7bef0a9ba3a145575780f50951775d 181488 
libcryptsetup12_2.0.5-2_amd64.deb
Files:
 784ecdfd43e300532139dc63d7778842 2817 admin optional cryptsetup_2.0.5-2.dsc
 f76a0323c93abbbba60aa1c362435b0d 100160 admin optional 
cryptsetup_2.0.5-2.debian.tar.xz
 6873a82312f46da988743a241b6a5c23 237120 debug optional 
cryptsetup-bin-dbgsym_2.0.5-2_amd64.deb
 15c7b332b7817455a000a31f2834650f 273784 admin optional 
cryptsetup-bin_2.0.5-2_amd64.deb
 750d98ab655755758249b6b50e212269 66964 admin optional 
cryptsetup-initramfs_2.0.5-2_all.deb
 c9205a649a0ea213db3bf2fa852085b5 19388 debug optional 
cryptsetup-run-dbgsym_2.0.5-2_amd64.deb
 3dd483fc77d833cdea8bcb9135c0defc 186604 admin optional 
cryptsetup-run_2.0.5-2_amd64.deb
 e2ba2593b1fdf7afef2e21aa8ab1ad38 53152 debian-installer optional 
cryptsetup-udeb_2.0.5-2_amd64.udeb
 a233e7f552dd5e41fb3a04d3e2e6f9d0 49068 oldlibs optional 
cryptsetup_2.0.5-2_all.deb
 5857fda5c9c22aab6d4050fea6db34e1 9154 admin optional 
cryptsetup_2.0.5-2_amd64.buildinfo
 5ee8315da9bcfa9de84aeeaa17f57038 64644 libdevel optional 
libcryptsetup-dev_2.0.5-2_amd64.deb
 d34ff47a7745ec6779835d846344ae1c 415868 debug optional 
libcryptsetup12-dbgsym_2.0.5-2_amd64.deb
 6ca175a293194c2581a94dc77abae96b 133264 debian-installer optional 
libcryptsetup12-udeb_2.0.5-2_amd64.udeb
 8b91a8b3b01057df57c4dd9d70c53dfe 181488 libs optional 
libcryptsetup12_2.0.5-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAlv5knUACgkQ05pJnDwh
pVK+iw//XGIhIZVnBe527azqbtTo8hGmECgvgrW9M6mn/tnPY9OCHaXHuJmHHTGJ
pJG+ps9l/nqnAgawGkw6pBcGoJ9Pqgcvkj4IqZbrFvoVzdakb+aHNjftGvMbJKvJ
vIAwQKKm/PNBtxpvRG1HXpxnfEviGmYCO589T78+gxPbbvZZfsCJBUM6YN/NwUIh
AIcIPD7dDQpxhvw3NXauIzo+qXkd5ksaOMLdRvpIXvrKOqV28svD0+aJih56+yY/
RG8oiKoJtXbPEssVIyMUpNgNdPlYLwDGZDgs1hrsHIEMZK0MwPwdoYHtzqqleQu9
7SZ/ASauj0UIEuC/BUfgrWYj1qSu5gK1f1LOc/cconNBLz48D5O8zmrdkerOQjhk
hogbNBgF4w3zScF+qnDR28yg4WkyjIq1VusA8cTWcIQruVzaN8yGf79sBTSYuL8s
cRtl+sYcQAhsnWtQpq28F4h8fZsgU7/c/fmfzyJCPGh6RlGQe4dlyWeTxSC7PC9e
eOo0HxYHR04zjTzNfRJjEmjoQ5XrUqELe7rgO82CjC3UjSg/HjRzgRlKrZIMT8rC
YZlA9XBRmKGQlEQQlMJ8P2fcD0e9Xklsux7TUxgLuOv93Zr3JUYhGQA668KlpR6h
SC/yq5GU7y1ahTcDFtSkhrgqA9YZTPn4hvT0HVUUrjvbgr7M8BA=
=BA/s
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to