Package: cryptsetup
Version: 2:1.7.0-2
Severity: wishlist
Hey.

The crypttab's tries option is currently documented as this.

> tries=<num>
> The input of the passphrase is tried <num> times in case of
> failure. If you want to disable retries, pass "tries=1".
> Default is 3. Setting "tries=0" will ask for the passphrase
> until a correct one has been submitted (infinitive retries).

However, AFAIU, it's not really the number of passphrase retries but the number of keyscript retries (which happens to be passphrase retries if no keyscript is given, keyfile=none (see #826124) or keyscript=askpass).

a) I think it would be better if this is documented more like that, i.e. saying that it's the number of tries to set up a mapping, after executing the keyscript (+ whatever that does) OR asking for a passphrase.

b) Further, I think it would be a good idea to add an encouragement to the documentation for keyscript developers: namely, that they may rather want to let people define *another* tries option as a parameter within the third field (as e.g. proposed in 826122) than using tries.

Why? Consider a keyscript that e.g. reads an OpenPGP-encrypted key from some device, decrypts that via passphrase and feeds the output back into cryptsetup. That would e.g. involve mounting the device with the keyfile, reading a passphrase (e.g. askpass invoked by the keyscript itself), trying to decrypt, giving an exit status.

Now: if tries>1, it would do the whole procedure n times, while it would possibly make more sense to just do the askpass within the keyscript more times, because doing the mount/read-file/unmount over again doesn't change the results... it's the wrongly entered passphrase (within the keyscript) that matters.

Cheers,
Chris.
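The keyscript structure the report argues for, as an added illustration that is not part of the bug report and not code from the Debian cryptsetup package: the expensive fetch (mount, copy the encrypted key, unmount) runs once, and only the cheap step (prompt for a passphrase, try to decrypt) is repeated, with the retry count taken from the crypttab third field instead of from the global tries option. The `<device>:<keyfile>:<retries>` layout of the third field, the helper names `parse_keyfield`, `retry_decrypt` and `unlock_once`, and the use of `gpg --pinentry-mode loopback` for the decryption are assumptions made here for the example; `CRYPTTAB_KEY`, `CRYPTTAB_NAME` and `/lib/cryptsetup/askpass` are the names Debian's keyscript interface provides, but whether a given cryptsetup version exports them should be checked against its own documentation.

```shell
#!/bin/sh
# Added example (not from the bug report or from cryptsetup): a keyscript that
# retries the passphrase prompt internally, so a typo does not force the
# mount/read/unmount sequence to be repeated by cryptsetup's "tries" loop.
#
# Assumed (hypothetical) third-field layout: "<device>:<keyfile>:<retries>",
# e.g. "/dev/sdb1:/keys/root.gpg:5". cryptsetup hands it over as CRYPTTAB_KEY.

# Split the third field. A missing retries part defaults to 3 (the same
# default crypttab documents for "tries"); 0 means "until it succeeds".
# Prints "<device> <keyfile> <retries>" on one line.
parse_keyfield() {
    key="$1"
    dev=${key%%:*}; rest=${key#*:}
    file=${rest%%:*}; retries=${rest#*:}
    [ "$retries" = "$rest" ] && retries=3
    printf '%s %s %s\n' "$dev" "$file" "$retries"
}

# Run the command in "$@" up to $1 times (0 = unlimited). The attempt number is
# appended as the last argument so the callee can show it in its prompt.
# Returns 0 on the first success, 1 once the attempts are used up.
retry_decrypt() {
    retries="$1"; shift
    attempt=0
    while :; do
        attempt=$((attempt + 1))
        if "$@" "$attempt"; then
            return 0
        fi
        [ "$retries" -ne 0 ] && [ "$attempt" -ge "$retries" ] && return 1
    done
}

# The cheap step: prompt once, try to decrypt the staged key once. The
# decrypted key goes to stdout, which is what cryptsetup reads from a keyscript.
unlock_once() {
    pass=$(/lib/cryptsetup/askpass "Passphrase for $CRYPTTAB_NAME (attempt $1): ") || return 1
    printf '%s' "$pass" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$staged"
}

# Keyscript entry point: only runs when invoked by cryptsetup (CRYPTTAB_KEY set),
# so the functions above can also be sourced and exercised on their own.
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    set -- $(parse_keyfield "$CRYPTTAB_KEY")
    dev=$1; file=$2; retries=$3
    # The expensive step, done exactly once: stage the still-encrypted key
    # (no secret touches the disk; only the OpenPGP ciphertext is copied).
    mnt=$(mktemp -d) || exit 1
    staged=$(mktemp) || exit 1
    mount -o ro "$dev" "$mnt" || exit 1
    cp "$mnt/$file" "$staged"; rc=$?
    umount "$mnt"; rmdir "$mnt"
    [ "$rc" -eq 0 ] || { rm -f "$staged"; exit 1; }
    # Only the prompt/decrypt pair is retried.
    retry_decrypt "$retries" unlock_once
    rc=$?
    rm -f "$staged"
    exit "$rc"
fi
```

With this layout the crypttab entry would carry `tries=1` (so cryptsetup itself does not re-run the whole script) and put the wanted number of passphrase attempts in the third field; the exit status of the script still decides whether cryptsetup reports failure for the mapping.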

