Package: cryptsetup
Version: 2:1.7.3-3
Severity: normal
Dear Maintainer,
At /usr/share/initramfs-tools/scripts/local-top/cryptroot there is the
following piece of code:
    failsleep=60 # make configurable later?
    if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
        message "cryptsetup ($crypttarget): maximum number of tries exceeded"
        message "cryptsetup: going to sleep for $failsleep seconds..."
        sleep $failsleep
        exit 1
    fi
Cryptsetup is designed to resist a multi-million brute-force attack by someone
who has the whole hard disk and a lot of time, so I can't see how limiting user
input to 3 tries/minute would improve security rather than annoy users.
If someone has a password so weak that this limit would save it from being
cracked, they are not using disk encryption correctly, and probably simply need
a GRUB password or something like that.
I mistakenly reported this bug upstream first:
https://gitlab.com/cryptsetup/cryptsetup/issues/311
Sincerely,
Semion
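The guard quoted above decides, after each failed passphrase, whether the initramfs keeps prompting or sleeps and exits. The following is an added example, not part of this report and not code from the cryptsetup package: it lifts that guard into a POSIX shell function so its three conditions can be exercised with chosen values. It keeps the script's own variable names ($cryptrootdev, $crypttries, $count, $failsleep); $crypttries is the value of the crypttab tries= option, where 0 means unlimited attempts. The function name is hypothetical, and the sleep is replaced by printing the delay so the logic can be checked without waiting.

```shell
# Added example (not from cryptsetup): the local-top/cryptroot guard as a
# testable function. Prints the number of seconds the script would sleep
# before giving up (0 if it would keep prompting) and returns 1 when the
# script would exit, 0 otherwise.
cryptroot_should_give_up() {
    cryptrootdev="$1"      # "yes" when the device being unlocked holds the root fs
    crypttries="$2"        # crypttab tries= option; 0 means unlimited
    count="$3"             # passphrase attempts made so far
    failsleep="${4:-60}"   # delay before exit; the script hard-codes 60

    # Same condition as the script: only the root device is limited, only when
    # a positive tries= value is set, and only once count reaches that value.
    if [ "$cryptrootdev" = "yes" ] && [ "$crypttries" -gt 0 ] && [ "$count" -ge "$crypttries" ]; then
        echo "$failsleep"
        return 1
    fi
    echo 0
    return 0
}
```

Running it with the default tries=3 shows the behaviour the report complains about: the third failed attempt on the root device produces a 60 second delay and an exit, while a non-root device, or tries=0, never triggers the sleep.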