[Bug 1451032] Re: keyscript option in crypttab not implemented
Update: Lennart's AF_SOCKET solution was added to systemd v248 in:

commit e2c2f868b28f1445e061bf7eb475b0c49efe3ac2
Author: Lennart Poettering
Date:   Wed Nov 4 17:24:53 2020 +0100

    cryptsetup: port cryptsetup's main key file logic over to read_full_file_full()

    Previously, we'd load the file with libcryptsetup's calls. Let's do that on our own, so that we can make use of READ_FULL_FILE_CONNECT_SOCKET, i.e. read in keys via AF_UNIX sockets, so that people can plug key providers into our logic.

    This provides functionality similar to Debian's keyscript= crypttab option (see → #3007), as it allows key scripts to be run as socket-activated services that have stdout connected to the activated socket. In contrast to traditional keyscript= support this logic runs stuff out of process however, which is beneficial, since it allows sandboxing and similar.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1451032

Title:
  keyscript option in crypttab not implemented

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1451032/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1451032] Re: keyscript option in crypttab not implemented
This really should not be marked Invalid since it represents a very real regression on recommended and documented functionality that many installs using LUKS rely upon. Workarounds of varying security quality abound as a result instead of a single, well designed and integrated solution.

Indeed, in December 2020 Lennart Poettering created a simple patch for this by extending the cryptsetup code to read an AF_SOCKET [1] and recommended linking that with a system service that sets StandardOutput=socket [2][3] where the key data can be read from. [1] hasn't been merged into systemd as yet but with some additional push upstream that could likely happen.

[1] https://github.com/poettering/systemd/commit/e2c2f868b28f1445e061bf7eb475b0c49efe3ac2
[2] https://github.com/systemd/systemd/pull/3007#issuecomment-710212323
[3] https://github.com/systemd/systemd/pull/3007#issuecomment-713860129
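The socket-based key provider that the v248 commit message and the comment above describe, laid out as an added example configuration. This is not code from the bug report, from the systemd project, or from Lennart's patch; it assumes systemd >= 248, a LUKS volume named `data` on `/dev/sdb1`, a hypothetical key-retrieval script `/usr/local/lib/cryptsetup/fetch-data-key` that writes the raw key bytes to stdout and exits, the socket path `/run/keyprovider/data.sock`, and the unit names `data-key.socket` and `data-key@.service`; all of those names are assumptions.

```ini
# /etc/crypttab  (assumed volume name and device)
# Third field is the key "file". Since systemd 248, a path to an AF_UNIX stream
# socket makes systemd-cryptsetup connect to it and read the key until EOF.
data  /dev/sdb1  /run/keyprovider/data.sock  luks

# /etc/systemd/system/data-key.socket  (assumed unit name)
[Unit]
Description=Key provider socket for LUKS volume "data"
# Unlock units run before sysinit.target; default deps would create an ordering cycle.
DefaultDependencies=no
# Must be listening before the generated unlock unit tries to connect.
Before=systemd-cryptsetup@data.service

[Socket]
ListenStream=/run/keyprovider/data.sock
# Only root may connect: any local process that can open this socket can read the key.
SocketMode=0600
SocketUser=root
SocketGroup=root
# Parent directory is created by systemd; keep it private too.
DirectoryMode=0700
# inetd style: one data-key@<n>.service per connection, with the connection as its stdio.
Accept=yes

[Install]
WantedBy=cryptsetup.target

# /etc/systemd/system/data-key@.service  (assumed unit name; template for Accept=yes)
[Unit]
Description=Key provider for LUKS volume "data" (per-connection instance)
DefaultDependencies=no

[Service]
Type=simple
# Whatever the script writes to stdout becomes the key. The script must exit so the
# connection closes and systemd-cryptsetup sees EOF. Emit raw bytes (printf '%s',
# not echo) unless a trailing newline really is part of the key.
ExecStart=/usr/local/lib/cryptsetup/fetch-data-key
StandardInput=null
StandardOutput=socket
StandardError=journal
# Out-of-process helpers can be sandboxed, which in-process keyscript= could not do.
# Drop PrivateNetwork= if the script has to reach a network key server.
PrivateNetwork=yes
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes

# /etc/systemd/system/systemd-cryptsetup@data.service.d/key-socket.conf
# Drop-in for the unit that systemd-cryptsetup-generator writes for the crypttab line,
# so the socket is pulled in and ordered before the unlock.
[Unit]
Requires=data-key.socket
After=data-key.socket
```

After `systemctl daemon-reload` and `systemctl enable data-key.socket`, `systemctl start systemd-cryptsetup@data.service` should spawn one `data-key@` instance and unlock the volume. Two caveats a practitioner should expect: the script receives none of the `CRYPTTAB_*` environment that Debian's keyscripts rely on, so existing scripts need a thin wrapper; and, as noted later in this thread, this only covers volumes unlocked after the switch to the real root (the `/var` and `/home` case), since the root volume is still unlocked in the initramfs by cryptsetup's own scripts.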
[Bug 1451032] Re: keyscript option in crypttab not implemented
** Changed in: systemd (Debian)
   Status: Confirmed => Fix Released
[Bug 1451032] Re: keyscript option in crypttab not implemented
Please reopen if this is still an issue.

** Changed in: systemd (Ubuntu)
   Status: Triaged => Invalid
[Bug 1451032] Re: keyscript option in crypttab not implemented
The latest discussion about this on the systemd mailing list:
http://lists.freedesktop.org/archives/systemd-devel/2014-August/022014.html

"Also note that we really should redesign the entire scheme around the kernel keyring as only transport for the keys (and the bus for signalling). I am a bit conservative in changing here too much for now, because we really should figure out that bit first."
[Bug 1451032] Re: keyscript option in crypttab not implemented
This really needs to be solved. Unlocking secure systems that use some external key device that requires a specific helper script to access is a significant use case.

According to the Debian bug report discussion it seems that upstream systemd aren't prepared to finish their replacement implementation of cryptsetup init scripts without some kind of major new generic functionality.

Can we work around that by disabling systemd-cryptsetup and using the existing cryptsetup functionality?
[Bug 1451032] Re: keyscript option in crypttab not implemented
*** This bug is a duplicate of bug 1432265 ***
    https://bugs.launchpad.net/bugs/1432265

I have three luks partitions in /etc/crypttab (/, /home, /var), all of them with a keyscript definition. Systemd doesn't unlock /var and /home, whereas the root partition gets unlocked without problems, so it doesn't seem that the keyscript definition is not implemented.

I set up a workaround by enabling a second key slot for /var and /home filled with a standard passphrase. Actually systemd asks for the passphrase only once and uses the same entered passphrase for both partitions.

Results:
/ is normally unlocked by calling its associated keyscript.
/var and /home are unlocked with a standard passphrase (the same for both partitions).
Re: [Bug 1451032] Re: keyscript option in crypttab not implemented
*** This bug is a duplicate of bug 1432265 ***
    https://bugs.launchpad.net/bugs/1432265

GOo [2015-05-04 16:18 -]:
> I have three luks partitions in /etc/crypttab (/, /home, /var), all of them with a keyscript definition.
> Systemd doesn't unlock /var and /home, whereas the root partition gets unlocked without problems, so it doesn't seem that the keyscript definition is not implemented.

Explanation: The root partition is unlocked in initramfs with cryptsetup's own scripts. The others are unlocked in the running system, with systemd's implementation, which is lacking support for keyscript.
[Bug 1451032] Re: keyscript option in crypttab not implemented
** This bug is no longer a duplicate of bug 1432265
   does not ask for multiple LUKS passphrases without plymouth
[Bug 1451032] Re: keyscript option in crypttab not implemented
*** This bug is a duplicate of bug 1432265 ***
    https://bugs.launchpad.net/bugs/1432265

Thank you for the explanation. I forgot about the root partition being unlocked from within initramfs.
[Bug 1451032] Re: keyscript option in crypttab not implemented
*** This bug is a duplicate of bug 1432265 ***
    https://bugs.launchpad.net/bugs/1432265

@Martin Pitt: Triaged doesn't only mean that we think the bug is genuine, but also that we have performed all these checks:
https://wiki.ubuntu.com/One%20Hundred%20Papercuts/Triage

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Medium

** This bug has been marked a duplicate of bug 1432265
   does not ask for multiple LUKS passphrases without plymouth