Hi David

On Tuesday, 25 March 2014 01:46, David Härdeman <da...@hardeman.nu> wrote:

> I think Benjamin and I have basically both come up with the same
> solution (though I haven't changed the option from "keyscript=" to
> "keyhandler=" since that would break backwards compatibility...which is
> partly the point of the whole exercise)...

I agree here, the keyscript option would be much better.

> Benjamin's approach does not seem to solve the binary key part of the
> puzzle either...(passing binary keys from the keyscript, as opposed to
> passphrases).

Actually it does, but I'm not very proud of the fix... Here is an explanation:

- When using a keyscript, the agent creates a temporary file like so:

    char temp[] = "/run/systemd/ask-password/tmp.XXXXXX";
    int fd = mkostemp(temp, O_WRONLY|O_CLOEXEC);

- It then forks, redirects the standard output of the child to this temporary file, and execv()s the keyscript.

- Finally, it returns via the socket the path of this temporary file.

But all of this is based on the assumption that /run is a tmpfs and that it is safe enough to temporarily store the key.

> My proposed approach is provided in more detail in the corresponding
> Debian bug report, see:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862#44
>
> So yes, I think they're related...as in they are independent
> implementations of the same thing :)
>
>>> http://lists.freedesktop.org/archives/systemd-devel/2014-March/017869.html
>>>
>> Benjamin, can you comment?

A more detailed comment is available here:
http://lists.freedesktop.org/archives/systemd-devel/2014-March/017955.html

--
Benjamin SANS
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
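The keyscript plumbing Benjamin describes (a mkostemp() temp file, fork, the child's stdout redirected into that file, exec of the keyscript, and the file path handed back rather than the key itself) as one self-contained function. This is an added example written for this page, not Benjamin's patch or systemd code. It assumes the temp directory is passed in as a parameter (the mail uses /run/systemd/ask-password; the stand-alone main() below uses /tmp so it runs unprivileged), runs the keyscript through /bin/sh -c, and adds a dir_is_tmpfs() check for the assumption the mail flags at the end. Because the key travels as a file, it can contain NUL bytes and arbitrary octets, which is the "binary key" property under discussion.

```c
/* Added example, not systemd's or Benjamin's code. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/vfs.h>
#ifndef TMPFS_MAGIC
#define TMPFS_MAGIC 0x01021994
#endif
#endif

/* 1 if dir lives on tmpfs, 0 if on some other filesystem, -1 if unknown.
 * The mail's scheme is only acceptable when this returns 1: a key written
 * to a disk-backed filesystem can survive in unallocated blocks. */
int dir_is_tmpfs(const char *dir) {
#ifdef __linux__
    struct statfs sfs;
    if (statfs(dir, &sfs) < 0)
        return -1;
    return sfs.f_type == TMPFS_MAGIC;
#else
    (void) dir;
    return -1;
#endif
}

/* Run `script` (a shell command line, constructed by the caller) with its
 * stdout redirected into a fresh temp file under `dir`. On success the
 * temp file path is stored in `path` and the number of key bytes written
 * is returned; the caller unlinks the file once the consumer has read it.
 * Returns -1 on any failure (and leaves no temp file behind). The key is
 * never read into this process: only its path is handed back, which is
 * the "return the path via the socket" step of the mail. */
ssize_t run_keyscript(const char *dir, const char *script, char *path, size_t pathlen) {
    char tmpl[256];
    if (snprintf(tmpl, sizeof tmpl, "%s/tmp.XXXXXX", dir) >= (int) sizeof tmpl)
        return -1;

    /* mkostemp creates the file 0600 with O_EXCL, so a pre-planted file or
     * symlink in `dir` cannot be written through. O_CLOEXEC keeps the fd
     * itself out of the child; dup2() below makes a copy without the
     * close-on-exec flag, and that copy becomes the child's stdout. */
    int fd = mkostemp(tmpl, O_CLOEXEC);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (pid == 0) {
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        /* Assumption: the keyscript is run via /bin/sh -c, not execv'd directly. */
        execl("/bin/sh", "sh", "-c", script, (char *) NULL);
        _exit(127);
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        unlink(tmpl);   /* a failed keyscript must not leave a partial key behind */
        return -1;
    }

    struct stat st;
    if (stat(tmpl, &st) < 0) {
        unlink(tmpl);
        return -1;
    }
    snprintf(path, pathlen, "%s", tmpl);
    return (ssize_t) st.st_size;
}

/* Consumer side: read the whole key file, binary-safe (no strlen()). */
ssize_t read_key(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t total = 0;
    for (;;) {
        ssize_t n = read(fd, buf + total, len - total);
        if (n < 0) { close(fd); return -1; }
        if (n == 0 || total == len) break;
        total += (size_t) n;
    }
    close(fd);
    return (ssize_t) total;
}

int main(void) {
    char path[256];
    /* Constructed keyscript: emits a 6-byte key that contains NUL and 0xff. */
    ssize_t n = run_keyscript("/tmp", "printf '\\000\\001\\377abc'", path, sizeof path);
    if (n < 0) { perror("run_keyscript"); return 1; }
    printf("key of %zd bytes in %s (dir on tmpfs: %d)\n", n, path, dir_is_tmpfs("/tmp"));
    unlink(path);
    return 0;
}
```

The tmpfs check is deliberately separate from run_keyscript(): callers decide whether a non-tmpfs directory is a hard error or merely worth logging, and the check cannot rule out swap on a tmpfs, which is why the mail calls the arrangement "safe enough" rather than safe.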