On Tue, Mar 25, 2014 at 09:50:10AM +0100, Benjamin SANS wrote:
> On Tuesday, 25 March 2014 01:46, David Härdeman <da...@hardeman.nu> wrote:
>> Benjamin's approach does not seem to solve the binary key part of the
>> puzzle either...(passing binary keys from the keyscript, as opposed to
>> passphrases).
>
> Actually it does, but I'm not very proud of the fix...
> Here is an explanation:
>
> - When using a keyscript, the agent creates a temporary file like so:
>
>     char temp[] = "/run/systemd/ask-password/tmp.XXXXXX";
>     int fd = mkostemp(temp, O_WRONLY|O_CLOEXEC);
>
> - It then forks, redirects the standard output of the child to this temporary
>   file, and execv's the keyscript.
>
> - Finally, it returns via the socket the path of this temporary file.
>
> But all of this is based on the assumption that /run is a tmpfs and that it is
> safe enough to temporarily store the key.
>
Ah, mea culpa. I missed that you proposed changes to systemd's own agent as
well. Myopia: since my approach was to use an additional (new) agent which only
handles the keyscript= case, I just assumed you did as well :)

BTW, it should be noted that since the agent API allows for concurrent agents,
it's still possible to use e.g. both a keyscript and keyboard input as a backup
with my approach...the systemd agent is smart enough to remove the TTY
passphrase prompt once an answer has been provided via the other agent.

-- 
David Härdeman

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
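The keyscript flow Benjamin describes in the quoted message (temporary file from mkostemp, fork, stdout redirected into it, execv of the keyscript, path handed back, key read from the file), as an added example that is neither code from this thread nor systemd's own agent; it also verifies the "/run is a tmpfs" assumption the whole scheme rests on instead of taking it on faith. The function names, the stand-in `sh -c printf` keyscript and the `/tmp` template used by the self-test are this example's own assumptions (glibc on Linux).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/vfs.h>
#include <sys/wait.h>
#include <unistd.h>
#define TMPFS_MAGIC 0x01021994 /* value from linux/magic.h */
/* 1 if dir is RAM-backed tmpfs, 0 otherwise, -1 on error: check, don't assume. */
int dir_is_tmpfs(const char *dir) {
    struct statfs st;
    if (statfs(dir, &st) != 0) return -1;
    return st.f_type == TMPFS_MAGIC ? 1 : 0;
}
/* Run argv[0] with stdout redirected into a fresh 0600 file made from tmpl
 * (ends in XXXXXX; mkostemp rewrites it). 0 if the script exits 0, else -1. */
int run_keyscript(char *tmpl, char *const argv[]) {
    int fd = mkostemp(tmpl, O_CLOEXEC); /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                       /* child */
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(127); /* dup2 clears CLOEXEC */
        execv(argv[0], argv);
        _exit(127);
    }
    close(fd);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        unlink(tmpl); return -1;          /* never leave a half-written key */
    }
    return 0;
}
/* Binary-safe read of the key, then unlink so it does not outlive the request. */
ssize_t consume_key(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len);       /* keys are small: one read suffices */
    close(fd); unlink(path); return n;
}
/* Round trip with a constructed stand-in keyscript (assumption: /bin/sh exists). */
int keyscript_selftest(void) {
    char tmpl[] = "/tmp/keyscript-demo.XXXXXX"; /* /tmp: real agent uses /run */
    char *const argv[] = {"/bin/sh", "-c", "printf 'abc'", NULL};
    unsigned char key[64];
    if (run_keyscript(tmpl, argv) != 0) return 0;
    ssize_t n = consume_key(tmpl, key, sizeof key);
    return n == 3 && memcmp(key, "abc", 3) == 0;
}
```

A real agent would call `dir_is_tmpfs("/run/systemd/ask-password")` before `run_keyscript` and refuse to proceed when it returns anything but 1, since a disk-backed directory would leave key material on persistent storage.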