Hi Lennart, thanks for your thoughts.

On Thu, Aug 14, 2014 at 07:44:59PM +0200, Lennart Poettering wrote:
> On Mon, 21.07.14 10:46, Marc Haber (mh+systemd-de...@zugschlus.de) wrote:
> > (4)
> > My PasswordAgent indicates taking responsibility by unlinking the
> > ask.xxx file from /run/systemd/ask-password. The interactive password
>
> Well, so far it is the querier that removes the file, not the agent...

I see. What would happen if I remove the file myself?

> > To use this to unlock the root fs, an entire python installation would
> > need to go in my initramfs, right? And if I want to keep things
> > simple, the best idea would be to write my PasswordAgent in a compiled
> > language which would only need the binary and its libs in the
> > initramfs, right?
>
> Yes. Correct. If you want to stick something into the initrd, I'd always
> do things in C (or shell if you must), but nothing else.
>
> > Is there code for an example PasswordAgent in C++ which I can use as a
> > template? I am quite reluctant to write a program which needs to do
> > complex string processing and is bound to run as root in C because my
> > C experience is somewhat lacking.
>
> Not aware of any C++ code. There's a vala one, and of course the one we
> ship in systemd itself in C, but C++ I cannot help you with, sorry.

Is it possible to write a PasswordAgent in shell? Example code please ;)

> > Can you please recommend a way to allow me to migrate to systemd?
> > Without keyscript= being supported in /etc/crypttab, I need to replace
> > my 50 line key script written in POSIX shell and would like to keep
> > things simple.
> >
> > Thank you very much for your consideration.
>
> I fear I don't have an easy suggestion. What kind of device do you
> actually want to make work here? some smartcard or so?

That's the vision, yes. At the moment, my keyscript unlocks a small
LUKS partition on the disk and takes the key for the root fs from
there. That's just a placeholder for a future more complicated setup.
With Debian's initramfs, unlocking the small LUKS partition works
transparently even with plymouth. This is real functionality being
lost in the systemd migration.

> I think in the long run we should somehow work towards the direction to
> make things like that just work, for common devices like smartcards and
> other auth tokens...

First step to do that would be to implement support for the keyscript=
option in /etc/crypttab as this is the canonical place to hook into on
non-system systems. At least it's the case on Debian, I don't know
about Red Hat, Fedora and other distributions.

The PasswordAgent stuff is really neat, but complicated due to the
socket communication, and it's far from being a drop-in replacement.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420
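
The socket step that the message calls complicated, as an added example in C (not code from this thread or from systemd). It assumes the ask.xxx file is INI-style with a `Socket=` key in an `[Ask]` section and that the reply is a single datagram of `+` followed by the password; the function names are hypothetical, and the agent is expected to run as root, as the thread notes.

```c
/* Added example, not systemd code. Assumed ask-file layout (constructed):
 *   [Ask]
 *   Socket=/run/systemd/ask-password/sck.xxx
 * Assumed reply format: one datagram, '+' followed by the password. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Copy the Socket= value of the [Ask] section into out; 0 on success. */
int ask_socket_path(const char *ask_file, char *out, size_t outlen)
{
    char line[1024];
    int in_ask = 0, rc = -1;
    FILE *f = fopen(ask_file, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '[')
            in_ask = strcmp(line, "[Ask]") == 0;
        else if (in_ask && strncmp(line, "Socket=/", 8) == 0 &&
                 strlen(line + 7) < outlen) {   /* absolute paths only */
            strcpy(out, line + 7);
            rc = 0;
        }
    }
    fclose(f);
    return rc;
}

/* Send "+<password>" to the querier's AF_UNIX datagram socket; 0 on success.
 * The two-element iovec avoids making another in-memory copy of the secret. */
int answer_query(const char *ask_file, const char *password)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct iovec iov[2] = { { "+", 1 }, { (void *)password, strlen(password) } };
    struct msghdr mh = { .msg_name = &sa, .msg_namelen = sizeof sa,
                         .msg_iov = iov, .msg_iovlen = 2 };
    int fd, rc;

    if (ask_socket_path(ask_file, sa.sun_path, sizeof sa.sun_path) < 0)
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return -1;
    rc = sendmsg(fd, &mh, 0) == (ssize_t)(1 + strlen(password)) ? 0 : -1;
    close(fd);
    return rc;
}
```

A `Socket=` line outside `[Ask]`, a relative path, or a path too long for `sun_path` is rejected, so the agent never sends the key to a location the ask file did not clearly name.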