| 1 |
Am 18.05.2010 22:06, schrieb Jan Engelhardt: |
| 2 |
> |
| 3 |
> On Tuesday 2010-05-18 21:33, Stefan G. Weichinger wrote: |
| 4 |
>> Am 18.05.2010 20:57, schrieb Stefan G. Weichinger: |
| 5 |
>> |
| 6 |
>>> On the other hand I would like to get that done right, sure. |
| 7 |
>>> |
| 8 |
>>> Any howto without pmt-ehd that would keep me safe from newlines |
| 9 |
>>> etc (btw. there were NO newlines in that hexdump-output)? |
| 10 |
>> |
| 11 |
>> Created a new encrypted LV and used "--key-file=-" as mentioned |
| 12 |
>> in: |
| 13 |
>> |
| 14 |
>> http://pam-mount.git.sourceforge.net/git/gitweb.cgi?p=pam-mount/pam-mount;a=blob;hb=master;f=doc/bugs.txt |
| 15 |
>> |
| 16 |
>> |
| 17 |
>> |
| 18 |
Still no success with 2.x ... |
| 19 |
> |
| 20 |
> Debugging preexisting containers is hard (because people usually |
| 21 |
> don't share that.) |
| 22 |
> |
| 23 |
> Since you are starting with a blank one, I would love to see your |
| 24 |
> failing testcase -- i.e. sequence of shell commands to trigger the |
| 25 |
> unanticipated behavior, such as the existing testcases in |
| 26 |
> src/t-crypt: |
| 27 |
> |
| 28 |
> echo that | openssl whatever cryptsetup luksFoo,Format,Open that. |
| 29 |
> mkfs cryptsetup luksClose mount.crypt -o [...] |
| 30 |
> |
| 31 |
> It does not need to follow t-crypt's style, just the sequence alone |
| 32 |
> is good. |
| 33 |
|
| 34 |
|
| 35 |
I saved my history, unfortunately only the last steps were kept, but I |
| 36 |
am able to reconstruct: |
| 37 |
|
| 38 |
The block-device is /dev/VG01/sgwcrypt ... |
| 39 |
|
| 40 |
#I tried a more complicated KEY |
| 41 |
KEY=`head -c 79 /dev/urandom` |
| 42 |
|
| 43 |
# avoid newline here |
| 44 |
echo -n $KEY | openssl aes-256-cbc > /etc/security/super.key |
| 45 |
|
| 46 |
# format it, using "--keyfile=-" as mentioned in bugs ... |
| 47 |
openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v |
| 48 |
--key-file=- --cipher aes-cbc-plain --key-size 256 luksFormat |
| 49 |
/dev/VG01/sgwcrypt |
| 50 |
|
| 51 |
# open it |
| 52 |
openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v |
| 53 |
--key-file=- luksOpen /dev/VG01/sgwcrypt newhome |
| 54 |
|
| 55 |
# create fs on the open luks-volume |
| 56 |
mkfs.ext3 /dev/mapper/newhome |
| 57 |
|
| 58 |
# mount the new fs |
| 59 |
mount /dev/mapper/newhome /mnt/gschwind |
| 60 |
|
| 61 |
all this worked OK so far, but not with pam_mount. |
| 62 |
|
| 63 |
OK? |
| 64 |
|
| 65 |
Stefan |
Archives