On 16.05.2010 14:36, Jan Engelhardt wrote:
> [Replying to
> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542
> ]
>
> In my personal opinion, both the quality of shell commands and key
> generation is suboptimal. What makes it bad is that people follow
> it.
>
> First, it generates a key which does not exploit the entire space.
> People claim it's because they want an ASCII readout, but frankly,
> you get the same with `hexdump -C`.
>
> Second, it's using echo without the -n parameter, thus implicitly
> inserting a newline into the key -- which is the cause for your
> observed mounting problems.
>
> Third, because you are passing the key via stdin into cryptsetup, it
> only uses the first line of whatever you pipe into it; whereas
> pam_mount uses the entire keyfile as it is supposed to be.
>
> (Fourth, the howto suggests ECB, which, well, looks rather weak
> considering the ECB's Tux picture on Wikipedia.)
>
> All of that should be in doc/bugs.txt, and mount.crypt even warns
> about ECB. You really cannot ignore seeing that.
>
> Phew!

Jan, thanks for your suggestions.

I created a new LUKS-volume and tried to avoid all the mentioned
pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here.

The new volume is not mounted with pam_mount-2.1, but mounted OK with
pam_mount-1.33.

And, btw, as mentioned in the original thread, I use CBC, not ECB ;-)

-- (Your CCing Daniel didn't work maybe, wrong address, I corrected it
for this reply)

-- I CC: hanno@g.o to link to the gentoo bug

http://bugs.gentoo.org/show_bug.cgi?id=318865

Thanks, regards, Stefan
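
An added illustration of the second and third points in the quoted message (it is not part of either author's mail and not code from pam_mount or cryptsetup): it compares the key bytes seen by a reader that stops at the first newline with those seen by a reader that takes the whole keyfile. Assumptions: `sha256sum` stands in for whatever the real tools do with the key, and the file names and passphrase are constructed.

```sh
#!/bin/sh
# Added illustration. sha256sum stands in for "the bytes a tool treats as the
# key"; neither cryptsetup nor pam_mount is invoked. Key values are constructed.

# Digest of what a reader that stops at the first newline would use
# (the stdin behaviour attributed to cryptsetup in the quoted message).
first_line_digest() {
    head -n 1 "$1" | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Digest of what a reader that consumes the entire keyfile would use
# (the behaviour attributed to pam_mount in the quoted message).
whole_file_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Succeeds only if both readers would end up with identical key bytes.
same_key() {
    [ "$(first_line_digest "$1")" = "$(whole_file_digest "$1")" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    echo 'constructed-passphrase' > "$dir/echo.key"            # trailing newline
    printf '%s' 'constructed-passphrase' > "$dir/printf.key"   # no newline
    printf 'ab\ncd' > "$dir/embedded.key"                      # newline inside the key
    for name in echo printf embedded; do
        f="$dir/$name.key"
        if same_key "$f"; then verdict="same key"; else verdict="DIFFERENT key"; fi
        printf '%-9s %3d bytes  %s\n' "$name" "$(($(wc -c < "$f")))" "$verdict"
    done
    rm -rf "$dir"
}

demo
```

The `embedded` case is the one a random binary key can hit, since a 0x0a byte may occur anywhere in it.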