| 1 |
Am 16.05.2010 14:36, schrieb Jan Engelhardt: |
| 2 |
> [Replying to |
| 3 |
> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 |
| 4 |
> ] |
| 5 |
> |
| 6 |
> In my personal opinion, both the quality of shell commands and key |
| 7 |
> generation is suboptimal. What makes it bad is that people follow |
| 8 |
> it. |
| 9 |
> |
| 10 |
> First, it generates a key which does not exploit the entire space. |
| 11 |
> People claim it's because they want an ASCII readout, but frankly, |
| 12 |
> you get the same with `hexdump -C`. |
| 13 |
> |
| 14 |
> Second, it's using echo without the -n parameter, thus implicitly |
| 15 |
> inserting a newline into the key -- which is the cause for yoru |
| 16 |
> observed mounting problems. |
| 17 |
> |
| 18 |
> Third, because you are passing the key via stdin into cryptsetup, it |
| 19 |
> only uses the first line of whatever you pipe into it; whereas |
| 20 |
> pam_mount uses the entire keyfile as it is supposed to be. |
| 21 |
> |
| 22 |
> (Fourth, the howto suggests ECB, which, well, looks rather weak |
| 23 |
> considering the ECB's Tux picture on Wikipedia.) |
| 24 |
> |
| 25 |
> All of that should be in doc/bugs.txt, and mount.crypt even warns |
| 26 |
> about ECB. You really cannot ignore seeing that. |
| 27 |
> |
| 28 |
> Phew! |
| 29 |
|
| 30 |
Jan, thanks for your suggestions. |
| 31 |
|
| 32 |
I created a new LUKS-volume and tried to avoid all the mentioned |
| 33 |
pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here. |
| 34 |
|
| 35 |
The new volume is not mounted with pam_mount-2.1, but mounted OK with |
| 36 |
pam_mount-1.33. |
| 37 |
|
| 38 |
And, btw, as mentioned in the original thread, I use CBC, not ECB ;-) |
| 39 |
|
| 40 |
-- Your CCing Daniel didn't work maybe, wrong address, I corrected it |
| 41 |
for this reply) |
| 42 |
|
| 43 |
-- I CC: hanno@g.o to link to the gentoo bug |
| 44 |
|
| 45 |
http://bugs.gentoo.org/show_bug.cgi?id=318865 |
| 46 |
|
| 47 |
Thanks, regards, Stefan |
Archives