| 1 |
Am 18.05.2010 18:04, schrieb Jan Engelhardt: |
| 2 |
> |
| 3 |
> On Tuesday 2010-05-18 15:44, Stefan G. Weichinger wrote: |
| 4 |
>>> |
| 5 |
>>> To be sure, use |
| 6 |
>>> |
| 7 |
>>> openssl -d ... | hexdump -C |
| 8 |
>>> |
| 9 |
>>> to detect newlines in the key. The shell has far too many occasions |
| 10 |
>>> where \n gets stripped or added. |
| 11 |
>> |
| 12 |
>> Thanks for the hint. |
| 13 |
>> |
| 14 |
>> Could you please show me an example how it should look like and what to |
| 15 |
>> look for? |
| 16 |
> |
| 17 |
> In case the key is a suboptimal ascii-only key, it looks like this. |
| 18 |
> |
| 19 |
> offset bytes broken up visual represent. |
| 20 |
> 00000000 35 34 28 5e 52 69 4c 22 3c 72 4c 35 35 27 70 32 |54(^RiL"<rL55'p2| |
| 21 |
> 00000010 39 59 48 21 3b 50 2e 25 52 6e 27 4f 4d 51 42 6b |9YH!;P.%Rn'OMQBk| |
| 22 |
> 00000020 34 43 38 76 4e 49 51 24 3f 5e 42 63 2f 6c 2d 76 |4C8vNIQ$?^Bc/l-v| |
| 23 |
> 00000030 34 7d 4d 6a 50 5c 41 3c 3f 70 76 67 22 57 21 6b |4}MjP\A<?pvg"W!k| |
| 24 |
> 00000040 77 78 5c 24 23 5e 2e 56 7a 56 24 5a 4f 7e 6a |wx\$#^.VzV$ZO~j| |
| 25 |
> 0000004f |
| 26 |
> |
| 27 |
> If there were a newline, one of the bytes would be 0a. |
| 28 |
|
| 29 |
Will check ... |
| 30 |
|
| 31 |
>> Do you know any howto where it is done "the right way"? |
| 32 |
> |
| 33 |
> The right and easy way is to just use the supplied pmt-ehd(8) tool, |
| 34 |
> which works both interactively and non-interactively, depending on |
| 35 |
> whether it's called with enough arguments or not, so there's something |
| 36 |
> for everybody's flavor. |
| 37 |
> It does not do LUKS yet as of pam_mount 2.2, though. Guess my |
| 38 |
> todo list gets longer.. |
| 39 |
|
| 40 |
:-) |
| 41 |
|
| 42 |
But given the fact that I store the key on the same hard-disk with the |
| 43 |
shadowed user-pw I could also leave that openssl-part straight away, |
| 44 |
correct?? seems the same level of (in)security to me ... |
| 45 |
|
| 46 |
thank you, Stefan |
Archives