Debian Bug report logs - #495509
cryptsetup: timeout option does not work anymore
Reported by: Alexander Heinlein <alexander.heinlein@web.de>
Date: Mon, 18 Aug 2008 06:48:03 UTC
Severity: important
Found in version cryptsetup/2:1.0.6-6
Fixed in version cryptsetup/2:1.0.6-7
Done: Jonas Meurer <mejo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup.
Acknowledgement sent to Alexander Heinlein <alexander.heinlein@web.de>:
New Bug report received and forwarded. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: cryptsetup
Version: 2:1.0.6-6
Severity: normal
Hi.
cryptsetup ignores the timeout option specified in /etc/crypttab, and also
the one from /etc/default/cryptdisks.
My /etc/crypttab:
sda6 /dev/sda6 none luks,timeout=6,tries=2,checkargs=xfs
Also calling cryptsetup directly with the -t option ignores the timeout.
cryptsetup from stable takes care of this option.
Regards,
Alex
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (950, 'unstable'), (850, 'testing'), (750, 'stable'), (600, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25.10
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.27-3 The Linux Kernel Device Mapper use
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libdevmapper1.02.1 2:1.02.27-3 The Linux Kernel Device Mapper use
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libuuid1 1.41.0-3 universally unique id library
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
ii dosfstools 2.11-6 utilities for making and checking
ii initramfs-tools [linux-initra 0.92f tools for generating an initramfs
ii udev 0.125-5 /dev/ and hotplug management daemo
-- debconf-show failed
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup.
Acknowledgement sent to David Härdeman <david@hardeman.nu>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
Message #10 received at 495509@bugs.debian.org:
On Sun, August 17, 2008 11:23, Alexander Heinlein wrote:
> cryptsetup ignores the timeout option specified in /etc/crypttab, and also
> the one from /etc/default/cryptdisks.
>
> My /etc/crypttab:
> sda6 /dev/sda6 none luks,timeout=6,tries=2,checkargs=xfs
Right,
the problem is that some of the changes we've committed during the last
couple of weeks in order to support usplash/splashy/remote shells/etc make
it very hard to support timeouts. I'm not sure if we'll be able to readd
support for it... :(
--
David Härdeman
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup.
Acknowledgement sent to Alexander Heinlein <alexander.heinlein@web.de>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
Message #15 received at 495509@bugs.debian.org:
On Mon, Aug 18, 2008 at 10:11:54AM +0200, David Härdeman wrote:
> the problem is that some of the changes we've committed during the last
> couple of weeks in order to support usplash/splashy/remote shells/etc make
> it very hard to support timeouts. I'm not sure if we'll be able to readd
> support for it... :(
Oh, too bad :(
Disabling timeouts per default through config and placing a hint about
occurring issues when reenabling it isn't an option?
Would be nice if my system will boot even if there is nobody who enters the
password for auto mounted, non essential partitions.
Regards,
Alex
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup.
Acknowledgement sent to David Härdeman <david@hardeman.nu>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
Message #20 received at 495509@bugs.debian.org:
On Mon, August 18, 2008 11:10, Alexander Heinlein wrote:
> On Mon, Aug 18, 2008 at 10:11:54AM +0200, David Härdeman wrote:
>> the problem is that some of the changes we've committed during the last
>> couple of weeks in order to support usplash/splashy/remote shells/etc
>> make
>> it very hard to support timeouts. I'm not sure if we'll be able to readd
>> support for it... :(
>
> Oh, too bad :(
>
> Disabling timeouts per default through config and placing a hint about
> occurring issues when reenabling it isn't an option?
Well, the problem is that the "issue" is most of the time that there is no
timeout at all...
> Would be nice if my system will boot even if there is nobody who enters
> the password for auto mounted, non essential partitions.
If they aren't essential, then a workaround for now would be to mark them
"noauto" and use the opposite approach compared to what you're used to
doing (i.e. when someone is present, he/she can manually mount the extra
volumes).
--
David Härdeman
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup. (Tue, 04 Nov 2008 10:45:03 GMT)
Acknowledgement sent to Erwan David <erwan@rail.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Tue, 04 Nov 2008 10:45:05 GMT)
Message #25 received at 495509@bugs.debian.org:
Package: cryptsetup
Version: 2:1.0.6-6
Followup-For: Bug #495509
I should add that I use timeout on all my servers which may boot
either attended (in this case I can enter the passphrase) or
unattended (because they are not in someone's office) in which case the
least I want is to get the network in order to mount the encrypted
partition.
Thus I wanted to signal that the timeout feature is useful for my kind
of setup.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdevmapper1.02.1 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libuuid1 1.41.2-1 universally unique id library
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
pn dosfstools <none> (no description available)
ii initramfs-tools [linux-initra 0.92j tools for generating an initramfs
ii udev 0.125-7 /dev/ and hotplug management daemo
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup. (Sat, 08 Nov 2008 12:27:17 GMT)
Acknowledgement sent to "Eddy Petrișor" <eddy.petrisor@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Sat, 08 Nov 2008 12:27:18 GMT)
Message #30 received at 495509@bugs.debian.org:
Subject: cryptsetup: non-working timeout option can render remote
systems unbootable
Followup-For: Bug #495509
Package: cryptsetup
Version: 2:1.0.6-6
severity 495509 important # system unbootable when restarted remotely
thanks
On a remote server where one relies on the timeout feature to skip over
the passphrase prompt when the system is started remotely, this pauses
the entire boot process, requiring manual intervention.
Note that for me the timeout feature of cryptsetup works, but the boot
sequence doesn't work.
    bounty:/etc# time cryptsetup -t 1 luksOpen /dev/sda7 sda7_crytpo
    Enter LUKS passphrase: Command failed: Error reading passphrase
    real 0m1.003s
    user 0m0.000s
    sys 0m0.008s
The problem seems to originate from this code (cryptdisks.functions:316)
    elif [ -z "$key" ]; then
        # no keyscript, no key => password
        keyscriptarg="Enter passphrase to unlock the disk $src ($dst): "
        key="-"
        KEYSCRIPT="/lib/cryptsetup/askpass"
    [..]
    if [ -n "$KEYSCRIPT" ]; then
        if "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "$dst"; then
            break
        fi
In the case of the boot process, $KEYSCRIPT is /lib/cryptsetup/askpass,
and although the cryptsetup process times out, the askpass process is
neither killed nor does it have a timeout.
One workaround would be to have the code written as:
    elif [ -z "$key" ]; then
        # no keyscript, no key => password
        keyscriptarg="Unlocking the disk $src ($dst): "
        key="-"
        KEYSCRIPT="INTERACTIVE"
    [..]
    if [ -n "$KEYSCRIPT" ]; then
        if [ "$KEYSCRIPT" = "INTERACTIVE" ] ; then
            echo "$keyscriptarg"
            if cryptsetup $PARAMS luksOpen "$src" "$dst"; then
                break
            fi
        elif "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "$dst"; then
            break
        fi
Another (cleaner) option would be for cryptsetup to accept a -p|--prompt
argument that would print that string instead of the default prompt.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ro_RO.UTF-8, LC_CTYPE=ro_RO.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdevmapper1.02.1 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libuuid1 1.41.2-1 universally unique id library
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
ii dosfstools 2.11-6 utilities for making and checking
ii initramfs-tools [linux-initra 0.92j tools for generating an initramfs
ii udev 0.125-7 /dev/ and hotplug management daemo
-- no debconf information
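Added example, not code from this bug log or from the cryptsetup package: the pipeline shape pointed at in message #30, timed once as written and once with the prompt helper placed under its own deadline. It assumes `sleep` as a stand-in for both /lib/cryptsetup/askpass and `cryptsetup -t`; the function names run_with_deadline, give_up_after and pipeline_seconds are hypothetical.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical and `sleep` stands in
# for both /lib/cryptsetup/askpass (blocks at a prompt) and `cryptsetup -t N`.

# run_with_deadline SECS CMD [ARGS...]
# Run CMD with its stdout passed through; send it SIGTERM if it is still
# running after SECS seconds. Returns CMD's status (143 = killed by deadline).
run_with_deadline() {
    secs=$1; shift
    "$@" &
    helper=$!
    # The watchdog's output goes to /dev/null so that it never holds the
    # pipe to the consumer open after the helper has gone.
    ( sleep "$secs"; kill -TERM "$helper" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$helper" || status=$?
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    return "$status"
}

# Stand-in for `cryptsetup -t N luksOpen`: gives up after N seconds and fails.
give_up_after() {
    sleep "$1"
    return 1
}

# pipeline_seconds BLOCK MODE
# Print how many whole seconds the unlock pipeline occupies the caller when
# the prompt helper blocks for BLOCK seconds and the consumer gives up after 1.
pipeline_seconds() {
    block=$1; mode=$2
    start=$(date +%s)
    if [ "$mode" = bounded ]; then
        run_with_deadline 1 sleep "$block" | give_up_after 1 || true
    else
        # Shape of the cryptdisks.functions pipeline: the shell waits for
        # every process in it, so the helper decides when it returns.
        sleep "$block" | give_up_after 1 || true
    fi
    echo $(( $(date +%s) - start ))
}

echo "helper piped directly: $(pipeline_seconds 3 direct)s"
echo "helper under deadline: $(pipeline_seconds 3 bounded)s"
```

With a helper that blocks at a console prompt instead of for 3 seconds, the first figure has no upper bound, whatever timeout the consumer was given.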
Message sent on to Alexander Heinlein <alexander.heinlein@web.de>:
Bug#495509. (Sat, 08 Nov 2008 12:27:20 GMT)
Severity set to `important' from `normal'
Request was from Eddy Petrișor <eddy.petrisor@gmail.com> to control@bugs.debian.org. (Fri, 14 Nov 2008 00:33:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup. (Sat, 06 Dec 2008 10:57:02 GMT)
Acknowledgement sent to Filippo Giunchedi <filippo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Sat, 06 Dec 2008 10:57:02 GMT)
Message #40 received at 495509@bugs.debian.org:
On Sat, Nov 08, 2008 at 02:26:53PM +0200, Eddy Petrișor wrote:
> Subject: cryptsetup: non-working timeout option can render remote
> systems unbootable
> Followup-For: Bug #495509
> Package: cryptsetup
> Version: 2:1.0.6-6
> severity 495509 important # system unbootable when restarted remotely
> thanks
>
> On a remote server where one relies on the timeout feature to skip over
> the passphrase prompt when the system is started remotely, this pauses
> the entire boot process, requiring manual intervention.
I agree with the severity, if timeout really can't work anymore please put a
NEWS.Debian entry giving hints on how to fix the problem as things will break
for setups expecting a boot timeout.
FWIW I'm using the same setup as Eddy.
thanks,
filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:
A child of five would understand this. Send someone to fetch a child of five.
-- Groucho Marx
Message sent on to Alexander Heinlein <alexander.heinlein@web.de>:
Bug#495509. (Sat, 06 Dec 2008 10:57:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#495509; Package cryptsetup. (Sat, 06 Dec 2008 12:54:02 GMT)
Acknowledgement sent to Filippo Giunchedi <filippo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Sat, 06 Dec 2008 12:54:02 GMT)
Message #48 received at 495509@bugs.debian.org:
On Sat, Dec 06, 2008 at 11:53:52AM +0100, Filippo Giunchedi wrote:
> On Sat, Nov 08, 2008 at 02:26:53PM +0200, Eddy Petrișor wrote:
> > Subject: cryptsetup: non-working timeout option can render remote
> > systems unbootable
> > Followup-For: Bug #495509
> > Package: cryptsetup
> > Version: 2:1.0.6-6
> > severity 495509 important # system unbootable when restarted remotely
> > thanks
> >
> > On a remote server where one relies on the timeout feature to skip over
> > the passphrase prompt when the system is started remotely, this pauses
> > the entire boot process, requiring manual intervention.
>
> I agree with the severity, if timeout really can't work anymore please put a
> NEWS.Debian entry giving hints on how to fix the problem as things will break
> for setups expecting a boot timeout.
> FWIW I'm using the same setup as Eddy.
attached there's a patch which fixes the timeout also for non-luks devices
filippo
--
Filippo Giunchedi - http://esaurito.net
PGP key: 0x6B79D401
random quote follows:
Either this man is dead or my watch has stopped.
-- Groucho Marx
[cryptsetup-timeout.patch (text/x-diff, attachment)]
Message sent on to Alexander Heinlein <alexander.heinlein@web.de>:
Bug#495509. (Sat, 06 Dec 2008 12:54:05 GMT)
Tags added: pending
Request was from Jonas Meurer <mejo@debian.org> to control@bugs.debian.org. (Sat, 13 Dec 2008 21:27:07 GMT)
Reply sent to Jonas Meurer <mejo@debian.org>:
You have taken responsibility. (Thu, 18 Dec 2008 00:15:13 GMT)
Notification sent to Alexander Heinlein <alexander.heinlein@web.de>:
Bug acknowledged by developer. (Thu, 18 Dec 2008 00:15:13 GMT)
Message #58 received at 495509-close@bugs.debian.org:
Source: cryptsetup
Source-Version: 2:1.0.6-7
We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:
cryptsetup-udeb_1.0.6-7_amd64.udeb
to pool/main/c/cryptsetup/cryptsetup-udeb_1.0.6-7_amd64.udeb
cryptsetup_1.0.6-7.diff.gz
to pool/main/c/cryptsetup/cryptsetup_1.0.6-7.diff.gz
cryptsetup_1.0.6-7.dsc
to pool/main/c/cryptsetup/cryptsetup_1.0.6-7.dsc
cryptsetup_1.0.6-7_amd64.deb
to pool/main/c/cryptsetup/cryptsetup_1.0.6-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 495509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Meurer <mejo@debian.org> (supplier of updated cryptsetup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Dec 2008 21:25:45 +0100
Source: cryptsetup
Binary: cryptsetup cryptsetup-udeb
Architecture: source amd64
Version: 2:1.0.6-7
Distribution: unstable
Urgency: medium
Maintainer: Jonas Meurer <mejo@debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description:
cryptsetup - configures encrypted block devices
cryptsetup-udeb - configures encrypted block devices (udeb)
Closes: 465902 474120 491867 495509 495832 499704 499936 505779 506536 506643 507721
Changes:
cryptsetup (2:1.0.6-7) unstable; urgency=medium
.
* Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE
in configure.in.
* Support keyfiles option in bash completion. Thanks to Stefan Goebel for
the patch. (closes: #499936)
* Update patches/02_manpage.patch: Fix the documentation of default cipher
for LUKS mappings. (closes: #495832)
* Update debian/watch file to reflect the move of project home to
code.google.com.
* Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of
cryptdisks.functions. This way, cryptdisks_start/stop work even with
$CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643)
* Add force-start to cryptdisks(-early).init in order to support starting
noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779)
* Document how to enable remote device unlocking via dropbear ssh server
in the initramfs during boot process. Thanks to Chris <debian@x.ray.net>
for the great work. (closes: #465902)
* Completely remove support and documentation of the timeout option,
document this in NEWS.Debian. (closes: #495509, #474120)
* Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner.
(closes: #499704)
* Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev.
Thanks to Christoph Anton Mitterer.
* cryptdisks.functions:
- Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs
script already supports keyscripts without path as argument. Thanks to
Christoph Anton Mitterer.
* README.initramfs:
- Remove the mention of bug #398302 from the section about suspend/resume,
as this bug has been fixed for some time now.
- Remove step 6 (mkswap) from the section about decrypt_derived, as it was
superfluous. Thanks to Helmut Grohe. (closes: #491867)
* Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange.
Thanks to Marc Haber. (closes: #506536)
* Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required
to detect the dm-crypt device in setups with more than one level of device
mapper mappings. For example if LVM is used with snapshots on top of the
dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben
Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721)
* urgency=medium due to several important fixes.
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklJkAcACgkQd6lUs+JfIQLSZACeKd0LTL5vD7FO2FeGWARhcFCW
MbcAn2EkC1RYRLpmfvWZ6NiXR8/2Zgzj
=MGkx
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Jan 2009 07:26:30 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Jan 7 05:43:04 2018; Machine Name: beach