system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-22 02:34:54 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Rename crypttab opt silent to password-echo

Browse source 
Use the option name 'password-echo' instead of the generic term
'silent'.

Make the option take an argument for better control over echoing
behavior.

Related discussion in https://github.com/systemd/systemd/pull/19619
This commit is contained in:
Sebastian Blunt 2021-06-03 00:10:38 -07:00 committed by Lennart Poettering
parent 3745355764
commit 2cbca51a71
4 changed files with 36 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
man/crypttab.xml
View file

@ -529,11 +529,19 @@
</varlistentry>
<varlistentry>
<term><option>silent</option></term>
<term><option>password-echo=yes|no|masked</option></term>
<listitem><para>If an encryption password or security token PIN is
read from console, no asterisks will be shown while typing the pin or
password.</para></listitem>
<listitem><para>Controls whether to echo passwords or security token PINs
that are read from console. Takes a boolean or the special string <literal>masked</literal>.
The default is <option>password-echo=masked</option>.</para>
<para>If enabled, the typed characters are echoed literally. If disabled,
the typed characters are not echoed in any form, the user will not get
feedback on their input. If set to <literal>masked</literal>, an asterisk
(<literal>*</literal>) is echoed for each character typed. Regardless of
which mode is chosen, if the user hits the tabulator key (<literal></literal>)
at any time, or the backspace key (<literal></literal>) before any other
data has been entered, then echo is turned off.</para></listitem>
</varlistentry>
<varlistentry>

9
src/cryptsetup/cryptsetup-fido2.c
View file

@ -27,9 +27,8 @@ int acquire_fido2_key(
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
bool silent) {
AskPasswordFlags ask_password_flags) {
AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT);
_cleanup_strv_free_erase_ char **pins = NULL;
_cleanup_free_ void *loaded_salt = NULL;
const char *salt;
@ -37,6 +36,8 @@ int acquire_fido2_key(
char *e;
int r;
ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
assert(cid);
assert(key_file || key_data);
@ -96,11 +97,11 @@ int acquire_fido2_key(
if (headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");
flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
}
}

4
src/cryptsetup/cryptsetup-fido2.h
View file

@ -27,7 +27,7 @@ int acquire_fido2_key(
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
bool silent);
AskPasswordFlags ask_password_flags);
int find_fido2_auto_data(
struct crypt_device *cd,
@ -58,7 +58,7 @@ static inline int acquire_fido2_key(
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
bool silent) {
AskPasswordFlags ask_password_flags) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");

23
src/cryptsetup/cryptsetup.c
View file

@ -58,7 +58,7 @@ static char *arg_header = NULL;
static unsigned arg_tries = 3;
static bool arg_readonly = false;
static bool arg_verify = false;
static bool arg_silent = false;
static AskPasswordFlags arg_ask_password_flags = 0;
static bool arg_discards = false;
static bool arg_same_cpu_crypt = false;
static bool arg_submit_from_crypt_cpus = false;
@ -235,9 +235,20 @@ static int parse_one_option(const char *option) {
arg_readonly = true;
else if (streq(option, "verify"))
arg_verify = true;
else if (streq(option, "silent"))
arg_silent = true;
else if (STR_IN_SET(option, "allow-discards", "discard"))
else if ((val = startswith(option, "password-echo="))) {
if (streq(val, "masked"))
arg_ask_password_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
else {
r = parse_boolean(val);
if (r < 0) {
log_warning_errno(r, "Invalid password-echo= option \"%s\", ignoring.", val);
return 0;
}
SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_ECHO, r);
SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_SILENT, !r);
}
} else if (STR_IN_SET(option, "allow-discards", "discard"))
arg_discards = true;
else if (streq(option, "same-cpu-crypt"))
arg_same_cpu_crypt = true;
@ -543,7 +554,7 @@ static int get_password(
_cleanup_strv_free_erase_ char **passwords = NULL;
char **p, *id;
int r = 0;
AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT);
AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE;
assert(vol);
assert(src);
@ -811,7 +822,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
arg_headless,
required,
&decrypted_key, &decrypted_key_size,
arg_silent);
arg_ask_password_flags);
if (r >= 0)
break;
if (r != -EAGAIN) /* EAGAIN means: token not found */