mirror of
https://github.com/systemd/systemd
synced 2024-10-15 12:34:37 +00:00
Rename crypttab opt silent to password-echo
Use the option name 'password-echo' instead of the generic term 'silent'. Make the option take an argument for better control over echoing behavior. Related discussion in https://github.com/systemd/systemd/pull/19619
This commit is contained in:
parent
3745355764
commit
2cbca51a71
|
@ -529,11 +529,19 @@
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>silent</option></term>
|
<term><option>password-echo=yes|no|masked</option></term>
|
||||||
|
|
||||||
<listitem><para>If an encryption password or security token PIN is
|
<listitem><para>Controls whether to echo passwords or security token PINs
|
||||||
read from console, no asterisks will be shown while typing the pin or
|
that are read from console. Takes a boolean or the special string <literal>masked</literal>.
|
||||||
password.</para></listitem>
|
The default is <option>password-echo=masked</option>.</para>
|
||||||
|
|
||||||
|
<para>If enabled, the typed characters are echoed literally. If disabled,
|
||||||
|
the typed characters are not echoed in any form, the user will not get
|
||||||
|
feedback on their input. If set to <literal>masked</literal>, an asterisk
|
||||||
|
(<literal>*</literal>) is echoed for each character typed. Regardless of
|
||||||
|
which mode is chosen, if the user hits the tabulator key (<literal>↹</literal>)
|
||||||
|
at any time, or the backspace key (<literal>⌫</literal>) before any other
|
||||||
|
data has been entered, then echo is turned off.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
@ -27,9 +27,8 @@ int acquire_fido2_key(
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
size_t *ret_decrypted_key_size,
|
size_t *ret_decrypted_key_size,
|
||||||
bool silent) {
|
AskPasswordFlags ask_password_flags) {
|
||||||
|
|
||||||
AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT);
|
|
||||||
_cleanup_strv_free_erase_ char **pins = NULL;
|
_cleanup_strv_free_erase_ char **pins = NULL;
|
||||||
_cleanup_free_ void *loaded_salt = NULL;
|
_cleanup_free_ void *loaded_salt = NULL;
|
||||||
const char *salt;
|
const char *salt;
|
||||||
|
@ -37,6 +36,8 @@ int acquire_fido2_key(
|
||||||
char *e;
|
char *e;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
|
||||||
|
|
||||||
assert(cid);
|
assert(cid);
|
||||||
assert(key_file || key_data);
|
assert(key_file || key_data);
|
||||||
|
|
||||||
|
@ -96,11 +97,11 @@ int acquire_fido2_key(
|
||||||
if (headless)
|
if (headless)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
|
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
|
||||||
|
|
||||||
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
|
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to ask for user password: %m");
|
return log_error_errno(r, "Failed to ask for user password: %m");
|
||||||
|
|
||||||
flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
|
ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ int acquire_fido2_key(
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
size_t *ret_decrypted_key_size,
|
size_t *ret_decrypted_key_size,
|
||||||
bool silent);
|
AskPasswordFlags ask_password_flags);
|
||||||
|
|
||||||
int find_fido2_auto_data(
|
int find_fido2_auto_data(
|
||||||
struct crypt_device *cd,
|
struct crypt_device *cd,
|
||||||
|
@ -58,7 +58,7 @@ static inline int acquire_fido2_key(
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
size_t *ret_decrypted_key_size,
|
size_t *ret_decrypted_key_size,
|
||||||
bool silent) {
|
AskPasswordFlags ask_password_flags) {
|
||||||
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
"FIDO2 token support not available.");
|
"FIDO2 token support not available.");
|
||||||
|
|
|
@ -58,7 +58,7 @@ static char *arg_header = NULL;
|
||||||
static unsigned arg_tries = 3;
|
static unsigned arg_tries = 3;
|
||||||
static bool arg_readonly = false;
|
static bool arg_readonly = false;
|
||||||
static bool arg_verify = false;
|
static bool arg_verify = false;
|
||||||
static bool arg_silent = false;
|
static AskPasswordFlags arg_ask_password_flags = 0;
|
||||||
static bool arg_discards = false;
|
static bool arg_discards = false;
|
||||||
static bool arg_same_cpu_crypt = false;
|
static bool arg_same_cpu_crypt = false;
|
||||||
static bool arg_submit_from_crypt_cpus = false;
|
static bool arg_submit_from_crypt_cpus = false;
|
||||||
|
@ -235,9 +235,20 @@ static int parse_one_option(const char *option) {
|
||||||
arg_readonly = true;
|
arg_readonly = true;
|
||||||
else if (streq(option, "verify"))
|
else if (streq(option, "verify"))
|
||||||
arg_verify = true;
|
arg_verify = true;
|
||||||
else if (streq(option, "silent"))
|
else if ((val = startswith(option, "password-echo="))) {
|
||||||
arg_silent = true;
|
if (streq(val, "masked"))
|
||||||
else if (STR_IN_SET(option, "allow-discards", "discard"))
|
arg_ask_password_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
|
||||||
|
else {
|
||||||
|
r = parse_boolean(val);
|
||||||
|
if (r < 0) {
|
||||||
|
log_warning_errno(r, "Invalid password-echo= option \"%s\", ignoring.", val);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_ECHO, r);
|
||||||
|
SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_SILENT, !r);
|
||||||
|
}
|
||||||
|
} else if (STR_IN_SET(option, "allow-discards", "discard"))
|
||||||
arg_discards = true;
|
arg_discards = true;
|
||||||
else if (streq(option, "same-cpu-crypt"))
|
else if (streq(option, "same-cpu-crypt"))
|
||||||
arg_same_cpu_crypt = true;
|
arg_same_cpu_crypt = true;
|
||||||
|
@ -543,7 +554,7 @@ static int get_password(
|
||||||
_cleanup_strv_free_erase_ char **passwords = NULL;
|
_cleanup_strv_free_erase_ char **passwords = NULL;
|
||||||
char **p, *id;
|
char **p, *id;
|
||||||
int r = 0;
|
int r = 0;
|
||||||
AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT);
|
AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE;
|
||||||
|
|
||||||
assert(vol);
|
assert(vol);
|
||||||
assert(src);
|
assert(src);
|
||||||
|
@ -811,7 +822,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
arg_headless,
|
arg_headless,
|
||||||
required,
|
required,
|
||||||
&decrypted_key, &decrypted_key_size,
|
&decrypted_key, &decrypted_key_size,
|
||||||
arg_silent);
|
arg_ask_password_flags);
|
||||||
if (r >= 0)
|
if (r >= 0)
|
||||||
break;
|
break;
|
||||||
if (r != -EAGAIN) /* EAGAIN means: token not found */
|
if (r != -EAGAIN) /* EAGAIN means: token not found */
|
||||||
|
|
Loading…
Reference in a new issue