[dm-crypt] Shared library for cryptsetup

Teddy Hogeborn teddy+dm-crypt at fukt.bsnet.se
Fri Sep 25 19:50:44 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jürgen Pabel <jpabel at akkaya.de> writes:

> My project "tokentube" is an integration component between LUKS and
> credential verification via PAM on Linux. It allows for users to use
> their Linux username and password to unlock LUKS during system
> startup (instead of a dedicated encryption passphrase). There's a
> presentation online in case you want to know more about tokentube:
>
> http://programm.froscon.org/2009/attachments/93_From%20PBA%20To%20Login.pdf

Interesting.  Have you seen our project, Mandos?  It also concerns
unlocking LUKS root partitions and treads on askpass' domain, and by
extension, TokenTube and Mandos cannot currently coexist.  Unlike
TokenTube, we do not replace "askpass" outright; instead we edit
"/conf/conf.d/cryptroot" at boot time to use our keyscript instead of
"askpass", if no custom keyscript is configured.

Our keyscript then runs a number of plugins in parallel - there is one
plugin reading from the console and one for communicating with a
Mandos server on the network, which is our main goal.  The keyscript
running the plugins then takes a password from whichever plugin
completes first and sends that password to stdout, as a keyscript
should.

(A diagram of the plugin architecture is available on the project's
web page, <http://www.fukt.bsnet.se/mandos#Plugin_System>.)

My current idea for coexisting with TokenTube is for us to provide a
plugin which hooks into TokenTube.  This would require some adjusting
of the other plugins, however, and I'm not sure about what the ideal
solution would be.  I also see that "ssod" checks the name of the
connecting binary, so any Mandos plugin would have to fake being
"/lib/cryptsetup/askpass" in order to be accepted.

I'd like to hear your thoughts about this - together we might come up
with a plan to coexist peacefully?  :)  (I've sent this to the
mandos-dev mailing list, as I didn't find one for TokenTube.)

/Teddy Hogeborn, Mandos co-author and -maintainer.

- -- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFKvQL3OWBmT5XqI90RAkL8AKCnvauicyoGXPVijV36400dHdsENgCguYVE
tctZdYi8bsSt6DdPed7YC2o=
=bhqg
-----END PGP SIGNATURE-----


More information about the Mandos-Dev mailing list
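The two mechanisms the message describes, rewritten as an added illustration that is not Mandos's own code (the project's plugin-runner is a separate program; the keyscript path /lib/mandos/plugin-runner, the cryptroot sample lines and the plugin names used here are assumptions): first, adding a keyscript= option to every /conf/conf.d/cryptroot entry that has none, leaving entries with a custom keyscript alone; second, a keyscript that starts its plugins in parallel, takes the first passphrase any of them produces, cancels the rest, and writes the passphrase to stdout as cryptsetup's keyscript contract expects.

```shell
#!/bin/sh
# Added example, not Mandos's or cryptsetup's own code. Paths are assumptions.

# 1. Point cryptroot entries at a keyscript, but only where none is set.
#    initramfs-tools' /conf/conf.d/cryptroot holds one mapping per line as a
#    comma-separated list of key=value pairs, for example (constructed):
#      target=sda5_crypt,source=/dev/sda5,key=none,lvm=vg-root
#    Blank lines, comments and lines that already carry keyscript=... pass
#    through untouched, which is the "if no custom keyscript is configured"
#    rule from the message.
add_keyscript_if_unset() {
    file=$1
    script=${2:-/lib/mandos/plugin-runner}   # assumed path, not verified here
    tmp=$(mktemp) || return 1
    sed -e '/^[[:space:]]*$/b' -e '/^#/b' -e '/keyscript=/b' \
        -e "s|\$|,keyscript=$script|" "$file" >"$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" >"$file"      # rewrite in place, keeping the file's inode and mode
    rm -f "$tmp"
}

# 2. Run passphrase plugins in parallel; the first answer wins.
#    A plugin is any command that prints one line (the passphrase) to stdout.
#    All plugins write into one FIFO; the runner reads a single line from it,
#    kills the remaining plugins and forwards the line to its own stdout,
#    which is where cryptsetup reads key material from a keyscript.
run_plugins_first_wins() {
    dir=$(mktemp -d) || return 1
    fifo=$dir/answers
    mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
    pids=""
    for plugin in "$@"; do
        # The >"$fifo" open blocks each plugin until the reader below opens
        # the FIFO, so no plugin can race ahead of the runner.
        "$plugin" >"$fifo" 2>/dev/null &
        pids="$pids $!"
    done
    # One line shorter than PIPE_BUF is written atomically, so two plugins
    # finishing at once cannot interleave their output. EOF (every plugin
    # exited without answering) leaves $answer empty.
    answer=
    IFS= read -r answer <"$fifo" || :
    # Cancel the losers. Any plugin still blocked in open() dies here, and
    # any that later writes sees EPIPE because no reader is left.
    kill $pids 2>/dev/null || :
    wait $pids 2>/dev/null || :
    rm -rf "$dir"
    [ -n "$answer" ] || return 1
    printf '%s\n' "$answer"
}
```

In a real initramfs the console plugin would be the one that reads from the user and the network plugin the one that talks to the server; in the runner above each is just a command that prints one line, so any such pair can be dropped in without changing the runner. Note that the runner only handles the "first answer" rule from the message, not the ssod point: it makes no attempt to present itself under a different binary name.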