Re: [solved] encrypted fs, ensure pw correct to continue boot?
On Thu, Nov 27, 2008 at 12:25:02AM -0500, Douglas A. Tutty wrote:
> I have encrypted partitions on my new box (/home, swap, (tmp on tmpfs),
> /var/local, /var/tmp). The cryptsetup initscripts prompt for the
> passphrase during boot. If you type the wrong passphrase, it says that
> it didn't work but the boot continues anyway.
>
> I'd like the boot to stop (perhaps doing an immediate reboot) rather
> than continuing. The cryptdisks set up happens at
> /etc/rcS.d/S26cryptdisks-early and S28cryptdisks, in between
> S25libdevmapper1.02 and S30checkfs.sh.

I've heard that if you have an encrypted / then of course you can't boot
with the wrong password.

I added the following script to /etc/init.d/cryptcheck with the symlink
to /etc/rcS.d/S29cryptcheck.

I figure that there are only two reasons why the script should find that
things aren't set up correctly: 1) I mistyped, or 2) an attacker is
trying to break in. If 1), I want a reboot and am expecting it. If 2),
I don't want the attacker to know what's going on, just have the box
reboot with no further prompting. There are enough messages printed
that it could be captured with a serial console if required.

#! /bin/sh
# Author: Doug Tutty <dtutty@vianet.ca>
#
# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script.
# No trailing colon: an empty PATH entry means the current directory.
PATH=/sbin:/bin
DESC="Will reboot if cryptdisks were not opened correctly."
NAME=cryptcheck
SCRIPTNAME=/etc/init.d/$NAME

#
# Function that checks the mappings and reboots if one is missing
#
do_start()
{
    echo -n " What is in /dev/mapper? "
    # Each mapping only exists as a block device if its passphrase was accepted.
    test -b /dev/mapper/sda2_crypt || reboot
    test -b /dev/mapper/sda6_crypt || reboot
    test -b /dev/mapper/sdb1_crypt || reboot
    test -b /dev/mapper/sdb2_crypt || reboot
    echo "All crypt partitions exist."
    return 0
}

case "$1" in
  start)
    echo "$DESC" "$NAME"
    do_start
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start [there is no stop]}" >&2
    exit 3
    ;;
esac

:
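
A generalization of the check in the script above, added here as an example and not part of the original post: instead of hard-coding each mapping name, it reads the targets from a Debian-style crypttab and reports any that were not opened. The variables CRYPTTAB, MAPPER_DIR and CHECK and both function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the poster's script.
# Assumes the crypttab layout "target source keyfile options" and that
# entries marked "noauto" are not expected to be open at this point in boot.

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}
# Overridable so the logic can be exercised without real block devices.
CHECK=${CHECK:-"test -b"}

# Print one target name per line for every entry that should be open but is not.
missing_mappings()
{
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r target source keyfile options || [ -n "$target" ]; do
        case "$target" in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        case ",$options," in
            *,noauto,*) continue ;;     # not opened at boot, so not expected
        esac
        $CHECK "$MAPPER_DIR/$target" || echo "$target"
    done < "$CRYPTTAB"
}

# Return 0 only when every expected mapping exists.
all_mappings_open()
{
    [ -z "$(missing_mappings)" ]
}

# In an init script like the one above, do_start could then be reduced to:
#   all_mappings_open || reboot
```

Adding or removing an encrypted partition then only requires editing crypttab, so the check cannot silently fall out of date with the disk layout.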