
Re: luks, crypttab: why 3 partition only 2 passphrases entered



Hi,

On Aug/07/2018, Jonathan Dowland wrote:
> On Sat, Aug 04, 2018 at 10:54:59PM +0100, Carles Pina i Estany wrote:
> > 
> > And I'm now 99% sure that the culprit of all this confusion is...
> > plymouth! It has a password caching facility and systemd seems to use it
> > to get the cached password.
> 
> Almost certainly, yes, although, if plymouth is passing the password
> through to systemd, then it need not be caching it itself, as systemd
> caches disk passwords for a short while (I think 5 minutes if I recall
> correctly). See systemd-ask-password(1) for an introduction to the
> architecture of systemd's password stuff.

I did some further digging after sending my last message.

The Debian initrd scripts use Plymouth (if installed, of course, else
other methods... I had it installed) to ask the user for passwords and
try to mount the root partition and minimum partitions.

When the Debian initrd scripts are finished they execute systemd, which
requests the cached passwords from plymouthd (using a local socket, I
think). They can be seen by adding: ply_trace("Carles password: %s",
password); in the while (node != NULL) after 'ply_trace ("There are %d
cached passwords",' (I should have had git for these changes :-) ) (in
the ply_boot_connection_on_request function).

(also passing "debug" to the kernel, then journalctl to see the plymouth
debug messages).

All the passwords are cached, even invalid ones: Plymouth doesn't know
if they were valid or not and the Debian scripts don't invalidate
them; not even sure if Plymouth supports invalidation of passwords :)

Systemd requests all the cached passwords from plymouthd.

Then systemd tries to mount the other partitions with the requested
passwords; if it works it will add the passwords to the kernel keyring,
and it can be seen with:
root@pinux:~# keyctl show
Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup
root@pinux:~# 

(this can be tested in my system at any time with:
systemctl stop systemd-cryptsetup@ssd_dades_crypt.service
systemctl start systemd-cryptsetup@ssd_dades_crypt.service
keyctl show

or just stop, start (enter password), stop, start (password not needed
because already in the keyring, I think that 5 minutes by default)

That was quite a lot of fun!

Cheers,

-- 
Carles Pina i Estany
	Web: http://pinux.info || Blog: http://pintant.cat
	GPG Key 0x8CD5C157
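An added check script (not from this thread) in POSIX sh: it parses `keyctl show` output for the cached "user: cryptsetup" keys described in the message, using a constructed listing modelled on the one above, and can revoke them so the next start of the systemd-cryptsetup unit has to ask for the passphrase again. The keyutils commands (`keyctl show`, `keyctl revoke <serial>`) and the "cryptsetup" description prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: find LUKS passphrases
# that systemd-cryptsetup left cached in the kernel session keyring (the
# "user: cryptsetup" entries in `keyctl show`) and, on request, revoke them.

# Constructed sample modelled on the listing in the message above.
SAMPLE_KEYCTL_SHOW='Session Keyring
 696839878 --alswrv      0 65534  keyring: _uid_ses.0
 373345068 --alswrv      0 65534   \_ keyring: _uid.0
 600178798 --alswrv      0     0       \_ user: cryptsetup'

# Print the serial of every "user" key whose description starts with
# "cryptsetup" in the given `keyctl show` text ($1); one serial per line.
cached_cryptsetup_keys() {
    printf '%s\n' "$1" | awk '/user: cryptsetup/ { print $1 }'
}

# Number of cached cryptsetup keys in the given `keyctl show` text ($1).
count_cached_cryptsetup_keys() {
    cached_cryptsetup_keys "$1" | wc -l | tr -d ' '
}

# Live inspection of the current session keyring (needs keyutils; assumed
# commands: `keyctl show`, `keyctl revoke <serial>`). Pass "revoke" as $1
# to drop the cached keys. Exit status 0 means no passphrase is cached.
check_live_keyring() {
    listing=$(keyctl show 2>/dev/null) || { echo "keyctl not available" >&2; return 2; }
    n=$(count_cached_cryptsetup_keys "$listing")
    echo "cached cryptsetup keys: $n"
    if [ "$1" = "revoke" ]; then
        for serial in $(cached_cryptsetup_keys "$listing"); do
            keyctl revoke "$serial" && echo "revoked key $serial"
        done
    fi
    [ "$n" -eq 0 ]
}
```

Run `check_live_keyring` as the user whose session keyring systemd-cryptsetup used (root in the listing above); after `systemctl stop`/`start` of the unit the count shows whether the passphrase is still cached.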

