Your message dated Sun, 26 Mar 2017 12:57:42 +0200
with message-id <[email protected]>
and subject line Re: [pkg-cryptsetup-devel] Bug#857780: cryptsetup: After 3
wrong tries user forced to wait 60 seconds
has caused the Debian Bug report #857780,
regarding cryptsetup: After 3 wrong tries user forced to wait 60 seconds
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
857780: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857780
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup
Version: 2:1.7.3-3
Severity: normal
Dear Maintainer,
At /usr/share/initramfs-tools/scripts/local-top/cryptroot there is the
following piece of code:
failsleep=60 # make configurable later?
if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge
$crypttries ]; then
message "cryptsetup ($crypttarget): maximum number of tries exceeded"
message "cryptsetup: going to sleep for $failsleep seconds..."
sleep $failsleep
exit 1
fi
Cryptsetup is designed to resist a multimillion brute force attack, having the
whole hard disk and a lot of time, thus I can't see how limiting user input at
3 tries/minute would improve the security, rather than annoy users.
If one has a weak password that that limit would save it from being cracked, he
does not use disk encryption correctly, and probably simply needs a GRUB
password or something like that.
Mistakenly I have reported this bug to upstream first:
https://gitlab.com/cryptsetup/cryptsetup/issues/311
Sincerely,
Semion
--- End Message ---
--- Begin Message ---
Hi Igor,
thanks for your bugreport.
Am 14.03.2017 um 21:56 schrieb Igor:
> At /usr/share/initramfs-tools/scripts/local-top/cryptroot there is the
> following piece of code:
>
> failsleep=60 # make configurable later?
>
> if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge
> $crypttries ]; then
> message "cryptsetup ($crypttarget): maximum number of tries exceeded"
> message "cryptsetup: going to sleep for $failsleep seconds..."
> sleep $failsleep
> exit 1
> fi
>
> Cryptsetup is designed to resist a multimillion brute force attack, having
> the whole hard disk and a lot of time, thus I can't see how limiting user
> input at 3 tries/minute would improve the security, rather than annoy users.
>
> If one has a weak password that that limit would save it from being cracked,
> he does not use disk encryption correctly, and probably simply needs a GRUB
> password or something like that.
>
> Mistakenly I have reported this bug to upstream first:
> https://gitlab.com/cryptsetup/cryptsetup/issues/311
See the 'tries' option for crypttab(5). the number of allowed retries
before the forced sleep of cryptsetup in the initramfs is configurable.
In general I agree that the limit of tries doesn't count as a secure
protection mechanism. Still it's a very low-level protection against
simple brute-force attacks against people who have time-limited access
to the device, e.g. when you're on the toilet for a few minutes.
Kind regards,
jonas
signature.asc
Description: OpenPGP digital signature
--- End Message ---
