Control: retitle -1 `cryptroot-unlock` timeouts when Kali's cryptsetup-nuke-password package is installed
On Mon, 15 Jul 2019 at 07:05:46 +0000, Luke Flinders wrote: > This is the package; > https://gitlab.com/kalilinux/packages/cryptsetup-nuke-keys Oh, didn't you mean https://gitlab.com/kalilinux/packages/cryptsetup-nuke-password ? AFAICT that package replaces /lib/cryptsetup/askpass with a script that calls the original ‘askpass’ binary (renamed to /lib/cryptsetup/askpass.cryptsetup), and erases the LUKS header if its digest value matches a special “nuke” hash; otherwise the passphrase is forwarded to the ‘cryptsetup’ binary. https://gitlab.com/kalilinux/packages/cryptsetup-nuke-password/blob/kali/master/askpass (FWIW the script won't work with binary keyfiles dumped to the passfifo, because the passphrase is held by a shell variable. It'll also break if the value ends with a linefeed ‘\n’ character.) ‘cryptroot-unlock’ timeouts waiting for a running /lib/cryptsetup/askpass process with a file descriptor opened to the passfifo, because our askpass binary was renamed to /lib/cryptsetup/askpass.cryptsetup. I don't see how that could have ever worked with ‘cryptroot-unlock’ (but the diversion might have been new in Kali's ‘cryptsetup-nuke-password’). -- Guilhem.
signature.asc
Description: PGP signature