On Fri, 2011-02-04 at 12:30 +0100, Jonas Meurer wrote:
> the same as for every login system that locks after X failed retries.
> simply the reason, that invaders don't have infinite retries to guess
> the passphrase.

if that's a system booting from an encrypted root,... you likely don't have any network at that point (apart from the fact that networking is typically not supported by the keyscripts anyway). if an attacker has direct access (or serial console) he can reboot the system anyway as often as he wants.

> and yes, this is no real security, as anybody with physical access will
> just take the harddisk and use his own operating system for attacking
> the encryption. but another common scenario (especially for laptops) is,
> that someone around tries to guess the passphrase while you're not at
> home, on toilet, whatever.

That sounds very like security by obscurity... therefore we have the iterations in dm-crypt, that trying takes so long that this isn't useful.

> to be honest, neither the arguments for, nor against the change of
> default retries (at initramfs) are very strong. it's a matter of taste
> to me. if more users will complain, then I'm happy to change the
> default. is that ok for you?

Well it's also not a big issue for me, I rather considered that just something cosmetic. Cause if a user enters his root-fs-password 3 times wrong he can also easily reboot.

Cheers,
Chris.

