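#!/bin/sh
# decrypt_keyctl - to use in /etc/crypttab as keyscript
#
# Caches the passphrase of a crypt device in the kernel keyring for
# TIMEOUT_ seconds (60) so it only has to be typed once.
# The same passphrase is used for crypt devices with the same identifier.
# The keyfile parameter, which is the third field from /etc/crypttab, is
# used as identifier in this keyscript.
#
# sample crypttab entries:
# test1   /dev/sda1    test_pw         luks,keyscript=decrypt_keyctl
# test2   /dev/sda2    test_pw         luks,keyscript=decrypt_keyctl
# test3   /dev/sda3    test_other_pw   luks,keyscript=decrypt_keyctl
#
# test1 and test2 have the same identifier, thus test2 does not need a
# passphrase typed in manually.
#
# Input:  $1               identifier (third crypttab field)
#         CRYPTTAB_SOURCE  device name, used only in prompts
#         CRYPTTAB_TRIED   number of earlier failed attempts (may be unset)
# Output: the passphrase on stdout (via `keyctl pipe`); every prompt and
#         diagnostic goes to stderr so that stdout carries key material only.
#
# Security notes:
#   * The passphrase is stored as a "user" key in the user keyring (@u)
#     under the description "cryptkey-<identifier>". Until the timeout
#     expires it can be read back with `keyctl pipe`, exactly as this script
#     does, by anything that is allowed to read that keyring.
#   * Devices that share an identifier share the cached passphrase; give
#     devices distinct identifiers if they must not unlock together.

# Print a message on stderr and abort with a non-zero exit status.
die()
{
    printf '%s\n' "$*" >&2
    exit 1
}

# the keyfile given from crypttab is used as identifier in the keyring
# including the prefix "cryptkey-"
ID_="cryptkey-$1"
TIMEOUT_='60'
ASKPASS_='/lib/cryptsetup/askpass'
STTY_='/bin/stty'
PW_READER_='undefined'
PROMPT_="Caching passphrase for ${CRYPTTAB_SOURCE}: "

test -x "$STTY_" && PW_READER_='stty'         # 1. backup method
test -x "$ASKPASS_" && PW_READER_='askpass'   # preferred method

KID_=$(keyctl search @u user "$ID_" 2>/dev/null)
SEARCH_RC_=$?

# CRYPTTAB_TRIED may be unset; default it to 0 so the numeric test does not
# fail with "integer expression expected".
if [ "$SEARCH_RC_" -ne 0 ] || [ -z "$KID_" ] || [ "${CRYPTTAB_TRIED:-0}" -gt 0 ]; then
    # key not found or wrong, ask the user
    case "$PW_READER_" in
        askpass)
            KEY_=$("$ASKPASS_" "$PROMPT_") || die "Error executing $ASKPASS_"
            ;;
        stty)
            # disable echoing with stty; echo is restored on both paths
            "$STTY_" -echo
            if ! read -r KEY_; then
                "$STTY_" echo
                die "Error reading key from /dev/stdin"
            else
                "$STTY_" echo
                echo >&2
            fi
            ;;
        *)
            # First try a silent read. The -e and -s options are shell
            # extensions, not POSIX; a strict /bin/sh rejects them and the
            # fallback below reads the passphrase with echo enabled.
            printf '%s' "$PROMPT_" >&2
            if ! read -res KEY_; then
                # Newline goes to stderr like every other message: stdout
                # must carry nothing but the key written by `keyctl pipe`.
                echo >&2
                echo "ERROR: Can not disable echoing, YOUR PASSWORD WILL BE VISIBLE!" >&2
                echo "This can be fixed if you add either $ASKPASS_" >&2
                echo "or $STTY_ to your initramfs" >&2
                printf '%s' "$PROMPT_" >&2
                if ! read -r KEY_; then
                    die "Error reading key from /dev/stdin"
                else
                    echo >&2
                fi
            else
                echo >&2
            fi
            ;;
    esac

    if [ -n "$KID_" ]; then
        # I have cached wrong password and now i may use either `keyctl update`
        # to update $KID_ or just unlink old key, and add new. With `update` i
        # may hit "Key has expired", though. So i'll go "unlink and add" way.
        keyctl unlink "$KID_" @u
        KID_=""
    fi

    # printf '%s' writes the passphrase byte-for-byte. `echo -n` is not
    # portable: some /bin/sh implementations expand backslash sequences in
    # the argument or treat a leading option-like string specially, which
    # would store a different passphrase than the one typed.
    KID_=$(printf '%s' "$KEY_" | keyctl padd user "$ID_" @u)
    [ -z "$KID_" ] && die "Error adding passphrase to kernel keyring"

    # A key without a timeout would stay cached indefinitely, so remove it
    # again if the timeout cannot be set.
    if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
        keyctl unlink "$KID_" @u
        die "Error setting timeout on key ($KID_), removing"
    fi
else
    echo "Using cached passphrase for ${CRYPTTAB_SOURCE}." >&2
fi

# Hand the passphrase to the caller on stdout.
keyctl pipe "$KID_"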