Arch boot:输入 cryptsetup 密码时回显星号

Arch boot:输入 cryptsetup 密码时回显星号

我正在尝试设置我的 initramfs,mkinitcpio -P以便它在启动时解密包含根文件系统的 LUKS/LVM 分区。

我按照以下步骤操作这里。通过添加 HOOKencrypt等,一切都已经运行良好,lvm2请参见mkinitcpio.conf下文。

现在,我希望在输入 LUKS 加密分区的密码时能够回显星号字符。

我找到了一个很好的命令行工具来执行此操作:systemd-ask-password.

所以我进行了/etc/mkinitcpio.conf相应的修改,因此它添加systemd-ask-password为二进制文件,并/usr/lib/initcpio/hooks/encrypt使用 systemd-ask-password 来查询密码并将输出通过管道传输到 cryptsetup 和 ran mkinitcpio -P

但它不会用星号掩盖密码字符!它一一呼应它们,这是不安全的,也不是我的意图。在一个容易启动的系统中,在常规终端和 bash 中,它工作得很好。但启动期间的“终端”似乎表现不同。或者该systemd-ask-password命令在该环境中的行为有所不同。

如何让 systemd-ask-password 在启动终端环境中正常工作?

或者:是否有更好的方法来实现我想要的,将密码字符回显为星号?

/usr/lib/initcpio/hooks/加密:

#!/usr/bin/ash

run_hook() {
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile.bin"
    if [ -n "$cryptkey" ]; then
        IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey
EOF

        if [ "$ckdev" = "rootfs" ]; then
            ckeyfile=$ckarg1
        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
            case ${ckarg1} in
                *[!0-9]*)
                    # Use a file on the device
                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                    mkdir /ckey
                    mount -r -t "$ckarg1" "$resolved" /ckey
                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
                    umount /ckey
                    ;;
                *)
                    # Read raw data from the block device
                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
                    ;;
            esac
        fi
        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
    fi

    if [ -n "${cryptdevice}" ]; then
        DEPRECATED_CRYPT=0
        IFS=: read cryptdev cryptname cryptoptions <<EOF
$cryptdevice
EOF
    else
        DEPRECATED_CRYPT=1
        cryptdev="${root}"
        cryptname="root"
    fi

    # This may happen if third party hooks do the crypt setup
    if [ -b "/dev/mapper/${cryptname}" ]; then
        echo "Device ${cryptname} already exists, not doing any crypt setup."
        return 0
    fi

    warn_deprecated() {
        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
    }

    set -f
    OLDIFS="$IFS"; IFS=,
    for cryptopt in ${cryptoptions}; do
        case ${cryptopt} in
            allow-discards)
                cryptargs="${cryptargs} --allow-discards"
                ;;
            *)
                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
                ;;
        esac
    done
    set +f
    IFS="$OLDIFS"
    unset OLDIFS

    if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            dopassphrase=1
            # If keyfile exists, try to use that
            if [ -f ${ckeyfile} ]; then
                if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
                    dopassphrase=0
                else
                    echo "Invalid keyfile. Reverting to passphrase."
                fi
            fi
            # Ask for a passphrase
            if [ ${dopassphrase} -gt 0 ]; then
                echo ""
                echo "A password is required to access the ${cryptname} volume:"

                #loop until we get a real password
                while ! eval systemd-ask-password | cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
                    sleep 2;
                done
            fi
            if [ -e "/dev/mapper/${cryptname}" ]; then
                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                    export root="/dev/mapper/root"
                fi
            else
                err "Password succeeded, but ${cryptname} creation failed, aborting..."
                return 1
            fi
        elif [ -n "${crypto}" ]; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            msg "Non-LUKS encrypted device found..."
            if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                err "Non-LUKS decryption not attempted..."
                return 1
            fi
            exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
            IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
$crypto
EOF
            [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
            [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
            [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
            [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
            [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
            if [ -f "$ckeyfile" ]; then
                exe="$exe --key-file $ckeyfile"
            else
                echo ""
                echo "A password is required to access the ${cryptname} volume:"
            fi
            eval "$exe $CSQUIET"

            if [ $? -ne 0 ]; then
                err "Non-LUKS device decryption failed. verify format: "
                err "      crypto=hash:cipher:keysize:offset:skip"
                return 1
            fi
            if [ -e "/dev/mapper/${cryptname}" ]; then
                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                    export root="/dev/mapper/root"
                fi
            else
                err "Password succeeded, but ${cryptname} creation failed, aborting..."
                return 1
            fi
        else
            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
        fi
    fi
    rm -f ${ckeyfile}
}

# vim: set ft=sh ts=4 sw=4 et:

/etc/mkinitcpio.conf:

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=(systemd-ask-password)

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

答案1

我仍然没有直接回答我的第一个确切的原始问题(如何systemd-ask-password在 busybox 环境中正常工作),但通过使用 systemd 而不是 busybox 进行引导来实现我想要的。为此,我修改了文件中的以下行:

/etc/mkinitcpio.conf:

[...]
BINARIES=()
[...]
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
[...]

现在它的行为完全符合我的要求:当我输入 LUKS 密码时,它会回显我作为星号输入的每个字符*,因此我现在得到了我想要的视觉反馈。

非常感谢@fra-san 向我指出这个解决方案!

相关内容