~ubuntu-branches/ubuntu/trusty/libpam-mount/trusty-proposed

Viewing changes to doc/bugs.txt

Committer: Bazaar Package Importer
Author(s): Bastian Kleineidam
Date: 2010-05-19 04:05:25 UTC
mfrom: (1.4.5 upstream)
Revision ID: james.westby@ubuntu.com-20100519040525-yym18fn8k070smfe

Tags: 2.3-1

http://bugs.debian.org/528366

http://bugs.debian.org/581713

* New upstream release.
  + mount.crypt passes keyfile info to open LUKS volumes
    (Closes: #528366)
  + umount.crypt works again (Closes: #581713)

files added:
dvconfigure

files removed:
.pc/check_authtok_retcode

.pc/check_authtok_retcode/src

.pc/check_authtok_retcode/src/pam_mount.c

.pc/warn-fskeyhash-only-when-needed.patch

.pc/warn-fskeyhash-only-when-needed.patch/src

.pc/warn-fskeyhash-only-when-needed.patch/src/rdconf1.c

debian/patches/check_authtok_retcode

debian/patches/warn-fskeyhash-only-when-needed.patch

files modified:
.pc/applied-patches

.pc/kfreebsd_compile_fixes/src/mount-bsd.c

.pc/mnt_fallback/src/mtcrypt.c

Makefile.in

aclocal.m4

compile

config.guess

config.h.in

config.sub

config/Makefile.in

configure

configure.ac

debian/changelog

debian/patches/series

dist/pam_mount.spec

doc/Makefile.in

doc/bugs.txt

doc/changelog.txt

doc/mount.crypt.8

doc/pam_mount.conf.5.in

doc/pam_mount.txt

doc/pmt-ehd.8

ltmain.sh

m4/libtool.m4

m4/ltversion.m4

src/Makefile.in

src/ehd.c

src/mount-bsd.c

src/mtcrypt.c

src/pam_mount.c

src/rdconf1.c

src/spawn.c

src/t-crypt

Show diffs side-by-side

added added

removed removed

doc/bugs.txt

openssl ... | cryptsetup create ...

cryptsetup will strip all data starting from the first newline when

run without the --key-file=- option. pam_mount makes sure cryptsetup

will use the entire key material, by using the --key-file option.

Without any extra arguments, input is processed as if it were

interactive, that is, everything starting from the first newline is

ignored. This is standard behavior for stdin. Other truncations to

binary characters may happen.

pam_mount's mount.crypt makes sure that libcryptsetup uses the entire

key material, including newlines, NUL bytes or other characters.

However, since you created your crypto volume with a truncated key

that is different from the real one, mounting may fail unexpectedly.

to using the key file's length (when decrypted) as the cipher size.

[ shell - key expansion ]

Some HOWTOs suggest manual key generation for encrypted volumes, however

they fail to guard against shell semantics, such as:

KEY=$(head -c79 /dev/urandom)

At least bash strips all \x00 bytes from the input. There might be worse

behavior. Furthermore,

echo $KEY | openssl ...

implicitly adds a newline into the stream, which is unwanted for

key generation. Please use the pmt-ehd tool to create PLAIN-type

encrypted volumes.

[ gksu & kdesu ]

gksu interprets any output on stderr as an error. pam_mount writes

Older »