Gentoo Forums
Weird Cryptsetup Behaviour: Cannot Enter Passphrase
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Thu Mar 24, 2011 11:18 pm    Post subject: Weird Cryptsetup Behaviour: Cannot Enter Passphrase

Hello.

I am using a nearly fully encrypted (only /boot being unencrypted) Thinkpad without problems.

Now I have created a system for my new HP Mini netbook, using a similar structure.

The HDD is partitioned into /dev/sda1 holding /boot and /dev/sda2 representing a LUKS/dm-crypt partition with an LVM2 substructure. A custom initial ram disk unlocks /dev/sda2, activates all volumes on it, mounts the root file system and switches root.

Boot process:
1. kernel is loaded -- check
2. my InitRamFS (busybox-based) is loaded -- check
3. its init script is executed -- check
3.1 init script calls "cryptsetup luksOpen /dev/sda2 hdd-crypto"...

Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase!

What I don't understand is that the very same actions work flawlessly on my Thinkpad.

Can anybody help? Any similar experiences? Why does cryptsetup seem to accept only one character?
_________________
Tempus fugit.
avx
Advocate

Joined: 21 Jun 2004
Posts: 2152

Posted: Fri Mar 25, 2011 12:13 am

Please paste the lines handling your cryptsetup-stuff. On another note, are all (virtual) devices available at the time needed, thinking about /dev/console?
_________________
++++++++++[>+++++++>++++++++++>+++>+<<<<-]>++.>+.+++++++..+++.>++.<<+++++++++++++++.>.+++.------.--------.>+.>.
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Fri Mar 25, 2011 6:01 am

(If you wonder about the ctimes: I wrote a script to build the initial ram disk. This script gets executed from inside the new system (via chroot) and uses the new system's binaries.)

InitRamFS Structure:
Code:

drwxr-xr-x 2 root root 4096 24. Mär 23:31 bin
drwxr-xr-x 6 root root 4096 24. Mär 23:31 dev
drwxr-xr-x 4 root root 4096 24. Mär 23:31 etc
-rwxr-xr-x 1 root root 1739 24. Mär 23:31 init
drwxr-xr-x 3 root root 4096 24. Mär 23:31 lib
drwxr-xr-x 2 root root 4096 24. Mär 23:31 newroot
drwxr-xr-x 2 root root 4096 24. Mär 23:31 proc
drwxr-xr-x 2 root root 4096 24. Mär 23:31 root
drwxr-xr-x 2 root root 4096 24. Mär 23:31 sbin
drwxr-xr-x 2 root root 4096 24. Mär 23:31 sys


ls -l dev
Code:

crw-r--r-- 1 root root 5, 1 24. Mär 23:31 console
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 fb
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 mapper
crw-r--r-- 1 root root 1, 1 24. Mär 23:31 mem
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 misc
crw-r--r-- 1 root root 1, 3 24. Mär 23:31 null
crw-r--r-- 1 root root 1, 8 24. Mär 23:31 random
brw-r--r-- 1 root root 8, 0 24. Mär 23:31 sda
brw-r--r-- 1 root root 8, 1 24. Mär 23:31 sda1
brw-r--r-- 1 root root 8, 2 24. Mär 23:31 sda2
crw-r--r-- 1 root root 5, 0 24. Mär 23:31 tty
crw-r--r-- 1 root root 4, 0 24. Mär 23:31 tty0
crw-r--r-- 1 root root 4, 1 24. Mär 23:31 tty1
crw-r--r-- 1 root root 1, 9 24. Mär 23:31 urandom
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 vc
crw-r--r-- 1 root root 1, 5 24. Mär 23:31 zero


ls -l bin
Code:

-rwxr-xr-x 1 root root 1699376 24. Mär 16:51 busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 cat -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 echo -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 halt -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 mknod -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 mount -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sed -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sh -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sleep -> busybox
-rw-r--r-- 1 root root    1899 21. Mär 10:15 splash_functions.sh
lrwxrwxrwx 1 root root       7 24. Mär 23:31 switch_root -> busybox
-rwxr-xr-x 1 root root      17 24. Mär 23:31 udevadm
lrwxrwxrwx 1 root root       7 24. Mär 23:31 umount -> busybox


ldd cryptsetup
Code:

        not a dynamic executable


cryptsetup --version
Code:

cryptsetup 1.1.3


Keyboard layout is created via
Code:

busybox dumpkmap > etc/kmap-de


Head of kmap-de as hexdump:
Code:

00000000  62 6b 65 79 6d 61 70 01  01 01 00 01 01 01 00 01  |bkeymap.........|
00000010  01 01 00 01 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 00 00 00 00  02 1b 00 31 00 32 00 33  |...........1.2.3|
00000110  00 34 00 35 00 36 00 37  00 38 00 39 00 30 00 00  |.4.5.6.7.8.9.0..|
00000120  02 01 04 7f 00 09 00 71  0b 77 0b 65 0b 72 0b 74  |.......q.w.e.r.t|
00000130  0b 7a 0b 75 0b 69 0b 6f  0b 70 0b 00 02 2b 00 01  |.z.u.i.o.p...+..|

(Seems ok, qwertzuiop matches my keyboard layout.)

init
Code:

#!/bin/sh

PATH="/sbin:/bin"

rescue_shell() {
        echo ''
        echo "$1"
        echo 'Falling back to a shell...'
        echo ''
        busybox --install -s
        exec /bin/sh
}

# mount sys and proc filesystem, read kernel parameters and silence kernel
mount -t sysfs sysfs /sys
mount -t proc proc /proc
CMDLINE=$(cat /proc/cmdline)
echo 0 > /proc/sys/kernel/printk

sleep 1
loadkmap < /etc/kmap-de

# try to create mapper control device, specified under
# /sys/class/misc/device-mapper/dev
# if this fails, exit to rescue shell
mknod /dev/mapper/control c $(sed 's/\:/\ /' /sys/class/misc/device-mapper/dev) || rescue_shell "No device mapper available!"

# open encrypted drive
echo ''
echo '====== A U T H E N T I C A T I O N ======'
echo ''
cryptsetup luksOpen /dev/sda2 defiant-crypto || rescue_shell '====== A C C E S S === D E N I E D ======'
echo ''
echo '===== A C C E S S === G R A N T E D ====='
echo ''

# scan devices for volume groups and make swap volume available
# swap should be first mapper device after crypto volume
lvm.static vgscan   --ignorelockingfailure --mknodes    > /dev/null 2>&1
lvm.static vgchange --ignorelockingfailure -a y defiant > /dev/null 2>&1

# initialise framebuffer splash
. /bin/splash_functions.sh
splash init > /dev/null 2>&1

# try to resume on swap device (second mapper device after crypto volume)
echo 254:1 > /sys/power/resume

# mount new root file system (read only for fsck)
mount -o ro /dev/mapper/defiant-slash /newroot || rescue_shell "Mounting root failed!"

# unmount proc and sys filesystems and switch to new root filesystem
umount /sys
umount /proc
exec switch_root /newroot /sbin/init ${CMDLINE}

rescue_shell "Could not switch root filesystem!"

_________________
Tempus fugit.
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2971
Location: Germany

Posted: Fri Mar 25, 2011 2:59 pm

do you have the single character issue also if you do not load the keymap?

(I usually just add another passphrase to luks that works with the same keys under the US layout, so I don't have to load a keymap in initramfs stage)

also, you shouldn't have to create the control device yourself, cryptsetup takes care of that on its own
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Fri Mar 25, 2011 4:05 pm

frostschutz wrote:
do you have the single character issue also if you do not load the keymap?

(I usually just add another passphrase to luks that works with the same keys under the US layout, so I don't have to load a keymap in initramfs stage)

also, you shouldn't have to create the control device yourself, cryptsetup takes care of that on its own


I already changed passphrases to simpler ones (fewer characters, less entropy), but that didn't fix it.

Commenting loadkmap out didn't fix it, either.

Next step in my analysis was to check my kernel config. Perhaps a problem with an input driver. Cross-checked it with the one of my working system, compiled and tried it, but to no avail.

I even inserted sleep commands to avoid race conditions. No success.

It is frustrating that I seem to be the only user with this problem. :roll:

Perhaps I have to double-check the compilation environment of cryptsetup. It relies on the function "read" from unistd.h. Perhaps that one was mixed up during compilation... :?:
_________________
Tempus fugit.
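
Added example (not part of the thread, and not cryptsetup's code): the post above notes that the prompt relies on `read`. How much one `read()` on a terminal returns depends on the tty mode, and this Linux pseudo-terminal test shows it: in canonical mode the read waits for Enter, in byte mode (ICANON cleared, VMIN=1) it returns after the first key. The thread never establishes that this was the cause on the poster's netbook; `open_pty` and `bytes_from_one_read` are hypothetical names.

```c
/* Added illustration, not code from the thread. Linux-only (devpts ioctls). */
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>
/* Open a pty pair: master = "keyboard" side, slave = the tty a prompt reads. */
static int open_pty(int *master, int *slave) {
    int unlock = 0;
    unsigned int n = 0;
    char path[32];
    *slave = -1;
    *master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (*master >= 0 && ioctl(*master, TIOCSPTLCK, &unlock) == 0 &&
        ioctl(*master, TIOCGPTN, &n) == 0) {
        snprintf(path, sizeof path, "/dev/pts/%u", n);
        *slave = open(path, O_RDWR | O_NOCTTY);
    }
    return *slave < 0 ? -1 : 0;
}

/* "Type" keys on the master, then do what a simple prompt does: echo off and
 * one read() on the tty. canonical=1 is line mode (ICANON), canonical=0 is byte
 * mode (VMIN=1, VTIME=0). Returns bytes read, 0 if still waiting after 300 ms, -1 on error. */
int bytes_from_one_read(const char *keys, int canonical) {
    int m, s, n = -1;
    struct termios t;
    char buf[128];
    if (open_pty(&m, &s) == 0 && tcgetattr(s, &t) == 0) {
        t.c_lflag &= ~(tcflag_t)(ECHO | ICANON);
        if (canonical) t.c_lflag |= ICANON;
        else { t.c_cc[VMIN] = 1; t.c_cc[VTIME] = 0; }
        if (tcsetattr(s, TCSANOW, &t) == 0 &&
            write(m, keys, strlen(keys)) == (ssize_t)strlen(keys)) {
            struct pollfd p = { .fd = s, .events = POLLIN };
            n = poll(&p, 1, 300) > 0 ? (int)read(s, buf, sizeof buf) : 0;
        }
    }
    if (s >= 0) close(s);
    if (m >= 0) close(m);
    return n;
}

int main(void) { /* one key in line mode, a full line, one key in byte mode */
    return printf("%d %d %d\n", bytes_from_one_read("s", 1),
                  bytes_from_one_read("secret\n", 1), bytes_from_one_read("s", 0)) < 0;
}
```

From a rescue shell, `stty -a` on the console shows whether `icanon` is currently set.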
norg
Tux's lil' helper

Joined: 23 Aug 2010
Posts: 104
Location: Augsburg (Germany)

Posted: Fri Mar 25, 2011 4:13 pm    Post subject: Re: Weird Cryptsetup Behaviour: Cannot Enter Passphrase

der bastler wrote:
Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase!

What is displayed then?
Do you have all necessary stuff in your kernel? I forgot once to activate <*> Crypt Target Support and passphrase prompt came but couldn't be handled :)
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Fri Mar 25, 2011 5:43 pm    Post subject: Re: Weird Cryptsetup Behaviour: Cannot Enter Passphrase

norg wrote:
der bastler wrote:
Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase!

What is displayed then?
Do you have all necessary stuff in your kernel? I forgot once to activate <*> Crypt Target Support and passphrase prompt came but couldn't be handled :)


Cryptsetup is compiled in, of course. It just displays
Quote:
No key available with this passphrase.


As a workaround, I'll try to establish a usb key file infrastructure for my family... ;-)
_________________
Tempus fugit.
norg
Tux's lil' helper

Joined: 23 Aug 2010
Posts: 104
Location: Augsburg (Germany)

Posted: Fri Mar 25, 2011 8:23 pm

Check those two tutorials, maybe you missed something they did:

http://mzanfardino.wordpress.com/2008/10/23/installing-gentoo-with-root-encryption-notes/
http://www.seiichiro0185.org/linux:encryptedsystem

It sounds like you forgot something with the key missing :)
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Fri Mar 25, 2011 8:38 pm

out of curiosity, does it successfully fall back to the rescue_shell?
and from there can you luksOpen and enter your passphrase and all of that?

NB: I was playing with this recently. You can actually omit those block and character devices from your initramfs if you build your kernel with devtmpfs support, and then inside 'init' mount the devtmpfs at /dev

something like this

Code:

/sbin:                     directory
./sbin/cryptsetup:          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
./bin:                      directory
./bin/busybox:              ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
./mnt:                      directory
./mnt/root:                 directory
./dev:                      directory
./root:                     directory
./etc:                      directory
./lib:                      directory
./init:                     a /bin/busybox sh script text executable
./proc:                     directory
./sys:                      directory


and then this in the init (this is my actual init, with comments stripped - note the third line)

Code:

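#!/bin/busybox sh

# Defined before first use: sh looks the function up when the call runs.
rescue_shell() {
        echo "Something went wrong. Dropping you to a shell."
        busybox --install -s
        exec /bin/sh
}

mount -t proc none /proc
mount -t sysfs none /sys
# devtmpfs: the kernel populates /dev, so the initramfs needs no device nodes
mount -t devtmpfs none /dev

# -T 5: allow up to five passphrase attempts
cryptsetup -T 5 luksOpen /dev/sda2 root

mount -o ro /dev/mapper/root /mnt/root || rescue_shell

umount /proc
umount /sys
umount /dev

exec switch_root /mnt/root /sbin/init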

_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Sat Mar 26, 2011 7:43 am

norg wrote:
It sounds like you forgot something with the key missing :)


Well, the system is properly installed, using System-Rescue-CD-on-usb. I can luksOpen and mount my root file system when booting from SysRescCD. But in my InitRamFS, when I type the first passphrase character, cryptsetup stops reading the passphrase and of course does not recognize the one character passphrase.

After three tries I am dropped to the rescue shell as intended by my init script. From there I can try another cryptsetup luksOpen -- same result, after one keystroke the passphrase is checked and again it fails.
_________________
Tempus fugit.
norg
Tux's lil' helper

Joined: 23 Aug 2010
Posts: 104
Location: Augsburg (Germany)

Posted: Mon Mar 28, 2011 12:01 am

Can you post your kernel .config? (with pastebin)
How do you create your initramfs?
avx
Advocate

Joined: 21 Jun 2004
Posts: 2152

Posted: Tue Mar 29, 2011 4:13 pm

Don't really think it'll help, but have you/can you try with an earlier version of cryptsetup?
_________________
++++++++++[>+++++++>++++++++++>+++>+<<<<-]>++.>+.+++++++..+++.>++.<<+++++++++++++++.>.+++.------.--------.>+.>.
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 244

Posted: Thu Mar 31, 2011 9:21 pm

Although I recompiled the whole system the problem persists.

I switched to a keyfile based authentication system as a workaround.
_________________
Tempus fugit.
All times are GMT