From: Ben Korvemaker <korvemaker@gmail.com>
To: freebsd-geom@freebsd.org
Date: Tue, 4 Sep 2012 21:33:55 -0400
Subject: geli prompts for password at boot when it shouldn't
List-Id: GEOM-specific discussions and implementations

Hello,

I'm trying to figure out if I'm using the tools wrong, if I'm being protected from something, or if it's a missing feature.
This came up because I want to normally have a password enabled, but when performing expected reboots, I can disable the password and avoid the 10 foot trek to the console. Using FreeBSD 8.3, but a quick check of relevant HEAD code looks like it's the same.

If I initialize a provider with "geli init -b -P -K keyfile provider", md.md_iterations defaults to -1. If I set a password later with "geli setkey -p -k keyfile -K keyfile provider", md.md_iterations is updated to a new useful value. When I then remove the password with "geli setkey -k keyfile -K keyfile -P provider", md.md_iterations is left as is, and can't be forced to -1.

For attaching providers by hand, this isn't a big deal, but it is for the root filesystem. From what I've been able to uncover, g_eli_taste() checks for md.md_iterations=-1 to indicate that there's no password to prompt for. This means I can't remove a password and still have a booting system, because it prompts for a password, but a blank password isn't the same as no password.

The documentation for "geli init -b" suggests that the BOOT flag is for prompting for a password, which does seem cleaner than having a magic value for md.md_iterations. That doesn't match how g_eli_taste() works, from what I can tell.

Is it by design that md.md_iterations is not set to -1 after a password is cleared? I've thrown together a quick patch that resets iterations when the password is cleared on a provider that has a single key defined, and it seems to work. I can't help thinking I've missed something obvious here.

Thanks,
Ben

-- 
Ben Korvemaker
korvemaker@gmail.com
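The init / setkey / setkey -P sequence described in the post, as an added example that is not part of the original message and not geli's own code. It runs the same three steps on a throwaway memory disk and, after each one, reads "geli dump" to predict what the boot-time taste will do. The prediction rule is the poster's reading of g_eli_taste(): a provider with the BOOT flag is prompted for unless md_iterations is -1. Assumptions, all labelled in the comments: "geli dump" prints right-aligned "flags: 0x..." and "iterations: N" lines in the shape of the constructed sample; the BOOT flag is bit 0x2 of md_flags (G_ELI_FLAG_BOOT in sys/geom/eli/g_eli.h); and setkey accepts -j/-J passphrase files, which lets the sequence run unattended. The repro step needs root on FreeBSD; the parsing and prediction helpers run anywhere.

```shell
#!/bin/sh
# Added example (not code from the original post or from FreeBSD/geli).
# Assumptions: `geli dump` prints "flags: 0x..." and "iterations: N"
# lines as in the constructed samples used below; BOOT is bit 0x2 of
# md_flags (G_ELI_FLAG_BOOT); setkey takes -j/-J passphrase files.
# The decision rule follows the poster's description of g_eli_taste():
# BOOT set means prompt, unless md_iterations == -1.

# Print the iterations value from `geli dump` output on stdin.
dump_iterations() {
    awk '/^[ \t]*iterations:/ { print $2; exit }'
}

# Print the flags word (hex, e.g. 0x2) from `geli dump` output on stdin.
dump_flags() {
    awk '/^[ \t]*flags:/ { print $2; exit }'
}

# Read `geli dump` output on stdin and print what the boot-time taste
# would do for this provider: "prompt" or "no-prompt".
boot_prompt() {
    text=$(cat)
    iters=$(printf '%s\n' "$text" | dump_iterations)
    flags=$(printf '%s\n' "$text" | dump_flags)
    if [ -z "$iters" ] || [ -z "$flags" ]; then
        echo "no-metadata"
        return 1
    fi
    if [ $(( $flags & 2 )) -eq 0 ]; then
        echo "no-prompt"      # BOOT not set: never tasted at boot
    elif [ "$iters" -eq -1 ]; then
        echo "no-prompt"      # BOOT set, but -1 means "no passphrase"
    else
        echo "prompt"         # BOOT set and a real iteration count
    fi
}

# Reproduce the post's sequence on a memory disk. Needs root on FreeBSD.
# The passphrase below is constructed for the demo, not a real secret.
repro() {
    keyfile=$(mktemp /tmp/geli-key.XXXXXX)
    passfile=$(mktemp /tmp/geli-pass.XXXXXX)
    dd if=/dev/random of="$keyfile" bs=64 count=1 2>/dev/null
    echo "demo-passphrase-not-a-secret" > "$passfile"
    md=$(mdconfig -a -t swap -s 16m)

    # 1. keyfile only, no passphrase: iterations starts at -1
    geli init -b -P -K "$keyfile" "$md"
    printf 'after init -b -P:        '; geli dump "$md" | boot_prompt

    # 2. add a passphrase (current key: keyfile, no passphrase)
    geli setkey -p -k "$keyfile" -K "$keyfile" -J "$passfile" "$md"
    printf 'after setkey (add pass): '; geli dump "$md" | boot_prompt

    # 3. clear it again (current key: keyfile + passphrase)
    geli setkey -j "$passfile" -k "$keyfile" -K "$keyfile" -P "$md"
    printf 'after setkey -P (clear): '; geli dump "$md" | boot_prompt

    # the post's complaint: this is still the step-2 count, not -1
    printf 'iterations now:          '; geli dump "$md" | dump_iterations

    mdconfig -d -u "${md#md}"
    rm -f "$keyfile" "$passfile"
}

case "${1-}" in
    run) repro ;;
esac
```

Run it as "sh geli-iterations.sh run" on a FreeBSD box; with the behaviour the post describes, the third line reads "prompt" even though step 3 removed the passphrase, because only the iteration count, not the BOOT flag, decides whether the taste prompts.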