Date:      Tue, 21 Aug 2012 09:18:53 -0700
From:      Xin Li <delphij@delphij.net>
To:        freebsd-security@freebsd.org
Cc:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Subject:   Remotely attaching GELI provider on boot -- is this a useful feature?
Message-ID:  <5033B4ED.20401@delphij.net>

Hi,

I've been playing around with GELI a little bit and came up with an idea,
have a prototype, and wonder if this would be useful.

The scenario is that a system administrator wants a system to be started
with only network access.  In the current startup order 'geli' is
started way earlier than SSH and network configuration, so in my
prototype I have added a new script that runs before 'geli', starts
the network and SSH, and keeps looking at the geli device, or until someone
presses Enter on the console (so 'geli' will take over and ask for the
passphrase).  The administrator is expected to enable root login with
public key authentication, and / (for the base system) and /root are
encrypted (for the public key).

Of course, this is only a prototype and there are a lot of rough edges
like the hardcoded geli device name, etc., but would this be useful for
general consumption?

----
#!/bin/sh
#
# geli0: bring up networking and sshd before the regular 'geli' rc
# script runs, so the administrator can log in remotely and attach the
# GELI provider by hand.  Waits until /dev/ada0s1d.eli appears (or Enter
# is pressed on the console), then tears the early services down again
# and lets the normal 'geli' script take over.
#
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="geli0"
start_cmd="geli0_start"
stop_cmd=":"
required_modules="geom_eli:g_eli"

geli0_start()
{
        # / is still mounted read-only this early in the boot; remount it
        # read-write so the services started below can run.
        mount -uw /
        /etc/rc.d/devd start
        /etc/rc.d/hostid start
        /etc/rc.d/hostname start
        /etc/rc.d/netif start
        /etc/rc.d/routing start
        /etc/rc.d/sshd start

        echo -n "Waiting for ada0s1d to be available, press Enter to continue..."

        # Poll every 5 seconds for the attached provider.  'read -t' returns
        # non-zero on timeout, so the loop only ends early when someone
        # presses Enter on the console.
        while true; do
                if [ -e /dev/ada0s1d.eli ]; then
                        break
                fi
                read -t 5 dummy && break
        done

        # Stop the early services so the regular rc scripts start them cleanly.
        /etc/rc.d/sshd stop
        /etc/rc.d/routing stop
        /etc/rc.d/netif stop
        /etc/rc.d/devd stop
}

load_rc_config $name
run_rc_command "$1"
----
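As an added example, not part of Xin Li's prototype, here is a POSIX sh helper that removes the hardcoded device name from the wait loop: it takes the provider list and a timeout as parameters, so an unattended box cannot sit forever with sshd up and the disks unattached, and returns distinct codes for attached, timed out and console Enter. It assumes a hypothetical rc.conf variable (geli0_providers) for the provider list and relies on FreeBSD /bin/sh's 'read -t'; the device directory is a parameter only so the helper can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original rc script.  Intended use inside
# geli0_start, with geli0_providers="ada0s1d da1p2" assumed in rc.conf:
#     wait_for_geli /dev 600 $geli0_providers
# Return codes: 0 all providers attached, 1 timeout, 2 Enter on console.

# all_attached DEVDIR PROVIDER... -> 0 if DEVDIR/PROVIDER.eli exists for each
all_attached() {
    _dir=$1; shift
    for _p in "$@"; do
        [ -e "$_dir/$_p.eli" ] || return 1
    done
    return 0
}

# wait_for_geli DEVDIR TIMEOUT_SECONDS PROVIDER...
wait_for_geli() {
    _dir=$1; _timeout=$2; shift 2
    _waited=0
    while ! all_attached "$_dir" "$@"; do
        # Give up rather than leave sshd reachable on an unattached system.
        [ "$_waited" -lt "$_timeout" ] || return 1
        # 'read -t 1' (FreeBSD sh, bash) waits one second; it succeeds only
        # if a line arrives, i.e. the console operator pressed Enter.
        if read -t 1 _dummy; then
            return 2
        fi
        _waited=$((_waited + 1))
    done
    return 0
}
```

A caller that is not attached to a console should redirect stdin from /dev/null so the read cannot block or succeed spuriously.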