From: Robert Nichols
Date: Tue, 15 Nov 2016 16:51:15 -0600
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
In-Reply-To: <2aa32b7a-8aa4-bd7a-c6f0-eaef3794e8e8@whgl.uni-frankfurt.de>

On 11/15/2016 01:42 PM, Sven Eschenberg wrote:
>
> On 15.11.2016 at 20:19, Robert Nichols wrote:
>> sulogin is going to be hard to do if the root filesystem (where
>> /etc/shadow resides) has not been decrypted. You would have to have some
>> alternative password mechanism, and you can already accomplish that in
>> GRUB with password-protected alternatives.
>>
>
> No, the root filesystem is the initram (initrd) until rootfs is switched
> over - all you have to do is add a passwd(file) with an entry to it.
> You won't need shadow anyway, since the only login supported is a root
> login, which implies full access to shadow (usually). Of course you
> would probably not want to just grep the root line from the system, but
> generate a single-line passwd(file) with an entry for root with some
> separate password. If you trust the cryptographic strength of the
> hashing and salting in the passwd/shadow files, you could include them
> as well and support user and root logins with sulogin (during initrd).
> Using shadow in this particular case makes sense again.

As I said, "some alternative password mechanism."

FWIW in Red Hat systems, at least, there are several values you can pass for "rdbreak=" in the boot parameters that will cause the initrd script to drop into a debug shell before the decryption password is ever requested.

It is a long-standing truism that without physical security, there is no protection for unencrypted storage on the system.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
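The two points raised in this exchange (sulogin in the initramfs needs its own root entry with a real password hash, and boot parameters such as "rdbreak=" can drop into a shell before the LUKS passphrase is ever asked) are both things an administrator can audit. The script below is an added example written for this page, not code from the thread or from cryptsetup, Red Hat or dracut. It assumes the initramfs has already been unpacked into a directory (the `make_sample_initramfs` helper builds a constructed stand-in with a placeholder hash), and the token list in `find_debug_shell_tokens` adds dracut's `rd.break` and the generic `init=` to the "rdbreak=" parameter the message names.

```shell
#!/usr/bin/env bash
# Added example (not part of the dm-crypt thread): audit an unpacked initramfs
# for a password-protected root entry, and scan a kernel command line for
# parameters that open a shell before the encrypted root is unlocked.

# Constructed stand-in for an unpacked initramfs; the shadow hash is a
# placeholder with the $6$ (sha512crypt) prefix, not a real hash.
make_sample_initramfs() {
  local dir="$1"
  mkdir -p "$dir/etc"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/etc/passwd"
  printf 'root:$6$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::\n' > "$dir/etc/shadow"
}

# Returns 0 only if the initramfs has both passwd and shadow, a root line in
# passwd, and a root shadow field that is a real hash of a modern scheme
# rather than empty or a lock marker (!, *, !!, or a hash prefixed with !).
# An empty field would let sulogin hand out a root shell without a password.
initrd_root_has_password() {
  local dir="$1" hash
  [ -r "$dir/etc/passwd" ] && [ -r "$dir/etc/shadow" ] || return 1
  grep -q '^root:' "$dir/etc/passwd" || return 1
  hash=$(awk -F: '$1=="root"{print $2; exit}' "$dir/etc/shadow")
  case "$hash" in
    ""|"*"|"!"*) return 1 ;;                      # no password or locked
    '$6$'*|'$5$'*|'$y$'*|'$2'[aby]'$'*) return 0 ;; # sha512/sha256/yescrypt/bcrypt
    *) return 1 ;;                                 # legacy DES/MD5 or unknown
  esac
}

# Prints every command-line token that drops into a debug shell before the
# root filesystem is switched to; returns 1 if at least one was found.
# "rdbreak=" is the parameter named in the thread; rd.break (dracut) and
# init= are added here as further known cases.
find_debug_shell_tokens() {
  local cmdline="$1" tok found=1
  for tok in $cmdline; do
    case "$tok" in
      rdbreak|rdbreak=*|rd.break|rd.break=*|init=/bin/sh|init=/bin/bash)
        echo "$tok"; found=0 ;;
    esac
  done
  return $found
}
```

On a live system the second check is typically run as `find_debug_shell_tokens "$(cat /proc/cmdline)"`; a non-zero exit means the boot line itself is a bypass for the passphrase prompt, which is exactly the situation where the physical-security truism above applies regardless of what sulogin does.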