LinuxQuestions.org

robertolamb 12-30-2012 11:38 PM

Combining Luks and LVM - Error after 3 bad passphrase
 
My hard disk is encrypted by having followed the tutorial Combining LUKS and LVM. When I enter the correct passphrase, my computer starts normally. When I enter 3 bad passphrases consecutively, I get an error message:

Quote:

mount: mounting /dev/cryptvg/root on /mnt failed: No such file or directory
ERROR: No /sbin/init found on rootdev (or not mounted). Trouble ahead.
You can try to fix it. Type 'exit' when things are done.

/bin/sh: can't access tty; job control turned off
#

Any advice?

T3slider 12-31-2012 12:28 AM

Quote:

Originally Posted by robertolamb (Post 4859832)
My hard disk is encrypted by having followed the tutorial Combining LUKS and LVM. When I enter the correct passphrase, my computer starts normally. When I enter 3 bad passphrases consecutively, I get an error message:

From `man cryptsetup`:
Code:

      --tries, -T
              How  often  the  input  of the passphrase shall be retried. This
              option is relevant every time a password is asked, like  create,
              luksOpen, luksFormat or luksAddKey. The default is 3 tries.

You could modify the lines in the `init` script in the initrd (and/or /etc/rc.d/rc.S depending on whether you have other non-root LUKS partitions) that open the device (cryptsetup lines with luksOpen) to add the -T argument to give you more tries if you want. Note that this makes it easier for others to brute force your box (though I suppose they could do that anyway if they remove your hard drive). I haven't tested this so adding that option may or may not work. I think 3 guesses is a reasonable default to allow you to make a couple of mistakes while preventing brute force attempts but you may feel differently.
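
Added example (not part of T3slider's post and not Slackware's own script): one way to make the edit described above, inserting `-T N` after `cryptsetup` on every `luksOpen` line while leaving comments and lines that already set a retry count alone. The function names and the sample fragment are constructed for illustration; the lines in the real `init` script may look different.

```shell
#!/bin/sh
# add_luks_tries FILE N
# Add "-T N" to every command line in FILE that runs "cryptsetup ... luksOpen".
# Comment lines and lines that already set -T/--tries are left alone.
# The untouched original is kept as FILE.orig.
add_luks_tries() {
    file=$1
    tries=$2
    case $tries in
        ''|*[!0-9]*) echo "tries must be a whole number" >&2; return 2 ;;
    esac
    [ "$tries" -ge 1 ] || { echo "tries must be at least 1" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.orig" || return 1
    # Writing with ">" keeps the mode of the existing file (init stays executable).
    awk -v n="$tries" '
        /^[ \t]*#/ { print; next }
        /cryptsetup/ && /luksOpen/ && !/(^|[ \t])(-T|--tries)/ {
            sub(/cryptsetup/, "cryptsetup -T " n)
        }
        { print }
    ' "$file.orig" > "$file"
}

# Constructed sample input; NOT the contents of the real Slackware init script.
sample_init_fragment() {
    cat <<'EOF'
# open the root device: cryptsetup luksOpen
if /sbin/cryptsetup isLuks ${LUKSDEV} ; then
  /sbin/cryptsetup luksOpen ${LUKSDEV} ${CRYPTDEV}
fi
/sbin/cryptsetup -T 5 luksOpen /dev/sdx3 crypthome
EOF
}
```

Call it as `add_luks_tries <path-to-init> 4`. The change only takes effect once the initrd image is rebuilt from the edited tree.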

Alien Bob 12-31-2012 05:04 AM

Quote:

Originally Posted by robertolamb (Post 4859832)
My hard disk is encrypted by having followed the tutorial Combining LUKS and LVM. When I enter the correct passphrase, my computer starts normally. When I enter 3 bad passphrases consecutively, I get an error message:

Any advice?

What did you expect would happen then? Sounds like an OK result to me.

Eric

STDOUBT 12-31-2012 08:40 AM

Quote:

Sounds like an OK result to me.

Salute, Eric!
IMO, failing to input the correct passphrase should not offer you any kind of shell!!!
Read his message closely - he gets dropped to a limited (busybox?) shell.

Alien Bob 12-31-2012 09:02 AM

Quote:

Originally Posted by STDOUBT (Post 4860047)
Salute, Eric!
IMO, failing to input the correct passphrase should not offer you any kind of shell!!!
Read his message closely - he gets dropped to a limited (busybox?) shell.

There is nothing wrong with getting dropped to the Slackware emergency shell. In fact, it is there for people with configuration errors whose system won't boot. Three consecutive passphrase entry errors could be a keyboard problem which has to be investigated.

With a LUKS encrypted hard drive there is nothing a hacker can do in the restricted shell which gives him a way into the system. If the hacker is at the console anyway (which is the only place where you can enter the LUKS passphrase) he could just as well use a bootable CDROM to gain access to the computer without booting Slackware, or he can even rip out the entire harddisk and take it home. There is no difference in the level of danger to your encrypted files.

Eric

robertolamb 12-31-2012 09:34 AM

Quote:

Originally Posted by T3slider (Post 4859843)
From `man cryptsetup`:
Code:

      --tries, -T
              How  often  the  input  of the passphrase shall be retried. This
              option is relevant every time a password is asked, like  create,
              luksOpen, luksFormat or luksAddKey. The default is 3 tries.

You could modify the lines in the `init` script in the initrd (and/or /etc/rc.d/rc.S depending on whether you have other non-root LUKS partitions) that open the device (cryptsetup lines with luksOpen) to add the -T argument to give you more tries if you want. Note that this makes it easier for others to brute force your box (though I suppose they could do that anyway if they remove your hard drive). I haven't tested this so adding that option may or may not work. I think 3 guesses is a reasonable default to allow you to make a couple of mistakes while preventing brute force attempts but you may feel differently.


I followed the tutorial README_CRYPT.TXT, Combining LUKS and LVM section (same setup, partitions, volumes, names). Please, can you be more specific and tell me exactly what changes to make to change the default 3 to 4 tries? It might be easier to show me where the changes are if you make changes directly on the README_CRYPT.TXT.

Thank you.


Quote:

Originally Posted by Alien Bob (Post 4859936)
What did you expect would happen then? Sounds like an OK result to me.

Eric

Sorry, I did not read the 'man cryptsetup' which states "The default is 3 tries" before posting. I was not expecting a kick out but rather a constant retry similar to Slackware logging in. Evidently, 3 tries is safer. To avoid the kernel panic caused by the exit command after 3 bad passphrases at the # prompt, what are the constructive choices that are available to me? Hard reboot?

Thank you.

