Skip to content
GitLab
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • C cryptsetup
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 35
    • Issues 35
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 3
    • Merge requests 3
  • Deployments
    • Deployments
    • Releases
  • Packages and registries
    • Packages and registries
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
Collapse sidebar
  • cryptsetupcryptsetup
  • cryptsetup
  • Issues
  • #670
Closed
Open
Issue created Sep 09, 2021 by Mark@darkskiez

External Token API does not ask for PIN except in --token-only mode.

I've been writing my own token to use the new external token API, but I've been surprised at a few quirks which I'll file here for your consideration...

When I return -ENOANO cryptsetup will ask for the PIN, and retry the library call with cryptsetup_token_open_pin,.. but only when cryptsetup open is invoked in --token-only mode..

Otherwise it goes straight to asking the user for the unlock passphrase and never tries again.

It seems to me like it would be nice to ask for a token PIN if the library suggested it.

It might be nice to pass the passphrase into the library as a PIN if it didn't unlock anything successfully, but I can see that has potentially its own security risks or problems with tokens that have try counters.

Is it appropriate for the token library to prompt for a PIN on the console rather than return -ENOANO if it will be ignored?

Assignee
Assign to
Time tracking