Skip to content

GitLab

    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
    • Menu
    Projects Groups Snippets
  • Get a free trial
  • Sign up
  • Login
  • Sign in / Register
  • C cryptsetup
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 46
    • Issues 46
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 7
    • Merge requests 7
  • Deployments
    • Deployments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
Collapse sidebar
  • cryptsetup
  • cryptsetup
  • Issues
  • #670
Closed
Open
Created Sep 09, 2021 by Mark@darkskiez

External Token API does not ask for PIN except in --token-only mode.

I've been writing my own token to use the new external token API, but I've been surprised at a few quirks which I'll file here for your consideration...

When I return -ENOANO cryptsetup will ask for the PIN, and retry the library call with cryptsetup_token_open_pin,.. but only when cryptsetup open is invoked in --token-only mode..

Otherwise it goes straight to asking the user for the unlock passphrase and never tries again.

It seems to me like it would be nice to ask for a token PIN if the library suggested it.

It might be nice to pass the passphrase into the library as a PIN if it didn't unlock anything successfully, but I can see that has potentially its own security risks or problems with tokens that have try counters.

Is it appropriate for the token library to prompt for a PIN on the console rather than return -ENOANO if it will be ignored?

Assignee
Assign to
Time tracking