Remotely attaching GELI provider on boot -- is this a useful feature?
Xin Li
delphij at delphij.net
Tue Aug 21 16:19:07 UTC 2012
Hi,

I've been playing around with GELI a little bit and came up with an idea,
have a prototype and wonder if this would be useful.

The scenario is that a system administrator wants a system to be started
with only network access. In the current startup order 'geli' is
started way earlier than SSH and network configuration, so in my
prototype I have added a new script that runs before 'geli', starts
the network and SSH and keeps looking for the geli device, or until
someone presses Enter on the console (so 'geli' will take over and ask
for the passphrase). The administrator is expected to enable root login
with public key authentication, and / (for the base system) and /root
(for the public key) are encrypted.

Of course, this is only a prototype and there are a lot of rough edges
like the hardcoded geli device name, etc., but would this be useful for
general consumption?
----
#!/bin/sh
#
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="geli0"
start_cmd="geli0_start"
stop_cmd=":"
required_modules="geom_eli:g_eli"

geli0_start()
{
	# Bring up just enough of the system for an administrator to SSH in
	# and attach the GELI provider remotely.
	mount -uw /
	/etc/rc.d/devd start
	/etc/rc.d/hostid start
	/etc/rc.d/hostname start
	/etc/rc.d/netif start
	/etc/rc.d/routing start
	/etc/rc.d/sshd start
	echo -n "Waiting for ada0s1d to be available, press Enter to continue..."
	# Poll every 5 seconds until the .eli node shows up or Enter is
	# pressed on the console (then 'geli' asks for the passphrase).
	while true; do
		if [ -e /dev/ada0s1d.eli ]; then
			break
		fi
		read -t 5 dummy && break
	done
	# Tear the temporary network setup down again so the regular rc
	# scripts start it cleanly.
	/etc/rc.d/sshd stop
	/etc/rc.d/routing stop
	/etc/rc.d/netif stop
	/etc/rc.d/devd stop
}

load_rc_config $name
run_rc_command "$1"
----
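A variant of the script above, as an added example (not Xin Li's prototype), that takes the provider list and a wait time from rc.conf instead of hardcoding ada0s1d and a wait without an upper bound; the rc.conf knobs geli0_providers and geli0_timeout are assumed names, not existing FreeBSD variables.

```shell
#!/bin/sh
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail
# Added example, not the prototype from the mail. geli0_providers and
# geli0_timeout are assumed rc.conf knobs, not existing FreeBSD variables.

# Poll every 5 s until every provider in "$@" has a .eli node under $1.
# Returns 0 when all are attached, 1 if Enter is pressed on the console
# (so the regular 'geli' script asks for the passphrase), 2 after $2 s.
geli_wait_attached()
{
	_devdir=$1; _timeout=$2; shift 2; _elapsed=0
	while :; do
		_missing=0
		for _p in "$@"; do
			[ -e "${_devdir}/${_p}.eli" ] || _missing=1
		done
		[ "${_missing}" -eq 0 ] && return 0
		[ "${_elapsed}" -ge "${_timeout}" ] && return 2
		read -t 5 _dummy && return 1
		_elapsed=$((_elapsed + 5))
	done
}

geli0_start()
{
	mount -uw /
	for _svc in devd hostid hostname netif routing sshd; do
		/etc/rc.d/${_svc} start
	done
	echo -n "Waiting for ${geli0_providers}, press Enter to continue..."
	geli_wait_attached /dev "${geli0_timeout}" ${geli0_providers}
	# Tear the temporary network setup down before 'disks'/'geli' run.
	for _svc in sshd routing netif devd; do
		/etc/rc.d/${_svc} stop
	done
}

# Only behave as an rc.d script under rc; the function above can be
# sourced and exercised on its own.
if [ -r /etc/rc.subr ]; then
	. /etc/rc.subr
	name="geli0"; start_cmd="geli0_start"; stop_cmd=":"
	required_modules="geom_eli:g_eli"
	load_rc_config $name
	: ${geli0_providers:="ada0s1d"}; : ${geli0_timeout:=600}
	run_rc_command "$1"
fi
```

The timeout bounds how long the early sshd stays reachable on the network when nobody attaches the providers, after which the console 'geli' prompt takes over as before.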