
pam_mount-0.17-1.3mdv2008.0.src.rpm

--- pam_mount-0.10.0/config/pam_mount.conf~	2005-11-17 18:29:49.000000000 -0200
+++ pam_mount-0.10.0/config/pam_mount.conf	2005-12-09 10:40:44.000000000 -0200
@@ -140,6 +140,23 @@
 # volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
 
 
+#
+# dm_crypt with smart card support example (need to have opensc installed and configured
+# and with pkcs15-crypt supporting reading PIN from <stdin>):
+# volume user crypt - /dev/sda2 /home/user sc_key_id=45,sc_key_file=/etc/cryptsetup.key - -
+#
+# where:
+# sc_key_id:   ID of the private key stored in the smart card which will
+#              decrypt the key file
+# sc_key_file: file which contains the filesystem key. This file is encrypted with the
+#              public key associated with the private sc_key_id
+#
+# sample command to encrypt cryptsetup.clear into cryptsetup.key with the smart card
+# using key id 45:
+# openssl rsautl -in cryptsetup.clear -out cryptsetup.key -engine pkcs11 -keyform engine \
+#         -encrypt -inkey 45 -pubin
+#
+
 # cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.
 # cryptoloop mounts must be in the global config /etc/security/pam_mount.conf
 # Linux encrypted home directory examples, using cryptoloop:
--- pam_mount-0.10.0/scripts/mount.crypt.orig	2005-12-09 10:35:03.000000000 -0200
+++ pam_mount-0.10.0/scripts/mount.crypt	2005-12-09 10:35:27.000000000 -0200
@@ -30,6 +30,7 @@
 CRYPTSETUP=/sbin/cryptsetup
 MOUNT=/bin/mount
 FSCK="/sbin/fsck";
+PKCS15_CRYPT=/usr/bin/pkcs15-crypt
 
 OPTIONS=""
 FSTYPE="";
@@ -117,6 +118,12 @@
                 fsck)
                         DOFSCK=true;
                         ;;
+		sc_key_id)
+			SC_KEY_ID="$VAL"
+			;;
+		sc_key_file)
+			SC_KEY_FILE="$VAL"
+			;;
 		* )
 			if [ -z "$MOUNTOPTIONS" ]; then
 				MOUNTOPTIONS="$opt"
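Review bot: The two new `case` arms store `sc_key_id` and `sc_key_file` from `$VAL` without any validation, although both values are later handed straight to pkcs15-crypt, where a value beginning with `-` would be read as an option and an empty value silently produces a broken command line. Since PKCS#15 key ids are presumably short hex strings (the config example uses `45`), restrict the id to hex digits and require the key file to be an absolute path, e.g. `case "$VAL" in ""|*[!0-9a-fA-F]*) echo "mount.crypt: invalid sc_key_id '$VAL'" >&2; exit 1;; esac` in the first arm and `case "$VAL" in /*) ;; *) echo "mount.crypt: sc_key_file must be an absolute path" >&2; exit 1;; esac` in the second. The option-parsing loop this hunk extends starts before the hunk, so how `$VAL` is split from the option is not visible here.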
@@ -146,7 +153,12 @@
 # Check for LUKS
 if "$CRYPTSETUP" isLuks "$DEVICE" 2>/dev/null; then
     LUKS=true;
-    "$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE";
+    if [ -n "$SC_KEY_ID" ]; then
+    	$PKCS15_CRYPT --pkcs1 --decipher -k $SC_KEY_ID --raw -i $SC_KEY_FILE -p - | \
+	    "$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;
+    else
+       "$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE"
+    fi
 else
     LUKS=false;
     "$CRYPTSETUP" -c "${CIPHER:-aes}" -h "${HASH:-ripemd160}" \
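Review bot: The added pkcs15-crypt pipeline expands `$PKCS15_CRYPT`, `$SC_KEY_ID` and `$SC_KEY_FILE` unquoted, so a value containing whitespace or glob characters is split into extra arguments to pkcs15-crypt; these values come from the volume's option string, so quote them the way the surrounding `"$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE"` call already does. It is also worth checking that the key file is readable before touching the card: no `pipefail` is visible in the script, so a missing file or a wrong PIN surfaces only as cryptsetup rejecting an empty key, with pkcs15-crypt's own exit status lost. Note that the `-n "$SC_KEY_ID"` test sits only inside the LUKS branch, so for a non-LUKS volume `sc_key_id` is silently ignored and the plain dm-crypt path in the `else` branch (which continues past the end of the hunk) runs without it — at minimum that deserves a warning on stderr. The `--pkcs1` decipher matches the PKCS#1 v1.5 padding that the `openssl rsautl -encrypt` example in the config hunk produces; the two must stay in sync if either is ever moved to OAEP.
```shell
if [ -n "$SC_KEY_ID" ]; then
    # Fail early with a clear message; otherwise pkcs15-crypt would prompt for the PIN and cryptsetup would then reject an empty key.
    [ -r "$SC_KEY_FILE" ] || { echo "mount.crypt: cannot read sc_key_file '$SC_KEY_FILE'" >&2; exit 1; }
    "$PKCS15_CRYPT" --pkcs1 --decipher -k "$SC_KEY_ID" --raw -i "$SC_KEY_FILE" -p - | \
        "$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE" --key-file /dev/stdin
# … unchanged: else branch without smart card …
```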