author | Jan Malakhovski <oxij@oxij.org> | 2018-06-10 20:18:27 +0000 |
---|---|---|
committer | Jan Malakhovski <oxij@oxij.org> | 2018-08-08 02:47:50 +0000 |
commit | 8c83ba03867e2aef97d331c902e745dc9cafba9d (patch) | |
tree | 489a1f63c255cd20e1c2432702d5fdbca4258cb6 /nixos | |
parent | c35917e330fb063f732e680371f0b7877dd65cc8 (diff) | |
nixos: initrd/luks: disable input echo for the whole stage
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 5f42c76d5d7f..27c1f891f485 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -78,9 +78,15 @@ let
 # For Yubikey salt storage
 mkdir -p /crypt-storage
+
+ # Disable all input echo for the whole stage. We could use read -s
+ # instead but that would ocasionally leak characters between read
+ # invocations.
+ stty -echo
 '';
 postCommands = ''
+ stty echo
 umount /crypt-storage 2>/dev/null
 umount /crypt-ramfs 2>/dev/null
 '';
@@ -113,8 +119,8 @@ let
 # ask cryptsetup-askpass
 echo -n "${device}" > /crypt-ramfs/device
- # and try reading it from /dev/console
- IFS= read -t 1 -rs passphrase
+ # and try reading it from /dev/console with a timeout
+ IFS= read -t 1 -r passphrase
 if [ -n "$passphrase" ]; then
 ${if luks.reusePassphrases then ''
 # remember it for the next device
@@ -199,7 +205,7 @@ let
 for try in $(seq 3); do
 ${optionalString yubikey.twoFactor ''
 echo -n "Enter two-factor passphrase: "
- read -rs k_user
+ read -r k_user
 echo
 ''} |
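Review bot: Echo is turned back on only by the `stty echo` at the top of `postCommands`, so any path that leaves the stage after the added `stty -echo` without reaching `postCommands` would leave the console with echo off. Whether a failed unlock or a fallback shell runs `postCommands` is not visible in this hunk and should be confirmed. If it does not, that path needs its own `stty echo`, and the constraint is worth recording next to the new line, for example `# echo stays off until postCommands runs; any early exit must call "stty echo" itself`. The new comment also misspells `occasionally` as `ocasionally`. Both Nix strings start or end outside the hunk.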
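Review bot: With `-s` dropped from `IFS= read -t 1 -r passphrase`, the passphrase stays hidden only if the `stty -echo` in `preCommands` succeeded on the terminal this read uses, and that command's exit status is not checked. The same applies to `read -r k_user` in the last hunk. A guard at the point where echo is disabled would make a failure visible, for example `stty -echo || echo "warning: could not disable terminal echo" >&2`. It would also help to state the dependency at each read, e.g. `# input echo is disabled stage-wide by "stty -echo" in preCommands`. The enclosing shell fragments start and end outside these hunks.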