Bug 538853

Summary: Incorrect password in LUKS (encrypted /home) results in erroneous behavior
Product: [openSUSE] openSUSE 11.3
Reporter: Forgotten User l5pf6EzKS1 <forgotten_l5pf6EzKS1>
Component: Other
Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: alinm.elena, mateusz.czykiel
Version: unspecified
Target Milestone: Factory
Hardware: x86
OS: All
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User l5pf6EzKS1 2009-09-13 23:14:27 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.1) Gecko/20090714 SUSE/3.5.1-3.1 Firefox/3.5.1

If /home is created encrypted, LUKS asks for a password during boot, before /home is mounted.

If the password is incorrect, it immediately asks for another password, but in 3-5 seconds an error (cannot insert module) pops up, the part of the password entered so far is cleared, and LUKS asks for the password again. If the password is still being typed at the moment the error is shown, everything typed is shown on screen. Tried with an 18-character password.

Now if the correct password is entered, LUKS still shows "enter the password:" prompt, which then gets disregarded automatically once the volume is unlocked. This confuses users.

Reproducible: Always

Steps to Reproduce:
1. Create an installation with encrypted /home. Use a long (18-20 character) password.
2. Once rebooted, type part of the password, type a wrong letter, then press "enter" to disregard the old password (typical user behavior when they cannot remember how many times they actually typed the letter).
3. When a new "enter the password" line is shown, immediately try to enter it again (try to type 2-3 keys a second). At some point there will be an error message, and all the keys pressed at this moment will be shown on screen (security issue). Then another "enter the password" line shows on screen, and you have to retype everything again.
4. If now you type a valid password, you'll see the "enter the password" line again. It will disappear in a few seconds, but it confuses users.


Expected Results:  
It should only show "enter the password" line when it's actually reading the password from the terminal. It should not show this line before the password has been verified (in this case no line should be shown) or found invalid (in this case the line should only be shown after the password is known to be invalid).

As a side note, the "error loading kernel module" and "no slots unlocked" are hard to understand for a regular user. Some "invalid password" message would be helpful.
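
One way to get the behaviour asked for under "Expected Results", as an added Python example that is not cryptsetup's or openSUSE's code: echo is switched off once before the first prompt and stays off through verification and the error message, and keys typed while no prompt is on screen are discarded. The names `read_line`, `prompt_passphrase` and the `verify` callback are hypothetical, and discarding typed-ahead input is a design choice of this example.

```python
import os
import sys
import termios

def read_line(fd):
    """Read one canonical-mode line from the terminal, without the newline."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = os.read(fd, 1)
        if not chunk:                      # EOF or hang-up
            break
        buf += chunk
    return bytes(buf).rstrip(b"\r\n")

def prompt_passphrase(fd, verify, tries=3):
    """Ask for a passphrase on terminal `fd`; return True once verify() accepts.

    verify(passphrase) is a hypothetical stand-in for the slow unlock attempt.
    """
    saved = termios.tcgetattr(fd)
    quiet = termios.tcgetattr(fd)
    quiet[3] &= ~termios.ECHO              # index 3 is c_lflag
    try:
        # Echo goes off once, before the first prompt, and stays off until the
        # whole dialogue is over, so a late error message cannot expose keys.
        termios.tcsetattr(fd, termios.TCSAFLUSH, quiet)
        for _ in range(tries):
            # Drop anything typed while no prompt was on screen.
            termios.tcflush(fd, termios.TCIFLUSH)
            os.write(fd, b"Enter passphrase: ")
            passphrase = read_line(fd)
            os.write(fd, b"\n")
            if verify(passphrase):         # echo is still off in here
                return True
            # The next prompt appears only after the verdict is known.
            os.write(fd, b"Invalid passphrase.\n")
        return False
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, saved)

if __name__ == "__main__" and sys.stdin.isatty():
    # Constructed demo: the "volume" accepts one fixed passphrase.
    ok = prompt_passphrase(sys.stdin.fileno(), lambda p: p == b"correct horse")
    print("unlocked" if ok else "no key slot unlocked")
```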

Comment 1 Ludwig Nussel 2009-09-16 12:01:52 UTC
That's a nasty side effect of the way the prompt gets overwritten.

Comment 2 Ludwig Nussel 2009-09-16 12:08:39 UTC
*** Bug 535597 has been marked as a duplicate of this bug. ***

Comment 3 Mateusz Czykiel 2009-09-20 19:46:00 UTC
I've got this bug too. I'd add that during boot I receive this message: "[32.835828] Intel AES-NI instructions are not detected.
modprobe: FATAL: Error inserting padlock_sha(/lib/modules/2.6.31-rc9-7-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device"

Comment 4 Ludwig Nussel 2009-09-28 07:46:54 UTC
Out of time to fix this for 11.2. The Debian askpass helper I was hoping for doesn't support all features I need yet. I prefer to delay the fix to 11.3 rather than risking regressions now.

Comment 5 Ludwig Nussel 2010-01-19 08:16:56 UTC
Fix submitted for Factory. Will be in the cryptsetup 1.1.0 package.