Comment 30 for bug 55159

 BROADER PATCH FOR BOTH LUKS AND REGULAR MAPPINGS

After posting my patch, I realized I only wrote it for LUKS! Therefore, I spent most of today rebooting again and again to test revisions to add the code to the part of cryptdisks.functions that controls setting a regular mapping as well. It works, though with a regular mapping cryptsetup will not error out regardless of the passphrase-the mapping just won't mount if the passphrase is wrong.

This alone is a good reason to use LUKS. With this code and LUKS, if the password is wrong usplash (and cryptsetup underneath) will simply hold and wait until the right password is entered or you run out of tries-then the boot process resumes. Usplash is verbose while cryptsetup is running.

With these revisions, askpass(the source of the security hole) is NOT used and the passphrase is NOT echoed to the console (I checked). Verified to work on Intel Atom and AMD Athlon 64 w/32 bit Ubuntu Jaunty, earlier patch(posted above) also verified on 2 GHZ 32 bit(old style) AMD Athlon with Ubuntu Hardy. Either version of cryptsetup is fine with this patch.

TODO: Find a way to force tries=1 for each call of cryptsetup, then loop the script again so cryptsetup (and the Usplash prompts) are called once each time for every try in "tries=" in /etc/crypttab. This would make the splash screen text responsive to a bad password instead of the user having to know no response=bad passphrase. Still, usplash works, and the passphrase doesn't get echoed to the console.

Anyway, here is the new code-straight out of /lib/cryptsetup on the machine this is uploaded from.