From nobody@FreeBSD.org  Tue Oct 11 10:32:49 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 031A3106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Oct 2011 10:32:49 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id D4BD18FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Oct 2011 10:32:48 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p9BAWmlK095963
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Oct 2011 10:32:48 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p9BAWmoG095957;
	Tue, 11 Oct 2011 10:32:48 GMT
	(envelope-from nobody)
Message-Id: <201110111032.p9BAWmoG095957@red.freebsd.org>
Date: Tue, 11 Oct 2011 10:32:48 GMT
From: Rob VanHooren <robv@ieee.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: GELI password entry is too visible
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         161486
>Category:       kern
>Synopsis:       [geli] GELI password entry is too visible
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pjd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 11 10:40:05 UTC 2011
>Closed-Date:    Tue Oct 25 16:39:03 UTC 2011
>Last-Modified:  Tue Oct 25 16:39:03 UTC 2011
>Originator:     Rob VanHooren
>Release:        8.2-STABLE
>Organization:
.
>Environment:
FreeBSD host 8.2-STABLE FreeBSD 8.2-STABLE #0: Mon Oct 10 11:51:15 EDT 2011     root@host:/usr/obj/usr/src/sys/HOST  amd64

>Description:
With enabled kern.geom.eli.visible_passphrase="1" to show GELI password, shows the plaintext password.

This knob is useful for debugging, however too insecure (esp. since the plaintext winds up in logs).

Should have an option to provide keystroke feedback, without entirely compromising the plaintext.


>How-To-Repeat:
with GELI entries, set kern.geom.eli.visible_passphrase=1 in loader.conf, reboot & observe keystroke feedback is plaintext.  Observe also the plaintext in dmesg.boot & /var/log/messages

>Fix:
The solution may be quite simple and I wonder why GELI developer didn't include it from the beginning.  

An knob enhancement which provides obsured keystroke feedback at GELI password entry can be achieved easily with just few lines listed below. 

--- sys/libkern/gets.c.orig 2011-04-14 22:04:25.234478722 +0200
+++ sys/libkern/gets.c 2011-04-14 22:04:32.606479912 +0200
@@ -54 +54,3 @@
- if (visible)
+ if (visible > 1)
+ printf("* \b");
+ else if (visible == 1)
@@ -63 +65,3 @@
- if (visible)
+ if (visible > 1)
+ printf("*");
+ else if (visible == 1)

Now in /boot/loader.conf

kern.geom.eli.visible_passphrase=2 (or any value greater than 1) echoes asterisks as keystroke feedback.

I use 8.2-STABLE kernel patched as above, and it seems nothing else is broken.

Note for fBSD9, gets.c structure is a bit different so the patch will need some tweaks to roll it forward from 8.2 into 9 & head.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Oct 11 17:57:33 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161486 
State-Changed-From-To: open->closed 
State-Changed-By: pjd 
State-Changed-When: wto 25 paź 2011 16:38:05 UTC 
State-Changed-Why:  
This is already implemented as of r215299. 


Responsible-Changed-From-To: freebsd-geom->pjd 
Responsible-Changed-By: pjd 
Responsible-Changed-When: wto 25 paź 2011 16:38:05 UTC 
Responsible-Changed-Why:  
I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=161486 
>Unformatted:
