nixos: initrd/luks: disable input echo for the whole stage

2024-11-16 14:54:29 +01:00 · 2018-06-10 20:18:27 +00:00 · 2018-06-10 20:18:27 +00:00 · 8c83ba0386
commit 8c83ba0386
parent c35917e330
1 changed files with 9 additions and 3 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -78,9 +78,15 @@ let

    # For Yubikey salt storage
    mkdir -p /crypt-storage
+
+    # Disable all input echo for the whole stage. We could use read -s
+    # instead but that would ocasionally leak characters between read
+    # invocations.
+    stty -echo
  '';

  postCommands = ''
+    stty echo
    umount /crypt-storage 2>/dev/null
    umount /crypt-ramfs 2>/dev/null
  '';
@ -113,8 +119,8 @@ let
                    # ask cryptsetup-askpass
                    echo -n "${device}" > /crypt-ramfs/device

-                    # and try reading it from /dev/console
-                    IFS= read -t 1 -rs passphrase
+                    # and try reading it from /dev/console with a timeout
+                    IFS= read -t 1 -r passphrase
                    if [ -n "$passphrase" ]; then
                       ${if luks.reusePassphrases then ''
                         # remember it for the next device
@ -199,7 +205,7 @@ let
        for try in $(seq 3); do
            ${optionalString yubikey.twoFactor ''
            echo -n "Enter two-factor passphrase: "
-            read -rs k_user
+            read -r k_user
            echo
            ''}