Ubuntu
cryptsetup package

cryptroot-unlock doesn't work at all when terminal width is below 51

Bug #1968636 reported by Adam Vodopjan
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

I'm speaking about ubuntu 20.04.4 with cryptsetup 2:2.2.2-3ubuntu2.4. The behaviour is the same in ubuntu 22.04. I havent tried 18.04 and older LTS, probably the same problem there as well.

So I have your usual setup with luks encrypted root. I've installed dropbear-initramfs to make it remotely unlockable, set everything up and tried to unlock it connecting from termux with my phone. When I ran cryptroot-unlock it kept silent (not even the prompt) for some secs and quit with such error:

    Error: Timeout reached while waiting for askpass.

Long story short: if I rotated the phone everything worked as supposed.

I tracked it down to this piece in cryptroot-unlock:

    # Print the list of PIDs the executed command of which is $exe.
    pgrep_exe() {
        local exe pid
        exe="$(readlink -f -- "$1" 2>/dev/null)" && [ -f "$exe" ] || return 0
        ps | awk '{print $1, $5}' | while read LINE; do
            set $LINE
            local pid=$1
            local cmd=$(readlink -f -- "$2")
            if [ "$cmd" == "$exe" ]; then
                echo $pid
                break
            fi
        done
    }

Notice it walks through "ps" (busybox one) lines which adapts its output to the terminal width. Check out this shell session:

    > stty size
    40 115
    > /usr/lib/initramfs-tools/bin/busybox ps | grep '[b]usybox'
    18944 account 2804 R /usr/lib/initramfs-tools/bin/busybox ps
    ## resize the terminal width to 50
    > stty size
    40 50
    > /usr/lib/initramfs-tools/bin/busybox ps | grep '[b]usybox'
    18947 account 2804 R {busybox} /usr/lib/ini

Look at the last line above. "ps" ensures one terminal line per process, no wrapping. If a line is too long, cut it. If the full binary path is to be cut, prepend the binary basename in curly braces.

Here is a shell session over dropbear connection:

    > stty size
    40 115
    > ps | grep '[a]skpass'
      285 root 2364 S /lib/cryptsetup/askpass Please unlock disk dm_crypt-0:
    ## resize the terminal width to 50
    > stty size
    40 50
    > ps | grep '[a]skpass'
      285 root 2364 S {askpass} /lib/cryptse

As you can see askpass cmdline is a total mess now and because of that pgrep_exe cant find askpass PID.

A quick fix could be "ps -w" instead of just "ps" in pgrep_exe. It would make ps assume the terminal width 132 which is enough for askpass line to be printed pristine.

Currently one cant unlock encrypted root with terminal width up to and including 50.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cryptsetup (Ubuntu):
status: New → Confirmed
Revision history for this message
Irkandur (irkandur) wrote :

Hello there.

I have Ubuntu 22.04.1 running on a Raspberry Pi, everything is fine and smooth.

I have an encrypted root partition which I also unlock from initrd thanks to dropbear.
As soon as I'm authenticated with dropbear (pubkey), I normally get askpass screen, type my password, and got disconnected after a sucess cryptsetup message.

Doing this from my phone, it doesn't work (even with rotating the screen, so my terminal may not report change in width).

Doing this from my computer is fine.

I wanted to do the suggested "ps -w" tricks but the busybox from APT doesn't have this option for the ps applet.

Btw, this issue may be more linked to the cryptsetup-initramfs package?

Regards

Brian Murray (brian-murray)
Changed in cryptsetup (Ubuntu):
importance: Undecided → Low
Revision history for this message
Adam Vodopjan (grozzly) wrote :

@irkandur

> Btw, this issue may be more linked to the cryptsetup-initramfs package?

cryptsetup is the source package for cryptsetup-initramfs

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.