</varlistentry>
<varlistentry>
- <term><option>silent</option></term>
-
- <listitem><para>If an encryption password or security token PIN is
- read from console, no asterisks will be shown while typing the pin or
- password.</para></listitem>
+ <term><option>password-echo=yes|no|masked</option></term>
+
+ <listitem><para>Controls whether to echo passwords or security token PINs
+ that are read from console. Takes a boolean or the special string <literal>masked</literal>.
+ The default is <option>password-echo=masked</option>.</para>
+
+ <para>If enabled, the typed characters are echoed literally. If disabled,
+ the typed characters are not echoed in any form, the user will not get
+ feedback on their input. If set to <literal>masked</literal>, an asterisk
+ (<literal>*</literal>) is echoed for each character typed. Regardless of
+ which mode is chosen, if the user hits the tabulator key (<literal>↹</literal>)
+ at any time, or the backspace key (<literal>⌫</literal>) before any other
+ data has been entered, then echo is turned off.</para></listitem>
</varlistentry>
<varlistentry>
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
- bool silent) {
+ AskPasswordFlags ask_password_flags) {
- AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT);
_cleanup_strv_free_erase_ char **pins = NULL;
_cleanup_free_ void *loaded_salt = NULL;
const char *salt;
char *e;
int r;
+ ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+
assert(cid);
assert(key_file || key_data);
if (headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
- r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
+ r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");
- flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+ ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
}
}
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
- bool silent);
+ AskPasswordFlags ask_password_flags);
int find_fido2_auto_data(
struct crypt_device *cd,
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size,
- bool silent) {
+ AskPasswordFlags ask_password_flags) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");
static unsigned arg_tries = 3;
static bool arg_readonly = false;
static bool arg_verify = false;
-static bool arg_silent = false;
+static AskPasswordFlags arg_ask_password_flags = 0;
static bool arg_discards = false;
static bool arg_same_cpu_crypt = false;
static bool arg_submit_from_crypt_cpus = false;
arg_readonly = true;
else if (streq(option, "verify"))
arg_verify = true;
- else if (streq(option, "silent"))
- arg_silent = true;
- else if (STR_IN_SET(option, "allow-discards", "discard"))
+ else if ((val = startswith(option, "password-echo="))) {
+ if (streq(val, "masked"))
+ arg_ask_password_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
+ else {
+ r = parse_boolean(val);
+ if (r < 0) {
+ log_warning_errno(r, "Invalid password-echo= option \"%s\", ignoring.", val);
+ return 0;
+ }
+
+ SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_ECHO, r);
+ SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_SILENT, !r);
+ }
+ } else if (STR_IN_SET(option, "allow-discards", "discard"))
arg_discards = true;
else if (streq(option, "same-cpu-crypt"))
arg_same_cpu_crypt = true;
_cleanup_strv_free_erase_ char **passwords = NULL;
char **p, *id;
int r = 0;
- AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT);
+ AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE;
assert(vol);
assert(src);
arg_headless,
required,
&decrypted_key, &decrypted_key_size,
- arg_silent);
+ arg_ask_password_flags);
if (r >= 0)
break;
if (r != -EAGAIN) /* EAGAIN means: token not found */