Allow keyboard password input apart from HTTPS/SSH

[kennethso168]

I'm thinking of having a virtualized router running inside my cluster of sedutil-encrypted homeservers. I tested your PBA image and found a problem: the image does not allow any keyboard input, so the password can only be inputted via HTTPS/SSH after a DHCP-configured network is up. However, in the event of all nodes of the cluster being shutdown (e.g. power outage), I will have no "router" and no DHCP server, and therefore unable to input the password unless maybe I set up a temporary hardware router just for unlocking the drives.

Therefore it would be great if keyboard input of the password is allowed as a fallback option apart from HTTPS/SSH. I have already implement this in my fork. To make it work I have to implement keyboard input in the main function. It also starts a goroutine that waits for network connection. When there is a network connection, it starts another two goroutine for HTTPS and SSH server.

I have tested this on a ProxMox VM and my spare PC:

(N.B.: this is a VM so the program says there is no TCG Opal disks after I have entered my password. On my spare PC it would say 'Disks unlocked, please reboot manually')

Password input is not echoed to the screen (not even asterisks). Current implementation rules out r, reboot, or any combination of uppercase or lowercase of these two strings to be used as the password of the disks as they are used to reboot the server.

Do you have any comments? I can also open a PR for this.

[Jip-Hop]

Sounds like an interesting use case! And yes I agree it would be an improvement to also allow unlocking with a directly attached keyboard. Few notes though. How would you be able to input 'reboot' if already inputting 'r' would cause a reboot? Or only after pressing the enter key? Why not just use the escape key to trigger a reboot? Then you don't have to rule out any words/letters from the password.

One of the issues I had with the regular sedutil PBA is the keyboard mapping. Have you considered that? The us_english keyboard mapping may not be applicable to everyone, which makes typing in the password correctly (e.g. for people with a German or French keyboard) much harder...

[kennethso168]

Yes, currently it'll only reboot after pressing the enter key.

Using some kind of escape key would also be nice. The problem is this is really my first time writing in golang so need to figure out how do do that 😂. Currently it's just a simple scanln

And yes I'm using the us_english keyboard.

[kapitainsky]

It would be nice if there is some consistency e.g. for SSH unlock at the moment it is ESC to reboot

Here some example how to read any ACSII code in golang:

https://www.socketloop.com/tutorials/golang-get-ascii-code-from-a-key-press-cross-platform-example

you could maybe use similar logic I used for SSH part (and it also includes echo:)) - it is in bash but all algo can be similar:

https://github.com/Jip-Hop/sedunlocksrv-pba/blob/613861e634f26b54da52b8de7fb81e6882fc9435/ssh/ssh_sed_unlock.sh#L36-L58

[kennethso168]

Thanks @kapitainsky for your input. I agree that it'd be nice if the controls are consistent with the SSH unlock.

However, the golang example you provided uses the termbox-go library, which the author said that it was "somewhat not maintained anymore". And I think we should avoid external dependencies for such a crucial piece of software.

I found this example in pure golang and the unix shell. I think I can quickly try it.

[kapitainsky]

What I only wanted to say is that definitely there is some way - it was first example I googled. golang is mature language and simply I do not buy an option that it is not possible:)

[kennethso168]

Done in https://github.com/kennethso168/sedunlocksrv-pba/commit/138e81031ea030d854624818933e6eebeea2d5b9

Unlock in action on a real device:

I also made it possible to shutdown using keyboard using Ctrl-D in alignment with the SSH server

@Jip-Hop ready for a PR now?

[Jip-Hop]

Looks good! Definitely an improvement in functionality so thanks for that. I won't be able to test the PR in action (don't have a spare system with SED currently).

How is the flow working now? While waiting for network you can unlock directly with keyboard, but when there's network connectivity, then what happens? Still unlockable via keyboard or then only via SSH or https?

I don't remember but do you think it will be hard to support a different keyboard mapping when building the image?

[kennethso168]

Yes, it is still possible to unlock after network connectivity as the SSH and https servers are started in background as goroutines.

Quickly I found this for setting the keyboard layout in TinyCoreLinux. I think this could be run in tc-config to set the keyboard layout for the password input, but I won't be able to test that as I only have US keyboards.

[kennethso168]

https://unix.stackexchange.com/questions/740728/problem-when-changing-the-keyboard-layout-in-tiny-core-linux

It is also needed to install a package to populate the keymap directory

[Jip-Hop]

Thanks for looking into it! Would you mind making it work for different keyboard mappings too? If not, please add a little documentation about this new feature and we can merge it the way it is :)

[kennethso168]

I think there are more considerations into how to implement different keyboard mappings. I will open another issue for that.

So I will add a little documentation and open a PR.

And just to let you know a little more about the workflow. Here is a demo on a Proxmox VM recorded using OBS Studio. I disabled the network link on the VM, started the recording, started the VM, entered "pass", re-enabled the network link and entered "word". The password inputted would be "password":

https://github.com/Jip-Hop/sedunlocksrv-pba/assets/5262487/141a3175-545c-4942-9afa-1f82839cc77c