[Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk

Rickard Bellgrim rickard at opendnssec.org
Tue Aug 28 08:26:02 UTC 2012


> - Do we need to check the size of the shared memory returned?
> It does not specify what happens if there already is a shared memory segment and it's a different size than what you specify in shmget(). It might be good to check the size if it might have been changed between compilation/version etc.

If there is a memory segment but it is smaller than the given size,
then shmget will fail with the error EINVAL. This will happen if we
increase HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH. The memory segment
would need to be destroyed with the command below. I can add a comment
about this in the code, so that we remember this in future releases.

If we decrease HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH, then the
alignment in any existing memory would be wrong. Thus a bad PIN will
be given back to the code. The code is however written so that the PIN
will be removed from the shared memory if it causes a failed login
attempt.

> - Tools to destroy/recreate the shared memory segment?
> As above, if the shared memory segment is changed between versions/compilations, then for migration it might be good if there is a tool to recreate or destroy the segment. And it might be something some sysadmins want.

For now it is:
ipcrm -M 0x0d50d5ec

https://wiki.opendnssec.org/display/DOCSTRUNK/Running+OpenDNSSEC#RunningOpenDNSSEC-HSMlogin

> - Not save the PIN?
> If I see it correctly, the PIN is saved in shared memory whether you want it or not; maybe this should be an option for the paranoid?

If it is not saved in the shared memory, then it will not propagate to
the daemons which are waiting for the PIN to appear.

// Rickard
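
Added example (not part of the original message and not OpenDNSSEC code): a C program for the size check discussed in this thread. It uses shmctl(IPC_STAT) to catch the case where shmget succeeds on an existing segment that is larger than the requested size. The key, the sizes, the 0600 mode and the function names are assumptions made for the demonstration.

```c
/* Added example: not OpenDNSSEC code. Key, sizes and names are constructed. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>

enum seg_state { SEG_OK, SEG_TOO_SMALL, SEG_TOO_LARGE, SEG_ERROR };

/* Open or create the segment for `key` and require its size to equal `want`.
 * Mode 0600 (owner only) is an assumption of this example. */
enum seg_state open_checked(key_t key, size_t want, int *shmid_out)
{
    struct shmid_ds ds;
    int id = shmget(key, want, IPC_CREAT | 0600);
    if (id == -1)   /* an existing segment smaller than `want` gives EINVAL */
        return errno == EINVAL ? SEG_TOO_SMALL : SEG_ERROR;
    if (shmctl(id, IPC_STAT, &ds) == -1)
        return SEG_ERROR;
    if (ds.shm_segsz != want)   /* shmget accepted a larger, stale segment */
        return SEG_TOO_LARGE;
    *shmid_out = id;
    return SEG_OK;
}

/* Create a segment, then reopen it as if the compile-time sizes had grown
 * and shrunk. The segment is removed again before returning. */
void run_demo(enum seg_state out[3])
{
    key_t key = (key_t)(0x5EED0000 | (getpid() & 0xFFFF)); /* constructed key */
    size_t size = 8 * 256;  /* constructed: sessions * PIN length */
    int id = -1, unused = -1;

    out[0] = open_checked(key, size, &id);          /* fresh segment */
    out[1] = open_checked(key, size * 2, &unused);  /* constants increased */
    out[2] = open_checked(key, size / 2, &unused);  /* constants decreased */
    if (id != -1)
        shmctl(id, IPC_RMID, NULL);
}

int main(void)
{
    static const char *name[] = { "ok", "too small", "too large", "error" };
    enum seg_state r[3];
    run_demo(r);
    printf("same size: %s\nincreased: %s\ndecreased: %s\n",
           name[r[0]], name[r[1]], name[r[2]]);
    return 0;
}
```

When creating a new segment, shmget can also return EINVAL if the requested size is outside the system's SHMMIN/SHMMAX limits, so the "too small" result is only unambiguous for sizes within those limits.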
