summaryrefslogtreecommitdiffstats
path: root/bin
diff options
context:
space:
mode:
authorGravatar Christian Hesse <mail@eworm.de>2013-05-27 10:50:21 +0200
committerGravatar Christian Hesse <mail@eworm.de>2013-05-27 10:50:21 +0200
commit8e74f73bf46c3dc6ed96e1e0db04db88e7761521 (patch)
treeedd2fd51f8cca7c3e69cc2e4896a2bd230a171c7 /bin
parentfd8e3a0f6f0370699690d0c09630f8e64e30e10e (diff)
downloadmkinitcpio-ykfde-8e74f73bf46c3dc6ed96e1e0db04db88e7761521.tar.gz
mkinitcpio-ykfde-8e74f73bf46c3dc6ed96e1e0db04db88e7761521.tar.zst
Initial import0.2.0
Diffstat (limited to 'bin')
-rw-r--r--bin/ykfde91
1 files changed, 91 insertions, 0 deletions
diff --git a/bin/ykfde b/bin/ykfde
new file mode 100644
index 0000000..56e75a7
--- /dev/null
+++ b/bin/ykfde
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+function help() {
+ echo "usage: ${0} [OPTIONS]"
+ echo
+ echo "where OPTIONS are:"
+ echo " -1 use Yubico key slot 1"
+ echo " -2 use Yubico key slot 2"
+ echo " -d DEVICE add key to device DEVICE"
+ echo " -h show this help"
+ echo " -k keep challenge, just add a new slot"
+}
+
+DIR="/tmp/.ykfde-${$}/"
+PASS=""
+SLOT="1"
+KEEP="0"
+
+while getopts "12d:hk" opt; do
+ case ${opt} in
+ 1)
+ SLOT="1"
+ ;;
+ 2)
+ SLOT="2"
+ echo "Do not forget to add 'ykfde_slot=2' to your boot parameters!"
+ ;;
+ d)
+ DEVICE="${OPTARG}"
+ ;;
+ h)
+ help
+ exit 0
+ ;;
+ k)
+ KEEP="1"
+ ;;
+ esac
+done
+
+if [ -z "${DEVICE}" ]; then
+ echo "No device given." >&2
+ help
+ exit 1
+elif [ ! -b "${DEVICE}" ]; then
+ echo "Device '${DEVICE}' does not exist or is not a block device." >&2
+ exit 1
+elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
+ echo "Device '${DEVICE}' does not exist." >&2
+ exit 1
+fi
+
+install -d -m0700 "${DIR}"
+echo "Please give extra password if you want to activate two factor"
+echo -n "authentication, just ENTER for none: "
+stty -echo
+read PASS
+stty echo
+echo
+
+if [ -n "${PASS}" ]; then
+ echo "Do not forget to add 'ykfde_twofactor=y' to your boot parameters!"
+fi
+
+# generate challenge
+if [ "${KEEP}" = "1" ] && [ -s "/etc/ykfde-challenge" ]; then
+ echo "User requested to keep challenge, not generating a new one."
+ ln -s "/etc/ykfde-challenge" "${DIR}/ykfde-challenge"
+else
+ makepasswd --chars=$((64-${#PASS})) | tr -d '\n' > "${DIR}/ykfde-challenge"
+fi
+
+# generate response and add key to LUKS device
+if ! ykchalresp -${SLOT} "${PASS}$(cat ${DIR}/ykfde-challenge)" > "${DIR}/ykfde-response"; then
+ # ykchalresp should have shouted, so do not complain here
+ exit 1
+fi
+if ! cryptsetup luksAddKey "${DEVICE}" "${DIR}/ykfde-response"; then
+ # cryptsetup should have shouted, ...
+ exit 1
+fi
+
+# shred response and install challenge
+shred --remove "${DIR}/ykfde-response"
+if [ "${KEEP}" != "1" ] && [ -s "${DIR}/ykfde-challenge" ] && [ ! -L "${DIR}/ykfde-challenge" ]; then
+ install -D -m 0400 "${DIR}/ykfde-challenge" "/etc/ykfde-challenge"
+fi
+rm -rf "${DIR}"
+
+echo "Please do not forget to remove old keys when changing challenge!"
+echo "Now run 'mkinitcpio' to build a new initramfs!"