-rw-r--r-- | bin/ykfde | 91 | ||||
-rw-r--r-- | hook/ykfde | 36 | ||||
-rw-r--r-- | install/ykfde | 13 |
3 files changed, 140 insertions, 0 deletions
diff --git a/bin/ykfde b/bin/ykfde
new file mode 100644
index 0000000..56e75a7
--- /dev/null
+++ b/bin/ykfde
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+function help() {
+ echo "usage: ${0} [OPTIONS]"
+ echo
+ echo "where OPTIONS are:"
+ echo " -1 use Yubico key slot 1"
+ echo " -2 use Yubico key slot 2"
+ echo " -d DEVICE add key to device DEVICE"
+ echo " -h show this help"
+ echo " -k keep challenge, just add a new slot"
+}
+
+DIR="/tmp/.ykfde-${$}/"
+PASS=""
+SLOT="1"
+KEEP="0"
+
+while getopts "12d:hk" opt; do
+ case ${opt} in
+ 1)
+ SLOT="1"
+ ;;
+ 2)
+ SLOT="2"
+ echo "Do not forget to add 'ykfde_slot=2' to your boot parameters!"
+ ;;
+ d)
+ DEVICE="${OPTARG}"
+ ;;
+ h)
+ help
+ exit 0
+ ;;
+ k)
+ KEEP="1"
+ ;;
+ esac
+done
+
+if [ -z "${DEVICE}" ]; then
+ echo "No device given." >&2
+ help
+ exit 1
+elif [ ! -b "${DEVICE}" ]; then
+ echo "Device '${DEVICE}' does not exist or is not a block device." >&2
+ exit 1
+elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
+ echo "Device '${DEVICE}' does not exist." >&2
+ exit 1
+fi
+
+install -d -m0700 "${DIR}"
+echo "Please give extra password if you want to activate two factor"
+echo -n "authentication, just ENTER for none: "
+stty -echo
+read PASS
+stty echo
+echo
+
+if [ -n "${PASS}" ]; then
+ echo "Do not forget to add 'ykfde_twofactor=y' to your boot parameters!"
+fi
+
+# generate challenge
+if [ "${KEEP}" = "1" ] && [ -s "/etc/ykfde-challenge" ]; then
+ echo "User requested to keep challenge, not generating a new one."
+ ln -s "/etc/ykfde-challenge" "${DIR}/ykfde-challenge"
+else
+ makepasswd --chars=$((64-${#PASS})) | tr -d '\n' > "${DIR}/ykfde-challenge"
+fi
+
+# generate response and add key to LUKS device
+if ! ykchalresp -${SLOT} "${PASS}$(cat ${DIR}/ykfde-challenge)" > "${DIR}/ykfde-response"; then
+ # ykchalresp should have shouted, so do not complain here
+ exit 1
+fi
+if ! cryptsetup luksAddKey "${DEVICE}" "${DIR}/ykfde-response"; then
+ # cryptsetup should have shouted, ...
+ exit 1
+fi
+
+# shred response and install challenge
+shred --remove "${DIR}/ykfde-response"
+if [ "${KEEP}" != "1" ] && [ -s "${DIR}/ykfde-challenge" ] && [ ! -L "${DIR}/ykfde-challenge" ]; then
+ install -D -m 0400 "${DIR}/ykfde-challenge" "/etc/ykfde-challenge"
+fi
+rm -rf "${DIR}"
+
+echo "Please do not forget to remove old keys when changing challenge!"
+echo "Now run 'mkinitcpio' to build a new initramfs!"
diff --git a/hook/ykfde b/hook/ykfde
new file mode 100644
index 0000000..be75694
--- /dev/null
+++ b/hook/ykfde
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+run_hook() {
+ ykfde_slot="${ykfde_slot:-1}"
+ ykfde_count=0
+
+ if [ -s /ykfde-challenge ]; then
+ modprobe -a -q usbhid >/dev/null 2>&1
+
+ if [ "${ykfde_twofactor}" = "y" ]; then
+ echo -n "Please give two factor key for Yubikey: "
+ stty -echo
+ read TWOFACTOR
+ stty echo
+ echo
+ else
+ TWOFACTOR=""
+ fi
+
+ # Any chance to get this more efficient? Without polling and without long sleep times would be great.
+ while ! ykchalresp -${ykfde_slot} "${TWOFACTOR}$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null; do
+ if [ $((ykfde_count++)) -gt 10 ]; then
+ msg ":: No Yubikey presend, fallback to interactive mode"
+ rm -f /ykfde-challenge
+ return 1
+ fi
+ sleep 0.3
+ done
+
+ msg ":: Created crypto keyfile using Yubikey, handing over to encrypt hook"
+ rm -f /ykfde-challenge
+ else
+ msg ":: No challenge found, falling back to interactive mode"
+ return 1
+ fi
+}
diff --git a/install/ykfde b/install/ykfde
new file mode 100644
index 0000000..bbf5bd2
--- /dev/null
+++ b/install/ykfde
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+build() {
+ add_runscript
+ add_binary ykchalresp
+ add_file /etc/ykfde-challenge /
+ add_module 'usbhid'
+}
+
+help() {
+ echo "This hook adds support for opening LUKS devices with Yubico key."
+ echo "Please use command 'ykfde' to prepare."
+} |
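Review bot: The LUKS key material written to `${DIR}/ykfde-response` lives in a predictable, PID-named directory (`DIR="/tmp/.ykfde-${$}/"` followed by `install -d -m0700`), and both `exit 1` paths after `ykchalresp` and `luksAddKey` leave that directory in place, so a failed run leaves the response file on disk and an entry of the same name pre-created in /tmp would be reused as the target. Create the directory with `mktemp -d` and release it from an EXIT trap instead; the trap also restores the terminal if the script dies between `stty -echo` and `stty echo`, and the later explicit `shred`/`rm -rf` lines can stay. The file is `#!/bin/sh` but uses the `function` keyword and `echo -n`, neither of which is POSIX; `help() {` and `printf '%s' "..."` are portable. Two smaller points: the `isLuks` branch prints "does not exist." where "is not a LUKS device" is meant, and `$(cat ${DIR}/ykfde-challenge)` should quote its argument.
```shell
DIR=$(mktemp -d) || exit 1
cleanup() {
	stty echo 2>/dev/null
	[ -f "${DIR}/ykfde-response" ] && shred --remove "${DIR}/ykfde-response"
	rm -rf -- "${DIR}"
}
trap cleanup EXIT
# … unchanged: PASS/SLOT/KEEP defaults, option parsing, device checks …
# (the later `install -d -m0700 "${DIR}"` is no longer needed; mktemp -d creates it 0700)
```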
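Review bot: The redirection `> /crypto_keyfile.bin` in the `while` condition creates and truncates the keyfile on every failed `ykchalresp` attempt, yet the give-up branch only runs `rm -f /ykfde-challenge` before `return 1`, so the encrypt hook is handed an empty /crypto_keyfile.bin on the fallback path; change that line to `rm -f /ykfde-challenge /crypto_keyfile.bin`. Whether the encrypt hook removes the keyfile after a successful unlock is not visible here; if it does not, the derived key stays in the initramfs tmpfs until boot completes and this hook is the place to document that expectation. `read TWOFACTOR` should be `read -r TWOFACTOR`, and `$((ykfde_count++))` relies on a `++` operator that not every `/bin/sh` implements; `ykfde_count=$((ykfde_count + 1))` on its own line, with the bound adjusted, is portable. The fallback message also misspells "present" as "presend".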
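Review bot: `add_file /etc/ykfde-challenge /` in build() runs unconditionally, so running mkinitcpio before `ykfde` has produced the challenge makes add_file complain about a missing source; guarding it with `if [ -s /etc/ykfde-challenge ]; then add_file /etc/ykfde-challenge /; fi` lets the image build and leaves boot to the hook's own "No challenge found" fallback. help() should also state that the challenge is copied into the initramfs, which typically sits on an unencrypted /boot, so the file has to be treated as readable by anyone holding the boot medium; e.g. `echo "The challenge in /etc/ykfde-challenge is embedded in the initramfs."` after the existing lines.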