-rw-r--r--bin/ykfde7
-rw-r--r--conf/ykfde.conf2
-rw-r--r--hook/ykfde36
-rw-r--r--install/ykfde4
-rw-r--r--udev/20-ykfde.rules4
-rwxr-xr-xudev/ykfde9
6 files changed, 22 insertions, 40 deletions
diff --git a/bin/ykfde b/bin/ykfde
index c5b522e..c0ce909 100644
--- a/bin/ykfde
+++ b/bin/ykfde
@@ -5,7 +5,7 @@ function help() {
echo
echo "where OPTIONS are:"
echo " -1 use Yubico key slot 1"
- echo " -2 use Yubico key slot 2"
+ echo " -2 use Yubico key slot 2 (default)"
echo " -d DEVICE add key to device DEVICE"
echo " -h show this help"
echo " -k keep challenge, just add a new slot"
@@ -13,17 +13,18 @@ function help() {
TMPDIR="$(mktemp --tmpdir=/tmp/ .$(basename ${0})-${$}-XXXXXX)"
PASS=""
-SLOT="1"
+SLOT="2"
KEEP="0"
while getopts "12d:hk" opt; do
case ${opt} in
1)
SLOT="1"
+ echo "Please update /etc/ykfde.conf if needed!"
;;
2)
SLOT="2"
- echo "Do not forget to add 'ykfde_slot=2' to your boot parameters!"
+ echo "Please update /etc/ykfde.conf if needed!"
;;
d)
DEVICE="${OPTARG}"
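Review bot: The new `echo` lines on the `1)` and `2)` arms only ask the user to edit /etc/ykfde.conf by hand, so the slot used to enrol the key (`SLOT`) and the slot read at boot (`YKFDE_SLOT`) can diverge silently, and a wrong slot produces a keyfile that does not unlock the volume. Since this script already knows `SLOT`, it could verify the config instead of printing a reminder, e.g. `grep -qx "YKFDE_SLOT=${SLOT}" /etc/ykfde.conf 2>/dev/null || echo "Warning: /etc/ykfde.conf does not set YKFDE_SLOT=${SLOT}" >&2`. The `while getopts` loop that begins in this hunk continues past it.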
diff --git a/conf/ykfde.conf b/conf/ykfde.conf
new file mode 100644
index 0000000..fa715db
--- /dev/null
+++ b/conf/ykfde.conf
@@ -0,0 +1,2 @@
+# Specify what Yubikey slot to use for full disk encryption
+YKFDE_SLOT=2
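Review bot: This file is consumed with `source` by the new udev/ykfde helper, so it is executed as shell code in early boot rather than parsed as a key=value list, and the comment should say so. Suggested header: `# Shell syntax: this file is sourced by /usr/lib/udev/ykfde in early boot. Valid values for YKFDE_SLOT are 1 or 2.`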
diff --git a/hook/ykfde b/hook/ykfde
deleted file mode 100644
index be75694..0000000
--- a/hook/ykfde
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-run_hook() {
- ykfde_slot="${ykfde_slot:-1}"
- ykfde_count=0
-
- if [ -s /ykfde-challenge ]; then
- modprobe -a -q usbhid >/dev/null 2>&1
-
- if [ "${ykfde_twofactor}" = "y" ]; then
- echo -n "Please give two factor key for Yubikey: "
- stty -echo
- read TWOFACTOR
- stty echo
- echo
- else
- TWOFACTOR=""
- fi
-
- # Any chance to get this more efficient? Without polling and without long sleep times would be great.
- while ! ykchalresp -${ykfde_slot} "${TWOFACTOR}$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null; do
- if [ $((ykfde_count++)) -gt 10 ]; then
- msg ":: No Yubikey presend, fallback to interactive mode"
- rm -f /ykfde-challenge
- return 1
- fi
- sleep 0.3
- done
-
- msg ":: Created crypto keyfile using Yubikey, handing over to encrypt hook"
- rm -f /ykfde-challenge
- else
- msg ":: No challenge found, falling back to interactive mode"
- return 1
- fi
-}
diff --git a/install/ykfde b/install/ykfde
index bbf5bd2..ddb6b4e 100644
--- a/install/ykfde
+++ b/install/ykfde
@@ -1,8 +1,10 @@
#!/bin/sh
build() {
- add_runscript
add_binary ykchalresp
+ add_binary /usr/lib/udev/ykfde
+ add_file /usr/lib/initcpio/udev/20-ykfde.rules /usr/lib/udev/rules.d/20-ykfde.rules
+ add_file /etc/ykfde.conf
add_file /etc/ykfde-challenge /
add_module 'usbhid'
}
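Review bot: The added `add_file /etc/ykfde.conf` makes the config file mandatory at image-build time, while the new udev/ykfde helper in this commit also sources it unconditionally; a host without the file therefore gets either a build error (mkinitcpio's add_file presumably reports a missing source) or a helper that aborts before calling ykchalresp. Either install conf/ykfde.conf as part of the package so it always exists, or guard both places the same way, e.g. `[ -f /etc/ykfde.conf ] && add_file /etc/ykfde.conf` here and a matching readability check in the helper. The two files should not disagree on whether the config is optional.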
diff --git a/udev/20-ykfde.rules b/udev/20-ykfde.rules
new file mode 100644
index 0000000..54cd1c2
--- /dev/null
+++ b/udev/20-ykfde.rules
@@ -0,0 +1,4 @@
+# do challenge response with Yubikey II and try to answer
+# password agent
+ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
+ RUN+="/usr/lib/udev/ykfde"
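Review bot: The rule carries no SUBSYSTEM or DEVTYPE match, and since `ATTRS{}` walks up the device tree it fires for every child of the Yubikey that is added (USB interfaces, hidraw nodes), not only the device itself; that may be part of why udev/ykfde observes repeated add events. Restricting the match to the device node, `SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device",` placed before the `ATTRS` keys, would run the helper once per plug-in. This is inferred from the rule text alone; confirm with `udevadm monitor` on a real device.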
diff --git a/udev/ykfde b/udev/ykfde
new file mode 100755
index 0000000..ce83117
--- /dev/null
+++ b/udev/ykfde
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+source /etc/ykfde.conf
+
+# Looks like Yubikey is reset after challenge response, triggering
+# yet another add event. Ignore if the file exists.
+[ -s /crypto_keyfile.bin ] && exit 0
+
+ykchalresp -${YKFDE_SLOT:-2} "$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null
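Review bot: The two-factor path of the deleted hook (`ykfde_twofactor`, read from the console and prefixed to the challenge) has no counterpart here: the helper sends only the stored challenge, so the keyfile is derived from the Yubikey and the initramfs contents with no user-held secret involved. If that is the intended trade-off for udev-driven unlocking (a udev RUN program has no console to prompt on), it should be stated in the commit message and in ykfde.conf; otherwise the feature is lost silently. Separately, `source` is not POSIX under `#!/bin/sh` (busybox ash accepts it, dash does not), and a failed ykchalresp may leave a non-empty but invalid /crypto_keyfile.bin that the `-s` check treats as success on the next add event. Proposed lines: `[ -r /etc/ykfde.conf ] && . /etc/ykfde.conf` and `ykchalresp -"${YKFDE_SLOT:-2}" "$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null || rm -f /crypto_keyfile.bin`.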