From 0498dd512161b7fb07e703e03bc9b8ca8b3dd400 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 22 Dec 2014 22:03:21 +0100
Subject: replace shell script with C code, and many more
* place bin/ykfde with C source code bin/ykfde.c
* challenge/response can be updated in place WARNING: This required config file syntax change!
* updates and simplification to udev/ykfde
* a lot more...
Signed-off-by: Christian Hesse
---
bin/ykfde | 74 ---------------------------------------------------------------
1 file changed, 74 deletions(-)
delete mode 100755 bin/ykfde
(limited to 'bin/ykfde')
diff --git a/bin/ykfde b/bin/ykfde
deleted file mode 100755
index 41601b1..0000000
--- a/bin/ykfde
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/sh
-
-function help() {
- echo "usage: ${0} [OPTIONS]"
- echo
- echo "where OPTIONS are:"
- echo " -1 use Yubico key slot 1"
- echo " -2 use Yubico key slot 2 (default)"
- echo " -h show this help"
-}
-
-DEVICE="$(egrep -v '^(#|$)' /etc/crypttab.initramfs 2>/dev/null | head -n1 | sed 's/\s\+/:/g' | cut -d: -f2)"
-SERIAL="$(ykinfo -sq)"
-SLOT="2"
-TMPDIR="$(mktemp --directory --tmpdir=/tmp/ .$(basename ${0})-${$}-XXXXXX)"
-
-while getopts "12h" opt; do
- case ${opt} in
- 1)
- SLOT="1"
- ;;
- 2)
- SLOT="2"
- ;;
- h)
- help
- exit 0
- ;;
- esac
-done
-
-# check we have all information
-if [ -z "${DEVICE}" ]; then
- echo "Failed to get device from /etc/crypttab.initramfs." >&2
- exit 1
-elif [ ! -b "${DEVICE}" ]; then
- echo "Device '${DEVICE}' does not exist or is not a block device." >&2
- exit 1
-elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
- echo "Device '${DEVICE}' is not a LUKS device." >&2
- exit 1
-elif [ -z "${SERIAL}" ]; then
- echo "Did not get a serial number from key. Did you insert one?" >&2
- exit 1
-fi
-
-# This directroy should exist, but we create it in case it does not
-if [ ! -d "/etc/ykfde.d/" ]; then
- install -d -m 0700 "/etc/ykfde.d/"
-fi
-
-# generate the challenge
-if ! makepasswd --chars=64 | tr -d '\n' > "/etc/ykfde.d/challenge-${SERIAL}"; then
- exit 1
-fi
-
-# generate response
-if ! ykchalresp -${SLOT} "$(cat "/etc/ykfde.d/challenge-${SERIAL}")" | tr -d '\n' > "${TMPDIR}/ykfde-response"; then
- # ykchalresp should have shouted, so do not complain here
- exit 1
-fi
-
-# add key to LUKS device
-if ! cryptsetup luksAddKey "${DEVICE}" "${TMPDIR}/ykfde-response"; then
- # cryptsetup should have shouted, ...
- exit 1
-fi
-
-# shred response and remove temporary directory
-shred --remove "${TMPDIR}/ykfde-response"
-rm -rf "${TMPDIR}"
-
-echo "Please do not forget to remove old keys when changing challenge!"
-echo "Now run 'mkinitcpio' to build a new initramfs!"
--
cgit v1.2.3-54-g00ecf