aboutsummaryrefslogtreecommitdiffstats
path: root/bin/ykfde
blob: 5f853876122e89e761e6444c56eef61c6a66fd76 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/bin/sh

source /etc/ykfde.conf

function help() {
	echo "usage: ${0} [OPTIONS]"
	echo
	echo "where OPTIONS are:"
	echo " -1         use Yubico key slot 1"
	echo " -2         use Yubico key slot 2 (default)"
	echo " -d DEVICE  add key to device DEVICE"
	echo " -h         show this help"
	echo " -k         keep challenge, just add a new slot"
}

TMPDIR="$(mktemp --directory --tmpdir=/tmp/ .$(basename ${0})-${$}-XXXXXX)"
PASS=""
SLOT="2"
KEEP="0"

while getopts "12d:hk" opt; do
	case ${opt} in
		1)
			SLOT="1"
			;;
		2)
			SLOT="2"
			;;
		d)
			DEVICE="${OPTARG}"
			;;
		h)
			help
			exit 0
			;;
		k)
			KEEP="1"
			;;
	esac
done

if [ -z "${DEVICE}" ]; then
	echo "No device given." >&2
	help
	exit 1
elif [ ! -b "${DEVICE}" ]; then
	echo "Device '${DEVICE}' does not exist or is not a block device." >&2
	exit 1
elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then
	echo "Device '${DEVICE}' does not exist." >&2
	exit 1
fi

if [ "${YKFDE_SLOT}" != "${SLOT}" ]; then
	echo "Please update /etc/ykfde.conf to match your slot!"
fi

echo "Please give extra password if you want to activate two factor"
echo -n "authentication, just ENTER for none: "
stty -echo
read PASS
stty echo
echo

if [ -n "${PASS}" ]; then
	echo "Do not forget to add 'ykfde_twofactor=y' to your boot parameters!"
fi

# generate challenge
if [ "${KEEP}" = "1" ] && [ -s "/etc/ykfde-challenge" ]; then
	echo "User requested to keep challenge, not generating a new one."
	ln -s "/etc/ykfde-challenge" "${TMPDIR}/ykfde-challenge"
else
	makepasswd --chars=$((64-${#PASS})) | tr -d '\n' > "${TMPDIR}/ykfde-challenge"
fi

# generate response and add key to LUKS device
if ! ykchalresp -${SLOT} "${PASS}$(cat ${TMPDIR}/ykfde-challenge)" | tr -d '\n' > "${TMPDIR}/ykfde-response"; then
	# ykchalresp should have shouted, so do not complain here
	exit 1
fi
if ! cryptsetup luksAddKey "${DEVICE}" "${TMPDIR}/ykfde-response"; then
	# cryptsetup should have shouted, ...
	exit 1
fi

# shred response and install challenge
shred --remove "${TMPDIR}/ykfde-response"
if [ "${KEEP}" != "1" ] && [ -s "${TMPDIR}/ykfde-challenge" ] && [ ! -L "${TMPDIR}/ykfde-challenge" ]; then
	install -D -m 0400 "${TMPDIR}/ykfde-challenge" "/etc/ykfde-challenge"
fi
rm -rf "${TMPDIR}"

echo "Please do not forget to remove old keys when changing challenge!"
echo "Now make sure /etc/crypttab.initramfs has the needed entry, then"
echo "run 'mkinitcpio' to build a new initramfs!"