diff options
author | Christian Hesse <mail@eworm.de> | 2014-04-16 19:15:59 +0200 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2014-04-16 19:15:59 +0200 |
commit | b86e58f61ff27a08468b87d67b6040415edace97 (patch) | |
tree | d8f25500861d5f2d94dd16772e7405e65aae3ce1 /bin | |
parent | fb6551d506d9f74f9d2a85d39ed5f2f111cc04aa (diff) | |
download | mkinitcpio-ykfde-b86e58f61ff27a08468b87d67b6040415edace97.tar.gz mkinitcpio-ykfde-b86e58f61ff27a08468b87d67b6040415edace97.tar.zst |
save a challenge for every key
Diffstat (limited to 'bin')
-rwxr-xr-x[-rw-r--r--] | bin/ykfde | 51 |
1 files changed, 18 insertions, 33 deletions
diff --git a/bin/ykfde b/bin/ykfde index 3901f2e..41f2718 100644..100755 --- a/bin/ykfde +++ b/bin/ykfde @@ -8,15 +8,13 @@ function help() { echo " -2 use Yubico key slot 2 (default)" echo " -d DEVICE add key to device DEVICE" echo " -h show this help" - echo " -k keep challenge, just add a new slot" } TMPDIR="$(mktemp --directory --tmpdir=/tmp/ .$(basename ${0})-${$}-XXXXXX)" -PASS="" SLOT="2" -KEEP="0" +SERIAL="$(ykinfo -sq)" -while getopts "12d:hk" opt; do +while getopts "12d:h" opt; do case ${opt} in 1) SLOT="1" @@ -31,12 +29,10 @@ while getopts "12d:hk" opt; do help exit 0 ;; - k) - KEEP="1" - ;; esac done +# check we have all information if [ -z "${DEVICE}" ]; then echo "No device given." >&2 help @@ -45,48 +41,37 @@ elif [ ! -b "${DEVICE}" ]; then echo "Device '${DEVICE}' does not exist or is not a block device." >&2 exit 1 elif ! cryptsetup isLuks "${DEVICE}" 2>/dev/null; then - echo "Device '${DEVICE}' does not exist." >&2 + echo "Device '${DEVICE}' is not a LUKS device." >&2 + exit 1 +elif [ -z "${SERIAL}" ]; then + echo "Did not get a serial number from key." >&2 exit 1 fi -if [ "${YKFDE_SLOT}" != "${SLOT}" ]; then - echo "Please update /etc/ykfde.conf to match your slot!" -fi - -echo "Please give extra password if you want to activate two factor" -echo -n "authentication, just ENTER for none: " -stty -echo -read PASS -stty echo -echo - -if [ -n "${PASS}" ]; then - echo "Do not forget to add 'ykfde_twofactor=y' to your boot parameters!" +# This directroy should exist, but we create it in case it does not +if [ ! -d "/etc/ykfde.d/" ]; then + install -d -m 0700 "/etc/ykfde.d/" fi -# generate challenge -if [ "${KEEP}" = "1" ] && [ -s "/etc/ykfde-challenge" ]; then - echo "User requested to keep challenge, not generating a new one." - ln -s "/etc/ykfde-challenge" "${TMPDIR}/ykfde-challenge" -else - makepasswd --chars=$((64-${#PASS})) | tr -d '\n' > "${TMPDIR}/ykfde-challenge" +# generate the challenge +if ! makepasswd --chars=64 | tr -d '\n' > "/etc/ykfde.d/challenge-${SERIAL}"; then + exit 1 fi -# generate response and add key to LUKS device -if ! ykchalresp -${SLOT} "${PASS}$(cat ${TMPDIR}/ykfde-challenge)" | tr -d '\n' > "${TMPDIR}/ykfde-response"; then +# generate response +if ! ykchalresp -${SLOT} "$(cat "/etc/ykfde.d/challenge-${SERIAL}")" | tr -d '\n' > "${TMPDIR}/ykfde-response"; then # ykchalresp should have shouted, so do not complain here exit 1 fi + +# add key to LUKS device if ! cryptsetup luksAddKey "${DEVICE}" "${TMPDIR}/ykfde-response"; then # cryptsetup should have shouted, ... exit 1 fi -# shred response and install challenge +# shred response and remove temporary directory shred --remove "${TMPDIR}/ykfde-response" -if [ "${KEEP}" != "1" ] && [ -s "${TMPDIR}/ykfde-challenge" ] && [ ! -L "${TMPDIR}/ykfde-challenge" ]; then - install -D -m 0400 "${TMPDIR}/ykfde-challenge" "/etc/ykfde-challenge" -fi rm -rf "${TMPDIR}" echo "Please do not forget to remove old keys when changing challenge!" |