#!/bin/bash
# Strict mode: abort on the first failing command (-e) and on any reference to
# an unset variable (-u). Everything below handles passphrase material, so a
# half-finished run must fail loudly rather than emit a partial dialog to
# cryptsetup. Do NOT add -x here: xtrace prints expanded command words, which
# would write the passphrases to stderr.
set -eu
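#######################################
# Print the help text on stdout. Callers redirect it to stderr so it never
# mixes with the passphrase lines this script emits for cryptsetup.
# The heredoc delimiter is quoted: the text is literal, nothing is expanded.
# Fix: the cryptsetup subcommand is "luksAddKey" (as the code comment further
# down also says), not "addLuksKey", which cryptsetup rejects.
#######################################
usage () {
  cat <<'EOF'
# ==================
# Prior to running this script to add a Yubikey as a LUKS passphrase, first
# configure your Yubikey for challenge-response with the following:
#
# ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 [-ochal-btn-trig]
#
# Refer to the manpage for ykpersonalize for details on each option.
# -ochal-btn-trig is optional but strongly recommended so that you
# are always aware of when your Yubikey performs an HMAC. It can, however,
# cause problems if you are attempting to use the same slot as a means of
# logging into a local Windows account (which may or may not matter for you).
#
# Expected Usage:
#
# add_2fa [-1 | -2] | cryptsetup luksAddKey /device
#
# The first argument is optional and names the Yubikey slot to use for the
# challenge-response protocol. Default is "-2". This script will correspond
# with cryptsetup's luksAddKey dialog to add the Yubikey's response as a
# disk encryption passphrase. Prompts are written to stderr and the
# passphrases you type are read from the terminal; only the lines meant for
# cryptsetup go to stdout. Although this can be achieved via a keyfile,
# passing the response via stdout means the response (which is in effect
# the same as a passphrase in sensitivity) never hits the disk and therefore
# never needs to be shredded.
EOF
}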
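# Yubikey slot to use for challenge-response; only -1 and -2 exist.
readonly DEFAULT_SLOT="-2"
SLOT="${1:-$DEFAULT_SLOT}"
if [[ "$SLOT" != "-1" && "$SLOT" != "-2" ]]; then
  usage >&2
  exit 1
fi

# All prompts go to stderr; stdout is reserved for the lines cryptsetup reads.
# 'read -r' keeps backslashes in a passphrase intact. Without it "a\b" is
# silently read as "ab", and the LUKS slot ends up keyed to a response the
# user can never reproduce at the unlock prompt.
echo "Enter an existing LUKS passphrase: " >&2
read -r -s existing

echo "Enter a new first factor passphrase: " >&2
read -r -s first
# The response is written to cryptsetup twice (passphrase + verification), so
# cryptsetup's own verify step cannot catch a typo in the first factor. Verify
# it here instead, before anything reaches stdout.
echo "Verify the new first factor passphrase: " >&2
read -r -s first_verify
if [[ "$first" != "$first_verify" ]]; then
  echo "First factor passphrases do not match" >&2
  exit 1
fi
# An empty challenge makes the Yubikey's HMAC a constant: possession of the
# key alone would unlock the disk, which defeats the "second factor" purpose.
if [[ -z "$first" ]]; then
  echo "The first factor passphrase must not be empty" >&2
  exit 1
fi

response=''
while [[ -z "$response" ]]; do
  # ykchalresp exits 1 for almost every failure mode and its stderr is not
  # worth parsing, so its diagnostics are left to reach the user and the
  # loop simply retries until ykchalresp succeeds or the user gives up
  # (EOF on the "Press enter" read aborts the script under set -e).
  echo "Use your Yubikey as a second factor: " >&2
  # The challenge is fed on stdin ('-i -') instead of as an argument: a
  # command-line argument is readable by other local users through
  # /proc/<pid>/cmdline for as long as ykchalresp waits on the key (seconds,
  # when the touch trigger is configured). printf '%s' appends no newline, so
  # the bytes the key HMACs are exactly the passphrase. Needs a ykchalresp
  # that supports the -i option.
  if stdout=$(printf '%s' "$first" | ykchalresp "$SLOT" -i -); then
    response="$stdout"
  else
    echo "Press enter before trying again" >&2
    read -r -s _
  fi
done

echo "Adding key to Luks container" >&2
# Answers to the 'cryptsetup luksAddKey' dialog, in order: the existing
# passphrase, the new passphrase, and its verification. printf rather than
# echo so a passphrase that starts with "-n"/"-e" is emitted verbatim instead
# of being parsed as an echo option.
printf '%s\n' "$existing" "$response" "$response"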