Re: [systemd-devel] unlocking encrypted hard disk two factor authentication (password and Yubikey)
Lennart Poettering on Fri, 2014/05/16 18:56:
> On Wed, 30.04.14 23:20, Christian Hesse (m...@eworm.de) wrote:
>
> > 4. udev launches my executable 'ykfde'
> > 5. ykfde asks for a second password (second factor)
> > 6. user types second password on keyboard
> > 7. ykfde receives second password and generates challenge
> > 8. ykfde sends challenge to the key
> > 9. ykfde receives response from the key
> > 10. ykfde answers systemd's password request
> > 11. systemd unlocks the hard disk and continues booting
> >
> > Is there any way to make sure the user answers the second password
> > request?
> >
> > If no Yubikey is present (and no second password request is started) the
> > user should be able to answer as usual by typing a valid key.
>
> Did I get this right:
>
> a) if there's a yubikey present, your tool shall answer cryptsetup's
> password queries, and the user shall only answer your tool's questions?
>
> b) if there's no yubikey present, the user shall directly answer
> cryptsetup's password queries?
>
> So basically, you want to plug your tool in the middle of the password
> pipeline, when the tool is running?

Exactly.

> I don't see a way how to do that in the current scheme. We could extend
> it in a way where a client could take possession of a password request
> or so. Maybe via BSD file locks on the file containing the prompt or
> so. As soon as some other process sees that it would have to hide the
> prompt?
>
> But meh, I have the suspicion we'll revisit the entire password
> prompt protocol anyway as soon as we have kdbus and can use the bus
> during early boot... I am not too keen thinking up this just now if we
> already know that thing will change quite a bit sooner or later in this
> area...

Ah, ok... Would be great if anybody keeps this in mind then. ;)

Thanks!

-- 
Kind regards
Chris

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] unlocking encrypted hard disk two factor authentication (password and Yubikey)
On Wed, 30.04.14 23:20, Christian Hesse (m...@eworm.de) wrote:

> 4. udev launches my executable 'ykfde'
> 5. ykfde asks for a second password (second factor)
> 6. user types second password on keyboard
> 7. ykfde receives second password and generates challenge
> 8. ykfde sends challenge to the key
> 9. ykfde receives response from the key
> 10. ykfde answers systemd's password request
> 11. systemd unlocks the hard disk and continues booting
>
> Is there any way to make sure the user answers the second password request?
>
> If no Yubikey is present (and no second password request is started) the user
> should be able to answer as usual by typing a valid key.

Did I get this right:

a) if there's a yubikey present, your tool shall answer cryptsetup's
password queries, and the user shall only answer your tool's questions?

b) if there's no yubikey present, the user shall directly answer
cryptsetup's password queries?

So basically, you want to plug your tool in the middle of the password
pipeline, when the tool is running?

I don't see a way how to do that in the current scheme. We could extend
it in a way where a client could take possession of a password request
or so. Maybe via BSD file locks on the file containing the prompt or
so. As soon as some other process sees that it would have to hide the
prompt?

But meh, I have the suspicion we'll revisit the entire password
prompt protocol anyway as soon as we have kdbus and can use the bus
during early boot... I am not too keen thinking up this just now if we
already know that thing will change quite a bit sooner or later in this
area...

Lennart

-- 
Lennart Poettering, Red Hat
[systemd-devel] unlocking encrypted hard disk two factor authentication (password and Yubikey)
Hello everybody,

for encrypted hard disks systemd asks via password agent [0] request for a key
to unlock the device. I coded a little program that can answer the request with
information received from a Yubikey [1] in challenge/response HMAC-SHA1 mode:

1. systemd asks for password
2. Yubikey is inserted
3. udev receives a hotplug event from Yubikey
4. udev launches my executable 'ykfde'
5. ykfde sends challenge to the key
6. ykfde receives response from the key
7. ykfde answers systemd's password request
8. systemd unlocks the hard disk and continues booting

Everything works perfectly so far. Now I would like to add two factor
authentication. The process should look something like this:

...
4. udev launches my executable 'ykfde'
5. ykfde asks for a second password (second factor)
6. user types second password on keyboard
7. ykfde receives second password and generates challenge
8. ykfde sends challenge to the key
9. ykfde receives response from the key
10. ykfde answers systemd's password request
11. systemd unlocks the hard disk and continues booting

Is there any way to make sure the user answers the second password request?

If no Yubikey is present (and no second password request is started) the user
should be able to answer as usual by typing a valid key.

[0] http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
[1] http://www.yubico.com/products/yubikey-hardware/yubikey/

-- 
Kind regards
Chris
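As an added example (not ykfde's code and not from the post), a minimal Python sketch of the agent side described above: it parses an ask.* request file, checks that the request is still live, obtains the HMAC-SHA1 response and answers on the request's AF_UNIX socket. The Yubikey slot is simulated with hmac, and deriving the challenge from the second password via SHA-256 is an assumption, not how ykfde does it.

```python
import configparser, hashlib, hmac, os, socket, tempfile, time

# Stand-in for the Yubikey HMAC-SHA1 slot (a real key computes this on-device).
def simulated_yubikey_response(slot_secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()

# Two-factor variant: challenge derived from the second password (hash is an assumption).
def derive_challenge(second_factor: str) -> bytes:
    return hashlib.sha256(second_factor.encode()).digest()

# Parse one /run/systemd/ask-password/ask.* file (keys per the PasswordAgents page).
def parse_ask_file(path: str) -> dict:
    cp = configparser.ConfigParser()
    cp.read(path)
    ask = cp["Ask"]
    return {"socket": ask["Socket"], "pid": int(ask["PID"]),
            "message": ask.get("Message", ""), "not_after": int(ask.get("NotAfter", "0"))}

# Agents skip requests past NotAfter (monotonic usec) or whose asker has exited.
def request_is_live(ask: dict, now_usec: int) -> bool:
    if ask["not_after"] and now_usec > ask["not_after"]:
        return False
    try:
        os.kill(ask["pid"], 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists but not ours; still alive
    return True

# Answer: one datagram "+<password>" (or "-" to cancel) on the AF_UNIX socket.
def answer_request(ask: dict, password: str) -> None:
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(b"+" + password.encode(), ask["socket"])

# Constructed end-to-end run: fake systemd-side socket plus fake ask file.
def run_demo(second_factor="correct horse", slot_secret=b"\x01" * 20) -> bytes:
    with tempfile.TemporaryDirectory() as d:
        sock_path, ask_path = os.path.join(d, "sck"), os.path.join(d, "ask.demo")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as listener:
            listener.bind(sock_path)
            with open(ask_path, "w") as f:
                f.write(f"[Ask]\nPID={os.getpid()}\nSocket={sock_path}\n"
                        "Message=Please enter passphrase for disk:\nNotAfter=0\n")
            ask = parse_ask_file(ask_path)
            if not request_is_live(ask, int(time.monotonic() * 1e6)):
                return b"-"
            resp = simulated_yubikey_response(slot_secret, derive_challenge(second_factor))
            answer_request(ask, resp.hex())
            return listener.recv(4096)
```

run_demo() returns the datagram the fake systemd side received, which is what a real agent would deliver to the socket named in the ask file.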