Hello everybody,

For encrypted hard disks, systemd asks via a password agent [0] request for a key
to unlock the device. I coded a little program that can answer the request
with information received from a Yubikey [1] in challenge/response HMAC-SHA1
mode:

1. systemd asks for password
2. Yubikey is inserted
3. udev receives a hotplug event from Yubikey
4. udev launches my executable 'ykfde'
5. ykfde sends challenge to the key
6. ykfde receives response from the key
7. ykfde answers systemd's password request
8. systemd unlocks the hard disk and continues booting

Everything works perfectly so far.

Now I would like to add two-factor authentication. The process should look
something like this:

...
4. udev launches my executable 'ykfde'
5. ykfde asks for a second password (second factor)
6. user types second password on keyboard
7. ykfde receives second password and generates challenge
8. ykfde sends challenge to the key
9. ykfde receives response from the key
10. ykfde answers systemd's password request
11. systemd unlocks the hard disk and continues booting

Is there any way to make sure the user answers the second password request?

If no Yubikey is present (and no second password request is started) the user
should be able to answer as usual by typing a valid key.

[0] http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
[1] http://www.yubico.com/products/yubikey-hardware/yubikey/
-- 
main(a){char*c=/*    Schoene Gruesse                         */"C7?Bj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
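The flow sketched above, as an added example that is not part of the original mail or of ykfde: the typed second factor is hashed into the challenge, the Yubikey's HMAC-SHA1 slot response becomes the unlock key, and the key is handed back through the password agent protocol (parse the `[Ask]` section of the `ask.XXXX` file, send `+key` as one datagram to its `Socket`). The Yubikey secret, the sample ask file and its field values are constructed so the example runs offline; a real deployment replaces `yubikey_hmac_sha1` with a call into the token.

```python
import hashlib
import hmac
import socket

# Constructed stand-in for the HMAC-SHA1 secret programmed into a Yubikey slot.
# A real token never reveals it; it is here only so the example runs offline.
FAKE_YUBIKEY_SECRET = bytes(range(20))

# Constructed sample of /run/systemd/ask-password/ask.XXXX (field names follow
# the PasswordAgents spec; values are made up).
SAMPLE_ASK = """[Ask]
PID=123
Socket=/run/systemd/ask-password/sck.123
AcceptCached=0
NotAfter=0
Message=Please enter passphrase for disk sda2 (cryptroot)!
Icon=drive-harddisk
"""


def yubikey_hmac_sha1(challenge: bytes) -> bytes:
    """Simulates the token's HMAC-SHA1 challenge/response slot (20-byte answer)."""
    return hmac.new(FAKE_YUBIKEY_SECRET, challenge, hashlib.sha1).digest()


def build_challenge(second_factor: str) -> bytes:
    """Derive the challenge from the second factor; the slot accepts up to 64 bytes,
    and hashing keeps the typed password itself off the USB bus."""
    return hashlib.sha256(second_factor.encode()).digest()


def unlock_key(second_factor: str) -> str:
    """Key handed to systemd: hex of the token response to the derived challenge.
    A wrong second factor yields a different challenge, hence a different key."""
    return yubikey_hmac_sha1(build_challenge(second_factor)).hex()


def parse_ask_file(text: str) -> dict:
    """Read the key=value pairs of the [Ask] section of an ask.XXXX file."""
    fields, in_ask = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_ask = line == "[Ask]"
        elif in_ask and "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


def build_answer(ask_text: str, key: str) -> tuple:
    """Return (socket path, datagram): '+' + key answers, a bare '-' would cancel."""
    return parse_ask_file(ask_text)["Socket"], b"+" + key.encode()


def send_answer(sock_path: str, datagram: bytes) -> None:
    """Deliver the answer to systemd over the AF_UNIX datagram socket (root only)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, sock_path)
```

In the udev-triggered path this would be `send_answer(*build_answer(open(path).read(), unlock_key(typed)))` for each `ask.*` file found; the datagram must be sent before the request's `NotAfter` deadline.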


_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
