Added 1FA hardware hash support #78

Open. Wants to merge 1 commit into base: master.
23 changes: 21 additions & 2 deletions README.md
Expand Up @@ -50,6 +50,7 @@ If you set CONCATENATE=1 option in the file /etc/ykluks.cfg then both your passw
If you set HASH=1 option in the file /etc/ykluks.cfg then your password will be hashed with sha256 algorithm before using as challenge for yubikey: printf password | sha256sum | awk '{print $1}'
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8


Changing the welcome text
-------------------------

Expand All @@ -62,8 +63,8 @@ After changing this file, you need to run

so that the changes get transferred to the initramfs.

Use 1FA to allow unattended, passwordless boot
----------------------------------------------
Use "weak" 1FA to allow unattended, passwordless boot on any hardware
---------------------------------------------------------------------

In order to bypass the password prompt and allow the system to boot when the paired Yubikey is present without requiring interactive input of the challenge password, then you must edit /etc/ykluks.cfg to contain the challenge password that you previously enrolled (and which should be bypassed). Example:

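Review bot: the renamed heading leans on scare-quoted adjectives ("weak" here, "more-secure" in the section below) without saying what each mode actually protects against; state it concretely in the heading or first sentence, e.g. that this mode unlocks on any machine the drive is moved to while the hardware-hash mode ties the slot to one machine's DMI data, so a reader can pick the right one without reading both sections.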
Expand All @@ -79,6 +80,24 @@ After changing this file, you need to run

so that the changes get transferred to the initramfs.

Use "more-secure" 1FA to allow passwordless boot only on certain hardware
-------------------------------------------------------------------------

In order to bypass the password prompt and allow the system to boot when the paired Yubikey is present without requiring interactive input of the challenge password, the challenge password is calculated based on a hash of the output of a command which returns hardware info and serial numbers (`dmidecode -t system`). To enable, uncomment this line in /etc/ykluks.cfg

YUBIKEY_CHALLENGE_HARDWARE_HASH=1

The challenge password is calculated based off the hash of the dmidecode output like this:

dmidecode -t system | sha256sum | awk '{print $1}')

Notes:
- To make this work with multiple machines, run `yubikey-luks-enroll -s <LUKS slot>` with a different LUKS slot for each machine (default is 7).
- An added degree of security is optained as an attacker will need access to all of:
- Your bootable medium (eg your SSD)
- Computer that you use (for the `dmidecode` output)
- Yubikey in order to decrypt the LUKS encrypted partition
- The `YUBIKEY_CHALLENGE` setting has no effect if `YUBIKEY_CHALLENGE_HARDWARE_HASH=1` uncommented

Enable yubikey-luks initramfs module
------------------------------------
1 change: 1 addition & 0 deletions hook
Expand Up @@ -22,6 +22,7 @@ esac
copy_exec /usr/bin/ykchalresp
copy_exec /usr/bin/ykinfo
copy_exec /usr/bin/sha256sum
if [ -n "$YUBIKEY_CHALLENGE_HARDWARE_HASH" ]; then copy_exec /usr/sbin/dmidecode; fi
cp /usr/share/yubikey-luks/ykluks-keyscript "${DESTDIR}/sbin/ykluks-keyscript"
cp /etc/ykluks.cfg "${DESTDIR}/etc/ykluks.cfg"

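Review bot: the new line copies dmidecode on `[ -n "$YUBIKEY_CHALLENGE_HARDWARE_HASH" ]`, while key-script, initramfs-suspend, yubikey-luks-enroll and yubikey-luks-open only activate the mode on the exact value `1`; use `[ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" = "1" ]` here as well so the initramfs contents always match the runtime check. The path `/usr/sbin/dmidecode` is hard-coded; if the binary is missing (not installed, or at a different path), the hook should fail loudly when the mode is enabled rather than produce an initramfs in which the unlock path silently hashes empty output.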
6 changes: 5 additions & 1 deletion initramfs-suspend
Expand Up @@ -34,7 +34,11 @@ echo mem > /sys/power/state

[ -z "${cryptname}" ] ||
while true; do
P1=$(/lib/cryptsetup/askpass "$WELCOME_TEXT")
if [ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" == "1" ]; then
P1="$(dmidecode -t system | sha256sum | awk '{print $1}')"
else
P1=$(/lib/cryptsetup/askpass "$WELCOME_TEXT")
fi

if [ "$HASH" = "1" ]; then
P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
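Review bot: `[ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" == "1" ]` uses the non-POSIX `==` operator, which fails with "unexpected operator" under dash (the `/bin/sh` used in Debian-family initramfs images); the existing test three lines below uses `[ "$HASH" = "1" ]`, so use `=` here for consistency and portability.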
10 changes: 7 additions & 3 deletions key-script
Expand Up @@ -22,7 +22,7 @@ message()

check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"

if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
if { [ -z "$YUBIKEY_CHALLENGE" ] && [ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" != "1" ]; } || [ "$check_yubikey_present" != "1" ] ; then
if [ -z "$cryptkeyscript" ]; then
if [ -x /bin/plymouth ] && plymouth --ping; then
cryptkeyscript="plymouth ask-for-password --prompt"
Expand All @@ -32,7 +32,11 @@ if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
fi
PW="$($cryptkeyscript "$WELCOME_TEXT")"
else
PW="$YUBIKEY_CHALLENGE"
if [ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" == "1" ]; then
PW="$(dmidecode -t system | sha256sum | awk '{print $1}')"
else
PW="$YUBIKEY_CHALLENGE"
fi
fi

if [ "$check_yubikey_present" = "1" ]; then
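Review bot: the new branch has no failure handling. If dmidecode is absent from the initramfs or exits non-zero, `PW="$(dmidecode -t system | sha256sum | awk '{print $1}')"` still assigns the SHA-256 of empty input and that wrong challenge is sent to the Yubikey with no message to the user; capture the dmidecode output into a variable first, and if it is empty fall back to the interactive `$cryptkeyscript` prompt (or call `message`) instead of continuing. The same `==` portability issue as in initramfs-suspend applies here: use `=`.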
Expand All @@ -52,7 +56,7 @@ if [ "$check_yubikey_present" = "1" ]; then
message "Failed to retrieve the response from the Yubikey"
fi
else
printf '%s' "$PW"
printf '%s' "$PW"
fi

exit 0
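Review bot: this hunk is a whitespace-only re-indentation of `printf '%s' "$PW"` unrelated to the hardware-hash feature; drop it from this PR, or mention it in the commit message so reviewers do not look for a behavioural change.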
5 changes: 5 additions & 0 deletions ykluks.cfg
Expand Up @@ -27,3 +27,8 @@ SUSPEND=0
# for an unattended boot so long as the Yubikey is present.
# Leave this empty (or unset), if you want to do 2FA -- i.e. being asked for the password during boot time.
# YUBIKEY_CHALLENGE="password"

# Uncomment this line if you want to use a hash of the `dmidecode` output instead of the 'YUBIKEY_CHALLENGE' password (above)
# If this line is uncommented then 'YUBIKEY_CHALLENGE' has no effect and 1FA is enabled
# This is designed to give a slightly more secure 1FA experience however it prevents the ubikey from unlocking the luks partition on unknown hardware
# YUBIKEY_CHALLENGE_HARDWARE_HASH=1
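Review bot: the comment block should document that the only recognised value is `1` (the scripts compare against `"1"`, not "non-empty"), and that the hash is taken over the entire `dmidecode -t system` output, so a BIOS/firmware update, a mainboard swap or a different dmidecode version changes the challenge and this slot stops unlocking; advise keeping a password-protected slot enrolled as a recovery path. Spelling: "ubikey" should be "Yubikey" and "luks" should be "LUKS" to match the rest of the file.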
20 changes: 13 additions & 7 deletions yubikey-luks-enroll
Expand Up @@ -73,15 +73,21 @@ while true ; do
read -r _ <&1
done

P1=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:")
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
if [ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" = "1" ]; then
if ! command -v dmidecode > /dev/null; then echo "dmidecode could not be found, please install it"; exit 1; fi
P1="$(dmidecode -t system | sha256sum | awk '{print $1}')"
if [ "$DBG" = "1" ]; then echo "Using Password: $P1"; fi
else
P1=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password. This is the password that will only work while your yubikey is installed in your computer:")
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi

P2=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password again:")
if [ "$DBG" = "1" ]; then echo "Password: $P2"; fi
P2=$(/lib/cryptsetup/askpass "Please enter the yubikey challenge password again:")
if [ "$DBG" = "1" ]; then echo "Password: $P2"; fi

if [ "$P1" != "$P2" ]; then
echo "Passwords do not match"
exit 1
if [ "$P1" != "$P2" ]; then
echo "Passwords do not match"
exit 1
fi
fi

if [ "$HASH" = "1" ]; then
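Review bot: the `command -v dmidecode` guard is good, but the pipeline still does not check that dmidecode produced anything. dmidecode needs root to read the SMBIOS tables and otherwise prints its error to stderr with nothing on stdout, so `P1` would become the SHA-256 of empty input and enrolment would succeed with a challenge that contains nothing hardware-specific; capture the output first and abort if it is empty, e.g. `out="$(dmidecode -t system)" && [ -n "$out" ] || { echo "dmidecode returned no data"; exit 1; }` before hashing. Note also that the `DBG=1` line prints the full challenge to the terminal, which is unchanged behaviour from the password path but now leaks a value that is fixed for the lifetime of the machine.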
9 changes: 7 additions & 2 deletions yubikey-luks-open
Expand Up @@ -43,8 +43,13 @@ while true ; do
read -r _ <&1
done

P1=$(/lib/cryptsetup/askpass "Enter password created with yubikey-luks-enroll:")
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
if [ "$YUBIKEY_CHALLENGE_HARDWARE_HASH" = "1" ]; then
P1="$(dmidecode -t system | sha256sum | awk '{print $1}')"
if [ "$DBG" = "1" ]; then echo "Using Password: $P1"; fi
else
P1=$(/lib/cryptsetup/askpass "Enter password created with yubikey-luks-enroll:")
if [ "$DBG" = "1" ]; then echo "Password: $P1"; fi
fi

if [ "$HASH" = "1" ]; then
P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
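Review bot: this branch lacks the `command -v dmidecode` check that yubikey-luks-enroll gained, and the same `dmidecode -t system | sha256sum | awk '{print $1}'` recipe is now copied verbatim into key-script, initramfs-suspend, yubikey-luks-enroll and this file; move it into one helper function that all four source, with the empty-output check in a single place, so the enrol-time and unlock-time challenges cannot drift apart (any difference between the two permanently locks the slot out).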