[systemd-devel] unlocking encrypted hard disk two factor authentication (password and Yubikey)

Christian Hesse mail at eworm.de
Wed Apr 30 14:20:42 PDT 2014


Hello everybody,

for encrypted hard disks systemd asks via password agent [0] request for a key
to unlock the device. I coded a little program that can answer the request
with information received from a Yubikey [1] in challenge/response HMAC-SHA1
mode:

1. systemd asks for password
2. Yubikey is inserted
3. udev receives a hotplug event from Yubikey
4. udev launches my executable 'ykfde'
5. ykfde sends challenge to the key
6. ykfde receives response from the key
7. ykfde answers systemd's password request
8. systemd unlocks the hard disk and continues booting

Everything works perfectly so far.

Now I would like to add two factor authentication. The process should look
something like this:

...
4. udev launches my executable 'ykfde'
5. ykfde asks for a second password (second factor)
6. user types second password on keyboard
7. ykfde receives second password and generates challenge
8. ykfde sends challenge to the key
9. ykfde receives response from the key
10. ykfde answers systemd's password request
11. systemd unlocks the hard disk and continues booting

Is there any way to make sure the user answers the second password request?

If no Yubikey is present (and no second password request is started) the user
should be able to answer as usual by typing a valid key.

[0] http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
[1] http://www.yubico.com/products/yubikey-hardware/yubikey/
-- 
main(a){char*c=/*    Schoene Gruesse                         */"C7?Bj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
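As an added example (not the ykfde code from the post, and not systemd's own agent), the two-factor flow above in Python: parse the ask.* request file systemd writes for password agents, derive a challenge from the typed second password, compute the HMAC-SHA1 response with a constructed stand-in for the Yubikey slot secret, and build the "+passphrase" datagram an agent sends back to the Socket= path. The salt, the hex encoding of the response and the sample file contents are assumptions.

```python
import configparser
import hashlib
import hmac

# Constructed stand-in for one of the ask.* files systemd drops under
# /run/systemd/ask-password/ (layout per the PasswordAgents spec, [0]).
SAMPLE_ASK_FILE = """[Ask]
PID=123
Socket=/run/systemd/ask-password/sck.demo0001
AcceptCached=0
NotAfter=0
Message=Please enter passphrase for disk sda2 (cryptroot):
"""

# Constructed 20-byte demo secret standing in for the HMAC-SHA1 slot secret
# that never leaves a real Yubikey.
DEMO_SLOT_SECRET = bytes(range(20))


def derive_challenge(second_password: str, salt: bytes = b"ykfde-demo-salt") -> bytes:
    """Map the second factor to a fixed-length challenge (assumed scheme:
    SHA-256 over salt||password, 32 bytes, under the 64-byte challenge limit)."""
    return hashlib.sha256(salt + second_password.encode("utf-8")).digest()


def simulated_yubikey_response(challenge: bytes, secret: bytes = DEMO_SLOT_SECRET) -> bytes:
    """Offline stand-in for the token: HMAC-SHA1 of the challenge under the slot secret."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def parse_ask_file(text: str) -> dict:
    """Read the [Ask] section: the socket to reply on, the requesting PID, the prompt."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    ask = cp["Ask"]
    return {"pid": int(ask["PID"]), "socket": ask["Socket"],
            "message": ask.get("Message", ""), "not_after": int(ask.get("NotAfter", "0"))}


def build_reply(passphrase: bytes) -> bytes:
    """Datagram for the Socket= path: '+' then the passphrase ('-' alone would cancel)."""
    return b"+" + passphrase


def answer_request(ask_text: str, second_password: str) -> tuple:
    """Return (socket path, datagram) for the request; the hex of the token
    response serves as the LUKS passphrase (assumed encoding)."""
    req = parse_ask_file(ask_text)
    response = simulated_yubikey_response(derive_challenge(second_password))
    return req["socket"], build_reply(response.hex().encode("ascii"))
```

Because the challenge depends on the typed password, the same token yields a different passphrase for each second factor, so a lost key alone does not reproduce the unlock secret.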