[systemd-devel] unlocking encrypted hard disk two factor authentication (password and Yubikey)

Christian Hesse mail at eworm.de
Tue Jun 3 05:01:03 PDT 2014


Lennart Poettering <lennart at poettering.net> on Fri, 2014/05/16 18:56:
> On Wed, 30.04.14 23:20, Christian Hesse (mail at eworm.de) wrote:
> 
> > 4. udev launches my executable 'ykfde'
> > 5. ykfde asks for a second password (second factor)
> > 6. user types second password on keyboard
> > 7. ykfde receives second password and generates challenge
> > 8. ykfde sends challenge to the key
> > 9. ykfde receives response from the key
> > 10. ykfde answers systemd's password request
> > 11. systemd unlocks the hard disk and continues booting
> > 
> > Is there any way to make sure the user answers the second password
> > request?
> > 
> > If no Yubikey is present (and no second password request is started) the
> > user should be able to answer as usual by typing a valid key.
> 
> Did I get this right:
> 
> a) if there's a yubikey present, your tool shall answer cryptsetup's
> password queries, and the user shall only answer your tool's questions?
> 
> b) if there's no yubikey present, the user shall directly answer
>    cryptsetup's password queries?
> 
> So basically, you want to plug your tool in the middle of the password
> pipeline, when the tool is running?

Exactly.

> I don't see a way how to do that in the current scheme. We could extend
> it in a way where a client could take possession of a password requests
> or so. Maybe via bsd file locks on the file containing the prompt or
> so. As soon as some other process sees that it would have to hide the
> prompt?
> 
> But meh, I have the suspicion we'll revisit the entire password
> prompt protocol anyway as soon as we have kdbus and can use the bus
> during early boot... I am not too keen thinking up this just now if we
> already know that thing will change quite a bit sooner or later in this
> area...

Ah, ok...
Would be great if anybody keeps this in mind then. ;)

Thanks!
-- 
Schoene Gruesse
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org
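The steps quoted above (4 to 11) boil down to ykfde acting as a systemd password agent: it reads the ask.* request that systemd drops into /run/systemd/ask-password, obtains the unlock secret through its own second-factor exchange, and answers on the request's Unix datagram socket. The following is an added example of that agent side of the exchange, written for this page and not taken from ykfde or systemd. It follows the documented password-agent protocol ([Ask] section with PID=, Socket=, NotAfter=, Message=; reply datagram of "+" plus the secret, or "-" to cancel). The second-factor derivation itself (second password to challenge to key response) is ykfde's own and is not shown on the page, so the unlock secret is simply passed in as a parameter; the sample request text is constructed, and the socket path in it is a placeholder.

```python
import os
import socket
import time
from pathlib import Path

# Directory systemd writes ask.* request files to (documented agent protocol).
ASK_DIR = Path("/run/systemd/ask-password")

# Constructed sample request, as an agent would find it on disk. PID is set to
# our own pid so the liveness check passes; the Socket path is a placeholder.
SAMPLE_ASK = f"""[Ask]
PID={os.getpid()}
Socket=/run/systemd/ask-password/sck.PLACEHOLDER
AcceptCached=1
NotAfter=5000000000
Message=Please enter passphrase for disk sda2 (crypt):
"""


def parse_ask_file(text):
    """Parse the INI-style [Ask] section of an ask.* file into a dict."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Ask" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def request_is_live(fields, now_monotonic_usec=None):
    """Ignore stale requests: the requester has exited or NotAfter has passed.

    NotAfter is expressed on CLOCK_MONOTONIC in microseconds; the caller may
    inject the clock value for testing.
    """
    pid = int(fields.get("PID") or 0)
    if pid > 0:
        try:
            os.kill(pid, 0)  # signal 0 only checks existence
        except ProcessLookupError:
            return False
        except PermissionError:
            pass  # exists, just owned by someone else
    not_after = int(fields.get("NotAfter") or 0)
    if not_after > 0:
        if now_monotonic_usec is None:
            now_monotonic_usec = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
        if now_monotonic_usec >= not_after:
            return False
    return True


def build_reply(secret=None):
    """'+' followed by the secret answers the query; a lone '-' cancels it."""
    if secret is None:
        return b"-"
    return b"+" + secret.encode("utf-8")


def send_reply(socket_path, reply):
    """Deliver the reply as a single datagram to the request's AF_UNIX socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(reply, socket_path)


def handle_request(ask_text, unlock_secret, now_monotonic_usec=None, sender=send_reply):
    """Answer one request; returns the bytes sent, or None if the request was stale."""
    fields = parse_ask_file(ask_text)
    if not request_is_live(fields, now_monotonic_usec):
        return None
    reply = build_reply(unlock_secret)
    sender(fields["Socket"], reply)
    return reply


if __name__ == "__main__":
    # Walk the live request directory; the secret would come from ykfde's
    # second-factor exchange, which is outside this example.
    for ask in ASK_DIR.glob("ask.*"):
        print(ask, handle_request(ask.read_text(), unlock_secret="<from second factor>"))
```

Because the liveness check runs before any reply is sent, an agent built this way will not push a secret at a socket whose requester has already gone away, and the injectable sender keeps the protocol logic testable without a running systemd.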