[systemd-devel] systemd-crypttab: FIDO2 and passwords

Christian Kastner ckk at debian.org
Mon Mar 8 17:29:28 UTC 2021


On 07.03.21 23:34, Lennart Poettering wrote:
> Right now whether to require the FIDO2 PIN is not configurable. We
> could make it configurable though, so that you could use it in 1FA
> situations.

I myself am only interested in 2FA; I misread the documentation as the
current implementation being 1FA, but that misunderstanding is now
resolved. Thanks!

If I understand src/cryptsetup/{cryptsetup-fido2,cryptsetup}.c
correctly, then the PIN is used as input to the security token, and
whatever the token returns is base64-encoded and then used as the key
for LUKS, right?

If so, I wonder whether this isn't vulnerable to physical USB attacks
(see [1] for an example of how simple this can be).

As I mentioned earlier, I speculate that the fido2luks project hashes
the password before FIDO2, and then again with the FIDO2 response, to
alleviate this.

[1] https://ha.cking.ch/s8_data_line_locator/
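An added illustration (not code from systemd, fido2luks, or the original post) of the two derivations the post contrasts: the token is simulated, and the password-plus-response combination is an assumed scheme, not fido2luks's actual code.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins: a per-credential secret that in reality never leaves
# the token, and the hmac-secret salt that the host stores in the LUKS header.
TOKEN_INTERNAL_SECRET = bytes(range(32))          # constructed, not a real key
LUKS_HEADER_SALT = b"constructed-salt-from-luks-header"


def token_hmac_secret(salt: bytes, pin_ok: bool = True) -> bytes:
    """Simulated FIDO2 hmac-secret reply. The PIN only gates the request;
    it is not mixed into the output, so the reply is all the host receives."""
    if not pin_ok:
        raise PermissionError("token rejected the PIN")
    return hmac.new(TOKEN_INTERNAL_SECRET, salt, hashlib.sha256).digest()


def derive_key(scheme: str, password: str, response: bytes) -> bytes:
    """Turn the token reply into the LUKS key under one of two schemes."""
    if scheme == "response-only":
        # As the post describes for systemd: base64 of the reply is the key.
        return base64.b64encode(response)
    if scheme == "password+response":
        # Assumed 2FA combination: hash the password first, then stretch it
        # together with the token reply, so neither factor alone is enough.
        pw_hash = hashlib.sha256(password.encode()).digest()
        return hashlib.pbkdf2_hmac("sha256", pw_hash, response, 100_000, dklen=32)
    raise ValueError(f"unknown scheme {scheme!r}")


def unlock(scheme: str, password: str, salt: bytes, pin_ok: bool = True) -> bytes:
    """What the host computes at boot: talk to the token, then derive the key."""
    return derive_key(scheme, password, token_hmac_secret(salt, pin_ok))


def key_from_captured_reply(scheme: str, captured: bytes, guess: str) -> bytes:
    """What a party holding only a recorded token reply (plus a password
    guess) can compute; compare with unlock() to see which scheme resists."""
    return derive_key(scheme, guess, captured)
```

Under the first scheme the recorded reply reproduces the key with any password guess; under the second it matches only when the password guess is also correct.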
