
Idea: Unlock remote machine via SSH #57

Open
Conversation

Frederick888
Contributor

@Frederick888 Frederick888 commented Dec 6, 2019

This is a proof of concept which contains a lot of ugly hacks and it's not intended to be merged.

I would like to use yubikey-full-disk-encryption to unlock a headless machine without the hassle of unplugging/plugging the YubiKey. So, inspired by the encryptssh hook from mkinitcpio-utils that I'm currently using, here's a prototype that utilises SSH port forwarding to do this job.

Server-Side Requirements
  1. nc from gnu-netcat
  2. ss from iproute2
  3. a patched mkinitcpio-dropbear (contains an upstream dss fix and a minor change to allow port forwarding)

dropbear (and netconf) needs to be pre-configured according to https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp).

mkinitcpio hooks should look like:

HOOKS=(base udev autodetect keyboard keymap modconf block netconf dropbear ykfde filesystems fsck)

Client-Side Requirements
  1. ncat from nmap
  2. ykfde-ssh from this PR

Basically what it does is
  1. Server fires up network and dropbear
  2. Client uses ykfde-ssh Hostname and it:
    2.1 starts ncat to listen on 127.0.0.1:9000 and wait for the challenge
    2.2 forwards 127.0.0.1:9000 to Server
  3. Server uses ss to detect whether 127.0.0.1:9000 is open
  4. Server uses nc to send the challenge to 127.0.0.1:9000 and obtains the response

I've tested it in a virtual machine and it seems to work pretty smoothly. However, the configuration does tend to be overly complex and I actually wonder whether there is a better way of doing this rather than using SSH port forwarding. But @agherzan if you feel comfortable about this idea I can then make some time to tidy it up and submit a proper PR.

Collaborator

@Vincent43 Vincent43 left a comment


This is interesting functionality, thank you. I'm not able to test it in any way but left a few comments.

The final form would need some info in README too.

@@ -0,0 +1,6 @@
#!/usr/bin/env bash
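Review bot: the shebang `#!/usr/bin/env bash` on line 1 is inconsistent with the `#!/bin/bash -p` the other ykfde-* scripts use, and the difference matters for a script that handles unlock material: `-p` (privileged mode) stops bash from importing shell functions from the environment and from sourcing $BASH_ENV, and the fixed path avoids resolving `bash` through $PATH. Suggest `#!/bin/bash -p`.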
Collaborator

Could you make shebang consistent with other ykfde-* scripts? We use #!/bin/bash -p elsewhere.

@@ -0,0 +1,6 @@
#!/usr/bin/env bash

ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &
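Review bot: `ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &` passes the challenge to ykchalresp as a command-line argument, where any local user can read it from the process list; read it with `read -r` and pipe it to ykchalresp on stdin instead. Two smaller points on the same line: `-l 9000` without a bind address listens on every interface rather than only 127.0.0.1 as the description intends, so it should be `-l 127.0.0.1 9000`; and since the single quotes are deliberate (the string is expanded by ncat's shell, not here), precede the line with a comment saying so and a `# shellcheck disable=SC2016` directive so the warning does not recur.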
Collaborator

@Vincent43 Vincent43 Dec 6, 2019


This ykchalresp invocation leaks the challenge, see #44 and how it was fixed.

Also this line triggers the following shellcheck warning:

In ykfde-ssh line 3:
ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &
        ^-- SC2016: Expressions don't expand in single quotes, use double quotes for that.

For more information:
  https://www.shellcheck.net/wiki/SC2016 -- Expressions don't expand in singl...


I am pretty sure that this is single quoted intentionally.

Owner

@agherzan agherzan Dec 17, 2019


Yes - it was to avoid expansion. But if that is the case, a comment and a shellcheck disable should be added.
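A hardened form of the client-side listener from the PR description, covering the challenge-leak point raised above; this is an example added for this thread, not the PR's ykfde-ssh or project code. It keeps the `-p` shebang, binds to loopback only, validates the challenge, and hands it to ykchalresp on stdin rather than on the command line. Assumptions: ncat from nmap is installed, the installed ykchalresp accepts `-i-` for a challenge on stdin, and the names YKFDE_SSH_PORT, YKCHALRESP, validate_challenge, answer_challenge and start_listener are chosen here.

```shell
#!/bin/bash -p
# Example client-side listener added for this thread; not the PR's ykfde-ssh.
# Assumed names: YKFDE_SSH_PORT, YKCHALRESP, validate_challenge, answer_challenge,
# start_listener; assumes the installed ykchalresp reads a stdin challenge via -i-.

YKFDE_SSH_PORT="${YKFDE_SSH_PORT:-9000}"
YKCHALRESP="${YKCHALRESP:-/bin/ykchalresp}"

# Accept only a plausible challenge: 1..64 visible ASCII characters, no blanks.
# Empty lines, control characters and oversized input are rejected before
# anything reaches the YubiKey.
validate_challenge() {
    local c="$1"
    [ -n "$c" ] || return 1
    [ "${#c}" -le 64 ] || return 1
    case "$c" in
        *[![:graph:]]*) return 1 ;;
    esac
    return 0
}

# Read one challenge line from stdin and write the response to stdout.
# The challenge is piped to ykchalresp, never passed as an argument, so it
# does not show up in the process list the way `ykchalresp -2 "$challenge"` does.
answer_challenge() {
    local challenge
    # a final line without a trailing newline is still accepted
    IFS= read -r challenge || [ -n "$challenge" ] || return 1
    validate_challenge "$challenge" || return 1
    printf '%s' "$challenge" | "$YKCHALRESP" -2 -i-
}

# Listen on loopback only (ncat -l without a host binds every interface) and
# serve the single connection the SSH forward delivers by re-invoking this
# script: under bash -p exported functions are not inherited, so a plain
# `ncat -c answer_challenge` would not work. The script must be executable.
start_listener() {
    local self
    self="$(readlink -f "$0")"
    ncat -l 127.0.0.1 "$YKFDE_SSH_PORT" -c "$self --answer" &
}

case "${1:-}" in
    --answer) answer_challenge ;;
    --listen) start_listener ;;
esac
```

Start it with `--listen` before opening the SSH forward; anything that is not a single printable challenge line is dropped and the YubiKey never sees it.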

@@ -149,6 +150,8 @@ ykfde_do_it() {
_rc=$?

if [ "$_rc" -eq 0 ]; then
touch /.done
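Review bot: the two lines added in this hunk (`touch /.done` being the one shown) run on every successful unlock, not only when the SSH path is configured; wrap them in a check on the YKFDE_SSH setting. Also make sure the non-zero `_rc` branch removes any stale `/.done` left by an earlier attempt, since nothing visible here clears it.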
Collaborator

I think those two should depend on "$YKFDE_SSH"

@agherzan
Owner

Shall we close this PR for now?

@Frederick888
Contributor Author

Ah, sorry, got busy for a while then completely forgot about this. I still would like to finish this feature, but I can't give you a time frame right now. Is it ok? Or I'm also happy to submit another PR when I actually manage to wrap it up.

@Vincent43
Collaborator

Take your time, we can wait 😄

@agherzan
Owner

That's absolutely alright. Just wanted to make sure it's still planned sometime in the future.

@Piraty
Piraty commented Oct 18, 2020
