Add one-factor-authentication (non-interactive) (#65)

Adds one-factor-authentication without the need for the user to enter the challenge passphrase. The presence of the correct yubikey is sufficient. * changes to yubikey luks scripts, added readme and config relevant to the challenge password being included when one-factor authentication is used Co-authored-by: XOMBO <support@xombo.com>
cornelinux · Jan 26, 2021 · 79677de · 79677de
1 parent ad28cf1
commit 79677de
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -62,8 +62,26 @@ After changing this file, you need to run
 
 so that the changes get transferred to the initramfs.
 
+Use 1FA to allow unattended, passwordless boot 
+----------------------------------------------
+
+In order to bypass the password prompt and allow the system to boot when the paired Yubikey is present without requiring interactive input of the challenge password, then you must edit /etc/ykluks.cfg to contain the challenge password that you previously enrolled (and which should be bypassed). Example: 
+
+    YUBIKEY_CHALLENGE="enrolled-challenge-password"
+
+Leave this empty, if you want to do 2FA -- i.e. being asked for the password during boot time.
+
+Note that 1FA, when using this feature, will weaken security as it no longer prompts for the chalenge password and will decrypt the volume with only the Yubikey being present at boot time.
+
+After changing this file, you need to run
+
+    update-initramfs -u
+
+so that the changes get transferred to the initramfs.
+
+
 Enable yubikey-luks initramfs module
--------------------------
+------------------------------------
 
 In order to use yubikey-luks for unlocking LUKS encrypted volume at boot you must append keyscript=/usr/share/yubikey-luks/ykluks-keyscript to the /etc/crypttab file. Example:
 
@@ -80,14 +98,14 @@ Alternatively you may add keyscript=/sbin/ykluks-keyscript to your boot cmdline
     cryptoptions=target=cryptroot,source=/dev/sda,keyscript=/sbin/ykluks-keyscript
 
 Enable yubikey-luks-suspend module
-------------------------------------
+----------------------------------
 
 You can enable yubikey-luks-suspend module which allows for automatically locking encrypted LUKS containers and wiping keys from memory on suspend and unlocking them on resume by using luksSuspend, luksResume commands.
 
     systemctl enable yubikey-luks-suspend.service
 
 Open LUKS container protected with yubikey-luks
-------------------------------------
+-----------------------------------------------
 
 You can open LUKS container protected with yubikey-luks on running system
 

diff --git a/key-script b/key-script
@@ -22,16 +22,19 @@ message()
 
 check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"
 
-if [ -z "$cryptkeyscript" ]; then
-    if [ -x /bin/plymouth ] && plymouth --ping; then
-        cryptkeyscript="plymouth ask-for-password --prompt"
-    else
-        cryptkeyscript="/lib/cryptsetup/askpass"
-    fi
+if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
+  if [ -z "$cryptkeyscript" ]; then
+      if [ -x /bin/plymouth ] && plymouth --ping; then
+          cryptkeyscript="plymouth ask-for-password --prompt"
+      else
+          cryptkeyscript="/lib/cryptsetup/askpass"
+      fi
+  fi
+  PW="$($cryptkeyscript "$WELCOME_TEXT")"
+else
+  PW="$YUBIKEY_CHALLENGE"
 fi
 
-PW="$($cryptkeyscript "$WELCOME_TEXT")"
-
 if [ "$check_yubikey_present" = "1" ]; then
     message "Accessing yubikey..."
     if [ "$HASH" = "1" ]; then

diff --git a/ykluks.cfg b/ykluks.cfg
@@ -1,11 +1,29 @@
 # If you change this file, you need to run 
 #   update-initramfs -u
-WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
-# Set to "1" if you want both your password and Yubikey response be bundled together and writtent to key slot.
+
+# Set to the prompt that appears when the LUKS password is needed to decrypt
+# the volume protected with a Yubikey
+WELCOME_TEXT="Please insert Yubikey and press enter or enter a valid passphrase"
+
+# Set to "1" if you want both your password and Yubikey response be bundled 
+# together and written to the key slot
 CONCATENATE=0
+
 # Set to "1" if you want to hash your password with sha256.
 HASH=0
+
 # Set which Slot to use (1 or 2), defaults to 2
 YUBIKEY_LUKS_SLOT=2
+
 # Set this to "1" if you want to use Yubikey with suspend (default to 0)
 SUSPEND=0
+
+# Set this to a previously-enrolled challenge password if you want to use 1FA 
+# (one-factor authentication), which checks for the paired Yubikey's presence.
+# This will suppress the interactive prompt for the password during boot time.
+# If the Yubikey is not presetnt at boot time, then the password prompt 
+# is displayed and will unlock if one of the LUKS slots is using that as 
+# a normal password. This is weaker than 2-factor authentication, but allows 
+# for an unattended boot so long as the Yubikey is present.
+# Leave this empty (or unset), if you want to do 2FA -- i.e. being asked for the password during boot time.
+# YUBIKEY_CHALLENGE="password"