FDE with 2FA doesn't check 2nd factor? #7
Comments
There can be various reasons for that. First of all... What version are you using? When you run Possibly you have an active LUKS slot that works with your Yubikey but without 2nd factor. See your active slots with:
Does the timestamp (and file content) of the challenge in |
AFAICT, I'm running the latest version:
$ ykfde -V
ykfde: ykfde v0.6.1 (compiled: Apr 5 2016, 09:25:56)
I checked the luks slots, and I only have 2 enabled: the one without the yubikey and the one with the yubikey. I tried rebooting without the yubikey to make sure. There are new files created in |
I think I know what is going on, but I don't know how to fix it. |
So. I erased everything, removed the challenges, killed the slot used by ykfde and then re-set it. Here are the hooks in my
and here is the
|
Does it help to run |
If I run |
This does not log, no. Should work as expected... Are you sure there is no other mechanism unlocking with your static key in slot 0? It does not boot when the Yubikey is missing, no? Looks like I have to sleep on it for a night... Currently I am out of ideas. |
OK. |
Ok, did some testing inside a virtual machine. Let's go step-by-step: Let's set up and map a LUKS device:
This has a static passphrase now. So run
Now we can run
So let's try with a second factor. That should fail as there is none.
Giving an empty second factor and setting a new one works, though.
Running the same command again fails as the second factor is no longer empty.
But with the correct second factor it works.
Now let's kill the slot and start over.
With an empty slot we can set up the second factor directly.
Works as expected... If it does not work for you, something from above must behave differently. |
Ah, I have an idea... Last chance to explain your behaviour: Your Yubikey is not configured for |
I'll try again tomorrow morning, and I'll check to see if the yubikey is configured properly. |
Pushed commit 8c5352f, that should give something like this if the Yubikey is not configured properly:
|
So... it seems the yubikey wasn't in |
No problem. ;) |
Hello,
I set up ykfde to use 2 factor authentication. Everything seems to work great, but this morning I typed a wrong password and yet, my disk was decrypted. So I tried again with a wrong password on purpose and it worked again. I'm using Arch Linux.
I don't know what information I could provide to help debug this.
I previously had set up ykfde without 2fa (because it wasn't available yet), so maybe I made a mistake when I switched.
To switch, I first changed the config and then typed
sudo ykfde -s <2fa>
and then used ykfde-cpio
and then regenerated the initcpio files.
Cheers