Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot add LUKS key: fgets error 0x00 #31

Closed
schaerfo opened this issue Nov 16, 2020 · 5 comments
Closed

Cannot add LUKS key: fgets error 0x00 #31

schaerfo opened this issue Nov 16, 2020 · 5 comments
Assignees
@mjec
Labels
bug Something isn't working

Comments

@schaerfo
Copy link

Describe the bug
After generating the keyfile, adding the key to LUKS with khefin-add-luks-key fails.

To Reproduce
Steps to reproduce the behavior:

  1. Generate a keyfile with khefin enrol
  2. Attempt to add the LUKS key with sudo khefin-add-luks-key /tmp/keyfile /dev/nvme0n1p6
  3. Enter passphrase for keyfile
  4. The error khefin: Unable to get authenticator PIN for ONLYKEY at /dev/hidraw1 on STDIN: fgets error 0x00 is displayed and khefin exits with status 68

Expected behavior
I am prompted to tap the security key, after that, the LUKS key is added.

Environment:

  • Operating system: Manjaro Linux
  • Version: 0.6.0
  • Authenticator make and model: Onlykey, Solokey Tap A (same behavior with both keys)
@mjec
Copy link
Owner

mjec commented Nov 16, 2020

Thanks for the report @schaerfo! I'll take a look in the next couple of days, but I think I know what the issue might be.

@mjec mjec self-assigned this Nov 16, 2020
@mjec mjec added the bug Something isn't working label Nov 16, 2020
@mjec
Copy link
Owner

mjec commented Nov 24, 2020

Quick update here:

  • As I suspected, the fix is to prompt for PIN as well as passphrase in the khefin-add-luks-key script
  • We also need to do this in the initramfs and mkinitcpio run scripts
  • I would like to avoid prompting unless there is at least one authenticator connected which requires a PIN, to avoid prompting for a PIN when it's not necessary; but this involves adding a new subcommand to khefin for this purpose

I'm still in the process of putting this together in a patch, but I'll have that sorted out this week for sure.

@schaerfo
Copy link
Author

Thank you for your work so far, no need to hurry

@ZenithalHourlyRate
Copy link
Contributor

Reproduced this bug using Yubikey having FIDO PIN. Meanwhile, with another key (CanoKey) without FIDO PIN, the behavior is expected.

ZenithalHourlyRate added a commit to ZenithalHourlyRate/khefin that referenced this issue Jan 17, 2021
@ZenithalHourlyRate
Add PIN support in scripts (closes mjec#31)
fc9c10d
ZenithalHourlyRate added a commit to ZenithalHourlyRate/khefin that referenced this issue Jan 17, 2021
@ZenithalHourlyRate
Add PIN support in scripts (closes mjec#31)
caf7d1f
mjec added a commit that referenced this issue Jan 17, 2021
@mjec @ZenithalHourlyRate
Make mkinitcpio scripts work with PINs (issue #31)
7f8b193 
Co-authored-by: Zenithal <i@zenithal.me>
mjec added a commit that referenced this issue Jan 17, 2021
@mjec @ZenithalHourlyRate
Add PIN support to initramfs tools (issue #31)
6494760 
Co-authored-by: Zenithal <i@zenithal.me>
@mjec
Copy link
Owner

mjec commented Jan 17, 2021

This is fixed in version 0.6.1, now tagged and released.

@mjec mjec closed this as completed Jan 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mjec mjec

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mjec @schaerfo @ZenithalHourlyRate