Idea: Unlock remote machine via SSH #57

Status: Open. Wants to merge 1 commit into base: master.
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -10,6 +10,8 @@ reinstall:
install -Dm755 src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll"
install -Dm755 src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format"
install -Dm755 src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open"
install -Dm755 src/ykfde-ssh "$(DESTDIR)/usr/bin/ykfde-ssh"
install -Dm755 src/ykfde-shell "$(DESTDIR)/usr/share/yubikey-full-disk-encryption/utils/shells/ykfde_shell"
install -Dm644 README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md"
test:
./testrun.sh
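Review bot: the new install line references src/ykfde-shell, but the file this PR adds is src/ykfde_shell (see the new-file header for that script further down), so `make install` will fail at that step; make the source path agree with the file name (the installed target is already ykfde_shell). Consider also whether the long utils/shells/ destination is needed, given that src/install/ykfde hard-codes the same path in its add_binary call.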
2 changes: 1 addition & 1 deletion PKGBUILD
Expand Up @@ -7,7 +7,7 @@ arch=('any')
url='https://github.com/agherzan/yubikey-full-disk-encryption'
license=('Apache')
depends=('yubikey-personalization' 'cryptsetup' 'udisks2' 'expect')
optdepends=('ykchalresp-nfc: NFC support')
optdepends=('ykchalresp-nfc: NFC support' 'netcat: SSH support' 'mkinitcpio-dropbear: SSH support')
makedepends=('git')
backup=('etc/ykfde.conf')
source=('git+https://github.com/agherzan/yubikey-full-disk-encryption.git')
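Review bot: the optdepends entry names 'netcat', but the code in this PR calls two different binaries: `ncat` with the `-c` execute option in src/ykfde-ssh and `nc` in the initramfs hook. The `-c` option is an ncat feature, not something the traditional netcat implementations provide, so a user who installs the package named here can still end up with a script that does not run. Name the package that actually provides the `ncat` binary, and have the hook and the script use the same tool. `ss`, which the install hook adds to the image, comes from iproute2 and should be listed as well.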
18 changes: 17 additions & 1 deletion src/hooks/ykfde
Expand Up @@ -4,6 +4,7 @@
# set default values:
DBG=""
YKFDE_CONFIG_FILE="/etc/ykfde.conf"
YKFDE_SSH=""
YKFDE_NFC=""
YKFDE_DISK_UUID=""
YKFDE_LUKS_NAME=""
Expand Down Expand Up @@ -149,6 +150,8 @@ ykfde_do_it() {
_rc=$?

if [ "$_rc" -eq 0 ]; then
touch /.done
Collaborator: I think those two should depend on "$YKFDE_SSH"

killall dropbear
message " Decryption was successful."
if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then
[ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep."
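Review bot: agreeing with the inline comment, `touch /.done` and `killall dropbear` run on every successful decryption, including systems without YKFDE_SSH where dropbear is not present at all; wrap both in `if [ "$YKFDE_SSH" ]; then ... fi`. Also, `killall` is not added to the image anywhere in this PR (the install hook adds only nc, ss and the shell script), so even with SSH enabled this line will fail; either add_binary it in src/install/ykfde or record dropbear's PID and use `kill`.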
Expand Down Expand Up @@ -189,7 +192,7 @@ ykfde_challenge_response() {
_starttime="$(date +%s)"
message " > Waiting $_yubikey_timeout_str for YubiKey..."

while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do
while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_ssh_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do
_endtime="$(date +%s)"
_usedtime=$((_endtime - _starttime))
[ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': "
Expand All @@ -198,6 +201,11 @@ ykfde_challenge_response() {
[ "$DBG" ] && message "[$_rc] '$_tmp'"
if [ "$_rc" -eq 0 ]; then
_yubikey_detected=1
elif [ "$YKFDE_SSH" ]; then
ss -Htln
if [ -n "$(ss -Htln 'sport :9000')" ]; then
_yubikey_ssh_detected=1
fi
elif [ "$YKFDE_NFC" ]; then
[ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': "
_tmp="$(ykchalresp-nfc -n 2>&1)"
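Review bot: the bare `ss -Htln` on the line before the `if` does nothing except print the whole listening-socket table to the console on every iteration of the polling loop; delete it and keep only the command substitution inside the `if`. Two further points: because the SSH check is an `elif` placed ahead of the NFC branch, setting YKFDE_SSH means the NFC branch is never evaluated even when YKFDE_NFC is also set, and port 9000 is hard-coded here, in the nc call below and in ykfde-ssh, which invites drift; define it once in ykfde.conf.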
Expand Down Expand Up @@ -239,6 +247,14 @@ ykfde_challenge_response() {
done
fi

if [ -n "$_yubikey_ssh_detected" ]; then
message " Trying to perform challenge-response over SSH..."
while [ -z "$_ykfde_response" ]; do
sleep 0.5
_ykfde_response="$(printf '%s\n' "$YKFDE_CHALLENGE" | nc 127.0.0.1 9000 | tr -d '\n')"
done
fi

if [ -n "$_yubikey_nfc_detected" ]; then
while [ -z "$_ykfde_response" ]; do
[ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
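Review bot: the `while [ -z "$_ykfde_response" ]` loop has no timeout, so if the forwarded listener goes away after it was detected, boot hangs forever polling `nc`; reuse the $_yubikey_timeout bookkeeping from the detection loop above. In addition, whatever the remote side prints is accepted as the response, including an error message from ykchalresp, which would then be passed on to cryptsetup as the passphrase; check that the reply is non-empty and has the expected shape before leaving the loop, and give nc a connection timeout (`-w`) so a stalled connection returns.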
10 changes: 10 additions & 0 deletions src/install/ykfde
Expand Up @@ -41,6 +41,16 @@ build() {
add_file "/etc/ykfde.conf" "/etc/ykfde.conf"
add_file "/usr/lib/ykfde-suspend/initramfs-suspend" "/ykfde-suspend" 755

# ssh support
if [ "$YKFDE_SSH" ]; then
add_binary "nc"
add_binary "ss"
add_binary "/usr/share/yubikey-full-disk-encryption/utils/shells/ykfde_shell" "/bin/ykfde_shell"

echo 'root:x:0:0:root:/root:/bin/ykfde_shell' > "${BUILDROOT}"/etc/passwd
echo '/bin/ykfde_shell' > "${BUILDROOT}"/etc/shells
fi

# nfc support
if [ "$YKFDE_NFC" ]; then
# serial drivers for nfc
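Review bot: the two `echo ... >` lines truncate ${BUILDROOT}/etc/passwd and ${BUILDROOT}/etc/shells, discarding anything another hook (including the dropbear hook this feature depends on) has already written there; append with `>>` or check for an existing root entry first. Note that dropbear itself is not added here, so the feature silently relies on the user having enabled mkinitcpio-dropbear separately, which should be stated in ykfde.conf or the README.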
6 changes: 6 additions & 0 deletions src/ykfde-ssh
@@ -0,0 +1,6 @@
#!/usr/bin/env bash
Collaborator: Could you make shebang consistent with other ykfde-* scripts? We use #!/bin/bash -p elsewhere.


ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &
Collaborator @Vincent43, Dec 6, 2019:

This ykchalresp invocation leaks the challenge, see #44 and how it was fixed.

Also this line triggers the following shellcheck warning:

In ykfde-ssh line 3:
ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &
        ^-- SC2016: Expressions don't expand in single quotes, use double quotes for that.

For more information:
  https://www.shellcheck.net/wiki/SC2016 -- Expressions don't expand in singl...

Reply: I am pretty sure that this is single quoted intentionally.

Owner @agherzan, Dec 17, 2019:

Yes - it was to avoid expansion. But if that is the case, a comment and a shellcheck disable should be added.

NCAT_PID=$!
ssh "root@$1" -R 127.0.0.1:9000:127.0.0.1:9000
kill $NCAT_PID >/dev/null 2>&1
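Review bot: the ncat listener binds to all interfaces (`-l 9000` with no address), so for as long as this script runs any local process, and any host that can reach port 9000, can submit a challenge and obtain a response computed by the plugged-in YubiKey; since the `ssh -R` line already forwards to 127.0.0.1:9000, bind the listener to loopback as well (`ncat -l 127.0.0.1 9000`). Because ncat without `-k` exits after its first accepted connection, a first attempt that fails leaves the hook's retry loop connecting to a forward with nothing behind it; either add `-k` or restart the listener. The slot is hard-coded as `-2` here while the hook uses $YKFDE_CHALLENGE_SLOT, so take it from the config, and `kill "$NCAT_PID"` should be quoted. The inline comments about the shebang and the challenge being visible on the ykchalresp command line still stand.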
3 changes: 3 additions & 0 deletions src/ykfde.conf
Expand Up @@ -16,6 +16,9 @@

### OPTIONAL ###

# Enable communication with YubiKey via SSH (Experimental).
#YKFDE_SSH="1"

# Enable communication with YubiKey via NFC (Experimental).
#YKFDE_NFC="1"

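Review bot: the option comment should say what enabling it implies, since none of it is discoverable from the config file: the dropbear initramfs hook has to be set up separately, the unlock is performed by running ykfde-ssh from another machine, and the hook will connect to 127.0.0.1:9000. Exposing the port here, instead of hard-coding 9000 in the hook and in ykfde-ssh, would also be a good fit for this block.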
5 changes: 5 additions & 0 deletions src/ykfde_shell
@@ -0,0 +1,5 @@
#!/bin/sh
echo "Trying to unlock using YubiKey via SSH..."
while [ ! -f /.done ]; do
sleep 0.5
done
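Review bot: the loop has no exit condition other than /.done appearing, so a session whose decryption fails (wrong slot, rejected response, cryptsetup error) sits here until the user tears down the connection, and the script never reports what happened; add a bounded wait that exits non-zero with a message when it expires. As this is the forced login shell for root inside the initramfs, finish with an explicit `exit` after the loop rather than falling off the end.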