|
|
|
|
@ -275,6 +275,7 @@ let |
|
|
|
|
local new_challenge |
|
|
|
|
local new_response |
|
|
|
|
local new_k_luks |
|
|
|
|
local replace_key |
|
|
|
|
|
|
|
|
|
mount -t ${dev.yubikey.storage.fsType} ${dev.yubikey.storage.device} /crypt-storage || \ |
|
|
|
|
die "Failed to mount YubiKey salt storage device" |
|
|
|
|
@ -283,6 +284,7 @@ let |
|
|
|
|
iterations="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 2p | tr -d '\n')" |
|
|
|
|
challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)" |
|
|
|
|
response="$(ykchalresp -${toString dev.yubikey.slot} -x $challenge 2>/dev/null)" |
|
|
|
|
replace_key="${toString dev.yubikey.replaceKey}" |
|
|
|
|
|
|
|
|
|
for try in $(seq 3); do |
|
|
|
|
${optionalString dev.yubikey.twoFactor '' |
|
|
|
|
@ -329,10 +331,12 @@ let |
|
|
|
|
else |
|
|
|
|
opened=false |
|
|
|
|
echo "Authentication failed!" |
|
|
|
|
rm -f /crypt-ramfs/passphrase |
|
|
|
|
fi |
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
[ "$opened" == false ] && die "Maximum authentication errors reached" |
|
|
|
|
if [ "$replace_key" == "true" ]; then |
|
|
|
|
|
|
|
|
|
echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..." |
|
|
|
|
for i in $(seq ${toString dev.yubikey.saltLength}); do |
|
|
|
|
@ -374,6 +378,8 @@ let |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
rm -f /crypt-ramfs/new_key |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
umount /crypt-storage |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -825,6 +831,12 @@ in |
|
|
|
|
description = lib.mdDoc "Time in seconds to wait for the YubiKey."; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
replaceKey = mkOption { |
|
|
|
|
default = true; |
|
|
|
|
type = types.bool; |
|
|
|
|
description = lib.mdDoc "Whether to replace the salt and luks key after a YubiKey was used. => Only one YubiKey can be used"; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
/* TODO: Add to the documentation of the current module: |
|
|
|
|
|
|
|
|
|
Options related to the storing the salt. |
|
|
|
|
|
