Re: cryptsetup Yubikey challenge-response support


 



Hi,

Sounds like there is interest, which is good.

There are so many ways to do this it's just not funny.

My preferred approach is to popen out to programs/scripts in libexec
and have a generic challenge response protocol over stdin/stdout.
Potentially there is a need for etc support for configuration, but not
necessarily. That way cryptsetup does not need libusb or udev
(although udev integration is not necessary anyway) etc and allows for
doing challenge response over a network, optionally relying on
multiple keys, mixture of keys plus network, using mass storage devices
as keys etc. The only limit is imagination.

Incorporating libusb or middle-ware libs into cryptsetup is
interesting, but will make testing too damn painful in my opinion.
Plus using popen stdin/stdout protocol reduces new code, keeps things
a bit unixy, and allows anyone to implement their own challenge
response program/script.

cryptsetup could maintain the most popular challenge response scripts,
but distros and sysadmins can add their own too.

How does that sound?

Cheers,

Dan

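A sketch of the popen-style split proposed above, as an added example and not code from cryptsetup or from anyone on this thread: the caller side spawns a helper, writes one hex challenge line to its stdin and reads one hex response line from its stdout; the helper side is a software stand-in for a token's HMAC-SHA1 slot. The line protocol, the helper's "ERR" convention and the demo secret are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import subprocess
import sys

# Constructed demo secret standing in for the one held inside a token's
# HMAC-SHA1 slot; a real helper would hold no secret and query the device.
DEMO_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")

# Helper side: what a libexec script could look like.  Assumed protocol:
# one hex-encoded challenge line on stdin, one hex-encoded response line
# on stdout, "ERR <reason>" plus a non-zero exit status on failure.
HELPER_SOURCE = r"""
import hashlib, hmac, sys
secret = bytes.fromhex(sys.argv[1])        # demo only, see DEMO_SECRET
try:
    challenge = bytes.fromhex(sys.stdin.readline().strip())
except ValueError:
    print("ERR malformed challenge"); sys.exit(1)
print(hmac.new(secret, challenge, hashlib.sha1).hexdigest(), flush=True)
"""
HELPER_CMD = [sys.executable, "-c", HELPER_SOURCE, DEMO_SECRET.hex()]

def token_hmac(secret: bytes, challenge: bytes) -> bytes:
    """Reference: the operation a HMAC-SHA1 slot performs on a challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def challenge_response(helper_cmd, challenge: bytes, timeout=15) -> bytes:
    """Caller side: spawn the helper, send the challenge, read the response."""
    proc = subprocess.run(helper_cmd, input=challenge.hex() + "\n",
                          capture_output=True, text=True, timeout=timeout)
    out = proc.stdout.strip()
    if proc.returncode != 0 or not out or out.startswith("ERR"):
        raise RuntimeError("helper failed: " + (out or proc.stderr.strip()))
    return bytes.fromhex(out)

def derive_unlock_key(challenge: bytes, response: bytes) -> bytes:
    """Bind the key to the stored challenge and the token response; this
    is what would be handed to the LUKS keyslot instead of a passphrase."""
    return hashlib.sha256(challenge + response).digest()

if __name__ == "__main__":
    chal = os.urandom(32)                  # stored alongside the keyslot
    resp = challenge_response(HELPER_CMD, chal)
    assert resp == token_hmac(DEMO_SECRET, chal)
    print("unlock key:", derive_unlock_key(chal, resp).hex())
```

Because the caller only ever sees a command line and two text streams, the same caller works unchanged whether the helper talks to a YubiKey, an OnlyKey, a network service or a mass storage device.
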
On Wed, 8 Apr 2020 at 13:06, Tim Steiner <t@xxxxxx> wrote:
>
> Thanks for including me. So based on my research there would be two ways to do this:
>
> 1) Use libykpers, support for other vendor keys was added in version 1.20.0. This is how both OnlyKey and Yubikey are supported by Keepassxc - https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKey.cpp#L82
>
> You could definitely use this method right now and both OnlyKey and Yubikey would be supported. However Nitrokey does not support this method right now, I am not sure if they would implement this feature or not.
>
> 2) Use FIDO2 HMACSHA1 using something like this - https://github.com/Yubico/python-fido2, OnlyKey, YubiKey, and Nitrokey would support the HmacSecret extension here - https://github.com/Yubico/python-fido2/blob/master/examples/hmac_secret.py
>
> There are tradeoffs to each approach, benefits of 1) are that it's already well tested and stable, is a standard C library, works without needing a UDEV rule since the challenge-response is actually sent via the USB keyboard USB interface. Benefits of 2) It would support more hardware tokens, you could probably also have more secrets, with libykpers there is only support for 2 slots, meaning 2 hmac keys.
>
> So really it would take some research to decide which way to go, I would be happy to assist with integration of OnlyKey and testing.
>
> Tim Steiner
>
> CISSP-ISSAP, C|EH, OSCP, PMP
>
> Email: T@xxxxxx
>
> CryptoTrust | crp.to
>
> Send me a secure message or file
>
>
>
>
>
> ---- On Wed, 08 Apr 2020 06:06:44 -0400 Nikolay Kichukov <hijacker@xxxxxxxxx> wrote ----
>
> I am also interested, HMAC/SHA challenge-response for OnlyKey would be a
> great addition to cryptsetup.
>
> I do not think this should be a product-specific implementation, but
> general for all hardware tokens that support it: OnlyKey, Yubikey,
> Nitrokey, etc.
>
> Adding Tim here, who is the maintainer of the OnlyKey project and may be
> interested.
>
> Thanks,
> -Nik
>
> On 4/8/20 10:37 AM, 7heo wrote:
> > Hello,
> >
> > I believe this is a very good idea, but the implementation should not be limited to yubikey. There are other solutions out there (nitrokey is one) that would also need to be supported IMHO.
> >
> > In addition, I would favor the implementation support of bare usb keys (mass storage), for those of us who wish to use their already-owned encrypted mass storage keys in order to unlock their drive.
> >
> > I had started to implement this (the latter part) in the Alpine Linux initramfs some years ago but given the complexity of the task and the lack of public interest, coupled with FOSS politics, I gave up on it.
> >
> > If you start working on an implementation, I'd be curious to see that and I could eventually participate.
> >
> > Also, your email looks just fine to me :)
> >
> > Cheers,
> > 7heo
> >
> > On Apr 8, 2020 09:54, Dan Farrell <djfarrell@xxxxxxxxx> wrote:
> >>
> >> Hi,
> >>
> >> Hopefully this email comes through without HTML and properly wrapped,
> >> sorry if it doesn't.
> >>
> >> I am wondering if any group has started or is interested in adding
> >> Yubikey challenge-response support to cryptsetup?
> >>
> >> The idea would be to add the option to insert a USB key to (optionally
> >> automagically) unlock at boot time (or whenever cryptsetup is
> >> running). There would be a backup password of course.
> >>
> >> I'm interested in doing this for myself if it's not underway at the
> >> moment. I have some basic ideas on how to do this. I do realise this
> >> could be done external to cryptsetup with distro support, but doing
> >> that messing around with initramfs etc sounds painful, let alone each
> >> distro would need to be supported individually.
> >>
> >> If it's of no interest, that's ok, I'll do it for myself. But if there
> >> is interest I would be willing to work with maintainers to find the
> >> best way to do this and contribute the effort.
> >>
> >> Regards,
> >>
> >> Dan Farrell
> >
>
>
>
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt


