On 07.03.21 23:34, Lennart Poettering wrote:
> Right now whether to require the FIDO2 PIN is not configurable. We
> could make it configurable though, so that you could use it in 1FA
> situations.

I myself am only interested in 2FA; I misread the documentation as the
current implementation being 1FA, but that misunderstanding is now
resolved. Thanks!

If I understand src/cryptsetup/{cryptsetup-fido2,cryptsetup}.c correctly,
then the PIN is used as input to the security token, and whatever the
token returns is base64-encoded and then used as the key for LUKS, right?

If so, I wonder whether this isn't vulnerable to physical USB attacks (see
[1] for an example of how simple this can be). As I mentioned earlier, I
speculate that the fido2luks project hashes the password before FIDO2, and
then again with the FIDO2 response, to alleviate this.

[1] https://ha.cking.ch/s8_data_line_locator/

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
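The two derivations the message above contrasts, as an added example that is not code from systemd, fido2luks or the poster: a simulated token with an hmac-secret-style extension answers an HMAC over a salt under a device secret, scheme A turns the base64 of that response directly into the LUKS key, and scheme B mixes the user's password in before and after the token call. The token model, the domain-separation prefixes, the "what a USB interposer sees" dictionary and the demo PIN, salt and password are all assumptions made for this illustration; the point it shows is only which scheme can be reconstructed from values that cross the USB bus.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not systemd's or fido2luks's code. The token is simulated;
# nothing here talks to a real FIDO2 device.


class SimulatedToken:
    """Stand-in for a token with an hmac-secret-style extension (assumption).

    The response is an HMAC over the caller's salt under a secret that never
    leaves the device. The PIN only gates whether the token answers at all.
    """

    def __init__(self, pin: str, device_secret: Optional[bytes] = None):
        self._pin = pin.encode()
        self._secret = device_secret if device_secret is not None else secrets.token_bytes(32)

    def hmac_secret(self, pin: str, salt: bytes) -> bytes:
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("token refused: wrong PIN")
        return hmac.new(self._secret, salt, hashlib.sha256).digest()


def derive_direct(token: SimulatedToken, pin: str, stored_salt: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Scheme A as the mail describes it: base64 of the token response is the key.

    Returns the key and what a USB interposer would observe on the wire.
    """
    response = token.hmac_secret(pin, stored_salt)
    key = base64.b64encode(response)
    on_wire = {"salt": stored_salt, "response": response}
    return key, on_wire


def derive_mixed(token: SimulatedToken, pin: str, password: str) -> Tuple[bytes, Dict[str, bytes]]:
    """Scheme B, our model of the fido2luks-style idea the mail speculates about.

    The password is hashed once to make the salt sent to the token, then the
    password and the token response are hashed together to make the key. The
    prefixes are domain separation so the on-wire salt is not the key's preimage.
    """
    salt = hashlib.sha256(b"fido2-salt:" + password.encode()).digest()
    response = token.hmac_secret(pin, salt)
    key = hashlib.sha256(b"luks-key:" + password.encode() + response).digest()
    on_wire = {"salt": salt, "response": response}
    return key, on_wire


def attacker_recovers_direct(on_wire: Dict[str, bytes]) -> bytes:
    """Scheme A: everything needed for the key crossed the USB bus."""
    return base64.b64encode(on_wire["response"])


def attacker_guess_mixed(on_wire: Dict[str, bytes], guessed_password: str) -> bytes:
    """Scheme B: the sniffer has salt and response but still needs the password."""
    return hashlib.sha256(b"luks-key:" + guessed_password.encode() + on_wire["response"]).digest()


def demo() -> Dict[str, bool]:
    token = SimulatedToken(pin="1234")                 # constructed PIN
    stored_salt = secrets.token_bytes(32)              # constructed: what a LUKS header would carry
    password = "correct horse battery staple"          # constructed secret the user types

    key_a, wire_a = derive_direct(token, "1234", stored_salt)
    key_b, wire_b = derive_mixed(token, "1234", password)

    return {
        "direct_recovered_from_bus": attacker_recovers_direct(wire_a) == key_a,
        "mixed_recovered_from_bus": attacker_guess_mixed(wire_b, "") == key_b,
        "mixed_with_right_password": attacker_guess_mixed(wire_b, password) == key_b,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two caveats a practitioner would add: the plain SHA-256 in scheme B is only a model, a real deployment would run the password through a slow KDF so that a captured bus transcript cannot be used to brute-force it offline, and the model says nothing about what a real hmac-secret exchange or the actual systemd code does beyond what the message itself states.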