forked from HRouhani/yubikey-luks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathykluks-keyscript
61 lines (53 loc) · 1.58 KB
/
ykluks-keyscript
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#! /bin/sh
#
# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk
#
YUBIKEY_LUKS_SLOT=2 #Set this in case the value is missing in /etc/ykluks.cfg
. /etc/ykluks.cfg
if [ -z "$WELCOME_TEXT" ]; then
WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
fi
message()
{
if [ -x /bin/plymouth ] && plymouth --ping; then
plymouth message --text="$*"
else
echo "$@" >&2
fi
return 0
}
check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"
if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
if [ -z "$cryptkeyscript" ]; then
if [ -x /bin/plymouth ] && plymouth --ping; then
cryptkeyscript="plymouth ask-for-password --prompt"
else
cryptkeyscript="/lib/cryptsetup/askpass"
fi
fi
PW="$($cryptkeyscript "$WELCOME_TEXT")"
else
PW="$YUBIKEY_CHALLENGE"
fi
# Check if YubiKey has been inserted during promt
check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"
if [ "$check_yubikey_present" = "1" ]; then
message "Accessing yubikey..."
if [ "$HASH" = "1" ]; then
PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
fi
R="$(printf %s "$PW" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
if [ "$R" ]; then
message "Retrieved the response from the Yubikey"
if [ "$CONCATENATE" = "1" ]; then
printf '%s' "$PW$R"
else
printf '%s' "$R"
fi
else
message "Failed to retrieve the response from the Yubikey"
fi
else
printf '%s' "$PW"
fi
exit 0