err

* create PKGBUILD file

* use build & install method

* add package dependencies

.drone.yml

@@ -5,24 +5,24 @@ steps:
  - name: fmt
    image: rust:1.43.0
    commands:
-     -  rustup component add rustfmt
+     - rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - cargo fmt --all -- --check
  - name: test
-   image: rust:1.43.0
+   image: ubuntu:focal
-   commands:
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
-    - cargo test
-
- - name: publish
-   image: rust:1.43.0
    environment:
+    DEBIAN_FRONTEND: noninteractive
+   commands:
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev 
+    - cargo test --locked
+ - name: publish
+   image: ubuntu:focal
+   environment:
+    DEBIAN_FRONTEND: noninteractive
     CARGO_REGISTRY_TOKEN:
      from_secret: cargo_tkn
    commands:
     - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
-    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
     - cargo package --all-features
     - cargo publish --all-features
    when:

.gitignore

@@ -2,3 +2,7 @@
 **/*.rs.bk
 .idea/
 *.iml
+fido2luks.bash
+fido2luks.elv
+fido2luks.fish
+fido2luks.zsh

Cargo.lock

@@ -1,10 +1,25 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 [[package]]
-name = "aho-corasick"
+name = "addr2line"
-version = "0.7.10"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+
+[[package]]
+name = "aho-corasick"
+version = "0.7.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
 dependencies = [
  "memchr",
 ]
@@ -37,37 +52,29 @@ checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"
 
 [[package]]
 name = "autocfg"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
 [[package]]
 name = "backtrace"
-version = "0.3.46"
+version = "0.3.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
 dependencies = [
- "backtrace-sys",
+ "addr2line",
  "cfg-if",
  "libc",
+ "miniz_oxide",
+ "object",
  "rustc-demangle",
 ]
 
-[[package]]
-name = "backtrace-sys"
-version = "0.1.36"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
-dependencies = [
- "cc",
- "libc",
-]
-
 [[package]]
 name = "bindgen"
-version = "0.53.2"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
+checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
 dependencies = [
  "bitflags",
  "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
  "regex",
  "rustc-hash",
  "shlex",
@@ -111,9 +118,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.52"
+version = "1.0.59"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
+checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
 
 [[package]]
 name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.0"
+version = "2.33.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
 dependencies = [
  "ansi_term",
  "atty",
@@ -181,9 +188,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
+checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87"
 dependencies = [
  "crossbeam-utils",
  "maybe-uninit",
@@ -206,7 +213,7 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
  "cfg-if",
  "crossbeam-utils",
  "lazy_static",
@@ -217,12 +224,13 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-queue"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
+checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
  "cfg-if",
  "crossbeam-utils",
+ "maybe-uninit",
 ]
 
 [[package]]
@@ -231,7 +239,7 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
  "cfg-if",
  "lazy_static",
 ]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
  "strsim 0.9.3",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 
 [[package]]
 name = "either"
-version = "1.5.3"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
 
 [[package]]
 name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
 
 [[package]]
 name = "failure"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
 dependencies = [
  "backtrace",
  "failure_derive",
@@ -357,37 +365,39 @@ dependencies = [
 
 [[package]]
 name = "failure_derive"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.9"
+version = "0.2.15"
 dependencies = [
  "ctap_hmac",
  "failure",
  "hex",
  "libcryptsetup-rs",
+ "pamsm",
  "ring",
  "rpassword",
  "serde",
  "serde_derive",
  "serde_json",
  "structopt",
+ "sudo",
 ]
 
 [[package]]
 name = "fnv"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "fuchsia-cprng"
@@ -401,6 +411,12 @@ version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 
+[[package]]
+name = "gimli"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+
 [[package]]
 name = "glob"
 version = "0.3.0"
@@ -418,9 +434,9 @@ dependencies = [
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.12"
+version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
+checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
 dependencies = [
  "libc",
 ]
@@ -448,9 +464,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
 [[package]]
 name = "itoa"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
+checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
 
 [[package]]
 name = "lazy_static"
@@ -460,21 +476,21 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
 [[package]]
 name = "lazycell"
-version = "1.2.1"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.69"
+version = "0.2.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
+checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
+checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
 dependencies = [
  "either",
  "libc",
@@ -487,9 +503,9 @@ dependencies = [
 
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
+checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
 dependencies = [
  "bindgen",
  "cc",
@@ -509,9 +525,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.8"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
 dependencies = [
  "cfg-if",
 ]
@@ -530,18 +546,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
 
 [[package]]
 name = "memoffset"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
+checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
+]
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
+dependencies = [
+ "adler",
 ]
 
 [[package]]
 name = "nom"
-version = "5.1.1"
+version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
+checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
 dependencies = [
  "memchr",
  "version_check",
@@ -560,13 +585,25 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
+checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]
 
+[[package]]
+name = "object"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+
+[[package]]
+name = "pamsm"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
+
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -575,33 +612,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 
 [[package]]
 name = "proc-macro-error"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
  "version_check",
 ]
 
 [[package]]
 name = "proc-macro-error-attr"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
- "syn-mid",
  "version_check",
 ]
 
@@ -616,11 +651,11 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.10"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
+checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
 dependencies = [
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -640,11 +675,11 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.3"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
+checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
 ]
 
 [[package]]
@@ -787,9 +822,9 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.3.7"
+version = "1.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
+checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -799,9 +834,9 @@ dependencies = [
 
 [[package]]
 name = "regex-syntax"
-version = "0.6.17"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
+checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
 
 [[package]]
 name = "ring"
@@ -858,9 +893,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.4"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
+checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 
 [[package]]
 name = "scopeguard"
@@ -885,26 +920,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
+checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
 
 [[package]]
 name = "serde_derive"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
+checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
 ]
 
 [[package]]
 name = "serde_json"
-version = "1.0.51"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
+checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
 dependencies = [
  "itoa",
  "ryu",
@@ -931,9 +966,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.14"
+version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
+checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
 dependencies = [
  "clap",
  "lazy_static",
@@ -942,15 +977,25 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.7"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
+checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
+]
+
+[[package]]
+name = "sudo"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
+dependencies = [
+ "libc",
+ "log",
 ]
 
 [[package]]
@@ -966,36 +1011,25 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.18"
+version = "1.0.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
+checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
-]
-
-[[package]]
-name = "syn-mid"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
-dependencies = [
- "proc-macro2 1.0.10",
- "quote 1.0.3",
- "syn 1.0.18",
 ]
 
 [[package]]
 name = "synstructure"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.40",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -1027,11 +1061,12 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.1.43"
+version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
+checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
 dependencies = [
  "libc",
+ "wasi",
  "winapi",
 ]
 
@@ -1043,9 +1078,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
 
 [[package]]
 name = "unicode-width"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
 
 [[package]]
 name = "unicode-xid"
@@ -1055,9 +1090,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 
 [[package]]
 name = "unicode-xid"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
 
 [[package]]
 name = "untrusted"
@@ -1076,15 +1111,21 @@ dependencies = [
 
 [[package]]
 name = "vec_map"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 
 [[package]]
 name = "version_check"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
+checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
+
+[[package]]
+name = "wasi"
+version = "0.10.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
 
 [[package]]
 name = "which"
@@ -1097,9 +1138,9 @@ dependencies = [
 
 [[package]]
 name = "winapi"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
  "winapi-i686-pc-windows-gnu",
  "winapi-x86_64-pc-windows-gnu",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.9"
+version = "0.2.15"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -24,6 +24,18 @@ libcryptsetup-rs = "0.4.1"
 serde_json = "1.0.51"
 serde_derive = "1.0.106"
 serde = "1.0.106"
+pamsm = { version = "0.4.1", features = ["libpam"] }
+sudo = "0.5.0"
+
+[build-dependencies]
+ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+hex = "0.3.2"
+ring = "0.13.5"
+failure = "0.1.5"
+rpassword = "4.0.1"
+libcryptsetup-rs = "0.4.1"
+pamsm = { version = "0.4.1", features = ["libpam"] }
+structopt = "0.3.2"
 
 [profile.release]
 lto = true
@@ -32,13 +44,25 @@ panic = 'abort'
 incremental = false
 overflow-checks = false
 
+[[bin]]
+name = "fido2luks"
+path = "src/main.rs"
+
+[lib]
+name = "fido2luks_pam"
+path = "src/lib.rs"
+crate-type = ["cdylib"]
+
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
-build-depends = "libclang-dev, libcryptsetup-dev"
+build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
     ["target/release/fido2luks", "usr/bin/", "755"],
+    ["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
+    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
     ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
     ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
     ["initramfs-tools/fido2luks.conf", "etc/", "644"],
 ]
+conf-files = ["/etc/fido2luks.conf"]

PKGBUILD

@@ -0,0 +1,25 @@
+# Maintainer: shimunn <shimun@shimun.net>
+pkgname=fido2luks
+pkgver=0.2.12
+pkgrel=1
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+depends=('cryptsetup')
+arch=('i686' 'x86_64' 'armv6h' 'armv7h')
+pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+url="https://github.com/shimunn/fido2luks"
+license=('MPL-2.0')
+
+pkgver() {
+	# Use tag version if possible otherwise concat project version and git ref
+	git describe --exact-match --tags HEAD 2> /dev/null || \
+		echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+}
+
+build() {
+    cargo build --release --locked --all-features --target-dir=target
+}
+
+package() {
+    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
+    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+}

README.md

@@ -1,6 +1,6 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 
 Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 
@@ -65,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
 
-## Test
+## Testing
 
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
@@ -96,6 +96,13 @@ set -a
 
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 
+### Multiple keys
+
+Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
+```
+FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
+```
+
 ## Removal
 
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -107,3 +114,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
+
+## License
+
+Licensed under
+
+ * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
+
+### Contribution
+
+Unless you explicitly state otherwise, any contribution intentionally
+submitted for inclusion in the work by you, as defined in the MPL 2.0
+license, shall be licensed as above, without any additional terms or
+conditions.
+

build.rs

@@ -0,0 +1,24 @@
+#![allow(warnings)]
+#[macro_use]
+extern crate failure;
+extern crate ctap_hmac as ctap;
+
+#[path = "src/cli_args/mod.rs"]
+mod cli_args;
+#[path = "src/error.rs"]
+mod error;
+#[path = "src/util.rs"]
+mod util;
+
+use cli_args::Args;
+use std::env;
+use std::str::FromStr;
+use structopt::clap::Shell;
+use structopt::StructOpt;
+
+fn main() {
+    // generate completion scripts, zsh does panic for some reason
+    for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
+        Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
+    }
+}

dracut/95fido2luks/fido2luks@fido2luks\x2dtest.service

@@ -1,17 +0,0 @@
-[Unit]
-Description="fido2luks setup for /data/home/marvin/Documents/RustProjects/fido2luks/luks2.img"
-After=data-home-marvin-Documents-RustProjects-fido2luks-luks2.img.device cryptsetup-pre.target systemd-journald.socket
-Before=systemd-cryptsetup@fido2luks\x2dtest.service umount.target fido2luks.target
-BindsTo=data-home-marvin-Documents-RustProjects-fido2luks-luks2.img.device
-Conflicts=umount.target
-
-[Service]
-Type=oneshot
-EnvironmentFile="../../fido2luks.conf"
-Restart=on-failure
-RestartSec=3
-RemainAfterExit=yes
-
-ExecStartPre=-/bin/true
-ExecStart=fido2luks open
-ExecStop=/usr/lib/systemd/systemd-cryptsetup detach "fido2luks-test"

dracut/95fido2luks/generator.sh

@@ -1,96 +0,0 @@
-#!/usr/bin/env bash
-# https://www.freedesktop.org/software/systemd/man/systemd.generator.html#Output%20directories
-normal_dir=$1
-early_dir=$2
-late_dir=$3
-CONFIG="${4:-/etc/fido2luks.conf}"
-GENERATOR_NORMAL_DIR=${1:-/run/systemd/system}
-TARGET="fido2luks.target"
-SYSTEMD_CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
-
-error() {
-  printf "$1" 1>&2
-  [ -e /dev/kmsg ] && printf "$1" > /dev/kmsg
-  exit 1
-}
-
-make_service() {
-  local config="$1"
-  local service_dir="${2:-.}"
-  source "$config"
-  if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ] && [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
-    error "Config is missing credential_id"
-  fi
-  if [ -z "$FIDO2LUKS_DEVICE" ]; then
-    error "Config is missing device"
-  fi
-  if [ -z "$FIDO2LUKS_MAPPER_NAME" ]; then
-    error "Config is missing mapper_name"
-  fi
-  #local uuid="$(blkid -o value -s UUID '$FIDO2LUKS_DEVICE')"
-  #if [ $? -ne 0 ]; then
-  #  error "Failed to get UUID for \"%s\"" "$FIDO2LUKS_DEVICE"
-  #fi
-  local escaped_path=$(systemd-escape -p "$FIDO2LUKS_DEVICE")
-  local escaped_name=$(systemd-escape -p "$FIDO2LUKS_MAPPER_NAME")
-  local service_file="$service_dir/fido2luks@$escaped_name.service"
-  local device_unit="$escaped_path.device"
-  local cryptsetup_service="systemd-cryptsetup@$escaped_name.service"
-
-cat > $service_file <<- EOM
-[Unit]
-Description="fido2luks setup for ${FIDO2LUKS_DEVICE}"
-After=${device_unit} cryptsetup-pre.target systemd-journald.socket
-Before=${cryptsetup_service} umount.target ${TARGET}
-BindsTo=$device_unit
-Conflicts=umount.target
-
-[Service]
-Type=oneshot
-Environment=FIDO2LUKS_PASSWORD_HELPER="/usr/bin/systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
-EnvironmentFile="$config"
-Restart=on-failure
-RestartSec=3
-RemainAfterExit=yes
-
-ExecStartPre=-${FIDO2LUKS_BOOT_PRE:-/bin/true}
-ExecStart=fido2luks open
-ExecStop=${SYSTEMD_CRYPTSETUP} detach "${FIDO2LUKS_MAPPER_NAME}"
-EOM
-
- mkdir -p "$service_dir/$cryptsetup_service.d" "$service_dir/$cryptsetup_service.wants"
-
-cat > $service_dir/$cryptsetup_service.d/fido2luks-$escaped_name.conf <<- EOM
-[Unit]
-ConditionPathExists=!/dev/mapper/$FIDO2LUKS_MAPPER_NAME
-EOM
-
-  ln -sf $service_file "$service_dir/$cryptsetup_service.wants/"
-}
-
-service_generator() {
-  local config="$1"
-  if [ ! -e "$config" ]; then
-    printf "Config does not exist" 1>&2;
-    return 1
-  fi
-  source "$config"
-  local escaped_name=$(systemd-escape -p "$FIDO2LUKS_MAPPER_NAME")
-  make_service "$config" $normal_dir
-}
-
-generate_services() {
-  if [ -e "$CONFIG" ]; then
-    service_generator "$CONFIG"
-  fi
-  if [ -e $CONFIG.d ]; then
-    for config in $CONFIG.d/*;  do
-      service_generator "$config"
-    done
-  fi
-}
-if [ ! -z "$PRINT_SERVICE_FILE" ]; then
-  make_service "$1"
-else
-  generate_services
-fi

dracut/95fido2luks/module-setup.sh

@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-check () {
-        if ! dracut_module_included "systemd"; then
-                "fido2luks needs systemd in the initramfs"
-                return 1
-        fi
-        return 255
-}
-
-depends () {
-        echo "systemd crypt"
-        return 0
-}
-
-mirror() {
-  inst_simple "$1" "$1"
-}
-
-install () {
-        set -ex
-        bash -n "$moddir/generator.sh"
-        local tmp=$(mktemp -d -t dracut-fido2luks-XXX)
-        trap "rm -rf $tmp" EXIT
-        $moddir/generator.sh "" "" "$tmp" /etc/fido2luks.conf
-        
-        inst "$moddir/generator.sh" "$systemdutildir/system-generators/fido2luks-generator.sh"
-        mirror "/usr/bin/fido2luks"
-        mirror "/etc/fido2luks.conf"
-        [ -d /etc/fido2luks.conf.d ] && for config in /etc/fido2luks.conf.d/*;  do
-          mirror "$config"
-        done
-        inst "$systemdutildir/systemd-cryptsetup"
-        mkdir -p "$initdir/fido2luks"
-
-        inst "$moddir/fido2luks.target" "$systemdsystemunitdir/fido2luks.target"
-        mkdir -p "$systemdsystemunitdir/fido2luks.target.wants"
-
-        mkdir -p "$systemdsystemunitdir/sysinit.target.wants"
-        ln -sf "$systemdsystemunitdir/fido2luks.target" "$systemdsystemunitdir/sysinit.target.wants/"
-}

dracut/95fido2luks/systemd-cryptsetup@fido2luks\x2dtest.service.d/fido2luks-fido2luks\x2dtest.conf

@@ -1,2 +0,0 @@
-[Unit]
-ConditionPathExists=!/dev/mapper/fido2luks-test

dracut/96luks-2fa/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+FIDO2LUKS_PASSWORD_HELPER=/usr/bin/systemd-ask-password Please enter second factor for LUKS disk encryption
+

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+NORMAL_DIR="/run/systemd/system"
+LUKS_2FA_WANTS="/etc/systemd/system/luks-2fa.target.wants"
+
+CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
+FIDO2LUKS="/usr/bin/fido2luks"
+MOUNT=$(command -v mount)
+UMOUNT=$(command -v umount)
+
+TIMEOUT=120
+CON_MSG="Please connect your authenticator"
+
+generate_service () {
+        local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
+
+        local sd_target_uuid=$(systemd-escape -p $target_uuid)
+        local target_dev="dev-disk-by\x2duuid-${sd_target_uuid}.device"
+
+        local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
+        local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
+        local fido2luks_args="--bin"
+        if [ ! -z "$timeout" ]; then
+          fido2luks_args="$fido2luks_args --await-dev ${timeout}"
+        fi
+        {
+                printf -- "[Unit]"
+                printf -- "\nDescription=%s" "2fa for luks"
+                printf -- "\nBindsTo=%s" "$target_dev"
+                printf -- "\nAfter=%s cryptsetup-pre.target systemd-journald.socket" "$target_dev"
+                printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
+                printf -- "\nConflicts=umount.target"
+                printf -- "\nDefaultDependencies=no"
+                [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
+                printf -- "\n\n[Service]"
+                printf -- "\nType=oneshot"
+                printf -- "\nRemainAfterExit=yes"
+                printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
+                [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
+                printf -- "\nKeyringMode=%s" "shared"
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
+                printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
+        } > "$sd_service"
+
+        mkdir -p "${sd_dir}/${crypto_target_service}.d"
+        {
+                printf -- "[Unit]"
+                printf -- "\nConditionPathExists=!/dev/mapper/luks-%s" "$target_uuid"
+        } > "${sd_dir}/${crypto_target_service}.d/drop-in.conf"
+
+        ln -sf "$sd_service" "${LUKS_2FA_WANTS}/"
+}
+
+parse_cmdline () {
+        local CMDLINE
+        IFS=':' read -ra CMDLINE <<<${1#rd.luks.2fa=}
+
+        local __k_uuid=$2
+        eval $__k_uuid=${CMDLINE[0]#UUID=}
+
+        local __t_uuid=$3
+        eval $__t_uuid=${CMDLINE[1]#UUID=}
+
+        local __t=$4
+        eval $__t=${CMDLINE[2]:-$TIMEOUT}
+
+}
+
+generate_from_cmdline () {
+        local credential_id= target_uuid= timeout=
+
+        for argv in $(cat /proc/cmdline); do
+                case $argv in
+                        rd.luks.2fa=*)
+                                parse_cmdline $argv credential_id target_uuid timeout
+                                generate_service $credential_id $target_uuid $timeout
+                                ;;
+                esac
+        done
+}
+
+generate_from_cmdline

dracut/96luks-2fa/luks-2fa.target

@@ -1,4 +1,4 @@
 [Unit]
-Description=fido2luks target
+Description=2FA with LUKS
 Before=sysinit.target dracut-pre-mount.service
 After=systemd-ask-password-console.path

dracut/96luks-2fa/module-setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+check () {
+        if ! dracut_module_included "systemd"; then
+                "luks-2fa needs systemd in the initramfs"
+                return 1
+        fi
+        return 255
+        set -e
+        bash -n "$moddir/luks-2fa-generator.sh"
+}
+
+depends () {
+        echo "systemd"
+        return 0
+}
+
+install () {
+        inst "$moddir/luks-2fa-generator.sh" "/etc/systemd/system-generators/luks-2fa-generator.sh"
+        inst_simple "/usr/bin/fido2luks" "/usr/bin/fido2luks"
+        inst_simple "/etc/fido2luks.conf" "/etc/fido2luks.conf"
+        inst "$systemdutildir/systemd-cryptsetup"
+        mkdir -p "$initdir/luks-2fa"
+
+        inst "$moddir/luks-2fa.target" "/etc/systemd/system/luks-2fa.target"
+        mkdir -p "$initdir/etc/systemd/system/luks-2fa.target.wants"
+        
+        mkdir -p "$initdir/etc/systemd/system/sysinit.target.wants"
+        ln -sf "/etc/systemd/system/luks-2fa.target" "$initdir/etc/systemd/system/sysinit.target.wants/"
+}

dracut/LICENSE

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.

dracut/Makefile

@@ -1,9 +1,23 @@
-.PHONY: install
+.PHONY: install clean
+
+DRACUT_MODULES_D=/usr/lib/dracut/modules.d
+DRACUT_CONF_D=/etc/dracut.conf.d
+
+MODULE_CONF_D=dracut.conf.d
+MODULE_CONF=luks-2fa.conf
+MODULE_DIR=96luks-2fa
+
+help:
+	@echo make help to show this help
+	@echo make install to install
+	@echo make clean to remove
 
 install:
-	cp -r 95fido2luks /usr/lib/dracut/modules.d/
+	cp ${MODULE_CONF_D}/${MODULE_CONF} ${DRACUT_CONF_D}/
-	cp -r dracut.conf.d/fido2luks.conf /usr/lib/dracut/dracut.conf.d/
+	cp -r ${MODULE_DIR} ${DRACUT_MODULES_D}/
+	cp ${MODULE_DIR}/fido2luks.conf /etc/fido2luks.conf
 	dracut -fv
 clean:
-	rm -r /usr/lib/dracut/modules.d/95fido2luks /usr/lib/dracut/dracut.conf.d/fido2luks.conf
+	rm ${DRACUT_CONF_D}/${MODULE_CONF}
+	rm -r ${DRACUT_MODULES_D}/${MODULE_DIR}
 	dracut -fv

dracut/README.md

@@ -0,0 +1 @@
+Thease scripts originate from https://github.com/raffaeleflorio/luks-2fa-dracut and where adapted to my usecase

dracut/dracut.conf.d/fido2luks.conf

@@ -1 +0,0 @@
-add_dracutmodules+=" fido2luks "

dracut/dracut.conf.d/luks-2fa.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" luks-2fa "

initramfs-tools/README.md

@@ -1,13 +1,34 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 
-After installation generate your credentials and add keys to your disk as described in the top-level README
+For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
-then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
 
-Example:
-```
-sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
 ```
+sudo -s
 
-But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
+# Insert FIDO key.
+fido2luks credential
+# Tap FIDO key
+# Copy returned string <CREDENTIAL>
+
+nano /etc/fido2luks.conf
+# Insert <CREDENTIAL> 
+# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
+
+set -a
+. /etc/fido2luks.conf
+fido2luks -i add-key /dev/<LUKS PARTITION>
+# Current password: <Any current LUKS password>
+# Password: <Password used as FIDO challange>
+# Tap FIDO key
+
+nano /etc/crypttab
+# Append to end ",discard,initramfs,keyscript=fido2luks"
+# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
+
+update-initramfs -u
+
+
+```
 
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
+

initramfs-tools/fido2luks.conf

@@ -1,3 +1,3 @@
 FIDO2LUKS_SALT=Ask
-#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/keyscript.sh

@@ -3,7 +3,12 @@ set -a
 . /etc/fido2luks.conf
 
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
-	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
+	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
+fi
+
+if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
+	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
 fi
 
 fido2luks print-secret --bin

src/cli.rs

@@ -1,134 +1,36 @@
 use crate::error::*;
+use crate::luks::{Fido2LuksToken, LuksDevice};
+use crate::util::sha256;
 use crate::*;
+use cli_args::*;
 
+use structopt::clap::Shell;
 use structopt::StructOpt;
 
 use ctap::{FidoCredential, FidoErrorKind};
-use failure::_core::fmt::{Display, Error, Formatter};
-use failure::_core::str::FromStr;
-use failure::_core::time::Duration;
-use std::io::Write;
-use std::process::exit;
-use std::thread;
 
-use crate::luks::{Fido2LuksToken, LuksDevice};
+use std::io::{Read, Write};
-use crate::util::sha256;
+use std::str::FromStr;
+use std::thread;
+use std::time::Duration;
+
 use std::borrow::Cow;
 use std::collections::HashSet;
+use std::fs::File;
 use std::time::SystemTime;
 
-#[derive(Debug, Eq, PartialEq, Clone)]
+pub use cli_args::Args;
-pub struct HexEncoded(pub Vec<u8>);
 
-impl Display for HexEncoded {
+fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+    if let Some(src) = ap.pin_source.as_ref() {
-        f.write_str(&hex::encode(&self.0))
+        let mut pin = String::new();
+        File::open(src)?.read_to_string(&mut pin)?;
+        Ok(pin)
+    } else {
+        util::read_password("Authenticator PIN", false)
     }
 }
 
-impl AsRef<[u8]> for HexEncoded {
-    fn as_ref(&self) -> &[u8] {
-        &self.0[..]
-    }
-}
-
-impl FromStr for HexEncoded {
-    type Err = hex::FromHexError;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(HexEncoded(hex::decode(s)?))
-    }
-}
-
-#[derive(Debug, Eq, PartialEq, Clone)]
-pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
-
-impl<T: Display + FromStr> Display for CommaSeparated<T> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
-        for i in &self.0 {
-            f.write_str(&i.to_string())?;
-            f.write_str(",")?;
-        }
-        Ok(())
-    }
-}
-
-impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
-    type Err = <T as FromStr>::Err;
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(CommaSeparated(
-            s.split(',')
-                .map(|part| <T as FromStr>::from_str(part))
-                .collect::<Result<Vec<_>, _>>()?,
-        ))
-    }
-}
-
-#[derive(Debug, StructOpt)]
-pub struct Credentials {
-    /// FIDO credential ids, separated by ',' generate using fido2luks credential
-    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub ids: CommaSeparated<HexEncoded>,
-}
-
-#[derive(Debug, StructOpt)]
-pub struct AuthenticatorParameters {
-    /// Request a PIN to unlock the authenticator
-    #[structopt(short = "P", long = "pin")]
-    pub pin: bool,
-
-    /// Await for an authenticator to be connected, timeout after n seconds
-    #[structopt(
-        long = "await-dev",
-        name = "await-dev",
-        env = "FIDO2LUKS_DEVICE_AWAIT",
-        default_value = "15"
-    )]
-    pub await_time: u64,
-}
-
-#[derive(Debug, StructOpt)]
-pub struct LuksParameters {
-    #[structopt(env = "FIDO2LUKS_DEVICE")]
-    device: PathBuf,
-
-    /// Try to unlock the device using a specifc keyslot, ignore all other slots
-    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
-    slot: Option<u32>,
-}
-
-#[derive(Debug, StructOpt, Clone)]
-pub struct LuksModParameters {
-    /// Number of milliseconds required to derive the volume decryption key
-    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
-    #[structopt(long = "kdf-time", name = "kdf-time")]
-    kdf_time: Option<u64>,
-}
-
-#[derive(Debug, StructOpt)]
-pub struct SecretParameters {
-    /// Salt for secret generation, defaults to 'ask'
-    ///
-    /// Options:{n}
-    ///  - ask              : Prompt user using password helper{n}
-    ///  - file:<PATH>      : Will read <FILE>{n}
-    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
-    #[structopt(
-        name = "salt",
-        long = "salt",
-        env = "FIDO2LUKS_SALT",
-        default_value = "ask"
-    )]
-    pub salt: InputSalt,
-    /// Script used to obtain passwords, overridden by --interactive flag
-    #[structopt(
-        name = "password-helper",
-        env = "FIDO2LUKS_PASSWORD_HELPER",
-        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
-    )]
-    pub password_helper: PasswordHelper,
-}
-
 fn derive_secret(
     credentials: &[HexEncoded],
     salt: &[u8; 32],
@@ -165,171 +67,6 @@ fn derive_secret(
     Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
 }
 
-fn read_pin() -> Fido2LuksResult<String> {
-    util::read_password("Authenticator PIN", false)
-}
-
-#[derive(Debug, StructOpt)]
-pub struct Args {
-    /// Request passwords via Stdin instead of using the password helper
-    #[structopt(short = "i", long = "interactive")]
-    pub interactive: bool,
-    #[structopt(subcommand)]
-    pub command: Command,
-}
-
-#[derive(Debug, StructOpt, Clone)]
-pub struct OtherSecret {
-    /// Use a keyfile instead of a password
-    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
-    keyfile: Option<PathBuf>,
-    /// Use another fido device instead of a password
-    /// Note: this requires for the credential fot the other device to be passed as argument as well
-    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
-    fido_device: bool,
-}
-
-#[derive(Debug, StructOpt)]
-pub enum Command {
-    #[structopt(name = "print-secret")]
-    PrintSecret {
-        /// Prints the secret as binary instead of hex encoded
-        #[structopt(short = "b", long = "bin")]
-        binary: bool,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-    },
-    /// Adds a generated key to the specified LUKS device
-    #[structopt(name = "add-key")]
-    AddKey {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        /// Will wipe all other keys
-        #[structopt(short = "e", long = "exclusive")]
-        exclusive: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
-        #[structopt(short = "t", long = "token")]
-        token: bool,
-        #[structopt(flatten)]
-        existing_secret: OtherSecret,
-        #[structopt(flatten)]
-        luks_mod: LuksModParameters,
-    },
-    /// Replace a previously added key with a password
-    #[structopt(name = "replace-key")]
-    ReplaceKey {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        /// Add the password and keep the key
-        #[structopt(short = "a", long = "add-password")]
-        add_password: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
-        #[structopt(short = "t", long = "token")]
-        token: bool,
-        #[structopt(flatten)]
-        replacement: OtherSecret,
-        #[structopt(flatten)]
-        luks_mod: LuksModParameters,
-    },
-    /// Open the LUKS device
-    #[structopt(name = "open")]
-    Open {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
-        name: String,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
-        retries: i32,
-    },
-    /// Open the LUKS device using credentials embedded in the LUKS 2 header
-    #[structopt(name = "open-token")]
-    OpenToken {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
-        name: String,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
-        retries: i32,
-    },
-    /// Generate a new FIDO credential
-    #[structopt(name = "credential")]
-    Credential {
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        /// Name to be displayed on the authenticator if it has a display
-        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
-        name: Option<String>,
-    },
-    /// Check if an authenticator is connected
-    #[structopt(name = "connected")]
-    Connected,
-    Token(TokenCommand),
-}
-
-///LUKS2 token related operations
-#[derive(Debug, StructOpt)]
-pub enum TokenCommand {
-    /// List all tokens associated with the specified device
-    List {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        /// Dump all credentials as CSV
-        #[structopt(long = "csv")]
-        csv: bool,
-    },
-    /// Add credential to a keyslot
-    Add {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        /// Slot to which the credentials will be added
-        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
-        slot: u32,
-    },
-    /// Remove credentials from token(s)
-    Remove {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        #[structopt(flatten)]
-        credentials: Credentials,
-        /// Token from which the credentials will be removed
-        #[structopt(long = "token")]
-        token_id: Option<u32>,
-    },
-    /// Remove all unassigned tokens
-    GC {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-    },
-}
-
 pub fn parse_cmdline() -> Args {
     Args::from_args()
 }
@@ -345,7 +82,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         } => {
             let pin_string;
             let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                 Some(pin_string.as_ref())
             } else {
                 None
@@ -362,7 +99,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         } => {
             let pin_string;
             let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                 Some(pin_string.as_ref())
             } else {
                 None
@@ -370,7 +107,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
                 util::read_password_hashed("Password", false)
             } else {
-                secret.salt.obtain(&secret.password_helper)
+                secret.salt.obtain_sha256(&secret.password_helper)
             }?;
             let (secret, _cred) = derive_secret(
                 credentials.ids.0.as_slice(),
@@ -406,7 +143,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             ..
         } => {
             let pin = if authenticator.pin {
-                Some(read_pin()?)
+                Some(read_pin(authenticator)?)
             } else {
                 None
             };
@@ -414,7 +151,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 if interactive || secret.password_helper == PasswordHelper::Stdin {
                     util::read_password_hashed(q, verify)
                 } else {
-                    secret.salt.obtain(&secret.password_helper)
+                    secret.salt.obtain_sha256(&secret.password_helper)
                 }
             };
             let other_secret = |salt_q: &str,
@@ -522,7 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         } => {
             let pin_string;
             let pin = if authenticator.pin {
-                pin_string = read_pin()?;
+                pin_string = read_pin(authenticator)?;
                 Some(pin_string.as_ref())
             } else {
                 None
@@ -531,7 +268,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 if interactive || secret.password_helper == PasswordHelper::Stdin {
                     util::read_password_hashed(q, verify)
                 } else {
-                    secret.salt.obtain(&secret.password_helper)
+                    secret.salt.obtain_sha256(&secret.password_helper)
                 }
             };
 
@@ -712,5 +449,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 Ok(())
             }
         },
+        Command::GenerateCompletions { shell, out_dir } => {
+            Args::clap().gen_completions(
+                env!("CARGO_PKG_NAME"),
+                match shell.as_ref() {
+                    "bash" => Shell::Bash,
+                    "fish" => Shell::Fish,
+                    _ => unreachable!("structopt shouldn't allow us to reach this point"),
+                },
+                &out_dir,
+            );
+            Ok(())
+        }
     }
 }

src/cli_args/config.rs

@@ -10,33 +10,33 @@ use std::process::Command;
 use std::str::FromStr;
 
 #[derive(Debug, Clone, PartialEq)]
-pub enum InputSalt {
+pub enum SecretInput {
     AskPassword,
     String(String),
     File { path: PathBuf },
 }
 
-impl Default for InputSalt {
+impl Default for SecretInput {
     fn default() -> Self {
-        InputSalt::AskPassword
+        SecretInput::AskPassword
     }
 }
 
-impl From<&str> for InputSalt {
+impl From<&str> for SecretInput {
     fn from(s: &str) -> Self {
         let mut parts = s.split(':');
         match parts.next() {
-            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("ask") | Some("Ask") => SecretInput::AskPassword,
-            Some("file") => InputSalt::File {
+            Some("file") => SecretInput::File {
                 path: parts.collect::<Vec<_>>().join(":").into(),
             },
-            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
             _ => Self::default(),
         }
     }
 }
 
-impl FromStr for InputSalt {
+impl FromStr for SecretInput {
     type Err = Fido2LuksError;
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +44,42 @@ impl FromStr for InputSalt {
     }
 }
 
-impl fmt::Display for InputSalt {
+impl fmt::Display for SecretInput {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
         f.write_str(&match self {
-            InputSalt::AskPassword => "ask".to_string(),
+            SecretInput::AskPassword => "ask".to_string(),
-            InputSalt::String(s) => ["string", s].join(":"),
+            SecretInput::String(s) => ["string", s].join(":"),
-            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+            SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
         })
     }
 }
 
-impl InputSalt {
+impl SecretInput {
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
+        Ok(String::from_utf8(self.obtain(password_helper)?)?)
+    }
+
+    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
+        let mut secret = Vec::new();
+        match self {
+            SecretInput::File { path } => {
+                //TODO: replace with try_blocks
+                let mut do_io = || File::open(path)?.read_to_end(&mut secret);
+                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
+            }
+            SecretInput::AskPassword => {
+                secret.extend_from_slice(password_helper.obtain()?.as_bytes())
+            }
+
+            SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
+        }
+        Ok(secret)
+    }
+
+    pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
         let mut digest = digest::Context::new(&digest::SHA256);
         match self {
-            InputSalt::File { path } => {
+            SecretInput::File { path } => {
                 let mut do_io = || {
                     let mut reader = File::open(path)?;
                     let mut buf = [0u8; 512];
@@ -73,10 +94,7 @@ impl InputSalt {
                 };
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
-            InputSalt::AskPassword => {
+            _ => digest.update(self.obtain(password_helper)?.as_slice()),
-                digest.update(password_helper.obtain()?.as_bytes());
-            }
-            InputSalt::String(s) => digest.update(s.as_bytes()),
         }
         let mut salt = [0u8; 32];
         salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -135,10 +153,9 @@ impl PasswordHelper {
             Systemd => unimplemented!(),
             Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
-                let mut helper_parts = password_helper.split(' ');
+                let password = Command::new("sh")
-
+                    .arg("-c")
-                let password = Command::new((&mut helper_parts).next().unwrap())
+                    .arg(&password_helper)
-                    .args(helper_parts)
                     .output()
                     .map_err(|e| Fido2LuksError::AskPassError {
                         cause: error::AskPassError::IO(e),
@@ -158,24 +175,30 @@ mod test {
     #[test]
     fn input_salt_from_str() {
         assert_eq!(
-            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            "file:/tmp/abc".parse::<SecretInput>().unwrap(),
-            InputSalt::File {
+            SecretInput::File {
                 path: "/tmp/abc".into()
             }
         );
         assert_eq!(
-            "string:abc".parse::<InputSalt>().unwrap(),
+            "string:abc".parse::<SecretInput>().unwrap(),
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
+        );
+        assert_eq!(
+            "ask".parse::<SecretInput>().unwrap(),
+            SecretInput::AskPassword
+        );
+        assert_eq!(
+            "lol".parse::<SecretInput>().unwrap(),
+            SecretInput::default()
         );
-        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
-        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
     }
 
     #[test]
     fn input_salt_obtain() {
         assert_eq!(
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(&PasswordHelper::Stdin)
                 .unwrap(),
             [
                 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

src/cli_args/mod.rs

@@ -0,0 +1,293 @@
+use std::fmt::{Display, Error, Formatter};
+use std::path::PathBuf;
+use std::str::FromStr;
+use structopt::clap::AppSettings;
+use structopt::StructOpt;
+
+mod config;
+
+pub use config::*;
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(pub Vec<u8>);
+
+impl Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl AsRef<[u8]> for HexEncoded {
+    fn as_ref(&self) -> &[u8] {
+        &self.0[..]
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
+}
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
+
+impl<T: Display + FromStr> Display for CommaSeparated<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        for i in &self.0 {
+            f.write_str(&i.to_string())?;
+            f.write_str(",")?;
+        }
+        Ok(())
+    }
+}
+
+impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+    type Err = <T as FromStr>::Err;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(CommaSeparated(
+            s.split(',')
+                .map(|part| <T as FromStr>::from_str(part))
+                .collect::<Result<Vec<_>, _>>()?,
+        ))
+    }
+}
+
+#[derive(Debug, StructOpt)]
+pub struct Credentials {
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
+    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
+    pub ids: CommaSeparated<HexEncoded>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct AuthenticatorParameters {
+    /// Request a PIN to unlock the authenticator
+    #[structopt(short = "P", long = "pin")]
+    pub pin: bool,
+
+    /// Location to read PIN from
+    #[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
+    pub pin_source: Option<PathBuf>,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_time: u64,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct LuksParameters {
+    #[structopt(env = "FIDO2LUKS_DEVICE")]
+    pub device: PathBuf,
+
+    /// Try to unlock the device using a specifc keyslot, ignore all other slots
+    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+    pub slot: Option<u32>,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct LuksModParameters {
+    /// Number of milliseconds required to derive the volume decryption key
+    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
+    #[structopt(long = "kdf-time", name = "kdf-time")]
+    pub kdf_time: Option<u64>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct SecretParameters {
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Prompt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
+    pub salt: SecretInput,
+    /// Script used to obtain passwords, overridden by --interactive flag
+    #[structopt(
+        name = "password-helper",
+        env = "FIDO2LUKS_PASSWORD_HELPER",
+        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+    )]
+    pub password_helper: PasswordHelper,
+}
+#[derive(Debug, StructOpt)]
+pub struct Args {
+    /// Request passwords via Stdin instead of using the password helper
+    #[structopt(short = "i", long = "interactive")]
+    pub interactive: bool,
+    #[structopt(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct OtherSecret {
+    /// Use a keyfile instead of a password
+    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
+    pub keyfile: Option<PathBuf>,
+    /// Use another fido device instead of a password
+    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
+    pub fido_device: bool,
+}
+
+#[derive(Debug, StructOpt)]
+pub enum Command {
+    #[structopt(name = "print-secret")]
+    PrintSecret {
+        /// Prints the secret as binary instead of hex encoded
+        #[structopt(short = "b", long = "bin")]
+        binary: bool,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+    },
+    /// Adds a generated key to the specified LUKS device
+    #[structopt(name = "add-key")]
+    AddKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Will wipe all other keys
+        #[structopt(short = "e", long = "exclusive")]
+        exclusive: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
+        #[structopt(flatten)]
+        existing_secret: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
+        #[structopt(flatten)]
+        replacement: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Open the LUKS device
+    #[structopt(name = "open")]
+    Open {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+    },
+    /// Open the LUKS device using credentials embedded in the LUKS 2 header
+    #[structopt(name = "open-token")]
+    OpenToken {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+    },
+    /// Generate a new FIDO credential
+    #[structopt(name = "credential")]
+    Credential {
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        /// Name to be displayed on the authenticator if it has a display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        name: Option<String>,
+    },
+    /// Check if an authenticator is connected
+    #[structopt(name = "connected")]
+    Connected,
+    Token(TokenCommand),
+    /// Generate bash completion scripts
+    #[structopt(name = "completions", setting = AppSettings::Hidden)]
+    GenerateCompletions {
+        /// Shell to generate completions for: bash, fish
+        #[structopt(possible_values = &["bash", "fish"])]
+        shell: String,
+        out_dir: PathBuf,
+    },
+}
+
+///LUKS2 token related operations
+#[derive(Debug, StructOpt)]
+pub enum TokenCommand {
+    /// List all tokens associated with the specified device
+    List {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Dump all credentials as CSV
+        #[structopt(long = "csv")]
+        csv: bool,
+    },
+    /// Add credential to a keyslot
+    Add {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Slot to which the credentials will be added
+        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+        slot: u32,
+    },
+    /// Remove credentials from token(s)
+    Remove {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Token from which the credentials will be removed
+        #[structopt(long = "token")]
+        token_id: Option<u32>,
+    },
+    /// Remove all unassigned tokens
+    GC {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+    },
+}

src/error.rs

@@ -1,6 +1,10 @@
 use ctap::FidoError;
+use libcryptsetup_rs::LibcryptErr;
+use pamsm::PamError;
 use std::io;
-
+use std::io::ErrorKind;
+use std::string::FromUtf8Error;
+use Fido2LuksError::*;
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
 
 #[derive(Debug, Fail)]
@@ -25,6 +29,10 @@ pub enum Fido2LuksError {
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
+    #[fail(display = "elevated privileges required")]
+    MissingPrivileges,
+    #[fail(display = "{}", cause)]
+    Configuration { cause: ConfigurationError },
 }
 
 impl Fido2LuksError {
@@ -46,6 +54,26 @@ pub enum AskPassError {
     IO(io::Error),
     #[fail(display = "provided passwords don't match")]
     Mismatch,
+    #[fail(display = "unable to retrieve password: {}", _0)]
+    Pam(PamError),
+}
+
+impl From<PamError> for AskPassError {
+    fn from(e: PamError) -> Self {
+        AskPassError::Pam(e)
+    }
+}
+
+impl From<io::Error> for AskPassError {
+    fn from(e: io::Error) -> Self {
+        AskPassError::IO(e)
+    }
+}
+
+impl From<AskPassError> for Fido2LuksError {
+    fn from(cause: AskPassError) -> Self {
+        Fido2LuksError::AskPassError { cause }
+    }
 }
 
 #[derive(Debug, Fail)]
@@ -81,11 +109,6 @@ impl From<LuksError> for Fido2LuksError {
     }
 }
 
-use libcryptsetup_rs::LibcryptErr;
-use std::io::ErrorKind;
-use std::string::FromUtf8Error;
-use Fido2LuksError::*;
-
 impl From<FidoError> for Fido2LuksError {
     fn from(e: FidoError) -> Self {
         AuthenticatorError { cause: e }
@@ -113,3 +136,16 @@ impl From<FromUtf8Error> for Fido2LuksError {
         StringEncodingError { cause: e }
     }
 }
+#[derive(Debug, Fail)]
+pub enum ConfigurationError {
+    #[fail(display = "config is missing some values: {:?}", _0)]
+    Missing(Vec<String>),
+    #[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
+    InvalidValue(String, String),
+}
+
+impl From<ConfigurationError> for Fido2LuksError {
+    fn from(cause: ConfigurationError) -> Fido2LuksError {
+        Fido2LuksError::Configuration { cause }
+    }
+}

src/lib.rs

@@ -0,0 +1,183 @@
+#[macro_use]
+extern crate failure;
+extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
+use crate::cli_args::{CommaSeparated, HexEncoded};
+use crate::device::*;
+use crate::error::*;
+use crate::luks::*;
+use ctap::FidoCredential;
+use failure::_core::time::Duration;
+use pamsm::PamLibExt;
+use pamsm::*;
+use std::collections::{HashMap, HashSet};
+use std::path::Path;
+use std::str::FromStr;
+use sudo::{self, RunningAs};
+
+pub mod cli_args;
+pub mod device;
+pub mod error;
+pub mod luks;
+pub mod util;
+
+struct PamFido2Luks;
+
+impl PamFido2Luks {
+    fn open(
+        &self,
+        user: String,
+        mut password: impl FnMut(&str) -> PamResult<String>,
+        args: Vec<String>,
+    ) -> Fido2LuksResult<()> {
+        let args: HashMap<String, String> = args
+            .into_iter()
+            .filter_map(|arg| {
+                let mut parts = arg.split("=");
+                parts
+                    .by_ref()
+                    .next()
+                    .map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
+            })
+            .collect();
+
+        let credentials = match args.get("credentials").map(|creds| {
+            <CommaSeparated<String>>::from_str(creds)
+                .map(|cs| cs.0)
+                .map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
+        }) {
+            Some(creds) => creds?,
+            _ => Vec::new(),
+        };
+        let pin = args.get("pin");
+        let pin_prefix = args
+            .get("pin-prefix")
+            .map(|p| p.parse::<bool>().unwrap_or_default())
+            .unwrap_or_default();
+        let device = args
+            .get("device")
+            .map(|device| device.replace("%user%", user.as_str()));
+        let name = args
+            .get("name")
+            .map(|name| name.replace("%user%", user.as_str()));
+
+        let mut attempts = args
+            .get("attempts")
+            .and_then(|a| a.parse::<usize>().ok())
+            .unwrap_or(3);
+
+        if let (Some(device), Some(name)) = (device, name) {
+            if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
+            {
+                return Ok(());
+            }
+            // root required to mount luks
+            match sudo::check() {
+                RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
+                _ => {
+                    sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
+                }
+            }
+            let mut device = LuksDevice::load(device)?;
+            let mut additional_credentials: HashSet<String> = HashSet::new();
+            if device.is_luks2()? {
+                for token in device.tokens()? {
+                    let (_, token) = token?;
+                    additional_credentials.extend(token.credential.into_iter());
+                }
+            }
+            let credentials: Vec<FidoCredential> = credentials
+                .into_iter()
+                .chain(additional_credentials.into_iter())
+                .map(|cred| HexEncoded::from_str(cred.as_str()))
+                .map(|cred| FidoCredential {
+                    id: cred.unwrap().0,
+                    public_key: None,
+                })
+                .collect();
+            let credentials: Vec<&FidoCredential> = credentials.iter().collect();
+            if !credentials.is_empty() {
+                loop {
+                    let (pin, pass) = if pin_prefix {
+                        let password = password("PIN + FIDO2 salt (pin:password):")
+                            .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
+                        let mut parts = password.split(":");
+                        (
+                            parts.next().map(|p| p.to_string()).or(pin.cloned()),
+                            parts.collect::<Vec<_>>().join(":"),
+                        )
+                    } else {
+                        (
+                            pin.cloned(),
+                            password("FIDO2 salt: ")
+                                .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
+                        )
+                    };
+
+                    let salt = util::sha256(&[pass.as_bytes()]);
+                    let secret = util::sha256(&[
+                        &salt,
+                        &perform_challenge(
+                            &credentials[..],
+                            &salt,
+                            Duration::from_secs(15),
+                            pin.as_ref().map(String::as_str),
+                        )?
+                        .0[..],
+                    ]);
+                    match device.activate(name.as_str(), &secret[..], None) {
+                        Ok(_) => return Ok(()),
+                        _ if attempts > 0 => {
+                            attempts -= 1;
+                            continue;
+                        }
+                        Err(e) => break Err(e),
+                    }
+                }
+            } else {
+                Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
+            }
+        } else {
+            Ok(())
+        }
+    }
+}
+
+impl PamServiceModule for PamFido2Luks {
+    fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
+        let perfrom_authenticate = move || -> Fido2LuksResult<()> {
+            let user = match pamh.get_cached_user() {
+                Err(e) => Err(AskPassError::Pam(e))?,
+                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
+            };
+            let mut password = match pamh.get_authtok(None) {
+                Err(e) => Err(AskPassError::Pam(e))?,
+                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
+            };
+            if let Some(user) = user {
+                PamFido2Luks.open(
+                    user,
+                    move |q: &str| match password.take() {
+                        Some(pass) => Ok(pass),
+                        None => pamh
+                            .conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
+                            .map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
+                    },
+                    args,
+                )
+            } else {
+                Err(AskPassError::Pam(PamError::AUTH_ERR))?
+            }
+        };
+        match perfrom_authenticate() {
+            Ok(_) => PamError::SUCCESS,
+            Err(e) => {
+                eprintln!("{}", e);
+                PamError::AUTH_ERR
+            }
+        }
+    }
+}
+
+pam_module!(PamFido2Luks);

src/main.rs

@@ -4,15 +4,13 @@ extern crate ctap_hmac as ctap;
 #[macro_use]
 extern crate serde_derive;
 use crate::cli::*;
-use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use std::io;
-use std::path::PathBuf;
 use std::process::exit;
 
 mod cli;
-mod config;
+pub mod cli_args;
 mod device;
 mod error;
 mod luks;
@@ -21,10 +19,7 @@ mod util;
 fn main() -> Fido2LuksResult<()> {
     match run_cli() {
         Err(e) => {
-            #[cfg(debug_assertions)]
             eprintln!("{:?}", e);
-            #[cfg(not(debug_assertions))]
-            eprintln!("{}", e);
             exit(e.exit_code())
         }
         _ => exit(0),