Compare commits
16 Commits
password_p
...
pam_mod
| Author | SHA1 | Date | |
|---|---|---|---|
ddaf3f9264
|
|||
|
349807a6c4
|
|||
|
4e3d799179
|
|||
|
197d9f511c
|
|||
|
11ac32d3f1
|
|||
|
f6627d887b
|
|||
|
fbbf606631
|
|||
|
7879d64e3a
|
|||
|
31ee2dcbe7
|
|||
|
79849df284
|
|||
|
f2a8e412ac
|
|||
|
985f6f664b
|
|||
|
d4094b8a6a
|
|||
|
e524996693
|
|||
|
d6f6c7c218
|
|||
|
63f29249d3
|
@@ -12,7 +12,7 @@ steps:
|
||||
environment:
|
||||
DEBIAN_FRONTEND: noninteractive
|
||||
commands:
|
||||
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
|
||||
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
|
||||
- cargo test --locked
|
||||
- name: publish
|
||||
image: ubuntu:focal
|
||||
@@ -22,7 +22,7 @@ steps:
|
||||
from_secret: cargo_tkn
|
||||
commands:
|
||||
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
|
||||
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
|
||||
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
|
||||
- cargo package --all-features
|
||||
- cargo publish --all-features
|
||||
when:
|
||||
|
||||
20
Cargo.lock
generated
20
Cargo.lock
generated
@@ -377,18 +377,20 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "fido2luks"
|
||||
version = "0.2.16"
|
||||
version = "0.2.15"
|
||||
dependencies = [
|
||||
"ctap_hmac",
|
||||
"failure",
|
||||
"hex",
|
||||
"libcryptsetup-rs",
|
||||
"pamsm",
|
||||
"ring",
|
||||
"rpassword",
|
||||
"serde",
|
||||
"serde_derive",
|
||||
"serde_json",
|
||||
"structopt",
|
||||
"sudo",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -596,6 +598,12 @@ version = "0.20.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
|
||||
|
||||
[[package]]
|
||||
name = "pamsm"
|
||||
version = "0.4.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
|
||||
|
||||
[[package]]
|
||||
name = "peeking_take_while"
|
||||
version = "0.1.2"
|
||||
@@ -980,6 +988,16 @@ dependencies = [
|
||||
"syn 1.0.40",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "sudo"
|
||||
version = "0.5.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"log",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "syn"
|
||||
version = "0.15.44"
|
||||
|
||||
18
Cargo.toml
18
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.2.16"
|
||||
version = "0.2.15"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -24,6 +24,8 @@ libcryptsetup-rs = "0.4.1"
|
||||
serde_json = "1.0.51"
|
||||
serde_derive = "1.0.106"
|
||||
serde = "1.0.106"
|
||||
pamsm = { version = "0.4.1", features = ["libpam"] }
|
||||
sudo = "0.5.0"
|
||||
|
||||
[build-dependencies]
|
||||
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
|
||||
@@ -32,6 +34,7 @@ ring = "0.13.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
libcryptsetup-rs = "0.4.1"
|
||||
pamsm = { version = "0.4.1", features = ["libpam"] }
|
||||
structopt = "0.3.2"
|
||||
|
||||
[profile.release]
|
||||
@@ -41,14 +44,23 @@ panic = 'abort'
|
||||
incremental = false
|
||||
overflow-checks = false
|
||||
|
||||
[[bin]]
|
||||
name = "fido2luks"
|
||||
path = "src/main.rs"
|
||||
|
||||
[lib]
|
||||
name = "fido2luks_pam"
|
||||
path = "src/lib.rs"
|
||||
crate-type = ["cdylib"]
|
||||
|
||||
[package.metadata.deb]
|
||||
depends = "$auto, cryptsetup"
|
||||
build-depends = "libclang-dev, libcryptsetup-dev"
|
||||
build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev"
|
||||
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
|
||||
assets = [
|
||||
["target/release/fido2luks", "usr/bin/", "755"],
|
||||
["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
|
||||
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
|
||||
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
|
||||
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
|
||||
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
|
||||
["initramfs-tools/fido2luks.conf", "etc/", "644"],
|
||||
|
||||
1
PKGBUILD
1
PKGBUILD
@@ -21,6 +21,5 @@ build() {
|
||||
|
||||
package() {
|
||||
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
|
||||
install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
|
||||
install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
|
||||
|
||||
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
|
||||
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
|
||||
|
||||
## Setup
|
||||
|
||||
|
||||
@@ -1,220 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# This is a rather minimal example Argbash potential
|
||||
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
|
||||
#
|
||||
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
|
||||
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
|
||||
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
|
||||
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
|
||||
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
|
||||
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
|
||||
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
|
||||
# ARGBASH_GO()
|
||||
# needed because of Argbash --> m4_ignore([
|
||||
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
|
||||
# Argbash is a bash code generator used to get arguments parsing right.
|
||||
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
|
||||
# Generated online by https://argbash.io/generate
|
||||
|
||||
|
||||
die()
|
||||
{
|
||||
local _ret="${2:-1}"
|
||||
test "${_PRINT_HELP:-no}" = yes && print_help >&2
|
||||
echo "$1" >&2
|
||||
exit "${_ret}"
|
||||
}
|
||||
|
||||
|
||||
begins_with_short_option()
|
||||
{
|
||||
local first_option all_short_options='cdmash'
|
||||
first_option="${1:0:1}"
|
||||
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
|
||||
}
|
||||
|
||||
# THE DEFAULTS INITIALIZATION - POSITIONALS
|
||||
_positionals=()
|
||||
# THE DEFAULTS INITIALIZATION - OPTIONALS
|
||||
_arg_credentials_type=
|
||||
_arg_device=
|
||||
_arg_mount_point=
|
||||
_arg_ask_pin="off"
|
||||
_arg_salt=""
|
||||
|
||||
|
||||
print_help()
|
||||
{
|
||||
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
|
||||
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
|
||||
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
|
||||
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
|
||||
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
|
||||
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
|
||||
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
|
||||
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
|
||||
printf '\t%s\n' "-h, --help: Prints help"
|
||||
}
|
||||
|
||||
|
||||
parse_commandline()
|
||||
{
|
||||
_positionals_count=0
|
||||
while test $# -gt 0
|
||||
do
|
||||
_key="$1"
|
||||
case "$_key" in
|
||||
-c|--credentials-type)
|
||||
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
|
||||
_arg_credentials_type="$2"
|
||||
shift
|
||||
;;
|
||||
--credentials-type=*)
|
||||
_arg_credentials_type="${_key##--credentials-type=}"
|
||||
;;
|
||||
-c*)
|
||||
_arg_credentials_type="${_key##-c}"
|
||||
;;
|
||||
-d|--device)
|
||||
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
|
||||
_arg_device="$2"
|
||||
shift
|
||||
;;
|
||||
--device=*)
|
||||
_arg_device="${_key##--device=}"
|
||||
;;
|
||||
-d*)
|
||||
_arg_device="${_key##-d}"
|
||||
;;
|
||||
-m|--mount-point)
|
||||
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
|
||||
_arg_mount_point="$2"
|
||||
shift
|
||||
;;
|
||||
--mount-point=*)
|
||||
_arg_mount_point="${_key##--mount-point=}"
|
||||
;;
|
||||
-m*)
|
||||
_arg_mount_point="${_key##-m}"
|
||||
;;
|
||||
-a|--no-ask-pin|--ask-pin)
|
||||
_arg_ask_pin="on"
|
||||
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
|
||||
;;
|
||||
-a*)
|
||||
_arg_ask_pin="on"
|
||||
_next="${_key##-a}"
|
||||
if test -n "$_next" -a "$_next" != "$_key"
|
||||
then
|
||||
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
|
||||
fi
|
||||
;;
|
||||
-s|--salt)
|
||||
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
|
||||
_arg_salt="$2"
|
||||
shift
|
||||
;;
|
||||
--salt=*)
|
||||
_arg_salt="${_key##--salt=}"
|
||||
;;
|
||||
-s*)
|
||||
_arg_salt="${_key##-s}"
|
||||
;;
|
||||
-h|--help)
|
||||
print_help
|
||||
exit 0
|
||||
;;
|
||||
-h*)
|
||||
print_help
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
_last_positional="$1"
|
||||
_positionals+=("$_last_positional")
|
||||
_positionals_count=$((_positionals_count + 1))
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
handle_passed_args_count()
|
||||
{
|
||||
local _required_args_string="'operation'"
|
||||
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
|
||||
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
|
||||
}
|
||||
|
||||
|
||||
assign_positional_args()
|
||||
{
|
||||
local _positional_name _shift_for=$1
|
||||
_positional_names="_arg_operation "
|
||||
|
||||
shift "$_shift_for"
|
||||
for _positional_name in ${_positional_names}
|
||||
do
|
||||
test $# -gt 0 || break
|
||||
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
parse_commandline "$@"
|
||||
handle_passed_args_count
|
||||
assign_positional_args 1 "${_positionals[@]}"
|
||||
|
||||
# OTHER STUFF GENERATED BY Argbash
|
||||
|
||||
### END OF CODE GENERATED BY Argbash (sortof) ### ])
|
||||
# [ <-- needed because of Argbash
|
||||
|
||||
if [ -z ${_arg_mount_point} ]; then
|
||||
die "Missing '--mount-point' argument"
|
||||
fi
|
||||
|
||||
if [ -z ${_arg_device} ]; then
|
||||
die "Missing '--device' argument"
|
||||
fi
|
||||
|
||||
ASK_PIN=${_arg_ask_pin}
|
||||
OPERATION=${_arg_operation}
|
||||
DEVICE=${_arg_device}
|
||||
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
|
||||
MOUNT_POINT=${_arg_mount_point}
|
||||
CREDENTIALS_TYPE=${_arg_credentials_type}
|
||||
SALT=${_arg_salt}
|
||||
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
|
||||
|
||||
if [ "${OPERATION}" == "mount" ]; then
|
||||
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
|
||||
if [ -f ${CONF_FILE_PATH} ]; then
|
||||
if [ "${ASK_PIN}" == "on" ]; then
|
||||
read PASSWORD
|
||||
fi
|
||||
CREDENTIALS=$(<${CONF_FILE_PATH})
|
||||
else
|
||||
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
|
||||
fi
|
||||
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
|
||||
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
|
||||
if [ "${ASK_PIN}" == "on" ]; then
|
||||
read PASSWORD
|
||||
fi
|
||||
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
|
||||
else
|
||||
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
|
||||
fi
|
||||
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
|
||||
elif [ "${OPERATION}" == "umount" ]; then
|
||||
umount ${MOUNT_POINT}
|
||||
cryptsetup luksClose ${DEVICE_NAME}
|
||||
else
|
||||
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
||||
# ] <-- needed because of Argbash
|
||||
10
src/cli.rs
10
src/cli.rs
@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
|
||||
if let Some(src) = ap.pin_source.as_ref() {
|
||||
let mut pin = String::new();
|
||||
File::open(src)?.read_to_string(&mut pin)?;
|
||||
Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
|
||||
Ok(pin)
|
||||
} else {
|
||||
util::read_password("Authenticator PIN", false)
|
||||
}
|
||||
@@ -177,10 +177,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
)),
|
||||
}
|
||||
};
|
||||
let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
derive_secret(
|
||||
&credentials.ids.0,
|
||||
&salt(q, verify)?,
|
||||
&salt("Password", verify)?,
|
||||
authenticator.await_time,
|
||||
pin.as_deref(),
|
||||
)
|
||||
@@ -190,7 +190,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
match &args.command {
|
||||
Command::AddKey { exclusive, .. } => {
|
||||
let (existing_secret, _) = other_secret("Current password", false)?;
|
||||
let (new_secret, cred) = secret("Password to be added", true)?;
|
||||
let (new_secret, cred) = secret(true)?;
|
||||
let added_slot = luks_dev.add_key(
|
||||
&new_secret,
|
||||
&existing_secret[..],
|
||||
@@ -215,7 +215,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Ok(())
|
||||
}
|
||||
Command::ReplaceKey { add_password, .. } => {
|
||||
let (existing_secret, _) = secret("Current password", false)?;
|
||||
let (existing_secret, _) = secret(false)?;
|
||||
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
|
||||
let slot = if *add_password {
|
||||
luks_dev.add_key(
|
||||
|
||||
39
src/error.rs
39
src/error.rs
@@ -1,10 +1,10 @@
|
||||
use ctap::FidoError;
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use pamsm::PamError;
|
||||
use std::io;
|
||||
use std::io::ErrorKind;
|
||||
use std::string::FromUtf8Error;
|
||||
use Fido2LuksError::*;
|
||||
|
||||
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
|
||||
|
||||
#[derive(Debug, Fail)]
|
||||
@@ -29,6 +29,10 @@ pub enum Fido2LuksError {
|
||||
WrongSecret,
|
||||
#[fail(display = "not an utf8 string")]
|
||||
StringEncodingError { cause: FromUtf8Error },
|
||||
#[fail(display = "elevated privileges required")]
|
||||
MissingPrivileges,
|
||||
#[fail(display = "{}", cause)]
|
||||
Configuration { cause: ConfigurationError },
|
||||
}
|
||||
|
||||
impl Fido2LuksError {
|
||||
@@ -50,6 +54,26 @@ pub enum AskPassError {
|
||||
IO(io::Error),
|
||||
#[fail(display = "provided passwords don't match")]
|
||||
Mismatch,
|
||||
#[fail(display = "unable to retrieve password: {}", _0)]
|
||||
Pam(PamError),
|
||||
}
|
||||
|
||||
impl From<PamError> for AskPassError {
|
||||
fn from(e: PamError) -> Self {
|
||||
AskPassError::Pam(e)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<io::Error> for AskPassError {
|
||||
fn from(e: io::Error) -> Self {
|
||||
AskPassError::IO(e)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<AskPassError> for Fido2LuksError {
|
||||
fn from(cause: AskPassError) -> Self {
|
||||
Fido2LuksError::AskPassError { cause }
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Fail)]
|
||||
@@ -112,3 +136,16 @@ impl From<FromUtf8Error> for Fido2LuksError {
|
||||
StringEncodingError { cause: e }
|
||||
}
|
||||
}
|
||||
#[derive(Debug, Fail)]
|
||||
pub enum ConfigurationError {
|
||||
#[fail(display = "config is missing some values: {:?}", _0)]
|
||||
Missing(Vec<String>),
|
||||
#[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
|
||||
InvalidValue(String, String),
|
||||
}
|
||||
|
||||
impl From<ConfigurationError> for Fido2LuksError {
|
||||
fn from(cause: ConfigurationError) -> Fido2LuksError {
|
||||
Fido2LuksError::Configuration { cause }
|
||||
}
|
||||
}
|
||||
|
||||
183
src/lib.rs
Normal file
183
src/lib.rs
Normal file
@@ -0,0 +1,183 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
use crate::cli_args::{CommaSeparated, HexEncoded};
|
||||
use crate::device::*;
|
||||
use crate::error::*;
|
||||
use crate::luks::*;
|
||||
use ctap::FidoCredential;
|
||||
use failure::_core::time::Duration;
|
||||
use pamsm::PamLibExt;
|
||||
use pamsm::*;
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use std::path::Path;
|
||||
use std::str::FromStr;
|
||||
use sudo::{self, RunningAs};
|
||||
|
||||
pub mod cli_args;
|
||||
pub mod device;
|
||||
pub mod error;
|
||||
pub mod luks;
|
||||
pub mod util;
|
||||
|
||||
struct PamFido2Luks;
|
||||
|
||||
impl PamFido2Luks {
|
||||
fn open(
|
||||
&self,
|
||||
user: String,
|
||||
mut password: impl FnMut(&str) -> PamResult<String>,
|
||||
args: Vec<String>,
|
||||
) -> Fido2LuksResult<()> {
|
||||
let args: HashMap<String, String> = args
|
||||
.into_iter()
|
||||
.filter_map(|arg| {
|
||||
let mut parts = arg.split("=");
|
||||
parts
|
||||
.by_ref()
|
||||
.next()
|
||||
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
|
||||
})
|
||||
.collect();
|
||||
|
||||
let credentials = match args.get("credentials").map(|creds| {
|
||||
<CommaSeparated<String>>::from_str(creds)
|
||||
.map(|cs| cs.0)
|
||||
.map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
|
||||
}) {
|
||||
Some(creds) => creds?,
|
||||
_ => Vec::new(),
|
||||
};
|
||||
let pin = args.get("pin");
|
||||
let pin_prefix = args
|
||||
.get("pin-prefix")
|
||||
.map(|p| p.parse::<bool>().unwrap_or_default())
|
||||
.unwrap_or_default();
|
||||
let device = args
|
||||
.get("device")
|
||||
.map(|device| device.replace("%user%", user.as_str()));
|
||||
let name = args
|
||||
.get("name")
|
||||
.map(|name| name.replace("%user%", user.as_str()));
|
||||
|
||||
let mut attempts = args
|
||||
.get("attempts")
|
||||
.and_then(|a| a.parse::<usize>().ok())
|
||||
.unwrap_or(3);
|
||||
|
||||
if let (Some(device), Some(name)) = (device, name) {
|
||||
if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
|
||||
{
|
||||
return Ok(());
|
||||
}
|
||||
// root required to mount luks
|
||||
match sudo::check() {
|
||||
RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
|
||||
_ => {
|
||||
sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
|
||||
}
|
||||
}
|
||||
let mut device = LuksDevice::load(device)?;
|
||||
let mut additional_credentials: HashSet<String> = HashSet::new();
|
||||
if device.is_luks2()? {
|
||||
for token in device.tokens()? {
|
||||
let (_, token) = token?;
|
||||
additional_credentials.extend(token.credential.into_iter());
|
||||
}
|
||||
}
|
||||
let credentials: Vec<FidoCredential> = credentials
|
||||
.into_iter()
|
||||
.chain(additional_credentials.into_iter())
|
||||
.map(|cred| HexEncoded::from_str(cred.as_str()))
|
||||
.map(|cred| FidoCredential {
|
||||
id: cred.unwrap().0,
|
||||
public_key: None,
|
||||
})
|
||||
.collect();
|
||||
let credentials: Vec<&FidoCredential> = credentials.iter().collect();
|
||||
if !credentials.is_empty() {
|
||||
loop {
|
||||
let (pin, pass) = if pin_prefix {
|
||||
let password = password("PIN + FIDO2 salt (pin:password):")
|
||||
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
|
||||
let mut parts = password.split(":");
|
||||
(
|
||||
parts.next().map(|p| p.to_string()).or(pin.cloned()),
|
||||
parts.collect::<Vec<_>>().join(":"),
|
||||
)
|
||||
} else {
|
||||
(
|
||||
pin.cloned(),
|
||||
password("FIDO2 salt: ")
|
||||
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
|
||||
)
|
||||
};
|
||||
|
||||
let salt = util::sha256(&[pass.as_bytes()]);
|
||||
let secret = util::sha256(&[
|
||||
&salt,
|
||||
&perform_challenge(
|
||||
&credentials[..],
|
||||
&salt,
|
||||
Duration::from_secs(15),
|
||||
pin.as_ref().map(String::as_str),
|
||||
)?
|
||||
.0[..],
|
||||
]);
|
||||
match device.activate(name.as_str(), &secret[..], None) {
|
||||
Ok(_) => return Ok(()),
|
||||
_ if attempts > 0 => {
|
||||
attempts -= 1;
|
||||
continue;
|
||||
}
|
||||
Err(e) => break Err(e),
|
||||
}
|
||||
}
|
||||
} else {
|
||||
Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
|
||||
}
|
||||
} else {
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl PamServiceModule for PamFido2Luks {
|
||||
fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
|
||||
let perfrom_authenticate = move || -> Fido2LuksResult<()> {
|
||||
let user = match pamh.get_cached_user() {
|
||||
Err(e) => Err(AskPassError::Pam(e))?,
|
||||
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
|
||||
};
|
||||
let mut password = match pamh.get_authtok(None) {
|
||||
Err(e) => Err(AskPassError::Pam(e))?,
|
||||
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
|
||||
};
|
||||
if let Some(user) = user {
|
||||
PamFido2Luks.open(
|
||||
user,
|
||||
move |q: &str| match password.take() {
|
||||
Some(pass) => Ok(pass),
|
||||
None => pamh
|
||||
.conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
|
||||
.map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
|
||||
},
|
||||
args,
|
||||
)
|
||||
} else {
|
||||
Err(AskPassError::Pam(PamError::AUTH_ERR))?
|
||||
}
|
||||
};
|
||||
match perfrom_authenticate() {
|
||||
Ok(_) => PamError::SUCCESS,
|
||||
Err(e) => {
|
||||
eprintln!("{}", e);
|
||||
PamError::AUTH_ERR
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pam_module!(PamFido2Luks);
|
||||
Reference in New Issue
Block a user