Idea: Unlock remote machine via SSH #57
Conversation
| @@ -0,0 +1,6 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
Could you make shebang consistent with other ykfde-* scripts? We use #!/bin/bash -p elsewhere.
| @@ -0,0 +1,6 @@ | |||
| #!/usr/bin/env bash | |||
|
|
|||
| ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 & | |||
There was a problem hiding this comment.
This ykchalresp invocation leaks challenge, see #44 and how it was fixed.
Also this line triggers following shellcheck warning:
In ykfde-ssh line 3:
ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 &
^-- SC2016: Expressions don't expand in single quotes, use double quotes for that.
For more information:
https://www.shellcheck.net/wiki/SC2016 -- Expressions don't expand in singl...
There was a problem hiding this comment.
I am pretty sure that this is single quoted intentionally.
There was a problem hiding this comment.
Yes - it was to avoid expand. But if that is the case, a comment and a shellcheck disable should be added.
| @@ -149,6 +150,8 @@ ykfde_do_it() { | |||
| _rc=$? | |||
|
|
|||
| if [ "$_rc" -eq 0 ]; then | |||
| touch /.done | |||
There was a problem hiding this comment.
I think those two should depend on "$YKFDE_SSH"
|
Shall we close this PR for now? |
|
Ah, sorry, got busy for a while then completely forgot about this. I still would like to finish this feature, but I can't give you a time frame right now. Is it ok? Or I'm also happy to submit another PR when I actually manage to wrap it up. |
|
Take your time, we can wait 😄 |
|
That's absolutely alright. Just wanted to make sure it's still planned sometime in the future. |
This is a proof of concept which contains a lot of ugly hacks and it's not intended to be merged.
I would like to use yubikey-full-disk-encryption to unlock a headless machine without the hassle of unplugging/plugging YubiKey. So inspired by the
encryptsshhook from mkinitcpio-utils I'm using currently, here's a prototype that utilises SSH port forwarding to achieve this job.Server-Side Requirements
ncfrom gnu-netcatssfrom iproute2dropbear (and netconf) needs to be pre-configured according to https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp).
mkinitcpio hooks should look like:
Client-Side Requirements
ncatfrom nmapykfde-sshfrom this PRBasically what it does is
ykfde-ssh Hostnameand it:1.1 starts
ncatto listen on127.0.0.1:9000and wait for the challenge1.2 forwards
127.0.0.1:9000to Serverssto detect whether127.0.0.1:9000is openncto send the challenge to127.0.0.1:9000and obtains the responseI've tested it in a virtual machine and it seems to work pretty smoothly. However the configuration does tend to be overly complex and I actually wonder whether there is a better way of doing this rather than using SSH port forwarding. But @agherzan if you feel comfortable about this idea I can then make some time to tidy it up and submit a proper PR.