#! /bin/sh
#
# This is /sbin/fido2-keyscript, which gets called when unlocking the disk
#
# Helper library. The fido2_* functions called below (fido2_is_pin_required,
# fido2_device, fido2_authenticate) are not defined in this file and are
# presumably provided by it — confirm against fido2-utils.sh.
. /usr/share/fido2-luks/fido2-utils.sh
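# Show a status line to the user.
# Uses the plymouth splash when it is running, otherwise stderr. stdout is
# deliberately not used: it carries the key material the caller reads.
# Arguments: the message words, joined by single spaces
# Returns:   always 0, so a failed plymouth call never aborts the unlock
message()
{
  if [ -x /bin/plymouth ] && plymouth --ping; then
    plymouth message --text="$*"
  else
    # printf rather than echo: /bin/sh's echo would reinterpret a message
    # starting with "-n"/"-e" or containing backslash escapes.
    printf '%s\n' "$*" >&2
  fi
  return 0
}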
# Choose the prompt tool unless the caller already set one: cryptsetup's
# askpass by default, plymouth's password dialog when the splash is up.
# The value is a command plus arguments and is word-split where it is used,
# so it must stay unquoted at the call site.
if [ -z "$cryptkeyscript" ]; then
  cryptkeyscript="/lib/cryptsetup/askpass"
  if [ -x /bin/plymouth ] && plymouth --ping; then
    cryptkeyscript="plymouth ask-for-password --prompt"
  fi
fi
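# If no PIN is required the system is meant to unlock without keyboard
# interaction, so give a FIDO2 device up to $wait_seconds seconds to show up
# before falling back to the passphrase prompt below.
# Reads DISK (presumably the device being unlocked — set outside this file).
wait_seconds=30
if ! fido2_is_pin_required "$DISK" && ! fido2_device > /dev/null ; then
  message "Waiting up to $wait_seconds seconds for FIDO2 device..."
  remaining=$wait_seconds
  # Counted loop instead of `seq`: no external command is needed in the
  # initramfs, and there is no unused loop variable.
  while [ "$remaining" -gt 0 ]; do
    if fido2_device > /dev/null ; then
      break
    fi
    sleep 1
    remaining=$((remaining - 1))
  done
fi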
# No token present: ask for the disk passphrase and hand it to the caller.
# stdout is the key material cryptsetup reads; diagnostics go via message().
if ! fido2_device > /dev/null ; then
  PW="$($cryptkeyscript "Enter a valid disk passphrase, or insert FIDO2 token and press enter")"
  printf '%s' "$PW"
  exit 0
fi

# Token present: collect the PIN only when the disk requires one.
PW=
if fido2_is_pin_required "$DISK" ; then
  PW="$($cryptkeyscript "Enter the PIN of your FIDO2 token")"
fi

message "Accessing FIDO2 token..."
# NOTE(review): the PIN is passed as an argv word; whether fido2_authenticate
# keeps it out of process listings is decided in fido2-utils.sh — confirm.
# CRYPTTAB_SOURCE is presumably exported by cryptsetup for the keyscript.
R="$(fido2_authenticate "$PW" "$CRYPTTAB_SOURCE")"
if [ -n "$R" ]; then
  message "Retrieved the response from token."
  printf '%s' "$R"
  exit 0
fi

# No passphrase fallback on this path; any retry is up to the caller.
message "Failed to authenticate using FIDO2 token."
exit 1