dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

boot.initrd.luks: add reusePassphrases support for YubiKey 2FA

Browse Source
This commit is contained in:
Ctem 2020-12-21 06:24:14 +09:00
parent 86ff1e45ce
commit 9e8781328e
No known key found for this signature in database
GPG Key ID: 7F6702F5FC77041B
1 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/modules/system/boot/luksroot.nix
View File

@ -254,8 +254,27 @@ let
for try in $(seq 3); do for try in $(seq 3); do
${optionalString yubikey.twoFactor '' ${optionalString yubikey.twoFactor ''
echo -n "Enter two-factor passphrase: " echo -n "Enter two-factor passphrase: "
read -r k_user k_user=
echo while true; do
if [ -e /crypt-ramfs/passphrase ]; then
echo "reused"
k_user=$(cat /crypt-ramfs/passphrase)
break
else
# Try reading it from /dev/console with a timeout
IFS= read -t 1 -r k_user
if [ -n "$k_user" ]; then
${if luks.reusePassphrases then ''
# Remember it for the next device
echo -n "$k_user" > /crypt-ramfs/passphrase
'' else ''
# Don't save it to ramfs. We are very paranoid
''}
echo
break
fi
fi
done
''} ''}
if [ ! -z "$k_user" ]; then if [ ! -z "$k_user" ]; then
@ -268,6 +287,11 @@ let
if [ $? == 0 ]; then if [ $? == 0 ]; then
opened=true opened=true
${if luks.reusePassphrases then ''
# We don't rm here because we might reuse it for the next device
'' else ''
rm -f /crypt-ramfs/passphrase
''}
break break
else else
opened=false opened=false