
Does not work with luks/dropbear #54

Open
alzulas opened this issue Jun 17, 2019 · 5 comments
Comments

@alzulas

alzulas commented Jun 17, 2019

Is there any chance that there's a way to make it so busybox/dropbear and yubikey-luks can play nice together? I had my system set up so it would allow an ssh sign into the luks encrypted disk. Once I set up the yubikey to work for the luks disk, I can no longer use the ssh connection to unlock the disk. I can connect, and type in cryptroot-unlock, but then it will time out before anything happens. I've looked through all the initramfs hooks, but I'm not entirely sure how to fix this. Do you have any recommendations? Thanks.

@cornelinux
Owner

Do you want to connect your yubikey to the remote server or to your local machine?

I would not recommend plugging your yubikey into your remote server and leaving it there.
If you have plugged the yubikey into your local machine, this does not make sense. The server will not be able to send a challenge to your local yubikey.
However, you could create the YK response locally and paste it via SSH.

Did I get you right?

@alzulas
Author

alzulas commented Oct 25, 2020

This is all being done on an atomic pi. The reason for the SSH is that a security professional would have their own laptop, and then a pi with specific tool kits on it. The security professional would bring the pi with them to a customer, and when they needed to use it for testing, they would use the SSH connection to the box from their laptop to run the tests that were needed. In this way, their laptop is protected from anything malicious that might occur. However, we will also have to mail these devices cross country for various engagements, hence the Yubikey. This would make the device safe from bad actors who might intercept the device in transit.

@cornelinux
Owner

So where do you want to plug in the yubikey?

How do you mail the yubikeys (and the devices)?

@alzulas
Author

alzulas commented Oct 26, 2020

The pi has multiple USB ports, so the Yubikey is plugged directly into the device. The device is mailed separately from the key. First one, and then once the device has been delivered, the other. It's not super fast, but it's very secure.

@cornelinux
Owner

Thank you for explaining your workflow.

I can no longer use the ssh connection to unlock the disk. I can connect, and type in cryptroot-unlock, but then it will time out before anything happens.

This information is a bit sparse. Also: I think that this is out of scope here, since after all you could use a completely separate script that unlocks and mounts the root partition with the yubikey. cryptroot-unlock sounds like a script that comes with the dropbear initramfs. So you would need to modify this script so that it simply uses the passphrase from the yubikey response.

The current scripts in this repository are not made to be used for this. For starters you might take a look at yubikey-luks-open.

I changed the title of this issue to one that describes your situation better.
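To make the two suggestions in this thread concrete (computing the Yubikey response and feeding it to cryptsetup from an SSH session into the initramfs, and doing so in a separate unlock script rather than through cryptroot-unlock), here is an added example written for this page. It is not code from the yubikey-luks project or from either participant. It assumes a Yubikey configured for HMAC-SHA1 challenge-response in slot 2, a LUKS key slot enrolled with the hex response to the chosen challenge, and `ykchalresp` and `cryptsetup` present in the initramfs; the `YKCHALRESP` and `CRYPTSETUP` variables are hypothetical overrides that let the logic be exercised without hardware.

```shell
#!/bin/sh
# Added example (not from yubikey-luks): minimal helper in the spirit of
# yubikey-luks-open, intended to be run from a dropbear/busybox initramfs
# shell over SSH with the Yubikey plugged into the host being unlocked.
# Assumptions (not from the issue): HMAC-SHA1 challenge-response in slot 2,
# LUKS key slot enrolled with the hex response, ykchalresp + cryptsetup in
# the initramfs. YKCHALRESP/CRYPTSETUP are hypothetical overrides for testing.

set -eu

YKCHALRESP="${YKCHALRESP:-ykchalresp}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
YK_SLOT="${YK_SLOT:-2}"

# Compute the Yubikey response for the challenge read from stdin.
# Prints the 40-character hex HMAC-SHA1 response on stdout, no trailing newline.
yk_response() {
    "$YKCHALRESP" -"$YK_SLOT" -i- 2>/dev/null | tr -d '\n'
}

# Sanity-check the response before handing it to cryptsetup: an unplugged or
# mis-configured key yields empty output, which would otherwise be tried as a
# (wrong) passphrase and burn one of LUKS's slow PBKDF attempts.
is_valid_response() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Prompt for the challenge without echo, derive the key from the Yubikey,
# and open the LUKS device. The response goes to cryptsetup over stdin
# (--key-file=-) so it never lands in argv or in a file on the initramfs.
unlock_with_yubikey() {
    dev="$1"; name="$2"
    printf 'Challenge (passphrase) for %s: ' "$dev" >&2
    stty -echo 2>/dev/null || true
    read -r challenge
    stty echo 2>/dev/null || true
    printf '\n' >&2
    resp="$(printf '%s' "$challenge" | yk_response)"
    challenge=""   # drop the plaintext challenge as soon as it is used
    if ! is_valid_response "$resp"; then
        echo "No usable response from Yubikey (is it plugged into this host?)" >&2
        return 2
    fi
    printf '%s' "$resp" | "$CRYPTSETUP" luksOpen "$dev" "$name" --key-file=-
}

# Usage from the initramfs shell:  ./unlock.sh --run /dev/sda2 cryptroot
if [ "${1:-}" = "--run" ]; then
    unlock_with_yubikey "${2:?device}" "${3:?mapper name}"
fi
```

The validation step is the part worth keeping even if the rest is adapted: the symptom described in the issue (the prompt "times out before anything happens") is exactly what an empty or garbage response fed straight into cryptsetup looks like from the SSH side, so failing fast with a clear message is more useful than a silent retry loop.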

cornelinux changed the title from "Yubikey-luks overwrites cryptroot-unlock" to "Does not work with luks/dropbear" on Oct 26, 2020