Re: Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup
Ansgar <ansgar@43-1.org> wrote on Sun, 31 Dec 2023 at 20:51:
>
> On Sun, 2023-12-31 at 18:49 +0800, YunQiang Su wrote:
> > * Package name : cryptsetup-2fa
> > Version : 0.1
> > Upstream Contact: YunQiang Su <syq@debian.org>
> > * URL : https://github.com/wzssyqa/cryptsetup-2fa/
> > * License : BSD-2
> > Programming Lang: SHELL
> > Description : 2FA plugin for cryptsetup
> >
> > 2 methods are supported for 2FA:
> > - Yubikey Challenge
> > - TPM2 Keypair
> > PIN-less is also supported, if the PINs are present in
> > /etc/cryptsetup/2fa.conf.
> >
> > Since I am not an expert in security and encryption:
> > code review is requested here, too.
>
> Is there any reason to not just use systemd-cryptenroll?
Yes. I tried to use systemd-cryptenroll, but it cannot work with
cryptsetup-suspend.
I need a way to suspend or hibernate without the disks being decrypted.
> It seems to be a more featureful implementation and also doesn't
> require storing PINs in plain text in configuration files like
My script doesn't *require* storing PIN.
You can just leave the config blank, it will prompt for PIN.
> /etc/cryptsetup/2fa/2fa.conf as README instructs users to do here.
> Nor does it store plain text credentials in /var/cache.
>
This is used if a user has multiple disks/partitions that all have the
same PIN, to ask for the PIN only once.
The passphrase is stored in /var/cache, and switch_root will clean
all of them, so I guess it won't leak.
> Ansgar
>
> PS: I also don't understand why cryptsetup-2fa-enroll(1) references
> privacyIDEA.
Thanks. Removed.