Re: Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup
On Sun, 31 Dec 2023 at 20:51, Ansgar wrote:
>
> On Sun, 2023-12-31 at 18:49 +0800, YunQiang Su wrote:
> > * Package name    : cryptsetup-2fa
> >   Version         : 0.1
> >   Upstream Contact: YunQiang Su
> > * URL             : https://github.com/wzssyqa/cryptsetup-2fa/
> > * License         : BSD-2
> >   Programming Lang: SHELL
> >   Description     : 2FA plugin for cryptsetup
> >
> > 2 methods are supported for 2FA:
> > - Yubikey Challenge
> > - TPM2 Keypair
> > PIN-less is also supported, if the PINs are present in
> > /etc/cryptsetup/2fa.conf.
> >
> > Since I am not an expert in security and encryption:
> > CODE Review is requested here, too.
>
> Is there any reason to not just use systemd-cryptenroll?

Yes. I tried to use systemd-cryptenroll, but it cannot work with cryptsetup-suspend.
I need a way to suspend or hibernate without disks decrypted.

> It seems to be a more featureful implementation and also doesn't
> require storing PINs in plain text in configuration files like

My script doesn't *require* storing the PIN. You can just leave the config blank, and it will prompt for the PIN.

> /etc/cryptsetup/2fa/2fa.conf as README instructs users to do here.
> Nor does it store plain text credentials in /var/cache.
>

This is used, if a user has multiple disks/partitions and all of them have the same PIN, to ask for the PIN only one time.
The passphrase is stored in /var/cache, and switch_root will clean all of them, so I guess it won't leak.

> Ansgar
>
> PS: I also don't understand why cryptsetup-2fa-enroll(1) references
> privacyIDEA.

Thanks. Removed.
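The reply above describes a "prompt for the PIN once, keep it in a cache file while several volumes are unlocked, rely on switch_root to discard it" design, and the review question it answers is about plain-text credentials in /etc/cryptsetup/2fa/2fa.conf and /var/cache. The POSIX shell below is an added illustration of that pattern written for this thread; it is not cryptsetup-2fa's own code and does not reproduce its file layout. The path /run/cryptsetup-2fa (a tmpfs rather than a persistent /var/cache), the function names, and the pluggable UNLOCK command standing in for the plugin's cryptsetup/YubiKey/TPM2 call are all assumptions. What it adds to the discussion is the mitigation a reviewer would ask for: the cache and the config are refused unless they are mode 0600, and the cache is overwritten and removed as soon as the last volume is unlocked instead of being left for a later step to clean up.

```shell
#!/bin/sh
# Added example for the "ask for the PIN once, reuse it for several volumes"
# pattern discussed in the thread. Not cryptsetup-2fa's code; paths and names
# are assumptions made for this illustration.

# Assumption: a tmpfs location (/run) rather than persistent /var/cache, so the
# cached PIN never reaches disk even if cleanup is skipped.
CACHE_DIR="${CACHE_DIR:-/run/cryptsetup-2fa}"
CACHE_FILE="$CACHE_DIR/pin"

# Assumption: the command that receives the PIN on stdin and unlocks "$1".
# The default is a dry run that only names the volume.
UNLOCK="${UNLOCK:-dry_run_unlock}"
dry_run_unlock() { cat >/dev/null; printf 'would unlock %s\n' "$1"; }

# Return 0 only if FILE exists and is not readable by group or others
# (mode 0600, 0400, 0700, ...). Apply to both the config holding PINs and
# the cache file before trusting either.
conf_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f") || return 1
    mode=${mode#${mode%???}}        # keep the last three octal digits
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the PIN to the cache with umask 077 so the file is created 0600
# and the directory 0700; there is never a window where it is world-readable.
cache_pin() {
    pin=$1
    ( umask 077; mkdir -p "$CACHE_DIR" && printf '%s' "$pin" > "$CACHE_FILE" )
}

# Print the cached PIN, or return 1 (so the caller prompts) if there is no
# cache or its permissions are too loose to trust.
cached_pin() {
    conf_perms_ok "$CACHE_FILE" || return 1
    cat "$CACHE_FILE"
}

# Overwrite the cache with zeros before unlinking it, so the PIN does not
# survive the unlock step at all rather than waiting for switch_root.
wipe_pin_cache() {
    if [ -f "$CACHE_FILE" ]; then
        size=$(stat -c %s "$CACHE_FILE")
        head -c "$size" /dev/zero > "$CACHE_FILE" 2>/dev/null
        rm -f "$CACHE_FILE"
    fi
}

# Unlock every volume named on the command line with at most one prompt.
# The PIN is fed to $UNLOCK on stdin (newline-terminated) and the cache is
# wiped as soon as the loop finishes, whether or not every unlock succeeded.
unlock_all() {
    pin=$(cached_pin) || {
        printf 'PIN: ' >&2
        stty -echo 2>/dev/null; read -r pin; stty echo 2>/dev/null
        echo >&2
        cache_pin "$pin"
    }
    rc=0
    for vol in "$@"; do
        printf '%s\n' "$pin" | "$UNLOCK" "$vol" || rc=1
    done
    wipe_pin_cache
    return $rc
}

# Usage (dry run): unlock_all cryptroot crypthome
```

The point of the permission check is that a PIN stored in a config file is only as secret as that file's mode; a 0644 2fa.conf hands the second factor to every local user. Keeping the cache on tmpfs and wiping it at the end of the unlock loop removes the dependency on a later cleanup step.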
Re: Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup
On Sun, 2023-12-31 at 18:49 +0800, YunQiang Su wrote:
> * Package name    : cryptsetup-2fa
>   Version         : 0.1
>   Upstream Contact: YunQiang Su
> * URL             : https://github.com/wzssyqa/cryptsetup-2fa/
> * License         : BSD-2
>   Programming Lang: SHELL
>   Description     : 2FA plugin for cryptsetup
>
> 2 methods are supported for 2FA:
> - Yubikey Challenge
> - TPM2 Keypair
> PIN-less is also supported, if the PINs are present in
> /etc/cryptsetup/2fa.conf.
>
> Since I am not an expert in security and encryption:
> CODE Review is requested here, too.

Is there any reason to not just use systemd-cryptenroll?

It seems to be a more featureful implementation and also doesn't
require storing PINs in plain text in configuration files like
/etc/cryptsetup/2fa/2fa.conf as README instructs users to do here.
Nor does it store plain text credentials in /var/cache.

Ansgar

PS: I also don't understand why cryptsetup-2fa-enroll(1) references
privacyIDEA.
Bug#1059745: ITP: cryptsetup-2fa -- 2FA plugin for cryptsetup
Package: wnpp
Severity: wishlist
Owner: YunQiang Su
X-Debbugs-Cc: debian-devel@lists.debian.org, s...@debian.org

* Package name    : cryptsetup-2fa
  Version         : 0.1
  Upstream Contact: YunQiang Su
* URL             : https://github.com/wzssyqa/cryptsetup-2fa/
* License         : BSD-2
  Programming Lang: SHELL
  Description     : 2FA plugin for cryptsetup

2 methods are supported for 2FA:
- Yubikey Challenge
- TPM2 Keypair
PIN-less is also supported, if the PINs are present in
/etc/cryptsetup/2fa.conf.

Since I am not an expert in security and encryption:
CODE Review is requested here, too.