agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

"True" 2FA configuration slightly confusing #30

Closed tobi-wan-kenobi closed 5 years ago

tobi-wan-kenobi commented 6 years ago

Hi,

I just successfully set up my Arch with "true" (password/SHA256-based) 2FA - thanks a lot for an awesome piece of software!

Just one small suggestion: I found it quite confusing (and not documented) that, if I use the "true" 2FA, I still need to set YKFDE_CHALLENGE to some non-empty value. Otherwise, the initrd hook goes into "fallback" mode and queries for the password only.

From your perspective, would it make sense to change the behaviour, so that the Yubikey authentication is also performed if YKFDE_CHALLENGE is empty, but YKFDE_CHALLENGE_PASSWORD_NEEDED is set?

Vincent43 commented 6 years ago

Yeah, currently only ykfde.conf gives you a hint that YKFDE_CHALLENGE has to be set to use ykfde passphrases at all. I was thinking about getting rid of YKFDE_CHALLENGE_PASSWORD_NEEDED completely and basing it only on YKFDE_CHALLENGE being empty or not, but then there would be no fallback, which can be valuable in some cases.

I will consider your idea. I also plan to improve the readme a bit.

AmShaegar13 commented 6 years ago

Thank you very much @tobi-wan-kenobi! Your issue saved me last minute from giving up on this. I had indeed not set a challenge.

@Vincent43 Also, thank you for maintaining this great package!

Vincent43 commented 6 years ago

@AmShaegar13 I'm sorry for this. It's an artifact of an old iteration where both the stored challenge and typed password were used at the same time (which didn't really make sense for security).

As I wrote earlier - I prefer to simplify things further but I'm still not sure how to deal with fallback.

Vincent43 commented 6 years ago

@tobi-wan-kenobi @AmShaegar13 This issue should be fixed with https://github.com/agherzan/yubikey-full-disk-encryption/commit/1e1ded797f0fd57932a68f2005248c6fd000bcd7 You can empty YKFDE_CHALLENGE in /etc/ykfde.conf, rebuild initramfs and test.

I also clarified options available in ykfde config file.
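The behaviour discussed in this thread, modelled as an added example (not code from yubikey-full-disk-encryption): a check that reports which unlock mode a config yields before and after the fix and flags the silent downgrade to passphrase-only. The function names, the mode labels, treating any non-empty YKFDE_CHALLENGE_PASSWORD_NEEDED as "set", and the stored-challenge mode are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example: a model of the mode selection described in this thread,
# not the project's hook. Function names and mode labels are hypothetical.

# conf_get FILE KEY: value of the last uncommented KEY=... line, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# unlock_mode FILE before|after: mode the hook would use before/after the fix.
unlock_mode() {
    challenge=$(conf_get "$1" YKFDE_CHALLENGE)
    pw_needed=$(conf_get "$1" YKFDE_CHALLENGE_PASSWORD_NEEDED)
    if [ -n "$challenge" ]; then
        # Assumption: a stored challenge without the password flag is YubiKey-only.
        if [ -n "$pw_needed" ]; then echo "yubikey+typed-password"
        else echo "yubikey+stored-challenge"; fi
    elif [ -n "$pw_needed" ] && [ "$2" = after ]; then
        # After the fix, an empty YKFDE_CHALLENGE no longer disables 2FA.
        echo "yubikey+typed-password"
    else
        # Fallback: only the passphrase is asked for, no YubiKey involved.
        echo "passphrase-only"
    fi
}

# audit_conf FILE: returns 1 when 2FA is requested but a pre-fix hook
# would silently ask for the passphrase only.
audit_conf() {
    pw_needed=$(conf_get "$1" YKFDE_CHALLENGE_PASSWORD_NEEDED)
    [ -n "$pw_needed" ] || return 0
    if [ "$(unlock_mode "$1" before)" = passphrase-only ]; then
        echo "WARN: $1: YKFDE_CHALLENGE_PASSWORD_NEEDED is set but" \
             "YKFDE_CHALLENGE is empty; a pre-fix hook uses passphrase only" >&2
        return 1
    fi
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '#YKFDE_CHALLENGE="old"' 'YKFDE_CHALLENGE=""' \
    'YKFDE_CHALLENGE_PASSWORD_NEEDED="1"' > "$sample"
echo "before fix: $(unlock_mode "$sample" before)"
echo "after fix:  $(unlock_mode "$sample" after)"
audit_conf "$sample" || true
```

To check a real system, call `audit_conf /etc/ykfde.conf` before rebuilding the initramfs.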

AmShaegar13 commented 5 years ago

Confirmed. Thank you! :)

tobi-wan-kenobi commented 5 years ago

Many thanks!