Closed tobi-wan-kenobi closed 5 years ago
Yeah, currently only ykfde.conf gives you a hint that YKFDE_CHALLENGE has to be set to use ykfde passphrases at all. I was thinking about getting rid of YKFDE_CHALLENGE_PASSWORD_NEEDED completely and basing it only on YKFDE_CHALLENGE being empty or not, but then there would be no fallback, which can be valuable in some cases.
I will consider your idea. I also plan to improve the readme a bit.
Thank you very much @tobi-wan-kenobi! Your issue saved me at the last minute from giving up on this. I had indeed not set a challenge.
@Vincent43 Also, thank you for maintaining this great package!
@AmShaegar13 I'm sorry for this. It's an artifact of an old iteration where both the stored challenge and typed password were used at the same time (which didn't really make sense for security).
As I wrote earlier - I prefer to simplify things further but I'm still not sure how to deal with fallback.
@tobi-wan-kenobi @AmShaegar13 This issue should be fixed with https://github.com/agherzan/yubikey-full-disk-encryption/commit/1e1ded797f0fd57932a68f2005248c6fd000bcd7
You can empty YKFDE_CHALLENGE in /etc/ykfde.conf, rebuild initramfs and test.
I also clarified options available in ykfde config file.
Confirmed. Thank you! :)
Many thanks!
Hi,
I just successfully set up my Arch with "true" (password/SHA256-based) 2FA - thanks a lot for an awesome piece of software!
Just one small suggestion: I found it quite confusing (and not documented) that, if I use the "true" 2FA, I still need to set YKFDE_CHALLENGE to some non-empty value. Otherwise, the initrd hook goes into "fallback" mode and queries for the password only.
From your perspective, would it make sense to change the behaviour, so that the Yubikey authentication is also performed if YKFDE_CHALLENGE is empty, but YKFDE_CHALLENGE_PASSWORD_NEEDED is set?
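
A configuration check for the behaviour discussed in this thread, as an added example that is not part of any comment above and is not the project's own code. The function names and mode labels are hypothetical, and it assumes YKFDE_CHALLENGE_PASSWORD_NEEDED counts as enabled when its value is 1.

```shell
#!/bin/sh
# Added example, not project code. Reads ykfde.conf as text instead of
# sourcing it, so the check never executes the file's contents.

# Print the value of the last uncommented KEY= assignment in FILE, with
# trailing whitespace and one pair of surrounding quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify the config by the two options discussed in the thread.
# Assumption: PASSWORD_NEEDED counts as enabled when its value is 1.
ykfde_mode() {
    challenge=$(conf_get YKFDE_CHALLENGE "$1")
    needed=$(conf_get YKFDE_CHALLENGE_PASSWORD_NEEDED "$1")
    if [ "$needed" = "1" ] && [ -n "$challenge" ]; then
        echo "password-2fa"            # works before and after the fix
    elif [ "$needed" = "1" ]; then
        echo "password-2fa-needs-fix"  # pre-fix hook asks for passphrase only
    elif [ -n "$challenge" ]; then
        echo "stored-challenge"
    else
        echo "fallback"                # no YubiKey step at all
    fi
}

# Constructed sample: the configuration the issue reporter describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#YKFDE_CHALLENGE="commented out, ignored"
YKFDE_CHALLENGE=""
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
EOF
echo "sample config: $(ykfde_mode "$sample")"
rm -f "$sample"
```

A result of password-2fa-needs-fix means the initramfs hook must include the commit linked above; otherwise the boot prompt asks for the passphrase only.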