HacKanCuBa
commented
5 years ago BTW, this code is somewhat similar to cornelinux/yubikey-luks, and thus has this same issue.
Closed HacKanCuBa closed 5 years ago
HacKanCuBa
commented
5 years ago BTW, this code is somewhat similar to cornelinux/yubikey-luks, and thus has this same issue.
Vincent43
commented
5 years ago @HacKanCuBa great find! I'll look into it.
Vincent43
commented
5 years ago @HacKanCuBa This should be fixed in https://github.com/agherzan/yubikey-full-disk-encryption/commit/6aa15b9ddc9ce3d6f2fc1aa6b79842d4afe76f83 . Thank you again for reporting this.
HacKanCuBa
commented
5 years ago Awesome! I checked the commit and seems fine.
Thank you!
agherzan
commented
5 years ago Nice report!
Hello there! I was checking your scripts and I noticed that you pass the password to the
ykchalrespbin as part of its command line, thus exposing it to the system: https://github.com/agherzan/yubikey-full-disk-encryption/blob/0e1e58b9b90eef318d17e0ceb4f267063d1d864b/src/ykfde-enroll#L149If you run
toporhtopyou will see the password shows up there. The same happens in the initram script, but on that scenario is not so dangerous. However, on the already booted up scenario, having the password shown as part of the command is VERY dangerous.I haven't used
ykchalrespbut a better approach would be to pass the password like:printf "%s" "$P1" | ykchalresp -2 -or something like that (we need to test this).