Open Frederick888 opened 4 years ago
Shall we close this PR for now?
Ah, sorry, got busy for a while then completely forgot about this. I still would like to finish this feature, but I can't give you a time frame right now. Is it ok? Or I'm also happy to submit another PR when I actually manage to wrap it up.
Take your time, we can wait 😄
That's absolutely alright. Just wanted to make sure it's still planned sometime in the future.
This is a proof of concept which contains a lot of ugly hacks and it's not intended to be merged.

I would like to use yubikey-full-disk-encryption to unlock a headless machine without the hassle of unplugging/plugging the YubiKey. So, inspired by the `encryptssh` hook from mkinitcpio-utils that I'm currently using, here's a prototype that utilises SSH port forwarding to achieve this job.

Server-Side Requirements

- `nc` from gnu-netcat
- `ss` from iproute2
- dropbear (and netconf) needs to be pre-configured according to https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp).

mkinitcpio hooks should look like:

Client-Side Requirements

- `ncat` from nmap
- `ykfde-ssh` from this PR

Basically what it does is:

1. `ykfde-ssh Hostname`, and it:
   1.1 starts `ncat` to listen on `127.0.0.1:9000` and wait for the challenge
   1.2 forwards `127.0.0.1:9000` to Server
2. `ss` to detect whether `127.0.0.1:9000` is open
3. `nc` to send the challenge to `127.0.0.1:9000` and obtain the response

I've tested it in a virtual machine and it seems to work pretty smoothly. However, the configuration does tend to be overly complex, and I actually wonder whether there is a better way of doing this rather than using SSH port forwarding. But @agherzan, if you feel comfortable about this idea I can then make some time to tidy it up and submit a proper PR.
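The three-step hand-off above (wait for the forwarded loopback port to be listening, push the challenge into it, read the response back) as an added in-process simulation. This is example code written for this page, not code from the PR or from yubikey-full-disk-encryption: the ssh/ncat/nc/ss plumbing is replaced by plain sockets on 127.0.0.1, the `port_is_listening` check reads the kernel socket table from `/proc/net/tcp` the way `ss` would (falling back to a connect probe where `/proc` is absent), and the YubiKey is stood in for by HMAC-SHA1 with a constructed secret. The fixed 64-byte challenge / 20-byte response framing, the ephemeral port and the secret are all assumptions of the example, not something the PR specifies.

```python
"""Loopback simulation of the ykfde-ssh hand-off: the initramfs side waits for
127.0.0.1:PORT to be listening, sends a challenge into it, and reads back the
response computed on the client side.  No ssh, ncat, nc or ss is involved."""
import hashlib
import hmac
import os
import socket
import threading
import time

# Constructed values (assumptions, not from the PR): the secret stands in for the
# key in the YubiKey's HMAC-SHA1 challenge-response slot; framing is a fixed
# 64-byte challenge answered by a 20-byte HMAC-SHA1 digest.
FAKE_YUBIKEY_SECRET = b"constructed-example-secret-not-a-real-key"
CHALLENGE_LEN = 64
RESPONSE_LEN = hashlib.sha1().digest_size  # 20


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the YubiKey slot: HMAC-SHA1 over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; TCP gives no message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf


def start_client_listener(secret: bytes = FAKE_YUBIKEY_SECRET):
    """Client role (what `ncat` does in the PR): bind to loopback only, answer
    exactly one challenge, then go away.  Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = ephemeral, so it never clashes with a real :9000
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    try:
                        challenge = recv_exact(conn, CHALLENGE_LEN)
                    except ConnectionError:
                        continue  # empty probe connection, not a challenge: keep waiting
                    conn.sendall(yubikey_response(secret, challenge))
                    return  # one-shot, like ncat without -k
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def port_is_listening(port: int) -> bool:
    """Server role (what `ss` does in the PR): look for a LISTEN socket on
    127.0.0.1:port without connecting to it.  Reads /proc/net/tcp on Linux;
    elsewhere falls back to a connect probe, which the listener tolerates."""
    if os.path.exists("/proc/net/tcp"):
        want = "0100007F:%04X" % port  # 127.0.0.1 little-endian hex, port in hex
        with open("/proc/net/tcp") as f:
            next(f)  # column header line
            for line in f:
                fields = line.split()
                if fields[1] == want and fields[3] == "0A":  # 0A = TCP_LISTEN
                    return True
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        return s.connect_ex(("127.0.0.1", port)) == 0


def send_challenge(port: int, challenge: bytes) -> bytes:
    """Server role (what `nc` does in the PR): push the challenge into the
    forwarded port and read the fixed-size response back."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be exactly %d bytes" % CHALLENGE_LEN)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        conn.sendall(challenge)
        return recv_exact(conn, RESPONSE_LEN)


def run_exchange(challenge: bytes = b"\x01" * CHALLENGE_LEN) -> bytes:
    """Whole round trip in one process: listener up, poll until it is seen
    listening (as the initramfs hook would), then challenge it."""
    port, thread = start_client_listener()
    deadline = time.monotonic() + 5
    while not port_is_listening(port):
        if time.monotonic() > deadline:
            raise TimeoutError("forwarded port never came up")
        time.sleep(0.05)
    response = send_challenge(port, challenge)
    thread.join(timeout=5)
    return response


if __name__ == "__main__":
    print(run_exchange().hex())
```

The listener binds only to 127.0.0.1, so in the real setup nothing but the SSH-forwarded connection can reach it, and it answers a single challenge before closing, which is why the server side checks for the port with `ss` rather than by connecting: a probe connection would otherwise consume the one-shot listener.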