cornelinux / yubikey-luks

Two factor authentication for harddisk encryption

Does not work with luks/dropbear #54

Open alzulas opened 5 years ago

alzulas commented 5 years ago

Is there any chance that there's a way to make it so busybox/dropbear and yubikey-luks can play nice together? I had my system set up so it would allow an SSH sign-in to the LUKS-encrypted disk. Once I set up the YubiKey to work for the LUKS disk, I can no longer use the SSH connection to unlock the disk. I can connect and type in cryptroot-unlock, but then it will time out before anything happens. I've looked through all the initramfs hooks, but I'm not entirely sure how to fix this. Do you have any recommendations? Thanks.

cornelinux commented 3 years ago

Do you want to connect your YubiKey to the remote server or to your local machine?

I would not recommend plugging your YubiKey into your remote server and leaving it there. If you have plugged the YubiKey into your local machine, this does not make sense. The server will not be able to send a challenge to your local YubiKey. However, you could create the YK response locally and paste it via SSH.

Did I get you right?

alzulas commented 3 years ago

This is all being done on an Atomic Pi. The reason for the SSH is that a security professional would have their own laptop, and then a Pi with specific tool kits on it. The security professional would bring the Pi with them to a customer, and when they needed to use it for testing, they would use the SSH connection to the box from their laptop to run the tests that were needed. In this way, their laptop is protected from anything malicious that might occur. However, we will also have to mail these devices cross-country for various engagements, hence the YubiKey. This would make the device safe from bad actors who might intercept the device in transit.

cornelinux commented 3 years ago

So where do you want to plug in the YubiKey?

How do you mail the YubiKeys (and the devices)?

alzulas commented 3 years ago

The Pi has multiple USB ports, so the YubiKey is plugged directly into the device. The device is mailed separately from the key: first one, and then, once the device has been delivered, the other. It's not super fast, but it's very secure.

cornelinux commented 3 years ago

Thank you for explaining your workflow.

I can no longer use the ssh connection to unlock the disk. I can connect, and type in cryptroot-unlock, but then it will time out before anything happens.

This information is a bit sparse. Also, I think that this is out of scope here, since after all you could use a completely separate script that unlocks and mounts the root partition with the YubiKey. cryptroot-unlock sounds like a script that comes with the dropbear initramfs. So you would need to modify this script so that it simply uses the passphrase from the YubiKey response.

The current scripts in this repository are not made to be used for this. For starters you might take a look at yubikey-luks-open.

I changed the title of this issue to one that describes your situation better.
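The approach suggested above (a separate unlock script, run over the dropbear SSH session, that turns the typed passphrase into the YubiKey response and feeds that to cryptsetup) looks roughly like the following. This is an added example, not code from yubikey-luks or from cryptsetup-initramfs. It assumes the YubiKey stays plugged into the remote machine (the Pi), that slot 2 is configured for HMAC-SHA1 challenge-response as yubikey-luks does by default, that the LUKS key slot was enrolled with the same HASH/CONCATENATE choice the script is run with, and that ykchalresp, sha256sum and cryptsetup are available in the initramfs; the function names, the YKCHALRESP/CRYPTSETUP override variables and the fake responder used to exercise it are all this example's own inventions. Hooking the opened device back into the initramfs waiting loop that cryptroot-unlock normally drives is left out, as the thread leaves it.

```shell
#!/bin/sh
# yk-unlock.sh: example unlock helper for a dropbear/busybox initramfs where
# the YubiKey is plugged into the machine being unlocked. Added example; not
# part of yubikey-luks. The passphrase typed over SSH is only the challenge:
# the HMAC response is produced by the YubiKey on this machine, so an
# intercepted device without the key cannot be opened with the passphrase alone.

YKSLOT=${YKSLOT:-2}                   # assumption: slot 2 holds HMAC-SHA1 challenge-response
HASH=${HASH:-0}                       # 1 = sha256 the passphrase before using it as the challenge
CONCATENATE=${CONCATENATE:-0}         # 1 = LUKS key is passphrase followed by the response
YKCHALRESP=${YKCHALRESP:-ykchalresp}  # overridable so the derivation can be exercised without hardware
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}  # overridable for the same reason

# Derive the LUKS key material from a passphrase. This mirrors the order of
# operations used when the key slot was enrolled: optional sha256 of the
# passphrase, challenge-response against the YubiKey, optional concatenation.
# Prints the key without a trailing newline (a newline would become part of
# the key when cryptsetup reads it from a key file) and fails if the YubiKey
# gives no response.
yk_derive_key() {
    p=$1
    if [ "$HASH" = "1" ]; then
        p=$(printf '%s' "$p" | sha256sum | cut -d' ' -f1)
    fi
    # -i- reads the challenge from stdin; stderr is silenced so nothing about
    # the challenge leaks into the SSH session log.
    r=$(printf '%s' "$p" | "$YKCHALRESP" "-$YKSLOT" -i- 2>/dev/null) || return 1
    [ -n "$r" ] || return 1
    if [ "$CONCATENATE" = "1" ]; then
        printf '%s' "$p$r"
    else
        printf '%s' "$r"
    fi
}

# Prompt over the current session without echo, derive the key and open the
# LUKS container as /dev/mapper/<name>. The key goes to cryptsetup on stdin
# (--key-file=-), never on the command line where it would be visible in ps.
unlock_root() {
    dev=$1
    name=$2
    stty -echo 2>/dev/null
    printf 'YubiKey passphrase for %s: ' "$dev"
    read -r pass
    stty echo 2>/dev/null
    echo
    key=$(yk_derive_key "$pass") || {
        echo "no response from the YubiKey; is it plugged into this machine?" >&2
        return 1
    }
    pass=
    printf '%s' "$key" | "$CRYPTSETUP" open --type luks --key-file=- "$dev" "$name" || return 1
    key=
    echo "$dev opened as /dev/mapper/$name"
}

# Usage: yk-unlock.sh /dev/sda2 cryptroot   (device and mapping name are examples)
if [ $# -ge 2 ]; then
    unlock_root "$1" "$2"
fi
```

Running it as `HASH=1 CONCATENATE=0 ./yk-unlock.sh /dev/sda2 cryptroot` from the dropbear shell must use the same HASH and CONCATENATE values the slot was enrolled with, otherwise the derived key will not match and cryptsetup fails with "No key available with this passphrase". The passphrase itself is still transmitted over SSH, so the scheme depends on SSH authenticating the Pi (check the dropbear host key fingerprint after the device arrives) as much as on the YubiKey.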