shimunn / fido2luks

Decrypt your LUKS partition using a FIDO2 compatible authenticator
Mozilla Public License 2.0

Debian Sid Support? #38

Open Brando753 opened 2 years ago

Brando753 commented 2 years ago

I have been trying to get fido2luks to work on Debian sid without much success. Currently, I am using four yubikeys and have set up the config as described in the readme. Each yubikey has a pin code assigned to it, which may or may not be the issue when trying to decrypt in initramfs. I installed dracut and then installed the dracut changes in this directory, but when I reboot the computer, I get a bunch of spam on boot that continues even as I enter in my passphrase:

dracut-initqueue[474]: SELinux enabled state cached to: disabled
dracut-initqueue[474]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy

When it asks for the authenticator, I assume it wants the pin, but even when I give it the pin, the yubikey never flashes for touch, and the only passphrase that works is the non-fido key (regular passphrase). Is there something I have to do with SELinux for this to work? Is there another setting I have to set in the grub config if the yubikey uses a pin? I am unsure if this is an issue running on Debian Sid or a misconfiguration on my part; what logs would help debug this issue?

shimunn commented 2 years ago

Neither the dracut nor the initramfs scripts support a pin at the moment (but the next major release will). So you either have to remove the pin or adapt the script such that it asks for a pin and passes it into fido2luks via the --pin-source.
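
Added example, not from this thread or from the fido2luks project: one way a boot script could prompt for the PIN and hand it over through a short-lived file, so the PIN never appears in a process argument list. It assumes `--pin-source` takes a file path and that `/run` is a tmpfs; `ask_pin`, `run_with_pin_file`, `PIN_TMPDIR` and the `@PINFILE@` placeholder are hypothetical names.

```sh
#!/bin/sh
# Added example; not part of the fido2luks dracut/initramfs scripts.
# Assumption: --pin-source expects the path of a file holding the PIN.

# ask_pin: print the PIN typed by the user on stdout, without echoing it.
ask_pin() {
    if command -v systemd-ask-password >/dev/null 2>&1; then
        systemd-ask-password "FIDO2 authenticator PIN:"
    else
        printf 'FIDO2 authenticator PIN: ' >&2
        stty -echo; IFS= read -r _typed; stty echo; printf '\n' >&2
        printf '%s' "$_typed"
        unset _typed
    fi
}

# run_with_pin_file PIN CMD [ARGS...]
# Writes PIN to a private temp file, replaces every argument equal to
# @PINFILE@ with that file's path, runs CMD, then deletes the file and
# returns CMD's exit status.
run_with_pin_file() {
    _pin=$1; shift
    # mktemp creates the file with mode 0600; /run keeps it off disk.
    _pinfile=$(mktemp "${PIN_TMPDIR:-/run}/fido2-pin.XXXXXX") || return 1
    printf '%s' "$_pin" > "$_pinfile"   # printf is a builtin: no argv leak
    unset _pin
    # Rotate through "$@", substituting the placeholder.
    _n=$#
    while [ "$_n" -gt 0 ]; do
        _arg=$1; shift
        if [ "$_arg" = "@PINFILE@" ]; then _arg=$_pinfile; fi
        set -- "$@" "$_arg"
        _n=$((_n - 1))
    done
    _rc=0
    "$@" || _rc=$?
    rm -f "$_pinfile"                   # removed on success and on failure
    return "$_rc"
}

# Hypothetical use in an unlock hook. Everything except --pin-source is a
# placeholder; check `fido2luks open --help` for your installed version:
#   pin=$(ask_pin)
#   run_with_pin_file "$pin" fido2luks open --pin-source @PINFILE@ <device> <name>
```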