From 9c6308d13313a9049c3f7a331efdf3d64f66e8f8 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 12:19:31 -0800 Subject: [PATCH 01/18] Restructured folders to begin debian support --- Makefile => arch/Makefile | 0 PKGBUILD => arch/PKGBUILD | 0 {src => arch/src}/hooks/ykfde | 0 {src => arch/src}/initramfs-suspend | 0 {src => arch/src}/install/ykfde | 0 {src => arch/src}/ykfde-enroll | 0 {src => arch/src}/ykfde-format | 0 {src => arch/src}/ykfde-open | 0 {src => arch/src}/ykfde-suspend | 0 {src => arch/src}/ykfde-suspend.service | 0 {src => arch/src}/ykfde.conf | 0 testrun.sh => arch/testrun.sh | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename Makefile => arch/Makefile (100%) rename PKGBUILD => arch/PKGBUILD (100%) rename {src => arch/src}/hooks/ykfde (100%) rename {src => arch/src}/initramfs-suspend (100%) rename {src => arch/src}/install/ykfde (100%) rename {src => arch/src}/ykfde-enroll (100%) rename {src => arch/src}/ykfde-format (100%) rename {src => arch/src}/ykfde-open (100%) rename {src => arch/src}/ykfde-suspend (100%) rename {src => arch/src}/ykfde-suspend.service (100%) rename {src => arch/src}/ykfde.conf (100%) rename testrun.sh => arch/testrun.sh (100%) diff --git a/Makefile b/arch/Makefile similarity index 100% rename from Makefile rename to arch/Makefile diff --git a/PKGBUILD b/arch/PKGBUILD similarity index 100% rename from PKGBUILD rename to arch/PKGBUILD diff --git a/src/hooks/ykfde b/arch/src/hooks/ykfde similarity index 100% rename from src/hooks/ykfde rename to arch/src/hooks/ykfde diff --git a/src/initramfs-suspend b/arch/src/initramfs-suspend similarity index 100% rename from src/initramfs-suspend rename to arch/src/initramfs-suspend diff --git a/src/install/ykfde b/arch/src/install/ykfde similarity index 100% rename from src/install/ykfde rename to arch/src/install/ykfde 
diff --git a/src/ykfde-enroll b/arch/src/ykfde-enroll similarity index 100% rename from src/ykfde-enroll rename to arch/src/ykfde-enroll diff --git a/src/ykfde-format b/arch/src/ykfde-format similarity index 100% rename from src/ykfde-format rename to arch/src/ykfde-format diff --git a/src/ykfde-open b/arch/src/ykfde-open similarity index 100% rename from src/ykfde-open rename to arch/src/ykfde-open diff --git a/src/ykfde-suspend b/arch/src/ykfde-suspend similarity index 100% rename from src/ykfde-suspend rename to arch/src/ykfde-suspend diff --git a/src/ykfde-suspend.service b/arch/src/ykfde-suspend.service similarity index 100% rename from src/ykfde-suspend.service rename to arch/src/ykfde-suspend.service diff --git a/src/ykfde.conf b/arch/src/ykfde.conf similarity index 100% rename from src/ykfde.conf rename to arch/src/ykfde.conf diff --git a/testrun.sh b/arch/testrun.sh similarity index 100% rename from testrun.sh rename to arch/testrun.sh From 0ef1752c141b57318977d6c215ea6e87304a32c2 Mon Sep 17 00:00:00 2001 
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 14:41:09 -0800 Subject: [PATCH 02/18] Moved files to updated file structure --- arch/Makefile | 20 +-- debian/Makefile | 26 +++ debian/debian/changelog | 0 debian/debian/compat | 1 + debian/debian/control | 0 debian/debian/copyright | 202 ++++++++++++++++++++++++ debian/debian/rules | 36 +++++ debian/debian/ykfde.postinst | 0 debian/testrun.sh | 60 +++++++ {arch/src => src}/hooks/ykfde | 0 {arch/src => src}/initramfs-suspend | 0 {arch/src => src}/install/ykfde | 0 {arch/src => src}/ykfde-enroll | 0 {arch/src => src}/ykfde-format | 0 {arch/src => src}/ykfde-open | 0 {arch/src => src}/ykfde-suspend | 0 {arch/src => src}/ykfde-suspend.service | 0 {arch/src => src}/ykfde.conf | 0 18 files changed, 335 insertions(+), 10 deletions(-) create mode 100644 debian/Makefile create mode 100644 debian/debian/changelog create mode 100644 debian/debian/compat create mode 100644 debian/debian/control create mode 100644 debian/debian/copyright create mode 100644 debian/debian/rules create mode 100644 debian/debian/ykfde.postinst create mode 100755 debian/testrun.sh rename {arch/src => src}/hooks/ykfde (100%) rename {arch/src => src}/initramfs-suspend (100%) rename {arch/src => src}/install/ykfde (100%) rename {arch/src => src}/ykfde-enroll (100%) rename {arch/src => src}/ykfde-format (100%) rename {arch/src => src}/ykfde-open (100%) rename {arch/src => src}/ykfde-suspend (100%) rename {arch/src => src}/ykfde-suspend.service (100%) rename {arch/src => src}/ykfde.conf (100%) diff --git a/arch/Makefile b/arch/Makefile index 672c6b7..114d61c 100644 --- a/arch/Makefile +++ b/arch/Makefile 
@@ -1,16 +1,16 @@ install: reinstall - install -v -b -Dm644 src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf" + install -v -b -Dm644 ../src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf" reinstall: - install -Dm644 src/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde" - install -Dm644 src/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde" - install -Dm755 src/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend" - install -Dm755 src/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend" - install -Dm644 src/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service" - install -Dm755 src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll" - install -Dm755 src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format" - install -Dm755 src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" - install -Dm644 README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" + install -Dm644 ../src/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde" + install -Dm644 ../src/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde" + install -Dm755 ../src/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend" + install -Dm755 ../src/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend" + install -Dm644 ../src/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service" + install -Dm755 ../src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll" + install -Dm755 ../src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format" + install -Dm755 ../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" + install -Dm644 ../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" test: ./testrun.sh diff --git a/debian/Makefile b/debian/Makefile new file mode 100644 index 0000000..b3db4da --- /dev/null +++ b/debian/Makefile 
@@ -0,0 +1,26 @@
+info:
+ @echo "builddeb [NO_SIGN=1] - build deb package for Ubuntu LTS [NO_SIGN disables signing]"
+ @echo "clean - clean build directory DEBUILD"
+
+VERSION=0.1
+SRC_DIR = yubikey-fde-${VERSION}
+
+debianize:
+ rm -fr DEBUILD
+ mkdir -p DEBUILD/${SRC_DIR}
+ cp -r * DEBUILD/${SRC_DIR} || true
+ (cd DEBUILD; tar -zcf yubikey-fde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR})
+
+builddeb:
+ make debianize
+ifndef NO_SIGN
+ (cd DEBUILD/${SRC_DIR}; debuild)
+else
+ (cd DEBUILD/${SRC_DIR}; debuild -uc -us)
+endif
+
+clean:
+ rm -fr DEBUILD
+
+test:
+ ./testrun.sh
diff --git a/debian/debian/changelog b/debian/debian/changelog
new file mode 100644
index 0000000..e69de29
diff --git a/debian/debian/compat b/debian/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/debian/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/debian/debian/control b/debian/debian/control
new file mode 100644
index 0000000..e69de29
diff --git a/debian/debian/copyright b/debian/debian/copyright
new file mode 100644
index 0000000..ee8be5a
--- /dev/null
+++ b/debian/debian/copyright
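Review bot: In the `debianize` recipe, `cp -r * DEBUILD/${SRC_DIR} || true` discards every copy error, and because `*` also matches the freshly created `DEBUILD` directory the command is expected to fail on each run, so a genuinely missing or unreadable file goes unnoticed and `debuild` packages whatever happened to be copied. Copying an explicit list and letting the recipe fail is safer, e.g. `cp -r Makefile debian testrun.sh DEBUILD/${SRC_DIR}`. `builddeb` should call `$(MAKE) debianize` rather than `make debianize` so that flags reach the sub-make. The `info` text could also state that `NO_SIGN=1` skips signing of the source package and the .changes file, so such a build is not something to publish.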
@@ -0,0 +1,202 @@ + +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, +and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by +the copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all +other entities that control, are controlled by, or are under common +control with that entity. For the purposes of this definition, +"control" means (i) the power, direct or indirect, to cause the +direction or management of such entity, whether by contract or +otherwise, or (ii) ownership of fifty percent (50%) or more of the +outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity +exercising permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, +including but not limited to software source code, documentation +source, and configuration files. + +"Object" form shall mean any form resulting from mechanical +transformation or translation of a Source form, including but +not limited to compiled object code, generated documentation, +and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or +Object form, made available under the License, as indicated by a +copyright notice that is included in or attached to the work +(an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object +form, that is based on (or derived from) the Work and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. 
For the purposes +of this License, Derivative Works shall not include works that remain +separable from, or merely link (or bind by name) to the interfaces of, +the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including +the original version of the Work and any modifications or additions +to that Work or Derivative Works thereof, that is intentionally +submitted to Licensor for inclusion in the Work by the copyright owner +or by an individual or Legal Entity authorized to submit on behalf of +the copyright owner. For the purposes of this definition, "submitted" +means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, +and issue tracking systems that are managed by, or on behalf of, the +Licensor for the purpose of discussing and improving the Work, but +excluding communication that is conspicuously marked or otherwise +designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity +on behalf of whom a Contribution has been received by Licensor and +subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable +copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the +Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable +(except as stated in this section) patent license to make, have made, +use, offer to sell, sell, import, and otherwise transfer the Work, +where such license applies only to those patent claims licensable +by such Contributor that are necessarily infringed by their +Contribution(s) alone or by combination of their Contribution(s) +with the Work to which such Contribution(s) was submitted. If You +institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work +or a Contribution incorporated within the Work constitutes direct +or contributory patent infringement, then any patent licenses +granted to You under this License for that Work shall terminate +as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the +Work or Derivative Works thereof in any medium, with or without +modifications, and in Source or Object form, provided that You +meet the following conditions: + +(a) You must give any other recipients of the Work or +Derivative Works a copy of this License; and + +(b) You must cause any modified files to carry prominent notices +stating that You changed the files; and + +(c) You must retain, in the Source form of any Derivative Works +that You distribute, all copyright, patent, trademark, and +attribution notices from the Source form of the Work, +excluding those notices that do not pertain to any part of +the Derivative Works; and + +(d) If the Work includes a "NOTICE" text file as part of its +distribution, then any Derivative Works that You distribute must +include a readable copy of the attribution notices contained +within such NOTICE file, excluding those notices that do not +pertain to any part of the Derivative Works, in at least one +of the following places: within a 
NOTICE text file distributed +as part of the Derivative Works; within the Source form or +documentation, if provided along with the Derivative Works; or, +within a display generated by the Derivative Works, if and +wherever such third-party notices normally appear. The contents +of the NOTICE file are for informational purposes only and +do not modify the License. You may add Your own attribution +notices within Derivative Works that You distribute, alongside +or as an addendum to the NOTICE text from the Work, provided +that such additional attribution notices cannot be construed +as modifying the License. + +You may add Your own copyright statement to Your modifications and +may provide additional or different license terms and conditions +for use, reproduction, or distribution of Your modifications, or +for any such Derivative Works as a whole, provided Your use, +reproduction, and distribution of the Work otherwise complies with +the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, +any Contribution intentionally submitted for inclusion in the Work +by You to the Licensor shall be under the terms and conditions of +this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify +the terms of any separate license agreement you may have executed +with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade +names, trademarks, service marks, or product names of the Licensor, +except as required for reasonable and customary use in describing the +origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or +agreed to in writing, Licensor provides the Work (and each +Contributor provides its Contributions) on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +implied, including, without limitation, any warranties or conditions +of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A +PARTICULAR PURPOSE. You are solely responsible for determining the +appropriateness of using or redistributing the Work and assume any +risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, +whether in tort (including negligence), contract, or otherwise, +unless required by applicable law (such as deliberate and grossly +negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, +incidental, or consequential damages of any character arising as a +result of this License or out of the use or inability to use the +Work (including but not limited to damages for loss of goodwill, +work stoppage, computer failure or malfunction, or any and all +other commercial damages or losses), even if such Contributor +has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing +the Work or Derivative Works thereof, You may choose to offer, +and charge a fee for, acceptance of support, warranty, indemnity, +or other liability obligations and/or rights consistent with this +License. However, in accepting such obligations, You may act only +on Your own behalf and on Your sole responsibility, not on behalf +of any other Contributor, and only if You agree to indemnify, +defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason +of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +To apply the Apache License to your work, attach the following +boilerplate notice, with the fields enclosed by brackets "{}" +replaced with your own identifying information. (Don't include +the brackets!) The text should be enclosed in the appropriate +comment syntax for the file format. We also recommend that a +file or class name and description of purpose be included on the +same "printed page" as the copyright notice for easier +identification within third-party archives. + +Copyright {yyyy} {name of copyright owner} + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/debian/debian/rules b/debian/debian/rules new file mode 100644 index 0000000..63e1d62 --- /dev/null +++ b/debian/debian/rules 
@@ -0,0 +1,36 @@
+#! /usr/bin/make -f
+
+%:
+ dh $@
+
+override_dh_auto_build:
+ # nothing to build
+
+override_dh_installsystemd:
+ dh_installsystemd -pykfde \
+ --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \
+ ykfde-suspend.service
+
+override_dh_install:
+ dh_install
+ install -D -o root -g root -m755 ../src/hooks/ykfde debian/yubikey-full-disk-encryption/usr/share/initramfs-tools/hooks/ykfde
+
+ # install -D -o root -g root -m755 ../src/key-script debian/yubikey-full-disk-encryption/usr/share/yubikey-full-disk-encryption/ykfde-keyscript
+
+ install -D -o root -g root -m755 ../src/ykfde-open debian/ykfde/usr/bin/ykfde-open
+
+ install -D -o root -g root -m755 ../src/ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll
+
+ install -D -o root -g root -m755 ../src/ykfde-format debian/ykfde/usr/bin/ykfde-format
+
+ # install -D -o root -g root -m644 ../src/yubikey-luks-enroll.1 debian/ykfde/usr/man/man1/yubikey-luks-enroll.1
+
+ install -D -o root -g root -m644 ../README.md debian/ykfde/usr/share/doc/ykfde/README.md
+
+ install -D -o root -g root -m644 ../src/ykfde.conf debian/ykfde/etc/ykfde.conf
+
+ install -D -o root -g root -m755 ../src/ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend
+
+ install -D -o root -g root -m755 ../src/initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend
+
+ install -D -o root -g root -m644 ../src/ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service
diff --git a/debian/debian/ykfde.postinst b/debian/debian/ykfde.postinst
new file mode 100644
index 0000000..e69de29
diff --git a/debian/testrun.sh b/debian/testrun.sh
new file mode 100755
index 0000000..5894e26
--- /dev/null
+++ b/debian/testrun.sh
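Review bot: The suspend helper is installed as `debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend`, while arch/Makefile in this same commit installs the same `../src/ykfde-suspend` to `/usr/lib/ykfde-suspend/ykfde-suspend`, and both packages ship the identical `ykfde-suspend.service`. The unit file is not part of this diff, but it can reference only one of those paths, so on one of the two distributions it presumably points at a file that is not there; the same applies to `initramfs-suspend`. Either install to the path the unit uses, e.g. `debian/ykfde/usr/lib/ykfde-suspend/ykfde-suspend`, or ship a Debian-specific unit, and add a comment above the line naming the unit path it has to match.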
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# set default values:
+YKFDE_CONFIG_FILE="/etc/ykfde.conf"
+YKFDE_CHALLENGE=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE_SLOT=""
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo "ERROR: Please run this script as 'root'."
+ exit 1
+fi
+
+# shellcheck source=src/ykfde.conf
+. "$YKFDE_CONFIG_FILE"
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+if [ -z "$YKFDE_CHALLENGE" ] && [ -z "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ printf '%s\n' "ERROR: No ykfde mode enabled. Please enable 'Automatic mode with stored challenge (1FA)' or 'Manual mode with secret challenge (2FA)' in '$YKFDE_CONFIG_FILE'."
+ exit 1
+elif [ "$YKFDE_CHALLENGE" ]; then
+ echo "INFO: 'Automatic mode with stored challenge (1FA)' is enabled."
+elif [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ echo "INFO: 'Manual mode with secret challenge (2FA)' is enabled."
+fi
+
+if [ -z "$YKFDE_CHALLENGE_SLOT" ]; then
+ echo "WARNING: YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode is not selected. Falling back to slot '2'."
+fi
+
+umask 0077
+YKFDE_TMPFILE=""
+YKFDE_TMPFILE="$(mktemp /dev/shm/ykfde-XXXXXX)"
+truncate -s 20M "$YKFDE_TMPFILE"
+
+cleanup() {
+ rm -f "$YKFDE_TMPFILE"
+}
+trap cleanup EXIT
+
+echo "INFO: Testing 'ykfde-format' script."
+DBG=1 ykfde-format "$YKFDE_TMPFILE"
+echo "Test 'ykfde-format' script successfully passed."
+
+echo "INFO: Testing 'ykfde-enroll' script."
+printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE"
+echo "INFO: Old LUKS passphrase is 'test'."
+ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v
+echo "Test 'ykfde-enroll' script successfully passed."
+
+echo "INFO: Testing 'ykfde-open' script."
+ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v
+cryptsetup close ykfde-test
+echo "Test 'ykfde-open' script successfully passed."
+
+echo "All tests successfully passed."
+
+exit 0
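Review bot: The `cleanup` trap is registered only after `mktemp` and `truncate` have run, and it removes the image file without closing the `ykfde-test` mapping, so a failure in `truncate`, or anywhere between `ykfde-open` and `cryptsetup close`, leaves a temp file or an open dm-crypt device behind on a script that runs as root under `set -e`. Moving `trap cleanup EXIT` above the `mktemp` line and adding `cryptsetup close ykfde-test 2>/dev/null || true` as the first command in `cleanup` covers both paths. A short header comment stating that the script needs a YubiKey inserted and sources `/etc/ykfde.conf` as root would also help, since the sourced file is executed as shell code.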
diff --git a/arch/src/hooks/ykfde b/src/hooks/ykfde similarity index 100% rename from arch/src/hooks/ykfde rename to src/hooks/ykfde diff --git a/arch/src/initramfs-suspend b/src/initramfs-suspend similarity index 100% rename from arch/src/initramfs-suspend rename to src/initramfs-suspend diff --git a/arch/src/install/ykfde b/src/install/ykfde similarity index 100% rename from arch/src/install/ykfde rename to src/install/ykfde diff --git a/arch/src/ykfde-enroll b/src/ykfde-enroll similarity index 100% rename from arch/src/ykfde-enroll rename to src/ykfde-enroll diff --git a/arch/src/ykfde-format b/src/ykfde-format similarity index 100% rename from arch/src/ykfde-format rename to src/ykfde-format diff --git a/arch/src/ykfde-open b/src/ykfde-open similarity index 100% rename from arch/src/ykfde-open rename to src/ykfde-open diff --git a/arch/src/ykfde-suspend b/src/ykfde-suspend similarity index 100% rename from arch/src/ykfde-suspend rename to src/ykfde-suspend diff --git a/arch/src/ykfde-suspend.service b/src/ykfde-suspend.service similarity index 100% rename from arch/src/ykfde-suspend.service rename to src/ykfde-suspend.service diff --git a/arch/src/ykfde.conf b/src/ykfde.conf similarity index 100% rename from arch/src/ykfde.conf rename to src/ykfde.conf From 0482ba2f8e40eebb9783960291fa675feee5fa97 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 21:05:20 -0800 Subject: [PATCH 03/18] Added initial support for Debian/Ubuntu systems --- debian/debian/rules | 17 ++--------- debian/key-script | 72 +++++++++++++++++++++++++++++++++++++++++++++ src/hooks/ykfde-deb | 38 ++++++++++++++++++++++++ 3 files changed, 113 insertions(+), 14 deletions(-) create mode 100755 debian/key-script create mode 100755 src/hooks/ykfde-deb diff --git a/debian/debian/rules b/debian/debian/rules index 63e1d62..cd188e5 100644 --- a/debian/debian/rules +++ b/debian/debian/rules 
@@ -13,24 +13,13 @@ override_dh_installsystemd: override_dh_install: dh_install - install -D -o root -g root -m755 ../src/hooks/ykfde debian/yubikey-full-disk-encryption/usr/share/initramfs-tools/hooks/ykfde - - # install -D -o root -g root -m755 ../src/key-script debian/yubikey-full-disk-encryption/usr/share/yubikey-full-disk-encryption/ykfde-keyscript - + install -D -o root -g root -m755 ../src/hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde + install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript install -D -o root -g root -m755 ../src/ykfde-open debian/ykfde/usr/bin/ykfde-open - install -D -o root -g root -m755 ../src/ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll - - install -D -o root -g root -m755 ../src/ykfde-format debian/ykfde/usr/bin/ykfde-format - - # install -D -o root -g root -m644 ../src/yubikey-luks-enroll.1 debian/ykfde/usr/man/man1/yubikey-luks-enroll.1 - + install -D -o root -g root -m755 ../src/ykfde-format debian/ykfde/usr/bin/ykfde-format install -D -o root -g root -m644 ../README.md debian/ykfde/usr/share/doc/ykfde/README.md - install -D -o root -g root -m644 ../src/ykfde.conf debian/ykfde/etc/ykfde.conf - install -D -o root -g root -m755 ../src/ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend - install -D -o root -g root -m755 ../src/initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend - install -D -o root -g root -m644 ../src/ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service diff --git a/debian/key-script b/debian/key-script new file mode 100755 index 0000000..0c41a52 --- /dev/null +++ b/debian/key-script 
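Review bot: The hook installed into `usr/share/initramfs-tools/hooks/ykfde` is still `../src/hooks/ykfde`, which arch/Makefile installs as the mkinitcpio hook, while the initramfs-tools hook added by this very commit, `src/hooks/ykfde-deb`, is not referenced by any install line. As written the package would ship the Arch hook where initramfs-tools expects its own hook format, so the keyscript and config would presumably never be copied into the initramfs. The line should probably read `install -D -o root -g root -m755 ../src/hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde`.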
@@ -0,0 +1,72 @@
+#! /bin/sh
+#
+# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk
+#
+# set defualt values:
+DBG=""
+YKFDE_CONFIG_FILE="/etc/ykfde.conf"
+YKFDE_NFC=""
+YKFDE_DISK_UUID=""
+YKFDE_LUKS_NAME=""
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_OPTIONS=""
+YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
+YKFDE_CRYPTSETUP_TRIALS="5"
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
+YKFDE_USE_PLYMOUTH=""
+
+. /etc/ykfde.conf
+
+if [ -z "$WELCOME_TEXT" ]; then
+ WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
+fi
+
+message()
+{
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ plymouth message --text="$*"
+ else
+ echo "$@" >&2
+ fi
+ return 0
+}
+
+check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+
+if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
+ if [ -z "$cryptkeyscript" ]; then
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ cryptkeyscript="plymouth ask-for-password --prompt"
+ else
+ cryptkeyscript="/lib/cryptsetup/askpass"
+ fi
+ fi
+ PW="$($cryptkeyscript "$WELCOME_TEXT")"
+else
+ PW="$YKFDE_CHALLENGE"
+fi
+
+if [ "$check_yubikey_present" = "1" ]; then
+ message "Accessing yubikey..."
+ #if [ "$HASH" = "1" ]; then
+ # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
+ #fi
+ R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)"
+ if [ "$R" ]; then
+ message "Retrieved the response from the Yubikey"
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then
+ printf '%s' "$PW$R"
+ else
+ printf '%s' "$R"
+ fi
+ else
+ message "Failed to retrieve the response from the Yubikey"
+ fi
+else
+ printf '%s' "$PW"
+fi
+
+exit 0
diff --git a/src/hooks/ykfde-deb b/src/hooks/ykfde-deb
new file mode 100755
index 0000000..9602d84
--- /dev/null
+++ b/src/hooks/ykfde-deb
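Review bot: With both `YKFDE_CHALLENGE` and `YKFDE_CHALLENGE_PASSWORD_NEEDED` set in /etc/ykfde.conf, the first `if` takes the `PW="$YKFDE_CHALLENGE"` branch and never prompts, so the key printed as `"$PW$R"` depends only on the stored challenge and the token, and the 2FA mode quietly becomes 1FA. testrun.sh in this series clears the challenge for that case, and the same line belongs right after `. /etc/ykfde.conf`: `[ -n "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""`. Separately, when `ykchalresp` returns nothing the script prints no key and still reaches `exit 0`, the error having been dropped by `2>/dev/null || true`, so a failed challenge is passed on as an empty key; an `exit 1` in that `else` branch would surface the failure. The header comment names /sbin/ykluks-keyscript while the hook in this commit copies the script to /sbin/ykfde-keyscript, and "defualt" is a typo.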
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /etc/ykfde.conf
+
+copy_exec /usr/bin/ykchalresp
+copy_exec /usr/bin/ykinfo
+copy_exec /usr/bin/sha256sum
+cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
+cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf
+
+#if [ "$SUSPEND" = "1" ]; then
+# echo "YKFDE: adding yubikey authentication to suspend."
+# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend"
+# chmod 755 "${DESTDIR}/suspend"
+# systemctl enable ykfde-suspend.service
+#else
+# echo "YKFDE: removing yubikey authentication to suspend."
+# systemctl disable ykfde-suspend.service
+#fi
+
+exit 0
From e31f138040e3cb79099dd51d4c1d7665839399d2 Mon Sep 17 00:00:00 2001
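Review bot: The line `cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf` is missing its closing double quote, so the string runs on into the commented block below it and the hook will not parse as intended; it should read `cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"`. Because this line copies the configuration into the initramfs, and the README states that a stored challenge sits there in cleartext, a comment next to it pointing at a restrictive initramfs umask (`UMASK=0077` in `/etc/initramfs-tools/initramfs.conf`) would be worth adding so the image is not left world-readable.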
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 22:20:53 -0800 Subject: [PATCH 04/18] Debian/Ubuntu support partially working --- debian/DEBUILD/ykfde-0.1/Makefile | 28 ++ debian/DEBUILD/ykfde-0.1/README.md | 273 ++++++++++++++++++ .../generated/ykfde/installed-by-dh_install | 0 .../ykfde/installed-by-dh_installdocs | 0 .../generated/ykfde/postinst.service | 17 ++ .../.debhelper/generated/ykfde/prerm.service | 5 + debian/DEBUILD/ykfde-0.1/debian/changelog | 5 + debian/DEBUILD/ykfde-0.1/debian/compat | 1 + debian/DEBUILD/ykfde-0.1/debian/control | 16 + debian/DEBUILD/ykfde-0.1/debian/copyright | 7 + .../ykfde-0.1/debian/debhelper-build-stamp | 1 + debian/DEBUILD/ykfde-0.1/debian/files | 2 + debian/DEBUILD/ykfde-0.1/debian/rules | 25 ++ .../ykfde-0.1/debian/ykfde.debhelper.log | 1 + .../DEBUILD/ykfde-0.1/debian/ykfde.postinst | 22 ++ .../ykfde-0.1/debian/ykfde.postrm.debhelper | 19 ++ .../DEBUILD/ykfde-0.1/debian/ykfde.substvars | 2 + .../ykfde-0.1/debian/ykfde/DEBIAN/conffiles | 1 + .../ykfde-0.1/debian/ykfde/DEBIAN/control | 14 + .../ykfde-0.1/debian/ykfde/DEBIAN/md5sums | 11 + .../ykfde-0.1/debian/ykfde/DEBIAN/postinst | 39 +++ .../ykfde-0.1/debian/ykfde/DEBIAN/postrm | 21 ++ .../ykfde-0.1/debian/ykfde/DEBIAN/prerm | 7 + .../ykfde-0.1/debian/ykfde/etc/ykfde.conf | 53 ++++ .../lib/systemd/system/ykfde-suspend.service | 21 ++ .../debian/ykfde/usr/bin/ykfde-enroll | 228 +++++++++++++++ .../debian/ykfde/usr/bin/ykfde-format | 81 ++++++ .../ykfde-0.1/debian/ykfde/usr/bin/ykfde-open | 207 +++++++++++++ .../ykfde/usr/lib/ykfde/initramfs-suspend | 29 ++ .../ykfde/usr/lib/ykfde/yubikey-luks-suspend | 128 ++++++++ .../ykfde/usr/share/doc/ykfde/README.md.gz | Bin 0 -> 4379 bytes .../ykfde/usr/share/doc/ykfde/changelog.gz | Bin 0 -> 172 bytes .../ykfde/usr/share/doc/ykfde/copyright | 7 + .../usr/share/initramfs-tools/hooks/ykfde | 38 +++ .../ykfde/usr/share/ykfde/ykfde-keyscript | 72 +++++ debian/DEBUILD/ykfde-0.1/hooks/ykfde 
| 258 +++++++++++++++++ debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb | 38 +++ debian/DEBUILD/ykfde-0.1/initramfs-suspend | 29 ++ debian/DEBUILD/ykfde-0.1/install/ykfde | 84 ++++++ debian/DEBUILD/ykfde-0.1/key-script | 72 +++++ debian/DEBUILD/ykfde-0.1/testrun.sh | 60 ++++ debian/DEBUILD/ykfde-0.1/ykfde-enroll | 228 +++++++++++++++ debian/DEBUILD/ykfde-0.1/ykfde-format | 81 ++++++ debian/DEBUILD/ykfde-0.1/ykfde-open | 207 +++++++++++++ debian/DEBUILD/ykfde-0.1/ykfde-suspend | 128 ++++++++ .../DEBUILD/ykfde-0.1/ykfde-suspend.service | 21 ++ debian/DEBUILD/ykfde-0.1/ykfde.conf | 53 ++++ debian/DEBUILD/ykfde_0.1.diff.gz | Bin 0 -> 1463 bytes debian/DEBUILD/ykfde_0.1.dsc | 20 ++ debian/DEBUILD/ykfde_0.1.orig.tar.gz | Bin 0 -> 14121 bytes debian/DEBUILD/ykfde_0.1_all.deb | Bin 0 -> 13564 bytes debian/DEBUILD/ykfde_0.1_amd64.build | 94 ++++++ debian/DEBUILD/ykfde_0.1_amd64.buildinfo | 167 +++++++++++ debian/DEBUILD/ykfde_0.1_amd64.changes | 34 +++ debian/Makefile | 10 +- debian/debian/changelog | 5 + debian/debian/control | 16 + debian/debian/copyright | 201 +------------ debian/debian/rules | 18 +- debian/debian/ykfde.postinst | 22 ++ src/hooks/ykfde-deb | 2 +- src/initramfs-suspend | 2 +- 62 files changed, 3018 insertions(+), 213 deletions(-) create mode 100644 debian/DEBUILD/ykfde-0.1/Makefile create mode 100644 debian/DEBUILD/ykfde-0.1/README.md create mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install create mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs create mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service create mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service create mode 100644 debian/DEBUILD/ykfde-0.1/debian/changelog create mode 100644 debian/DEBUILD/ykfde-0.1/debian/compat create mode 100644 debian/DEBUILD/ykfde-0.1/debian/control create mode 100644 debian/DEBUILD/ykfde-0.1/debian/copyright 
create mode 100644 debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp create mode 100644 debian/DEBUILD/ykfde-0.1/debian/files create mode 100755 debian/DEBUILD/ykfde-0.1/debian/rules create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/lib/ykfde/initramfs-suspend create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/README.md.gz create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/changelog.gz create mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde create mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript create mode 100644 debian/DEBUILD/ykfde-0.1/hooks/ykfde create mode 
100755 debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb create mode 100644 debian/DEBUILD/ykfde-0.1/initramfs-suspend create mode 100644 debian/DEBUILD/ykfde-0.1/install/ykfde create mode 100755 debian/DEBUILD/ykfde-0.1/key-script create mode 100755 debian/DEBUILD/ykfde-0.1/testrun.sh create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-enroll create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-format create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-open create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-suspend create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-suspend.service create mode 100644 debian/DEBUILD/ykfde-0.1/ykfde.conf create mode 100644 debian/DEBUILD/ykfde_0.1.diff.gz create mode 100644 debian/DEBUILD/ykfde_0.1.dsc create mode 100644 debian/DEBUILD/ykfde_0.1.orig.tar.gz create mode 100644 debian/DEBUILD/ykfde_0.1_all.deb create mode 100644 debian/DEBUILD/ykfde_0.1_amd64.build create mode 100644 debian/DEBUILD/ykfde_0.1_amd64.buildinfo create mode 100644 debian/DEBUILD/ykfde_0.1_amd64.changes diff --git a/debian/DEBUILD/ykfde-0.1/Makefile b/debian/DEBUILD/ykfde-0.1/Makefile new file mode 100644 index 0000000..8a38efa --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/Makefile @@ -0,0 +1,28 @@ +info: + @echo "builddeb [NO_SIGN=1] - build deb package for Ubuntu LTS [NO_SIGN disables signing]" + @echo "clean - clean build directory DEBUILD" + +VERSION=0.1 +SRC_DIR = ykfde-${VERSION} + +debianize: + rm -fr DEBUILD + mkdir -p DEBUILD/${SRC_DIR} + cp -r * DEBUILD/${SRC_DIR} || true + cp -r ../src/* DEBUILD/${SRC_DIR} || true + cp ../README.md DEBUILD/${SRC_DIR} || true + (cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR}) + +builddeb: + make debianize +ifndef NO_SIGN + (cd DEBUILD/${SRC_DIR}; debuild) +else + (cd DEBUILD/${SRC_DIR}; debuild -uc -us) +endif + +clean: + rm -fr DEBUILD + +#test: +# ./testrun.sh diff --git a/debian/DEBUILD/ykfde-0.1/README.md b/debian/DEBUILD/ykfde-0.1/README.md new file mode 100644 index 0000000..54329f5 
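Review bot: Everything under `debian/DEBUILD/` is output of the `debianize` and `builddeb` targets shown in this file (`rm -fr DEBUILD`, `mkdir -p DEBUILD/${SRC_DIR}`, `cp -r * DEBUILD/${SRC_DIR}`), so this copy and the rest of that tree, including the built `.deb` and `.orig.tar.gz` listed in the diffstat, should not be committed; binary packages checked into the repository cannot be reviewed against the sources they claim to come from. I would drop the directory from the commit and add `DEBUILD/` to a `.gitignore` under `debian/`. In `debianize`, the `|| true` after each `cp` also hides a failed copy, which would leave an incomplete source tarball without any error.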
--- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/README.md 
@@ -0,0 +1,273 @@ +# YubiKey Full Disk Encryption + +This project leverages a [YubiKey](https://wiki.archlinux.org/index.php/Yubikey) [HMAC-SHA1 Challenge-Response](https://wiki.archlinux.org/index.php/Yubikey#Challenge-Response) mode for creating strong [LUKS](https://gitlab.com/cryptsetup/cryptsetup) encrypted volume passphrases. It can be used in intramfs stage during boot process as well as on running system. + +Be aware that this was only tested and intended for: + +* [Arch Linux](https://www.archlinux.org/) and its derivatives +* [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/) + +There is similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks) + +Table of Contents +================= + + * [YubiKey Full Disk Encryption](#yubikey-full-disk-encryption) + * [Table of Contents](#table-of-contents) + * [Design](#design) + * [Automatic mode with stored challenge (1FA)](#automatic-mode-with-stored-challenge-1fa) + * [Manual mode with secret challenge (2FA)](#manual-mode-with-secret-challenge-2fa) + * [Install](#install) + * [From Arch Linux official repository](#from-arch-linux-official-repository) + * [From Github using 'makepkg'](#from-github-using-makepkg) + * [From Github using 'make'](#from-github-using-make) + * [Configure](#configure) + * [Configure HMAC-SHA1 Challenge-Response slot in YubiKey](#configure-hmac-sha1-challenge-response-slot-in-yubikey) + * [Edit /etc/ykfde.conf file](#edit-etcykfdeconf-file) + * [Usage](#usage) + * [Format new LUKS encrypted volume using ykfde passphrase](#format-new-luks-encrypted-volume-using-ykfde-passphrase) + * [Enroll ykfde passphrase to existing LUKS encrypted volume](#enroll-ykfde-passphrase-to-existing-luks-encrypted-volume) + * [Enroll new ykfde passphrase to existing LUKS encrypted volume protected by old ykfde 
passphrase](#enroll-new-ykfde-passphrase-to-existing-luks-encrypted-volume-protected-by-old-ykfde-passphrase) + * [Unlock LUKS encrypted volume protected by ykfde passphrase](#unlock-luks-encrypted-volume-protected-by-ykfde-passphrase) + * [Kill ykfde passphrase for existing LUKS encrypted volume](#kill-ykfde-passphrase-for-existing-luks-encrypted-volume) + * [Enable ykfde initramfs hook](#enable-ykfde-initramfs-hook) + * [Enable NFC support in ykfde initramfs hook (experimental)](#enable-nfc-support-in-ykfde-initramfs-hook-experimental) + * [Enable ykfde suspend service (experimental)](#enable-ykfde-suspend-service-experimental) + * [License](#license) + +# Design + +The passphrase for unlocking *LUKS* encrypted volumes can be created in two ways: + +## Automatic mode with stored challenge (1FA) + +In *Automatic mode* you create custom *challenge* with 0-64 byte length and store it in cleartext in */etc/ykfde.conf* and inside the initramfs image. + +Example *challenge*:`123456abcdef` + +The *YubiKey* *response* is a *HMAC-SHA1* 40 byte length string created from your provided challenge and 20 byte length secret key stored inside the token. It will be used as your *LUKS* encrypted volume passphrase. + +Example *response* (ykfde passphrase): `bd438575f4e8df965c80363f8aa6fe1debbe9ea9` + +In this mode possession of your *YubiKey* is enough to unlock a *LUKS* encrypted volume (1FA). It allows for the easy unlocking of encrypted volumes when *YubiKey* is present without need for user action. + + +## Manual mode with secret challenge (2FA) + +In *Secret mode* you will be asked to provide a custom *challenge* every time you want to unlock your *LUKS* encrypted volume as it will never be stored anywhere on system. + +Example *challenge*: `123456abcdef` + +It will be hashed using the *SHA256* algorithm to achieve constant byte length (64) for any given *challenge*. It's also the maximum length that *YubiKey* can take as input. 
The hash will be used as the final *challenge* provided for *YubiKey*. + +Hashing function: + +``` +printf 123456abcdef | sha256sum | awk '{print $1}' +``` + +Example hashed *challenge*: `8fa0acf6233b92d2d48a30a315cd213748d48f28eaa63d7590509392316b3016` + + The *YubiKey* *response* is a *HMAC-SHA1* 40 byte length string created from your provided *challenge* and 20 byte length secret key stored inside the token. It will be concatenated with the *challenge* and used as your *LUKS* encrypted volume passphrase for a total length of 104 (64+40) bytes. + +Example response: `bd438575f4e8df965c80363f8aa6fe1debbe9ea9` + +Example ykfde passphrase: `8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92bd438575f4e8df965c80363f8aa6fe1debbe9ea9` + +This strong passphrase cannot be broken by brute force. To recreate it one would need both your passphrase (something you know) and your *YubiKey* (something you have) which means it works like 2FA. + +Keep in mind that the above doesn't protect you from physical tampering like *evil maid attack* and from *malware* running after you unlock and boot your system. Use security tools designed to prevent those attacks. + +# Install + +## From Arch Linux official repository + +The easiest way is to install package from [official Arch Linux repository](https://www.archlinux.org/packages/community/any/yubikey-full-disk-encryption/). 
+ +``` +sudo pacman -Syu yubikey-full-disk-encryption +``` + +## From Github using 'makepkg' + +``` +wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/PKGBUILD +makepkg -srci +``` + +## From Github using 'make' + +``` +git clone https://github.com/agherzan/yubikey-full-disk-encryption.git +cd yubikey-full-disk-encryption +sudo make install +``` + +When installing by using `make` you also need to install [yubikey-personalization](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/) and [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) packages. + +# Configure + + +## Configure HMAC-SHA1 Challenge-Response slot in YubiKey + +First of all you need to [setup a configuration slot](https://wiki.archlinux.org/index.php/Yubikey#Setup_the_slot) for *YubiKey HMAC-SHA1 Challenge-Response* mode using a command similar to: + +``` +ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig +``` + +Above arguments mean: + +* Verbose output (`-v`) +* Use slot 2 (`-2`) +* Set Challenge-Response mode (`-ochal-resp`) +* Generate HMAC-SHA1 challenge responses (`-ochal-hmac`) +* Calculate HMAC on less than 64 bytes input (`-ohmac-lt64`) +* Allow YubiKey serial number to be read using an API call (`-oserial-api-visible`) +* Require touching YubiKey before issue response (`-ochal-btn-trig`) *(optional)* + +This command will enable *HMAC-SHA1 Challenge-Response* mode on a chosen slot and write random 20 byte length secret key to your YubiKey which will be used for creating ykfde passphrases. 
+ +**Warning: choosing YubiKey slot already configured for *HMAC-SHA1 Challenge-Response* mode will overwrite secret key with the new one which means ykfde passphrases created with the old key will be unrecoverable.** + +You may instead enable *HMAC-SHA1 Challenge-Response* mode using graphical interface through [yubikey-personalization-gui](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization-gui/) package. It allows for customization of the secret key, creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating same ykfde passphrases. + +## Edit /etc/ykfde.conf file + +Open the [/etc/ykfde.conf](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf) file and adjust it for your needs. Alternatively to setting `YKFDE_DISK_UUID` and `YKFDE_LUKS_NAME`, you can use `cryptdevice` kernel parameter. The [syntax](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Configuring_the_kernel_parameters) is compatible with Arch's `encrypt` hook. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): + +``` +sudo mkinitcpio -P +``` + + +# Usage +You can list existing LUKS key slots with `cryptsetup luksDump /dev/`. 
+ +## Format new LUKS encrypted volume using ykfde passphrase + +To format new *LUKS* encrypted volume, you can use [ykfde-format](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-format) script which is wrapper over `cryptsetup luksFormat` command: + +``` +ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/ +``` + +## Enroll ykfde passphrase to existing LUKS encrypted volume + +To enroll new ykfde passphrase to existing *LUKS* encrypted volume you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help: + +``` +ykfde-enroll -d /dev/ -s +``` + +**Warning: having a weaker non-ykfde passphrase(s) on the same *LUKS* encrypted volume undermines the ykfde passphrase value as potential attacker will always try to break the weaker passphrase. Make sure the other non-ykfde passphrases are similarly strong or remove them.** + +## Enroll new ykfde passphrase to existing LUKS encrypted volume protected by old ykfde passphrase + +To enroll new ykfde passphrase to existing *LUKS* encrypted volume protected by old ykfde passphrase you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help: + +``` +ykfde-enroll -d /dev/ -s -o +``` + +## Unlock LUKS encrypted volume protected by ykfde passphrase + +To unlock *LUKS* encrypted volume on a running system, you can use [ykfde-open](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-open) script, see `ykfde-open -h` for help. 
+ +As unprivileged user using udisksctl (recommended): + +``` +ykfde-open -d /dev/ +``` + +As root using cryptsetup (when [udisks2](https://www.archlinux.org/packages/extra/x86_64/udisks2/) or [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) aren't available): + +``` +ykfde-open -d /dev/ -n +``` + +To print only the ykfde passphrase to the console without unlocking any volumes: + +``` +ykfde-open -p +``` + +To test only a passphrase for a specific key slot: + +``` +ykfde-open -d /dev/ -s -t +``` + +To use optional parameters, example, use an external luks header: + +``` +ykfde-open -d /dev/ -- --header /mnt/luks-header.img +``` + +## Kill ykfde passphrase for existing LUKS encrypted volume + +To kill a ykfde passphrase for existing *LUKS* encrypted volume you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help: + +``` +ykfde-enroll -d /dev/ -s -k +``` + +## Enable ykfde initramfs hook + +**Warning: It's recommended to have already working [encrypted system setup](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system) with `encrypt` hook and non-ykfde passphrase before starting to use `ykfde` hook with ykfde passphrase to avoid potential misconfigurations.** + +Edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): + +``` +sudo mkinitcpio -P +``` + +Reboot and test your configuration. 
+ +## Enable NFC support in ykfde initramfs hook (experimental) + +**Warning: Currently NFC support is implemented only in initramfs hook. All ykfde manipulations on booted system have to be done through USB.** + +NFC support is provided through [libnfc](https://www.archlinux.org/packages/community/x86_64/libnfc/) and [ykchalresp-nfc](https://aur.archlinux.org/packages/ykchalresp-nfc/) tools. Make sure you have both packages installed. Edit `/etc/ykfde.conf` and uncomment `YKFDE_NFC="1"`setting. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): + +``` +sudo mkinitcpio -P +``` + +Reboot and test your configuration. + +## Enable ykfde suspend service (experimental) + +You can enable the `ykfde-suspend` service which allows for automatically locking encrypted *LUKS* volumes and wiping keys from memory on suspend and unlocking them on resume by using `cryptsetup luksSuspend` and `cryptsetup luksResume` commands. + +**Warning: RAM storage stays unencrypted in that case.** + +Edit `/etc/mkinitcpio.conf` and add `shutdown` hook as the last in `HOOKS` array. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): + +``` +sudo mkinitcpio -P +``` + +Enable related systemd service: + +``` +systemctl enable ykfde-suspend.service +``` + +Reboot and test your configuration. + +# License + +Copyright 2017 Andrei Gherzan + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+See the License for the specific language governing permissions and +limitations under the License. diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install new file mode 100644 index 0000000..e69de29 diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs new file mode 100644 index 0000000..e69de29 diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service new file mode 100644 index 0000000..6418dae --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service @@ -0,0 +1,17 @@ +# Automatically added by dh_installsystemd/12.10ubuntu1 +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then + if deb-systemd-helper debian-installed 'ykfde-suspend.service'; then + # This will only remove masks created by d-s-h on package removal. + deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true + + if deb-systemd-helper --quiet was-enabled 'ykfde-suspend.service'; then + # Create new symlinks, if any. + deb-systemd-helper enable 'ykfde-suspend.service' >/dev/null || true + fi + fi + + # Update the statefile to add new symlinks (if any), which need to be cleaned + # up on purge. Also remove old symlinks. + deb-systemd-helper update-state 'ykfde-suspend.service' >/dev/null || true +fi +# End automatically added section diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service new file mode 100644 index 0000000..701f7fb --- /dev/null 
+++ b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service @@ -0,0 +1,5 @@ +# Automatically added by dh_installsystemd/12.10ubuntu1 +if [ -d /run/systemd/system ] && [ "$1" = remove ]; then + deb-systemd-invoke stop 'ykfde-suspend.service' >/dev/null || true +fi +# End automatically added section diff --git a/debian/DEBUILD/ykfde-0.1/debian/changelog b/debian/DEBUILD/ykfde-0.1/debian/changelog new file mode 100644 index 0000000..82aa37b --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/changelog @@ -0,0 +1,5 @@ +ykfde (0.1) UNRELEASED; urgency=medium + + * Added Debian/Ubuntu support + + -- crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Tue, 11 Jan 2022 21:28:25 -0800 diff --git a/debian/DEBUILD/ykfde-0.1/debian/compat b/debian/DEBUILD/ykfde-0.1/debian/compat new file mode 100644 index 0000000..b4de394 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/compat @@ -0,0 +1 @@ +11 diff --git a/debian/DEBUILD/ykfde-0.1/debian/control b/debian/DEBUILD/ykfde-0.1/debian/control new file mode 100644 index 0000000..5c17a55 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/control @@ -0,0 +1,16 @@ +Source: ykfde +Section: admin +Priority: optional +Maintainer: Andrei Gherzan +Build-Depends: debhelper (>= 11), dh-exec +Standards-Version: 4.1.4 +Homepage: https://github.com/agherzan/yubikey-full-disk-encryption + +Package: ykfde +Architecture: all +Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect, ${misc:Depends} +Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response + mode for creating strong LUKS encrypted volume passphrases. + It can be used in intramfs stage during boot process as well as on running system. + . + Requires Yubikey 4 or newer. diff --git a/debian/DEBUILD/ykfde-0.1/debian/copyright b/debian/DEBUILD/ykfde-0.1/debian/copyright new file mode 100644 index 0000000..1488d56 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/copyright 
@@ -0,0 +1,7 @@ +Copyright 2017 Andrei Gherzan + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. diff --git a/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp b/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp new file mode 100644 index 0000000..2074761 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp @@ -0,0 +1 @@ +ykfde diff --git a/debian/DEBUILD/ykfde-0.1/debian/files b/debian/DEBUILD/ykfde-0.1/debian/files new file mode 100644 index 0000000..250e7c6 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/files @@ -0,0 +1,2 @@ +ykfde_0.1_all.deb admin optional +ykfde_0.1_amd64.buildinfo admin optional diff --git a/debian/DEBUILD/ykfde-0.1/debian/rules b/debian/DEBUILD/ykfde-0.1/debian/rules new file mode 100755 index 0000000..1a2a680 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/rules 
@@ -0,0 +1,25 @@ +#! /usr/bin/make -f + +%: + dh $@ + +override_dh_auto_build: + # nothing to build + +override_dh_installsystemd: + dh_installsystemd -pykfde \ + --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ + ykfde-suspend.service + +override_dh_install: + dh_install + install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde + install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript + install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open + install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll + install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format + install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md + install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf + install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend + install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend + install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log b/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log new file mode 100644 index 0000000..e15a197 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log @@ -0,0 +1 @@ +dh_installsystemd diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst new file mode 100644 index 0000000..25baaae --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst @@ -0,0 +1,22 @@ +#! /bin/sh + +set -e + +case "$1" in + configure) + if [ -x /usr/sbin/update-initramfs ]; then + echo + update-initramfs -u + fi + ;; + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# 
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper new file mode 100644 index 0000000..4fb406a --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper @@ -0,0 +1,19 @@ +# Automatically added by dh_installsystemd/12.10ubuntu1 +if [ -d /run/systemd/system ]; then + systemctl --system daemon-reload >/dev/null || true +fi +# End automatically added section +# Automatically added by dh_installsystemd/12.10ubuntu1 +if [ "$1" = "remove" ]; then + if [ -x "/usr/bin/deb-systemd-helper" ]; then + deb-systemd-helper mask 'ykfde-suspend.service' >/dev/null || true + fi +fi + +if [ "$1" = "purge" ]; then + if [ -x "/usr/bin/deb-systemd-helper" ]; then + deb-systemd-helper purge 'ykfde-suspend.service' >/dev/null || true + deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true + fi +fi +# End automatically added section diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars b/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars new file mode 100644 index 0000000..978fc8b --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars @@ -0,0 +1,2 @@ +misc:Depends= +misc:Pre-Depends= diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles new file mode 100644 index 0000000..b7ecc75 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles @@ -0,0 +1 @@ +/etc/ykfde.conf diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control new file mode 100644 index 0000000..757d05d --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control 
@@ -0,0 +1,14 @@ +Package: ykfde +Version: 0.1 +Architecture: all +Maintainer: Andrei Gherzan +Installed-Size: 60 +Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect +Section: admin +Priority: optional +Homepage: https://github.com/agherzan/yubikey-full-disk-encryption +Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response + mode for creating strong LUKS encrypted volume passphrases. + It can be used in intramfs stage during boot process as well as on running system. + . + Requires Yubikey 4 or newer. diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums new file mode 100644 index 0000000..5fbca7d --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums @@ -0,0 +1,11 @@ +769bca98716ca774ed0ae9f33de61835 lib/systemd/system/ykfde-suspend.service +d3ed38318a7a12a8fd5bbf81fcb016d2 usr/bin/ykfde-enroll +642e792c052c34be5585db29a0284457 usr/bin/ykfde-format +4242ca31405f4d4b6541cfa0a3b3cc1b usr/bin/ykfde-open +f9416699896f40db5b8edf24871ab100 usr/lib/ykfde/initramfs-suspend +b0f4f822744695d27bead9e971f8a820 usr/lib/ykfde/yubikey-luks-suspend +904c0ee018481e06a9f1dd9feae72ccc usr/share/doc/ykfde/README.md.gz +3c74a9d70ac8577c9285386b947103de usr/share/doc/ykfde/changelog.gz +263720abf7536bd50db10f7f16ae4ef8 usr/share/doc/ykfde/copyright +c032a821f9750aab07bc3044d6258685 usr/share/initramfs-tools/hooks/ykfde +07d9cd251e02f64b4099b644324cbd1b usr/share/ykfde/ykfde-keyscript diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst new file mode 100755 index 0000000..e2cb5d0 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst 
@@ -0,0 +1,39 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ if [ -x /usr/sbin/update-initramfs ]; then
+ echo
+ update-initramfs -u
+ fi
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# Automatically added by dh_installsystemd/12.10ubuntu1
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+ if deb-systemd-helper debian-installed 'ykfde-suspend.service'; then
+ # This will only remove masks created by d-s-h on package removal.
+ deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
+
+ if deb-systemd-helper --quiet was-enabled 'ykfde-suspend.service'; then
+ # Create new symlinks, if any.
+ deb-systemd-helper enable 'ykfde-suspend.service' >/dev/null || true
+ fi
+ fi
+
+ # Update the statefile to add new symlinks (if any), which need to be cleaned
+ # up on purge. Also remove old symlinks.
+ deb-systemd-helper update-state 'ykfde-suspend.service' >/dev/null || true
+fi
+# End automatically added section
+
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm
new file mode 100755
index 0000000..96262eb
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+# Automatically added by dh_installsystemd/12.10ubuntu1
+if [ -d /run/systemd/system ]; then
+ systemctl --system daemon-reload >/dev/null || true
+fi
+# End automatically added section
+# Automatically added by dh_installsystemd/12.10ubuntu1
+if [ "$1" = "remove" ]; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ deb-systemd-helper mask 'ykfde-suspend.service' >/dev/null || true
+ fi
+fi
+
+if [ "$1" = "purge" ]; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ deb-systemd-helper purge 'ykfde-suspend.service' >/dev/null || true
+ deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
+ fi
+fi
+# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm
new file mode 100755
index 0000000..bf05e60
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+# Automatically added by dh_installsystemd/12.10ubuntu1
+if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+ deb-systemd-invoke stop 'ykfde-suspend.service' >/dev/null || true
+fi
+# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf b/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf
new file mode 100644
index 0000000..84d9d5c
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf
@@ -0,0 +1,53 @@
+### Configuration for 'yubikey-full-disk-encryption'.
+### Remove hash (#) symbol and set non-empty ("") value for chosen options to
+### enable them.
+
+### *REQUIRED* ###
+
+# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'.
+#YKFDE_CHALLENGE=""
+
+# Use 'Manual mode with secret challenge (2FA)'.
+#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
+
+# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
+# Possible values are "1" or "2". Defaults to "2".
+#YKFDE_CHALLENGE_SLOT="2"
+
+### OPTIONAL ###
+
+# Enable communication with YubiKey via NFC (Experimental).
+#YKFDE_NFC="1"
+
+# UUID of device to unlock with 'cryptsetup'.
+# Leave empty to use 'cryptdevice' boot parameter.
+#YKFDE_DISK_UUID=""
+
+# LUKS encrypted volume name after unlocking.
+# Leave empty to use 'cryptdevice' boot parameter.
+#YKFDE_LUKS_NAME=""
+
+# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
+# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
+# Leave empty to use 'cryptdevice' boot parameter.
+#YKFDE_LUKS_DEV=""
+
+# Optionally pass '--allow-discards' to 'cryptsetup' for TRIM
+# support. Leave empty to use 'cryptdevice' boot parameter.
+#YKFDE_LUKS_OPTIONS="--allow-discards"
+
+# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
+# Defaults to "5".
+#YKFDE_CRYPTSETUP_TRIALS="5"
+
+# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
+# Defaults to "30".
+#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
+
+# Number of seconds to wait after successful decryption.
+# Defaults to empty, meaning NO wait.
+#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
+
+# Verbose output. It will print all secrets to terminal.
+# Use only for debugging.
+#DBG="1"
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service b/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service
new file mode 100644
index 0000000..6277ee7
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service
@@ -0,0 +1,21 @@
+# This file has been adapted from systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Suspend
+Documentation=man:systemd-suspend.service(8)
+DefaultDependencies=no
+Requires=sleep.target
+After=sleep.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/openvt -ws -- /usr/lib/ykfde-suspend/ykfde-suspend
+Nice=-20
+
+[Install]
+Alias=systemd-suspend.service
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll
new file mode 100755
index 0000000..da4b5fb
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll
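Review bot: `ExecStart=/usr/bin/openvt -ws -- /usr/lib/ykfde-suspend/ykfde-suspend` points at a path this package does not appear to install: the md5sums list in the same commit ships `usr/lib/ykfde/initramfs-suspend` and `usr/lib/ykfde/yubikey-luks-suspend`, and nothing under `/usr/lib/ykfde-suspend/`. Because the unit declares `Alias=systemd-suspend.service`, enabling it would put a service whose command cannot start in place of the stock suspend service. Either install the script at the referenced path or point the line at the installed file, for example `ExecStart=/usr/bin/openvt -ws -- /usr/lib/ykfde/yubikey-luks-suspend` if that is the intended script.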
@@ -0,0 +1,228 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+# sanitize environment
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_KEYSLOT=""
+YKFDE_CHANGE_KEYSLOT=""
+YKFDE_OLD_YUBIKEY=""
+DBG=""
+YKFDE_SLOT_CHECK=""
+YKFDE_SLOT_KILL=""
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_PASSPHRASE=""
+YKFDE_OLD_CHALLENGE=""
+YKFDE_OLD_RESPONSE=""
+YKFDE_OLD_PASSPHRASE=""
+
+if [ -r /etc/ykfde.conf ]; then
+ # shellcheck source=ykfde.conf
+ . /etc/ykfde.conf
+else
+ echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
+fi
+
+while getopts ":d:s:ckovh" opt; do
+ case "$opt" in
+ d)
+ YKFDE_LUKS_DEV="$OPTARG"
+ printf '%s\n' "INFO: Setting device to '$OPTARG'."
+ ;;
+ s)
+ if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then
+ YKFDE_LUKS_KEYSLOT="$OPTARG"
+ printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'."
+ else
+ printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'."
+ exit 1
+ fi
+ ;;
+ c)
+ YKFDE_CHANGE_KEYSLOT=1
+ echo "INFO: Changing existing LUKS keyslot"
+ ;;
+ k)
+ YKFDE_SLOT_KILL=1
+ echo "WARNING: Killing existing LUKS keyslot. If it's the last configured keyslot, the device will be inaccessible!"
+ ;;
+ o)
+ YKFDE_OLD_YUBIKEY=1
+ echo "INFO: Using old YubiKey for passphrase"
+ ;;
+ v)
+ DBG=1
+ echo "INFO: Debugging enabled"
+ ;;
+ h)
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -c : change an existing keyslot"
+ echo " -k : killing an existing keyslot"
+ echo " -o : use old YubiKey for passphrase"
+ echo " -v : show input/output in cleartext"
+ echo
+ exit 0
+ ;;
+ \?)
+ printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -c : change an existing keyslot"
+ echo " -k : killing an existing keyslot"
+ echo " -o : use old YubiKey for passphrase"
+ echo " -v : show input/output in cleartext"
+ echo
+ exit 1
+ ;;
+ esac
+done
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+if [ -z "$YKFDE_LUKS_DEV" ]; then
+ echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-enroll -h' for help."
+ exit 1
+fi
+
+if [ ! -e "$YKFDE_LUKS_DEV" ]; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device."
+ exit 1
+fi
+
+if [ ! -r "$YKFDE_LUKS_DEV" ] || [ ! -w "$YKFDE_LUKS_DEV" ]; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't accessible for current user '$(whoami)'. Please execute this script as 'root'."
+ exit 1
+fi
+
+if ! cryptsetup isLuks "$YKFDE_LUKS_DEV"; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device."
+ exit 1
+fi
+
+if [ -z "$YKFDE_LUKS_KEYSLOT" ]; then
+ echo "ERROR: LUKS keyslot not selected. Please select LUKS keyslot using '-s' option, see 'ykfde-enroll -h' for help."
+ exit 1
+fi
+
+printf '%s\n' "WARNING: This script will utilize LUKS keyslot '$YKFDE_LUKS_KEYSLOT' on device '$YKFDE_LUKS_DEV'. If this is not what you intended, please abort."
+
+[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+while [ -z "$YKFDE_CHALLENGE" ]; do
+ echo " > Please provide the challenge."
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
+ printf "\\n > Please repeat the challenge.\\n"
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
+ if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_CHALLENGE=""
+ fi
+ [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "$DBG" ] || echo
+done
+
+if [ -z "$YKFDE_CHALLENGE" ]; then
+ echo "ERROR: ykfde challenge is empty. Operation aborted."
+ exit 1
+fi
+
+while [ -z "$YKFDE_RESPONSE" ]; do
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ echo " Remember to touch the device if necessary."
+ YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
+done
+
+if [ "$YKFDE_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
+ else
+ YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
+ fi
+fi
+
+if [ "$YKFDE_SLOT_KILL" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Killing with 'cryptsetup luksKillSlot $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT'..." || echo " > Killing slot with 'cryptsetup'..."
+ printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksKillSlot "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" 2>&1
+ printf '%s\n' " LUKS key slot $YKFDE_LUKS_KEYSLOT successfully killed"
+ exit 0
+fi
+
+if [ "$YKFDE_OLD_YUBIKEY" ]; then
+ echo "Please insert old YubiKey for existing keyslot."
+
+ while [ -z "$YKFDE_OLD_CHALLENGE" ]; do
+ echo " > Please provide the old challenge."
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE; else read -r -s YKFDE_OLD_CHALLENGE; fi
+ printf "\\n > Please repeat the old challenge.\\n"
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE2; else read -r -s YKFDE_OLD_CHALLENGE2; fi
+ if [ "$YKFDE_OLD_CHALLENGE" != "$YKFDE_OLD_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_OLD_CHALLENGE=""
+ fi
+ [ "$YKFDE_OLD_CHALLENGE" ] && YKFDE_OLD_CHALLENGE="$(printf %s "$YKFDE_OLD_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "$DBG" ] || echo
+ done
+
+ if [ -z "$YKFDE_OLD_CHALLENGE" ]; then
+ echo "ERROR: ykfde old challenge is empty. Operation aborted."
+ exit 1
+ fi
+
+ while [ -z "$YKFDE_OLD_RESPONSE" ]; do
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..."
+ echo " Remember to touch the old device if necessary."
+ YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_OLD_RESPONSE'"
+ done
+
+ if [ "$YKFDE_OLD_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_CHALLENGE$YKFDE_OLD_RESPONSE"
+ else
+ YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_RESPONSE"
+ fi
+ fi
+else
+ echo "Please provide the old LUKS passphrase for the existing keyslot."
+ printf " Enter passphrase: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_PASSPHRASE; else read -r -s YKFDE_OLD_PASSPHRASE; fi
+fi
+
+if [ "$YKFDE_PASSPHRASE" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
+ if [ "$YKFDE_CHANGE_KEYSLOT" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Changing LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksChangeKey $YKFDE_LUKS_DEV'..."
|| echo " > Changing LUKS passphrase with 'cryptsetup'..."
+ printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksChangeKey "$YKFDE_LUKS_DEV" 2>&1
+ printf '%s\n' " LUKS passphrase for key slot $YKFDE_LUKS_KEYSLOT successfully changed"
+ else
+ [ "$DBG" ] && printf '%s\n' " > Adding new LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksAddKey $YKFDE_LUKS_DEV'..." || echo " > Adding new LUKS passphrase with 'cryptsetup'..."
+ printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksAddKey "$YKFDE_LUKS_DEV" 2>&1
+ printf '%s\n' " New LUKS passphrase successfully added"
+ fi
+else
+ echo "ERROR: ykfde passphrase is empty. Operation aborted."
+ exit 1
+fi
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format
new file mode 100755
index 0000000..2371be0
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format
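Review bot: The `-s` check `[ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]` accepts -7 through -1 although the error text promises '0-7', so a negative value reaches `cryptsetup --key-slot=` and `cryptsetup luksKillSlot` unchanged; the same test is repeated in the `s)` arm of ykfde-open. Change the condition in both scripts to `if [ "$OPTARG" -ge 0 ] && [ "$OPTARG" -le 7 ]; then`. A non-numeric argument already lands in the error branch because `[` fails on it, so only the lower bound needs fixing.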
@@ -0,0 +1,81 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+# sanitize environment
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+YKFDE_SLOT_CHECK=""
+YKFDE_CHALLENGE_SLOT="2"
+#DBG=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_PASSPHRASE=""
+
+if [ -r /etc/ykfde.conf ]; then
+ # shellcheck source=ykfde.conf
+ . /etc/ykfde.conf
+else
+ echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
+fi
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+printf '%s\n' "WARNING: This script will run 'cryptsetup luksFormat $*'. If this is not what you intended, please abort."
+
+[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+while [ -z "$YKFDE_CHALLENGE" ]; do
+ echo " > Please provide the challenge."
+ printf " Enter challenge: "
+ if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
+ printf "\\n > Please repeat the challenge.\\n"
+ printf " Enter challenge: "
+ if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
+ if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_CHALLENGE=""
+ fi
+ [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "${DBG:-}" ] || echo
+done
+
+if [ -z "$YKFDE_CHALLENGE" ]; then
+ echo "ERROR: ykfde challenge is empty. Operation aborted."
+ exit 1
+fi
+
+while [ -z "$YKFDE_RESPONSE" ]; do
+ [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ echo " Remember to touch the device if necessary."
+ YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "${DBG:-}" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
+done
+
+if [ "$YKFDE_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
+ else
+ YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
+ fi
+fi
+
+if [ "$YKFDE_PASSPHRASE" ]; then
+ [ "${DBG:-}" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
+ printf '%s\n' "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@"
+else
+ echo "ERROR: ykfde passphrase is empty. Operation aborted."
+ exit 1
+fi
+
+echo " New LUKS device successfully formatted"
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open
new file mode 100755
index 0000000..c87e15f
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open
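Review bot: `DBG` is the one variable the '# sanitize environment' block does not reset (`#DBG=""` is commented out), so an inherited `DBG=1` makes `[ "${DBG:-}" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"` print the new LUKS passphrase and turns off `read -s` for the challenge prompts. ykfde-enroll and ykfde-open in this commit both start from `DBG=""`. If debugging through the environment is intended here, say so in a comment beside the commented-out line; otherwise restore `DBG=""` so that only /etc/ykfde.conf can enable it.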
@@ -0,0 +1,207 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+# sanitize environment
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_KEYSLOT=""
+YKFDE_LUKS_NAME=""
+YKFDE_PRINT_ONLY=""
+YKFDE_MOUNT="0"
+DBG=""
+YKFDE_SLOT_CHECK=""
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_PASSPHRASE=""
+YKFDE_LUKS_OPTIONS=""
+YKFDE_TEST_PASSPHRASE=""
+
+if [ -r /etc/ykfde.conf ]; then
+ # shellcheck source=ykfde.conf
+ . /etc/ykfde.conf
+else
+ echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
+fi
+
+while getopts ":d:s:n:pmtvh" opt; do
+ case "$opt" in
+ d)
+ YKFDE_LUKS_DEV="$OPTARG"
+ printf '%s\n' "INFO: Setting device to '$OPTARG'."
+ ;;
+ s)
+ if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then
+ YKFDE_LUKS_KEYSLOT="$OPTARG"
+ printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'."
+ else
+ printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'."
+ exit 1
+ fi
+ ;;
+ n)
+ YKFDE_LUKS_NAME="$OPTARG"
+ printf '%s\n' "INFO: Setting name to '$OPTARG'."
+ ;;
+ p)
+ YKFDE_PRINT_ONLY=1
+ echo "INFO: Showing cleartext ykfde passphrase without unlocking"
+ ;;
+ m)
+ YKFDE_MOUNT=1
+ echo "INFO: Mounting device"
+ ;;
+ t)
+ YKFDE_TEST_PASSPHRASE="--test-passphrase"
+ echo "INFO: Testing LUKS passphrase"
+ ;;
+ v)
+ DBG=1
+ echo "INFO: Debugging enabled"
+ ;;
+ h)
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -n : set the new encrypted volume name"
+ echo " -p : show cleartext ykfde passphrase without unlocking"
+ echo " -m : mount unlocked device (non root user only)"
+ echo " -t : test LUKS passphrase"
+ echo " -v : show input/output in cleartext"
+ echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters"
+ echo
+ exit 0
+ ;;
+ \?)
+ printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -n : set the new encrypted volume name"
+ echo " -p : show cleartext ykfde passphrase without unlocking"
+ echo " -m : mount unlocked device (non root user only)"
+ echo " -t : test LUKS passphrase"
+ echo " -v : show input/output in cleartext"
+ echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters"
+ echo
+ exit 1
+ ;;
+ esac
+done
+
+shift "$((OPTIND - 1))"
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+if [ -z "$YKFDE_PRINT_ONLY" ]; then
+ if [ -z "$YKFDE_LUKS_DEV" ]; then
+ echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-open -h' for help."
+ exit 1
+ fi
+ if [ ! -e "$YKFDE_LUKS_DEV" ]; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device."
+ exit 1
+ fi
+ if [ "$(id -u)" -eq 0 ]; then
+ if ! cryptsetup isLuks "$YKFDE_LUKS_DEV" "$@"; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device."
+ exit 1
+ fi
+ if [ -z "$YKFDE_LUKS_NAME" ]; then
+ printf '%s\n' "ERROR: Please set the new encrypted volume name using '-n' option, see 'ykfde-open -h' for help."
+ exit 1
+ fi
+ fi
+ printf '%s\n' "WARNING: This script will try to open the '$YKFDE_LUKS_NAME' LUKS encrypted volume on drive '$YKFDE_LUKS_DEV' . If this is not what you intended, please abort."
+fi
+
+if [ "$YKFDE_LUKS_KEYSLOT" ]; then
+ YKFDE_LUKS_KEYSLOT="--key-slot=$YKFDE_LUKS_KEYSLOT"
+fi
+
+[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+while [ -z "$YKFDE_CHALLENGE" ]; do
+ echo " > Please provide the challenge."
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
+ YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "$DBG" ] || echo
+done
+
+while [ -z "$YKFDE_RESPONSE" ]; do
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ echo " Remember to touch the device if necessary."
+ YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
+done
+
+if [ "$YKFDE_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
+ else
+ YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
+ fi
+fi
+
+if [ "$YKFDE_PRINT_ONLY" ]; then
+ printf '%s\n' " > ykfde passphrase: $YKFDE_PASSPHRASE"
+ exit 0
+fi
+
+if [ "$YKFDE_TEST_PASSPHRASE" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
+ [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_TEST_PASSPHRASE $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..."
+ printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_TEST_PASSPHRASE" "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 + printf '%s\n' " Device successfully opened" + exit 0 +fi + +if [ "$(id -u)" -eq 0 ]; then + [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" + [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." + printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 + printf '%s\n' " Device successfully opened as '/dev/mapper/$YKFDE_LUKS_NAME'" +elif ! command -v udisksctl >/dev/null 2>&1 || ! command -v expect >/dev/null 2>&1; then + printf '%s\n' "ERROR: At least one of required tools 'udisksctl' or 'expect' cannot be found. Please install 'udisks2' and 'expect' packages or use 'cryptsetup' by executing this script as 'root'." + exit 1 +elif [ ! -b "$YKFDE_LUKS_DEV" ]; then + # udisks doesn't work with regular file based devies + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a block device file. Please open it with 'cryptsetup' by executing this script as 'root'." + exit 1 +elif ! udisksctl info -b "$YKFDE_LUKS_DEV" | grep -iq 'crypto_LUKS'; then + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." + exit 1 +else + [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'udisksctl'" + [ "$DBG" ] && printf '%s\n' " > Decrypting with 'udisksctl unlock -b '$YKFDE_LUKS_DEV''..." || echo " > Decrypting with 'udisksctl'..." + expect <( + cat </sys/power/state + +# Resume root device +export YKFDE_RESUME=1 + +# shellcheck source=/dev/null +. 
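Review bot: Both `cryptsetup luksOpen` calls quote variables that are often empty and pass `"$*"`, so cryptsetup receives an empty-string argument for an unset `YKFDE_LUKS_OPTIONS` or `YKFDE_LUKS_KEYSLOT`, and everything given after `--` arrives as a single word (an empty word when nothing was given). How cryptsetup reacts is not visible here, but a stray empty positional argument is at best an error, and two extra options would be seen as one unknown option. Collect the optional arguments in an array and pass `"$@"`, as sketched below for the root branch; the `--test-passphrase` branch needs the same treatment. The remainder of this hunk is not intact on the page, so the udisksctl branch is not covered by this note.

```shell
# … unchanged: passphrase assembly and DBG messages …
luks_args=()
if [ "$YKFDE_LUKS_OPTIONS" ]; then
  # shellcheck disable=SC2206 # space-separated option list from ykfde.conf, split on purpose
  luks_args+=($YKFDE_LUKS_OPTIONS)
fi
if [ "$YKFDE_LUKS_KEYSLOT" ]; then
  luks_args+=("$YKFDE_LUKS_KEYSLOT")
fi
# bash >= 4.4; older bash needs ${luks_args[@]+"${luks_args[@]}"} under 'set -u'
printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "${luks_args[@]}" "$@" 2>&1
```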
/init_functions +parse_cmdline Dvrgu zHVg444U1J?>MZSazRa}|d6E4^g{6qqohsx^86m}uTleSPd0FP>^U1VdS!DQe^Zxqss@Y(s%UDkOVU`T|v__Rx-uksGl!ZY>;x3D;M2TD) zlg|rjlM5@qtK<7>wTJBX~7veP#yEqg8FqWk%y6Xg2m>Fh_8qO3|VQB^{D~;eN z$guuStL30eilcB4oWSTr$FiuEsFcM_v0!e_)kMp5eTRs@S$+pM*OMwOtMwTbe`6lH zVj>BBi=cTeZagz_wJ>YKo>xxTS&=HnWYC^V9Lq_pL^c&?83A0H&Yw2_>2!n;Ex@+f z%%696JmD#Zg9yWcs)xId#Dm?iuB2~4HVs1e%}+j8M$d?H#J})oJ91i;SprFhR`HiO zDD*EY07~esL+tLqJ%u25q@NtnQIA;Lgks!;1^D3XNp+?>36`w4E(I1 znYBstSJnd9D=FX0L@rdmn7#D0td0ac8o0r4Q+Ry2KPu!q)w8OAbK431?=8ahxcHi9 z6eflrftRV>ZbK}XCo&AoT<*8PF5JR^76v*EoKm)SeiP|Z3{)8oR*Pw*`b1DnbxfQp zj0G6t5gG_+z@O>bz{6oyML*jhWd-z0q-rV1+dg!m7C9!`a;JnLuMDt~%`vD~26m+b zmRAPN%Jyl}B7-$<(iUYV)V((Baker=r{%Q|s0U>h__f>FdbmHG{rNnQcP!x@@nNzO zSsZP{$Z<&+J)hH{-XWN*0_^ZLEU(iz3l~pebqkvnFMbLaU*X_VZ<8g(^=}Gup|^<= zOP?c4_Re;HooW}@=UKL3Ik2C$ThyZgjXtFD@$H!~Ri0-Bo9{M~VprYgh{y?CzKpxg z4(SwTZP&5|Z`m+dTl&ZeOl5Lp4Dj6u&!KvBKf8gO9k|&KcL4eK7~p(uC$_&Ke(nex zra1O*O3f+-iLFO+>pc*h@#z%jZ8oDSml+bEl|hoTvm>4!>N=f^RP@&8_rxlz9B~m= zSeS@jy{>1;?FFMlXfz^&l0~WR`H$X)@9eqk%;<%8%^Xu{c@Zj)hBqw2{relj<&$;=Y=y^xpqhv~oUL7TR;&5+`StPmyum_OB z5*?aTuR9&B;Y6GcH3bsSAkMn~cC-ofZ#dMxE=s`il~PSlB#Cu5c~r^&1li2F#*Ie|r9 zW%;Uc#3Yqw)of1A*lHu8`3T>vMtocVmMsnIFyWx2S+$fI`#ef5*gamX^l)*OHTeFhq|=crubr0^IO_Amu3!HHeVp%dr<$eu-{hb-O*u}Q3gk1hGHjeZ%@*F35$wN#v3H^UME%J7jp^L2$7sq ziL8zfp5|5A7i6cz<^zi$YEzv;ifyoKBP5P$!hq%-XwWIARmzG0Z#N!~J2{NGoQgI? z;%@?39#Amg^KYmX7vkmr@I3Kv`~Ulrm(@r+1lIvSp2|HLPDjIogUQJ-8b*i5@?cLM z>>q{EaR1<^!()7z4v!T~?I8N;=w$C`@8sZQc(6a39PI6nKwta={ZkvSzu!YaDMIX& z@@{NPtVkPsJkyU^g~D!#hMq5Yf&INh(zky<-0L#Srls>9q35|azk1U{k`$wp(TP&i zkqTvW5Drh|fgBA_hR1tqbUX^Dd*Q+KC_0kIBRQQOgmQnlH{1&$MHz)7{Cox%-2ZVM zlokjuhZOY)K%NwYJEek?qAD4lP{BAd9NR@(IEpNVH_IyIwe0#P8BnvLZ)onCEKwz! 
z0(qlFnk{X|V#AYf%$v(Q)rHU1C>RqZQ|p+rVqrv#f=9qxLKc@wnO!~6)i7iuQ<;>?RqeIBKgeVj%FO%%4I}H~tH58{TWw@}K#A|wqjH!pytJ^zr zTEagPQ6F~F$hL*}V9rH~Ybx?oSi!f!CudnqZ5qm_yd#I7BmX?lFwt&HO12|hEzQy6 z3AM9LFc8PIG9{%~WVhJB72=RcxS;+OpXR0}&?4Hd!yoT9IXY$#W=T>Z6Iu=6hX-Hl zjSRYd>-$U-* zZ>anT%O{aWUS3E~)~*8;Kg`BbcUx?>^?l8kPUo#IU_9{q1P9^dA-dt_F{N9MGM|MB zJhQodMTBnQrEY0)cP(xBDz`nGJX%o_BT2$#jO)XenM*KMiw1Eef;$lmMUYW+4OHYZLH*DpBmQ%FMR8M63b}_!Um>@mviEaHR7Gu(5hAYhJss+01yza(lhsWkKQe zHF1%dHXxRtm>^!&cIOlAC!CErp}Pxvo)+hI(nwuB&S6?<#sfC%%(h-ejXX=ooi#;L zL^~1g{T_t!2Yg3DF&M6uROA^VvD!2%WIpF4g|3B)sSGI{F1XTt%uffiO8-z_O#~ZH zyID8e%F|6Hr%BK>D8F)&w_`2zCm=_@)M=Wp1dUA8hI%DcTxv>|ok|!ds1_4-C7D>D zU@O2BV6QfA3yJzR4Menfv|--qe9BeI+}&)9Z@q+iT81%+vx!eLkW{pYc6nDuMn-=D zyp;3OG1$&17MVVr5*DU>%NH|B2u*y%@gJ9O&)?jhUtC?@USD6FkC~ABN(IpE$I}mQ z#;7s#d}CH=Des>c=+2XXX%5br=xuZI9Uqp# zEk{7R-EF;{=?d%1avYEBg)NR!R8;h1M`+B=Rp7w+H&Pl`F%-he-iVt*&3wG5dv#Cb z{=y`KxVBS(o=Z^pEzHX(oNxet}zu6dxoP=*v*b@-gv4%L;o7@ZM z$i8zWs$Kn0pi`aWVz{MVa>|*Qx$@UqCV5>WSA!k98=v$ikBR;j*w~y)0hAt-w39heR+Rvp1Tn zIA25Ek4NheqGl35gA3B}TbnjHSX*Hqb-qn#mkQMhyj`H5@`xvoHR7b_K&)4{2?m&&0YTGlon-B?GC>G4wb=o zy`smk<$Qeo0nt`}oFOmy;b0Qctx(dy8jy%Xrv_)q3w?)-WyURi<+HJhwliUgI*9V( zB;jXG-8J+r$!MF;1?7U;XqH&Z`S0=#%#9^Ke17Y|Eks6(WBmOM2$(gs7v-IVWg}a8 z!U08)il42hZ&P?Ocj7P92c&kteG<0Kb(QuugDyleml)BFQ*&iSmm%(^Y6~BEy%9Y) zv-`-0?Qesl>8TFu)Z{5g+Ga0hy&oy9FISty(!7G7;YRo?o&oI!$duQ{9OI#762AN? 
z+XocIdA1lNX*u9W0QN&)C$rjczxU|@pJKt$;Ty~Uzr=76ELz#oqfaWX#{b;n!#~_Zr6JQ>3igG%wFJ8^-CnCFxK`R0zI|WDl(Mk3 zs?})=t6R(jx7n<`%XHLAHxg~uI*5h?KNp~5t}vTYf-AzYD+VLB{wrc^o-~72ykY1^6ij zAxHQ8jOHd@ec|gVmppCI=f|z~rk<^i)+Y91h;PO1{Ss9ePTj(+fL50A>Yu%!{H*wH ziPV8zxMgq+o3=qd|9#S$xt>*kB?T<&gy_W!WKJufQ5;41g>;)Nbtt@}MSZ4oYQK`I zQ*uLRXe^r@fNi8k)Q0m7uIsB`*e*8qu2s2igvEN2PQ&l(dD*r8I%2h;E-STNgEfk> zDjuV_z66B$cCTF-_3Yk@WunC_|CIxq92^VO)7`xka}z_?Z{i4UUaI`RCIQ{7ix_bD>8o%EOyO z(DOR-cH~B%99za_UX@X{Oq;Ml$i~vJ^BBMT^y%^n(~Cm>)B8!MPKAnP<7sMz@{9Q^ zRVb>ZeO`z9Zt`>VSh%N?oz7X7uL?bzmtwfL|C2aPqe5x%t4-=U9XBts%?if(6rKS; z+{i1sM&s9R!~UMwr3o+G(2MSWbXM+WA>|55*>`f>Hdgnc%I$N;3|?BxG*r!p_i-!Hzr`*i(9{C@iR^XbPg7jLe_r_bW-)5r6RFBhLa;;*;j^y44m z^5Ww;$`#Em9{8hzc&D_BK!y|VTq(7-xqnnxS5q;}qau5qQA3k!`-iH}+D+pb;1zHOoWr#- aAeay!crIivG9XMcmiz$zj$P@r0001E15Dxo literal 0 HcmV?d00001 diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright new file mode 100644 index 0000000..1488d56 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright @@ -0,0 +1,7 @@ +Copyright 2017 Andrei Gherzan + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde new file mode 100755 index 0000000..d015c1d --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde 
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /etc/ykfde.conf
+
+copy_exec /usr/bin/ykchalresp
+copy_exec /usr/bin/ykinfo
+copy_exec /usr/bin/sha256sum
+cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
+cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"
+
+#if [ "$SUSPEND" = "1" ]; then
+# echo "YKFDE: adding yubikey authentication to suspend."
+# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend"
+# chmod 755 "${DESTDIR}/suspend"
+# systemctl enable ykfde-suspend.service
+#else
+# echo "YKFDE: removing yubikey authentication to suspend."
+# systemctl disable ykfde-suspend.service
+#fi
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript
new file mode 100755
index 0000000..0c41a52
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript
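Review bot: `cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"` copies the whole configuration into the initramfs, and in 1FA mode that file holds `YKFDE_CHALLENGE`, so the stored challenge ends up inside the boot image, which typically lives outside the encrypted volume. Put a comment above the `cp` saying so, and consider having the hook warn when the image is not being built with a restrictive umask (initramfs-tools takes a `UMASK` setting from its configuration). The hook also sources `/etc/ykfde.conf` under `set -e` although the only block that read a setting from it is commented out, so a missing or malformed config aborts `update-initramfs`; drop the `. /etc/ykfde.conf` line or guard it with `[ -r /etc/ykfde.conf ]`.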
@@ -0,0 +1,72 @@
+#! /bin/sh
+#
+# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk
+#
+# set defualt values:
+DBG=""
+YKFDE_CONFIG_FILE="/etc/ykfde.conf"
+YKFDE_NFC=""
+YKFDE_DISK_UUID=""
+YKFDE_LUKS_NAME=""
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_OPTIONS=""
+YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
+YKFDE_CRYPTSETUP_TRIALS="5"
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
+YKFDE_USE_PLYMOUTH=""
+
+. /etc/ykfde.conf
+
+if [ -z "$WELCOME_TEXT" ]; then
+ WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
+fi
+
+message()
+{
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ plymouth message --text="$*"
+ else
+ echo "$@" >&2
+ fi
+ return 0
+}
+
+check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+
+if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
+ if [ -z "$cryptkeyscript" ]; then
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ cryptkeyscript="plymouth ask-for-password --prompt"
+ else
+ cryptkeyscript="/lib/cryptsetup/askpass"
+ fi
+ fi
+ PW="$($cryptkeyscript "$WELCOME_TEXT")"
+else
+ PW="$YKFDE_CHALLENGE"
+fi
+
+if [ "$check_yubikey_present" = "1" ]; then
+ message "Accessing yubikey..."
+ #if [ "$HASH" = "1" ]; then
+ # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
+ #fi
+ R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)"
+ if [ "$R" ]; then
+ message "Retrieved the response from the Yubikey"
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then
+ printf '%s' "$PW$R"
+ else
+ printf '%s' "$R"
+ fi
+ else
+ message "Failed to retrieve the response from the Yubikey"
+ fi
+else
+ printf '%s' "$PW"
+fi
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/hooks/ykfde b/debian/DEBUILD/ykfde-0.1/hooks/ykfde
new file mode 100644
index 0000000..f621280
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/hooks/ykfde
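Review bot: The keyscript sends the typed text to `ykchalresp` unhashed and prints `$PW$R`, because the `sha256sum` step is commented out behind `HASH`, whereas ykfde-enroll and ykfde-format in this commit replace a typed challenge with its SHA-256 hex digest before calling `ykchalresp` and build the passphrase from that digest. Unless the hashing happens somewhere not shown here, a 2FA keyslot created with those tools would not be unlocked by this script at boot. Restore the step for typed input, `PW="$(printf %s "$PW" | sha256sum | awk '{print $1}')"`, and leave a stored `YKFDE_CHALLENGE` as it is, since the enroll script also uses that value unhashed. Note too that when the key gives no response the script prints nothing and still exits 0, which is worth a comment or a non-zero exit.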
@@ -0,0 +1,258 @@ +#!/usr/bin/ash +# shellcheck shell=dash + +# set default values: +DBG="" +YKFDE_CONFIG_FILE="/etc/ykfde.conf" +YKFDE_NFC="" +YKFDE_DISK_UUID="" +YKFDE_LUKS_NAME="" +YKFDE_LUKS_DEV="" +YKFDE_LUKS_OPTIONS="" +YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30" +YKFDE_CRYPTSETUP_TRIALS="5" +YKFDE_CHALLENGE_SLOT="2" +YKFDE_CHALLENGE="" +YKFDE_CHALLENGE_PASSWORD_NEEDED="" +YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" +YKFDE_USE_PLYMOUTH="" + +message() { + if [ "$YKFDE_USE_PLYMOUTH" ]; then + plymouth display-message --text="$*" + else + echo "$@" >&2 + fi + return 0 +} + +run_hook() { + local _tmp + _tmp="" + local cryptopt cryptoptions + + [ -x /bin/plymouth ] && [ "$splash" ] && plymouth --ping && YKFDE_USE_PLYMOUTH=1 + + [ "$DBG" ] && message "$0:" + + [ "$DBG" ] && message " > Reading YKFDE configuration file." + # shellcheck source=../ykfde.conf + . "$YKFDE_CONFIG_FILE" || { + ykfde_err 001 "Failed to read the YKFDE configuration file '$YKFDE_CONFIG_FILE'" + return 1 + } + + # if no settings in config, try to pull it from kernel cmdline (analog to encrypt hook) + if [ -z "$YKFDE_DISK_UUID" ] || [ -z "$YKFDE_LUKS_NAME" ]; then + # shellcheck disable=SC2154 + if [ "$cryptdevice" ]; then + IFS=: read -r YKFDE_LUKS_DEV YKFDE_LUKS_NAME cryptoptions < modprobing dm-crypt" + _tmp="$(modprobe -a -q dm-crypt >/dev/null 2>&1)" + + local trial_nr + trial_nr=1 + while [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ]; do + message "Attempt #$trial_nr/$YKFDE_CRYPTSETUP_TRIALS: cryptsetup of $YKFDE_LUKS_DEV" + ykfde_do_it && return 0 + trial_nr=$((trial_nr + 1)) + done + + # if we get here, we did NOT succeed: + ykfde_err 000 "$0 Failed!" + return 1 +} + +ykfde_err() { + local _rc + _rc="$?" 
+ local code + code="$1" + local msg + msg="$2" + [ "$msg" ] && msg="ERROR $code [rc=$_rc]: $msg" || msg="ERROR $code [rc=$_rc]" + message "$msg" #exit 1; +} + +# assemble passphrase and run 'cryptsetup luksOpen' +ykfde_do_it() { + # key used to 'cryptsetup luksOpen' + local _ykfde_passphrase + _ykfde_passphrase="" + local _tmp + _tmp="" + local _rc + _rc="" + + # if we have a challenge + [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && ykfde_challenge_response + + if [ -z "$_ykfde_passphrase" ]; then + if [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then + message " > Challenge-Response failed. Falling back to manual passphrase." + [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ] && message " Press ENTER to skip and retry Challenge-Response." + else + message " > Passphrase needed to unlock device." + fi + + printf " Enter passphrase: " + if [ "$YKFDE_USE_PLYMOUTH" ]; then + _ykfde_passphrase="$(plymouth ask-for-password --prompt="Enter passphrase" --dont-pause-progress)" + else + # shellcheck disable=SC2169 + if [ "$DBG" ]; then read -r _ykfde_passphrase; else read -r -s _ykfde_passphrase; fi + fi + # if /NOT/ DBG, we need to output \n here. + [ "$DBG" ] || echo + fi + + [ "$DBG" ] && message " > Passing '$_ykfde_passphrase' to 'cryptsetup'" + if [ "$YKFDE_RESUME" ]; then + # shellcheck disable=SC2154 + if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksResume $cryptname'..."; else message " > Decrypting with 'cryptsetup'..."; fi + _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksResume "$cryptname" 2>&1)" + else + if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS'..."; else message " > Decrypting with 'cryptsetup'..."; fi + _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" 2>&1)" + fi + _rc=$? + + if [ "$_rc" -eq 0 ]; then + message " Decryption was successful." 
+ if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then + [ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep." + sleep "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" + fi + else + message " FAILED! [$_rc] $_tmp" + fi + + return "$_rc" +} + +ykfde_challenge_response() { + local _yubikey_timeout + _yubikey_timeout="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" + local _yubikey_timeout_str + _yubikey_timeout_str="" + local _yubikey_detected + _yubikey_detected="" + local _yubikey_nfc_detected + _yubikey_nfc_detected="" + local _ykfde_response + _ykfde_response="" + # to determine if a timeout occurred + local _starttime + _starttime="" + local _endtime + _endtime="" + local _usedtime + _usedtime="" + local _tmp + _tmp="" + local _rc + _rc="" + + [ "$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" -gt 0 ] && _yubikey_timeout_str="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT seconds" + + _starttime="$(date +%s)" + message " > Waiting $_yubikey_timeout_str for YubiKey..." + + while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do + _endtime="$(date +%s)" + _usedtime=$((_endtime - _starttime)) + [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': " + _tmp="$(ykinfo -"$YKFDE_CHALLENGE_SLOT" 2>&1)" + _rc=$? + [ "$DBG" ] && message "[$_rc] '$_tmp'" + if [ "$_rc" -eq 0 ]; then + _yubikey_detected=1 + elif [ "$YKFDE_NFC" ]; then + [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': " + _tmp="$(ykchalresp-nfc -n 2>&1)" + _rc=$? + [ "$_rc" -eq 0 ] && _yubikey_nfc_detected=1 + fi + if [ "$_yubikey_timeout" -eq -1 ] || [ "$_usedtime" -le "$_yubikey_timeout" ]; then + sleep 0.5 + else + message " Timeout - Challenge-Response aborted." 
+ # timeout + return 1 + fi + done + + [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" + while [ -z "$YKFDE_CHALLENGE" ]; do + message " > Please provide the challenge." + printf " Enter challenge: " + # shellcheck disable=SC2169 + if [ "$YKFDE_USE_PLYMOUTH" ]; then + YKFDE_CHALLENGE="$(plymouth ask-for-password --prompt="Enter challenge" --dont-pause-progress)" + elif [ "$DBG" ]; then + read -r YKFDE_CHALLENGE + else + read -r -s YKFDE_CHALLENGE + fi + YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" + # if /NOT/ DBG, we need to output \n here. + [ "$DBG" ] || echo + done + + if [ "$_yubikey_detected" ]; then + while [ -z "$_ykfde_response" ]; do + [ "$DBG" ] && message " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." + message " Remember to touch the device if necessary." + _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" + [ "$DBG" ] && message " Received response: '$_ykfde_response'" + done + fi + + if [ -n "$_yubikey_nfc_detected" ]; then + while [ -z "$_ykfde_response" ]; do + [ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." + message " Remember to touch the device if necessary." + _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp-nfc -"$YKFDE_CHALLENGE_SLOT" | tr -d '\n')" + [ "$DBG" ] && message " Received response: '$_ykfde_response'" + done + fi + + if [ "$_ykfde_response" ]; then + if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then + _ykfde_passphrase="$YKFDE_CHALLENGE$_ykfde_response" + else + _ykfde_passphrase="$_ykfde_response" + fi + fi +} diff --git a/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb b/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb new file mode 100755 index 0000000..d015c1d --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb 
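Review bot: `"$YKFDE_LUKS_OPTIONS"` reaches `cryptsetup luksOpen` as one quoted word in `ykfde_do_it`, so a value holding several options arrives as a single unrecognised argument and the empty default becomes an empty extra argument. `ykfde-open` later in this patch has the same pattern with `"$YKFDE_LUKS_OPTIONS" "$YKFDE_LUKS_KEYSLOT" "$*"`, where `"$*"` also joins everything given after `--` into one word. In this ash hook the options need deliberate word splitting, an unquoted `$YKFDE_LUKS_OPTIONS` under `# shellcheck disable=SC2086`; in the bash script use `"$@"` and `${YKFDE_LUKS_KEYSLOT:+"$YKFDE_LUKS_KEYSLOT"}`. Part of `run_hook` is missing from the page text, so this note covers only the lines that are visible.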
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /etc/ykfde.conf
+
+copy_exec /usr/bin/ykchalresp
+copy_exec /usr/bin/ykinfo
+copy_exec /usr/bin/sha256sum
+cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
+cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"
+
+#if [ "$SUSPEND" = "1" ]; then
+# echo "YKFDE: adding yubikey authentication to suspend."
+# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend"
+# chmod 755 "${DESTDIR}/suspend"
+# systemctl enable ykfde-suspend.service
+#else
+# echo "YKFDE: removing yubikey authentication to suspend."
+# systemctl disable ykfde-suspend.service
+#fi
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/initramfs-suspend b/debian/DEBUILD/ykfde-0.1/initramfs-suspend
new file mode 100644
index 0000000..fce7a9e
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/initramfs-suspend
@@ -0,0 +1,29 @@ +#!/usr/bin/bash +# shellcheck shell=dash + +cryptname="${1}" + +# Start udev from initramfs +/usr/lib/systemd/systemd-udevd --daemon --resolve-names=never + +# Synchronize filesystems before luksSuspend +sync + +# Suspend root device +[ -z "$cryptname" ] || cryptsetup luksSuspend "$cryptname" + +# Suspend the system +echo mem >/sys/power/state + +# Resume root device +export YKFDE_RESUME=1 + +# shellcheck source=/dev/null +. /init_functions +parse_cmdline &2 + fi + return 0 +} + +check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" + +if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then + if [ -z "$cryptkeyscript" ]; then + if [ -x /bin/plymouth ] && plymouth --ping; then + cryptkeyscript="plymouth ask-for-password --prompt" + else + cryptkeyscript="/lib/cryptsetup/askpass" + fi + fi + PW="$($cryptkeyscript "$WELCOME_TEXT")" +else + PW="$YKFDE_CHALLENGE" +fi + +if [ "$check_yubikey_present" = "1" ]; then + message "Accessing yubikey..." + #if [ "$HASH" = "1" ]; then + # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') + #fi + R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)" + if [ "$R" ]; then + message "Retrieved the response from the Yubikey" + if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then + printf '%s' "$PW$R" + else + printf '%s' "$R" + fi + else + message "Failed to retrieve the response from the Yubikey" + fi +else + printf '%s' "$PW" +fi + +exit 0 diff --git a/debian/DEBUILD/ykfde-0.1/testrun.sh b/debian/DEBUILD/ykfde-0.1/testrun.sh new file mode 100755 index 0000000..5894e26 --- /dev/null +++ b/debian/DEBUILD/ykfde-0.1/testrun.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# set default values:
+YKFDE_CONFIG_FILE="/etc/ykfde.conf"
+YKFDE_CHALLENGE=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE_SLOT=""
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo "ERROR: Please run this script as 'root'."
+ exit 1
+fi
+
+# shellcheck source=src/ykfde.conf
+. "$YKFDE_CONFIG_FILE"
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+if [ -z "$YKFDE_CHALLENGE" ] && [ -z "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ printf '%s\n' "ERROR: No ykfde mode enabled. Please enable 'Automatic mode with stored challenge (1FA)' or 'Manual mode with secret challenge (2FA)' in '$YKFDE_CONFIG_FILE'."
+ exit 1
+elif [ "$YKFDE_CHALLENGE" ]; then
+ echo "INFO: 'Automatic mode with stored challenge (1FA)' is enabled."
+elif [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ echo "INFO: 'Manual mode with secret challenge (2FA)' is enabled."
+fi
+
+if [ -z "$YKFDE_CHALLENGE_SLOT" ]; then
+ echo "WARNING: YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode is not selected. Falling back to slot '2'."
+fi
+
+umask 0077
+YKFDE_TMPFILE=""
+YKFDE_TMPFILE="$(mktemp /dev/shm/ykfde-XXXXXX)"
+truncate -s 20M "$YKFDE_TMPFILE"
+
+cleanup() {
+ rm -f "$YKFDE_TMPFILE"
+}
+trap cleanup EXIT
+
+echo "INFO: Testing 'ykfde-format' script."
+DBG=1 ykfde-format "$YKFDE_TMPFILE"
+echo "Test 'ykfde-format' script successfully passed."
+
+echo "INFO: Testing 'ykfde-enroll' script."
+printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE"
+echo "INFO: Old LUKS passphrase is 'test'."
+ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v
+echo "Test 'ykfde-enroll' script successfully passed."
+
+echo "INFO: Testing 'ykfde-open' script."
+ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v
+cryptsetup close ykfde-test
+echo "Test 'ykfde-open' script successfully passed."
+
+echo "All tests successfully passed."
+
+exit 0
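Review bot: `DBG=1 ykfde-format` and the `-v` flags on `ykfde-enroll` and `ykfde-open` make those scripts print the challenge, the YubiKey response and the assembled passphrase in cleartext, while the tools read the machine's real `/etc/ykfde.conf`. In the stored-challenge mode, if the system disk was enrolled with that configuration, the printed value is the same key material that unlocks it, and it ends up in terminal scrollback or any captured log. Run the tools without debug output, `ykfde-format "$YKFDE_TMPFILE"`, `ykfde-enroll -d "$YKFDE_TMPFILE" -s 7` and `ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test`, and leave verbose mode as an explicit opt-in. `cryptsetup close ykfde-test` would also be safer inside `cleanup`, so a failed run does not leave the mapping open.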
diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-enroll b/debian/DEBUILD/ykfde-0.1/ykfde-enroll
new file mode 100644
index 0000000..da4b5fb
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/ykfde-enroll
@@ -0,0 +1,228 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+# sanitize environment
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+YKFDE_LUKS_DEV=""
+YKFDE_LUKS_KEYSLOT=""
+YKFDE_CHANGE_KEYSLOT=""
+YKFDE_OLD_YUBIKEY=""
+DBG=""
+YKFDE_SLOT_CHECK=""
+YKFDE_SLOT_KILL=""
+YKFDE_CHALLENGE_SLOT="2"
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_PASSPHRASE=""
+YKFDE_OLD_CHALLENGE=""
+YKFDE_OLD_RESPONSE=""
+YKFDE_OLD_PASSPHRASE=""
+
+if [ -r /etc/ykfde.conf ]; then
+ # shellcheck source=ykfde.conf
+ . /etc/ykfde.conf
+else
+ echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
+fi
+
+while getopts ":d:s:ckovh" opt; do
+ case "$opt" in
+ d)
+ YKFDE_LUKS_DEV="$OPTARG"
+ printf '%s\n' "INFO: Setting device to '$OPTARG'."
+ ;;
+ s)
+ if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then
+ YKFDE_LUKS_KEYSLOT="$OPTARG"
+ printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'."
+ else
+ printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'."
+ exit 1
+ fi
+ ;;
+ c)
+ YKFDE_CHANGE_KEYSLOT=1
+ echo "INFO: Changing existing LUKS keyslot"
+ ;;
+ k)
+ YKFDE_SLOT_KILL=1
+ echo "WARNING: Killing existing LUKS keyslot. If it's the last configured keyslot, the device will be inaccessible!"
+ ;;
+ o)
+ YKFDE_OLD_YUBIKEY=1
+ echo "INFO: Using old YubiKey for passphrase"
+ ;;
+ v)
+ DBG=1
+ echo "INFO: Debugging enabled"
+ ;;
+ h)
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -c : change an existing keyslot"
+ echo " -k : killing an existing keyslot"
+ echo " -o : use old YubiKey for passphrase"
+ echo " -v : show input/output in cleartext"
+ echo
+ exit 0
+ ;;
+ \?)
+ printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2
+ echo
+ echo " -d : select an existing device"
+ echo " -s : select the LUKS keyslot"
+ echo " -c : change an existing keyslot"
+ echo " -k : killing an existing keyslot"
+ echo " -o : use old YubiKey for passphrase"
+ echo " -v : show input/output in cleartext"
+ echo
+ exit 1
+ ;;
+ esac
+done
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+if [ -z "$YKFDE_LUKS_DEV" ]; then
+ echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-enroll -h' for help."
+ exit 1
+fi
+
+if [ ! -e "$YKFDE_LUKS_DEV" ]; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device."
+ exit 1
+fi
+
+if [ ! -r "$YKFDE_LUKS_DEV" ] || [ ! -w "$YKFDE_LUKS_DEV" ]; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't accessible for current user '$(whoami)'. Please execute this script as 'root'."
+ exit 1
+fi
+
+if ! cryptsetup isLuks "$YKFDE_LUKS_DEV"; then
+ printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device."
+ exit 1
+fi
+
+if [ -z "$YKFDE_LUKS_KEYSLOT" ]; then
+ echo "ERROR: LUKS keyslot not selected. Please select LUKS keyslot using '-s' option, see 'ykfde-enroll -h' for help."
+ exit 1
+fi
+
+printf '%s\n' "WARNING: This script will utilize LUKS keyslot '$YKFDE_LUKS_KEYSLOT' on device '$YKFDE_LUKS_DEV'. If this is not what you intended, please abort."
+
+[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+while [ -z "$YKFDE_CHALLENGE" ]; do
+ echo " > Please provide the challenge."
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
+ printf "\\n > Please repeat the challenge.\\n"
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
+ if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_CHALLENGE=""
+ fi
+ [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "$DBG" ] || echo
+done
+
+if [ -z "$YKFDE_CHALLENGE" ]; then
+ echo "ERROR: ykfde challenge is empty. Operation aborted."
+ exit 1
+fi
+
+while [ -z "$YKFDE_RESPONSE" ]; do
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ echo " Remember to touch the device if necessary."
+ YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
+done
+
+if [ "$YKFDE_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
+ else
+ YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
+ fi
+fi
+
+if [ "$YKFDE_SLOT_KILL" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Killing with 'cryptsetup luksKillSlot $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT'..." || echo " > Killing slot with 'cryptsetup'..."
+ printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksKillSlot "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" 2>&1
+ printf '%s\n' " LUKS key slot $YKFDE_LUKS_KEYSLOT successfully killed"
+ exit 0
+fi
+
+if [ "$YKFDE_OLD_YUBIKEY" ]; then
+ echo "Please insert old YubiKey for existing keyslot."
+
+ while [ -z "$YKFDE_OLD_CHALLENGE" ]; do
+ echo " > Please provide the old challenge."
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE; else read -r -s YKFDE_OLD_CHALLENGE; fi
+ printf "\\n > Please repeat the old challenge.\\n"
+ printf " Enter challenge: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE2; else read -r -s YKFDE_OLD_CHALLENGE2; fi
+ if [ "$YKFDE_OLD_CHALLENGE" != "$YKFDE_OLD_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_OLD_CHALLENGE=""
+ fi
+ [ "$YKFDE_OLD_CHALLENGE" ] && YKFDE_OLD_CHALLENGE="$(printf %s "$YKFDE_OLD_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "$DBG" ] || echo
+ done
+
+ if [ -z "$YKFDE_OLD_CHALLENGE" ]; then
+ echo "ERROR: ykfde old challenge is empty. Operation aborted."
+ exit 1
+ fi
+
+ while [ -z "$YKFDE_OLD_RESPONSE" ]; do
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..."
+ echo " Remember to touch the old device if necessary."
+ YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_OLD_RESPONSE'"
+ done
+
+ if [ "$YKFDE_OLD_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_CHALLENGE$YKFDE_OLD_RESPONSE"
+ else
+ YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_RESPONSE"
+ fi
+ fi
+else
+ echo "Please provide the old LUKS passphrase for the existing keyslot."
+ printf " Enter passphrase: "
+ if [ "$DBG" ]; then read -r YKFDE_OLD_PASSPHRASE; else read -r -s YKFDE_OLD_PASSPHRASE; fi
+fi
+
+if [ "$YKFDE_PASSPHRASE" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
+ if [ "$YKFDE_CHANGE_KEYSLOT" ]; then
+ [ "$DBG" ] && printf '%s\n' " > Changing LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksChangeKey $YKFDE_LUKS_DEV'..." || echo " > Changing LUKS passphrase with 'cryptsetup'..."
+ printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksChangeKey "$YKFDE_LUKS_DEV" 2>&1
+ printf '%s\n' " LUKS passphrase for key slot $YKFDE_LUKS_KEYSLOT successfully changed"
+ else
+ [ "$DBG" ] && printf '%s\n' " > Adding new LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksAddKey $YKFDE_LUKS_DEV'..." || echo " > Adding new LUKS passphrase with 'cryptsetup'..."
+ printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksAddKey "$YKFDE_LUKS_DEV" 2>&1
+ printf '%s\n' " New LUKS passphrase successfully added"
+ fi
+else
+ echo "ERROR: ykfde passphrase is empty. Operation aborted."
+ exit 1
+fi
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-format b/debian/DEBUILD/ykfde-0.1/ykfde-format
new file mode 100644
index 0000000..2371be0
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/ykfde-format
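Review bot: The `-s` validation `[ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]` accepts -7 to -1 although the error text gives the valid range as '0-7', so a negative number is stored in `YKFDE_LUKS_KEYSLOT` and later handed to `cryptsetup --key-slot=` for `luksChangeKey`, `luksAddKey` or `luksKillSlot`. The lower bound should read `[ "$OPTARG" -ge 0 ]`, or the whole test can become `case "$OPTARG" in [0-7]) ... ;; *) ... ;; esac`, which also rejects non-numeric input without relying on an error from `[`. `ykfde-open` in this patch carries the identical check in its own `s)` branch.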
@@ -0,0 +1,81 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+# sanitize environment
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+YKFDE_SLOT_CHECK=""
+YKFDE_CHALLENGE_SLOT="2"
+#DBG=""
+YKFDE_CHALLENGE_PASSWORD_NEEDED=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_PASSPHRASE=""
+
+if [ -r /etc/ykfde.conf ]; then
+ # shellcheck source=ykfde.conf
+ . /etc/ykfde.conf
+else
+ echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
+fi
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+ printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+ exit 1
+fi
+
+printf '%s\n' "WARNING: This script will run 'cryptsetup luksFormat $*'. If this is not what you intended, please abort."
+
+[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
+[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
+
+while [ -z "$YKFDE_CHALLENGE" ]; do
+ echo " > Please provide the challenge."
+ printf " Enter challenge: "
+ if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
+ printf "\\n > Please repeat the challenge.\\n"
+ printf " Enter challenge: "
+ if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
+ if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
+ echo "WARNING: Challenges do not match. Try again."
+ YKFDE_CHALLENGE=""
+ fi
+ [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
+ # if /NOT/ DBG, we need to output \n here.
+ [ "${DBG:-}" ] || echo
+done
+
+if [ -z "$YKFDE_CHALLENGE" ]; then
+ echo "ERROR: ykfde challenge is empty. Operation aborted."
+ exit 1
+fi
+
+while [ -z "$YKFDE_RESPONSE" ]; do
+ [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ echo " Remember to touch the device if necessary."
+ YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ [ "${DBG:-}" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
+done
+
+if [ "$YKFDE_RESPONSE" ]; then
+ if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
+ YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
+ else
+ YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
+ fi
+fi
+
+if [ "$YKFDE_PASSPHRASE" ]; then
+ [ "${DBG:-}" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
+ printf '%s\n' "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@"
+else
+ echo "ERROR: ykfde passphrase is empty. Operation aborted."
+ exit 1
+fi
+
+echo " New LUKS device successfully formatted"
+
+exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-open b/debian/DEBUILD/ykfde-0.1/ykfde-open
new file mode 100644
index 0000000..c87e15f
--- /dev/null
+++ b/debian/DEBUILD/ykfde-0.1/ykfde-open
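Review bot: Nothing waits for confirmation between the `WARNING: This script will run 'cryptsetup luksFormat $*'` message and the format itself. Because the passphrase is piped into `cryptsetup luksFormat "$@"`, its standard input is not a terminal, and as far as I know cryptsetup then skips its own uppercase-YES question, so a mistyped device is overwritten as soon as the YubiKey answers. An explicit prompt before the challenge loop would restore that step, for example `read -r -p "Type uppercase YES to continue: " reply </dev/tty` followed by `[ "$reply" = "YES" ] || exit 1`. `testrun.sh` in this patch calls the script non-interactively and would then need a way to skip the prompt.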
@@ -0,0 +1,207 @@ +#!/bin/bash -p + +set -euo pipefail + +# sanitize environment +PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +YKFDE_LUKS_DEV="" +YKFDE_LUKS_KEYSLOT="" +YKFDE_LUKS_NAME="" +YKFDE_PRINT_ONLY="" +YKFDE_MOUNT="0" +DBG="" +YKFDE_SLOT_CHECK="" +YKFDE_CHALLENGE_SLOT="2" +YKFDE_CHALLENGE_PASSWORD_NEEDED="" +YKFDE_CHALLENGE="" +YKFDE_RESPONSE="" +YKFDE_PASSPHRASE="" +YKFDE_LUKS_OPTIONS="" +YKFDE_TEST_PASSPHRASE="" + +if [ -r /etc/ykfde.conf ]; then + # shellcheck source=ykfde.conf + . /etc/ykfde.conf +else + echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults." +fi + +while getopts ":d:s:n:pmtvh" opt; do + case "$opt" in + d) + YKFDE_LUKS_DEV="$OPTARG" + printf '%s\n' "INFO: Setting device to '$OPTARG'." + ;; + s) + if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then + YKFDE_LUKS_KEYSLOT="$OPTARG" + printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'." + else + printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'." + exit 1 + fi + ;; + n) + YKFDE_LUKS_NAME="$OPTARG" + printf '%s\n' "INFO: Setting name to '$OPTARG'." + ;; + p) + YKFDE_PRINT_ONLY=1 + echo "INFO: Showing cleartext ykfde passphrase without unlocking" + ;; + m) + YKFDE_MOUNT=1 + echo "INFO: Mounting device" + ;; + t) + YKFDE_TEST_PASSPHRASE="--test-passphrase" + echo "INFO: Testing LUKS passphrase" + ;; + v) + DBG=1 + echo "INFO: Debugging enabled" + ;; + h) + echo + echo " -d : select an existing device" + echo " -s : select the LUKS keyslot" + echo " -n : set the new encrypted volume name" + echo " -p : show cleartext ykfde passphrase without unlocking" + echo " -m : mount unlocked device (non root user only)" + echo " -t : test LUKS passphrase" + echo " -v : show input/output in cleartext" + echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" + echo + exit 0 + ;; + \?) 
+ printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2 + echo + echo " -d : select an existing device" + echo " -s : select the LUKS keyslot" + echo " -n : set the new encrypted volume name" + echo " -p : show cleartext ykfde passphrase without unlocking" + echo " -m : mount unlocked device (non root user only)" + echo " -t : test LUKS passphrase" + echo " -v : show input/output in cleartext" + echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" + echo + exit 1 + ;; + esac +done + +shift "$((OPTIND - 1))" + +YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" +[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK" + +if [ "$YKFDE_SLOT_CHECK" != 1 ]; then + printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'" + exit 1 +fi + +if [ -z "$YKFDE_PRINT_ONLY" ]; then + if [ -z "$YKFDE_LUKS_DEV" ]; then + echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-open -h' for help." + exit 1 + fi + if [ ! -e "$YKFDE_LUKS_DEV" ]; then + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device." + exit 1 + fi + if [ "$(id -u)" -eq 0 ]; then + if ! cryptsetup isLuks "$YKFDE_LUKS_DEV" "$@"; then + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." + exit 1 + fi + if [ -z "$YKFDE_LUKS_NAME" ]; then + printf '%s\n' "ERROR: Please set the new encrypted volume name using '-n' option, see 'ykfde-open -h' for help." + exit 1 + fi + fi + printf '%s\n' "WARNING: This script will try to open the '$YKFDE_LUKS_NAME' LUKS encrypted volume on drive '$YKFDE_LUKS_DEV' . If this is not what you intended, please abort." 
+fi + +if [ "$YKFDE_LUKS_KEYSLOT" ]; then + YKFDE_LUKS_KEYSLOT="--key-slot=$YKFDE_LUKS_KEYSLOT" +fi + +[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1 +[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" + +while [ -z "$YKFDE_CHALLENGE" ]; do + echo " > Please provide the challenge." + printf " Enter challenge: " + if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi + YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" + # if /NOT/ DBG, we need to output \n here. + [ "$DBG" ] || echo +done + +while [ -z "$YKFDE_RESPONSE" ]; do + [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." + echo " Remember to touch the device if necessary." + YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true + [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'" +done + +if [ "$YKFDE_RESPONSE" ]; then + if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then + YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE" + else + YKFDE_PASSPHRASE="$YKFDE_RESPONSE" + fi +fi + +if [ "$YKFDE_PRINT_ONLY" ]; then + printf '%s\n' " > ykfde passphrase: $YKFDE_PASSPHRASE" + exit 0 +fi + +if [ "$YKFDE_TEST_PASSPHRASE" ]; then + [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" + [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_TEST_PASSPHRASE $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." 
+ printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_TEST_PASSPHRASE" "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 + printf '%s\n' " Device successfully opened" + exit 0 +fi + +if [ "$(id -u)" -eq 0 ]; then + [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" + [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." + printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 + printf '%s\n' " Device successfully opened as '/dev/mapper/$YKFDE_LUKS_NAME'" +elif ! command -v udisksctl >/dev/null 2>&1 || ! command -v expect >/dev/null 2>&1; then + printf '%s\n' "ERROR: At least one of required tools 'udisksctl' or 'expect' cannot be found. Please install 'udisks2' and 'expect' packages or use 'cryptsetup' by executing this script as 'root'." + exit 1 +elif [ ! -b "$YKFDE_LUKS_DEV" ]; then + # udisks doesn't work with regular file based devies + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a block device file. Please open it with 'cryptsetup' by executing this script as 'root'." + exit 1 +elif ! udisksctl info -b "$YKFDE_LUKS_DEV" | grep -iq 'crypto_LUKS'; then + printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." + exit 1 +else + [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'udisksctl'" + [ "$DBG" ] && printf '%s\n' " > Decrypting with 'udisksctl unlock -b '$YKFDE_LUKS_DEV''..." || echo " > Decrypting with 'udisksctl'..." 
+ expect <( + cat <*z6p&I&TM zfsl&j=^}`^N$eyDWp)B^ZCM>!E%=2BXgAw!Xt%oUqi*{U@gFst6|$WRndQ`MA;Pb% zSSUDXwVre*jFRa#e|~X|*4E3y=U7@5vaa8PQx+O7MHgt4aZ#y#P#lApMHgi57AOXI zPq{GoWvUB35h=#u=Y*-R$iVBwm|S-ojTJ`?8vDhQO6{%XX+-)gXUJ?95M092oGEyI z@&-vfs6&(xcE>^lVvv2RB29ip?h8mA%(zpjoy&~nG)Bx%1ZynpgwNQ5Ol_Kyi0c_a znW#mPgp_V}%*nd&x?Kl$mt%lB?Ejr{9d=9q|GG#THJ5wluM@5zSMpD^g_M0^3UO+n zaEp=Nu?3vJ@12qHd9MX$2?AwUGGxSbE``QKAd@KOsZ zzR1*O405VTj&6f zZpu@JM;)@HV*G)EjEogliD&K>tORt(pSbU5c&=6Gmz z&~j?#RN+B$6b_$Q^MIfwD$I1<04YM%RC{9>j;rvtHy)1b@Nsy3esyyVAA6%w@A7&$ z7{k>F&aN)|!|UPICC+|=-sLU48(#LYJdhp?f>oj%b_B>Bbu0>C%-DnAPTp>=v7q>r zhnSIwty5<#v0w`IVL@VShk9!t3R8lzgVv$j=kk9-YaaQ&i%Tz_TfyZrXE! z#h9kP!Xoc>;~|jTUz(qA^%)^TVhb#ezxa)&%J`p1x0?_;HB1qk$BIVxRx&42+&?UQ zc^b6Uu73r1H-149w;+574JYLb<_J1y4b~-Q`^!o1y0g7%5nUM_3XZNPN_${{J#V)1~9Wzt9E7o>Ty437rlqsJq z54^n3Q#;d3`&|O8^teNiN5(sou~~KxqqqoV`Ilqk+r_%Q+j&}Zsf`2l?Y6gJv)=#O z_x;ZaNhhu?;HwjmqCtfCngP}QRu$aKCE&-MACK{+>%h-2BSa!C5{7kV7n^-xC*gCq^X8-HO!9xU4 zT@r#XQ21IF`TO3AnUHh59aW64Tf)GnKlWQcR^jA__S*hCZlJY_z%&hAoW1_w?fKy1 R!(g;m`46E>p>S3W001;)(qI4p literal 0 HcmV?d00001 diff --git a/debian/DEBUILD/ykfde_0.1.dsc b/debian/DEBUILD/ykfde_0.1.dsc new file mode 100644 index 0000000..53e48fa --- /dev/null +++ b/debian/DEBUILD/ykfde_0.1.dsc 
@@ -0,0 +1,20 @@ +Format: 1.0 +Source: ykfde +Binary: ykfde +Architecture: all +Version: 0.1 +Maintainer: Andrei Gherzan +Homepage: https://github.com/agherzan/yubikey-full-disk-encryption +Standards-Version: 4.1.4 +Build-Depends: debhelper (>= 11), dh-exec +Package-List: + ykfde deb admin optional arch=all +Checksums-Sha1: + e2c140d2c771a17b383edc362e9ec398ff2692d4 14121 ykfde_0.1.orig.tar.gz + eaa145143495e32579e2faab0beac5ce664d0823 1463 ykfde_0.1.diff.gz +Checksums-Sha256: + 532afcc745f33a88369702a933911fbcee52f91b6b7ceb7d9bbeb43bf6193da6 14121 ykfde_0.1.orig.tar.gz + f393949e5dac05027b7135f6f06206f06c5462b0f56afd241d95cc900158aafe 1463 ykfde_0.1.diff.gz +Files: + b5ff19097aad01c168678bd7630c412f 14121 ykfde_0.1.orig.tar.gz + d3eaa050adf4cc317cb89b330ab7b38d 1463 ykfde_0.1.diff.gz 
diff --git a/debian/DEBUILD/ykfde_0.1.orig.tar.gz b/debian/DEBUILD/ykfde_0.1.orig.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..fc49dcb42b357e6133e845ee39b110e1234a2296 GIT binary patch literal 14121 zcmV+^H`d4>iwFP!000001MFORa~n6Z_uum=@Tk0{$o24&L>-B@ik2vwC0TNb(q>)S z6ba6NH6gF3)}iJ9xSNTkY1L`u|Nn>-t}O^@#9t{qMKn$DjKD4L-THZ@Qhc58aw) zfAuv`!R_|`7X9zF4qL1G-)rpczhaHA&dG+)A6)-C>{BvwF2sVJC$7uR964iM--;Gt z>;%4H+)f?I!YKHcuwv$l2NCg!kc_i?J@1FzX&i_0q+XvpGpEKQYw9|F@>mO^N!{^n z@mLF|VI4=$#G=CP-+$|6?k>ptrT$*7JjWTp~N6;_7J# zW)}C^NU%i05XXoA;)r`=2@8UZn4Ltp`X~ru6rd#}h)uG&05QYQz-Lk7`^4Zv#=@%^ z##_PooJWGiQy#MmF;B(lPNTq_nJ3mdn2Vi;9+-vL3fOO#YWg7f)`04r*C zESW7L=K-YiAS6ytO<)()D?#mSpMd~f9*d~5OmG1st$?Hkd$JQNmi2|whIwEHF#o|3 z^LhmhN5Dp42h#Bz7hEhgB5=2fAjRCDiIKzo}jHv9Ynq$nbeD8kz+n`1q;UPG(Z8z(s;A_F$~67L13GF=7-&# zl<*i{n>M^QMfSR)Nvy2~^J08v24mCG&(gtXLOK(qY|}6FSiR{aao~X_EoJy~*eKXv z5P?vv)H~R2^SlF!+~Mh969=0(*i?hfY_QoJ^8)=3+)ub$Brd?Q;v(^uBJR=1B4rv` zpxn}wfo#tQCvjbv=BVEaOP)u8$8w7X8I2vw0VX052GRk3A?WOkVU&sXZIUw0bd;Ho zTBZ4ptN{EKjj!zSnFwc-a!O0th)Hiv{qpk^wogyD3i=&8lO%%RwqvEg7YJwX*;A2` zNf+V>M42q?=ETgY$1PJ%d9xtwNKZ6zqUrdiHp;@vUE7ISUBs5cd^IG<#*T}e3V3J2 zD|&-3Oni~<=}tm~gHZ|oED9-zz`mF-<_x3ldI(jLBcg?HiZY~`Cd?#vG_#qenyCe= z;7UHTxEntTz#CU-vp8Vl(UBB!HZp~~rMYX=%{VaAxtrNqUmy4Wavm@`#tim?+Bn*Ry+;I|djv+DBrDq94JCeAEC z{SeNp*}SSE*D%}rVAU`JpTYwKOtc2TCgjL+1&?C!NPkpUVrNyOGwIj};fiW@JP4G4 z@VbxO3qdc1l~0Dv*53X>n~yA8jE72kRUPK5teOV$DuOA_s#%t(vi-&qvjB8az^MQ+ zE#amKdObMylAMs!*2;91*&#=yVl8YX4ran9)H_GdOkppeQ(9q*QVUj4+<l|DcDgwAp0%Y}N7$)-~mF3bYhnK*3kR!=~xM{R4|u=d6W_5nX?^YM7k;>}j0)v!Q|+_u{A^95W` z|3`OF3PJ#P@Sz?7A&(-IJ3_%xl*A++OMr6(ux*`fAy5Q9M6)0PTuY&E6oAx}>T{aA zGVnx9u7J^K<_B}tu~>=ZE90j8K~x~-I#4irg8M2k1<_107YZH*(GqlVAw-Bd+jD@R zZm)ndj{*oDb|9o*j#FSuRLMBQ=|Vad=s5;e2r^zGSrrcsglO)7;lwewX3COiPSxWs z_He3Mdxwu>h>u7#O*_7=+CsE39U|Es7J0%-AhtnF4gwe3G>E6tKn`&Zy;fQ)z$bGTT`%m-ganM^-|9J6^&P@!x6f1h`76vHAc8BJ}umaETQdzg~S&N>595$(h_6UP=hH3OW;fn~9PA;JwIj4zO z<`Z#SH1U+XR^p~J5xctBv4>RQGhGyFvP;R2#Fz?FDU*Cl`HoT*3@fa<8&Cj%y1lAX 
zd1?)WkyP1VfNa~X3FHB$gt<|0{xpac_rI^}aoN|2gpi^ESB=V#r)S+9RFxV!6}4T+F` ziUrW%s`H^ce62cW5U#*Q*^t<>1-1l-Aa^`P0|`YSE?7oY!}oIG$Nce`iSEoZiDvzb zhz|0d@1$uNxTOrJmK$Wt$qG}kEQIZ$zmUfvM1_ies0j_Jxe9V1{0)#sR}2wTx|i%e z5|cDvWWBm)a{pn5Gpx`Fc6!*{8>B`&0AUWWrSm|4R!$0#*2^X_^P|d&aqOo%@r7#EtqJ^ry9u@W!T_s6M02X*hIJ{IV~r14CXOhuj==S2L`m~j zXnV5{Sa-=JQeCPbMr+&1ykvOwL&J1;k#=1`j*;*XNMrIM(2yJ3uXWn^RZQ};tNhm) zEtEl7IQa52R1&`K6>XC(;qm1QL>uFA0J!9<3loWM6eYe`5+vlIj)c90k@EnEWkM}| zk)p8#my=cubr9lW&!cNil_lvblJ=&U3zQ>lqbXvA;J-^JF!zdl>*cKjJrNKsY~$Z= zK!96gdyzkI@N7UU&)6U{efFJF^}vTnrgwaceL!sYt1DrfLRYL#Gw?tp(7*^!obn?p zJPgq%RU7ySvxV@&nOcXhx4$K9%^5pZ22Gx`rA_`4XX~NSrsZl5Eahv6Gt>xwO(Vd% zLCA<}UCQxbWgKGpbCx$Ti_>UU_x!j{mjKj*n&V9}$Nkc)2egYBWrxp9|D)t^X3h%e zXzP`Vr8G~6a)oGs28}KLtiZ?CKHVP7#i!yQBj zSwRF=8M}-B^n&t6(Ag521BGzK;F4^L4*Bx?NlWf}nt)h*5X&+lyzv4$#~ENzltt)< zbdfA}DAGU+^_df5`xQ+c!42*q_iPFPs*!4A8!l~d-Syv+U#zU1nR3<$bDfbtw!WYx3w2k8O6d**Wd&SBiJ;ziBqv^!-yhYeGR`C414Wyht@l~*l z(-sa$<4vhq8tQ(}f0@BP=SrKAbyIXdH4lpE^|oO)b*)vHU6Y1q3zp)hJl*K@onH4* z?eq}GVE$7FryfKdC=T)HM{}xFl~SWdBz^}#NX-2C(c4N7qn~n1ExMJLH#9kGaIEyn zZ#p07ngkx^f*maohv%EX>vb6IFpNGsw+!VpiS1zS=V=2a>vBoKWBC61`l1iRqlo{< z$4PBYk#Kn)X)=RKC(~1`P(;D{QX8u2!7s66rms#K#%T~PB4;vMRREb4WnZ6k+>zBRL?p42Q z0-H+5&l?L~3^g>8V!sT;BHGC3f=hNvy0U+979OFF<0|0RxIink$zVF=JbgpiD-9Ed%VW-zuXT96r z^%eYe&N^40*hTN^49XRUT09VsBIF%m7YZ4IxX~A4Y4P+@VOCAK;2sJ3>jWE`RNIHx zsG>`a6lo0C@tj!a$+hj&jF*1@EC2o<+H92gH97s--!c2l_doacTZgOP|7*8ee}4b( zxA^S*PkrP-mB{7PFd(xqQzQWkoluOqgLjIss$w?$mAJ9$i^>y2;SBJA^WM9`dGE6O zrnCZ0O6i#Qoy*Ja)jJrm_Gs|2)9-(OeRDRr>UPh%XPbufFRyR$x#5i2Ju7{)3ssVt zR7%VQ7}#Jxe2eDq8;l8S8n9CL=H~k5gne`cRtI3tD(vZF14vh8>=>16C7kgH39o64 z9oi+-xh_N_s4XPKZA-jaK5;W@u=v`xOU8Zvc-yv0><9LjzpxGRP@6J;T&JPuY<{_6 zflLhg)@b>E;rq z;B`T)sJM4^etq&XX6f#?+H+~^N>533Y31i{ySOZx*;aLvnXfMh3FoSJ_3mW(ro+k& zhw@Wb1W|l14udbbcg95^r@5#Oe%N{7aK&a#)oY4ngVzMeyPGw!rcn{3AP@2%p9+e`UME_ zkm<3k`;XqOVHEXpD^zo>Ts+__YuAT;oxOecrpcC0|JD{!^pMhKG63c+{30)Q+7{Ho zA>BU3hiaD<_*n5!OuHraGuwD}xs5}$(zR==PGq5#1ez`*Nz~+OziyQnYUGfa4;!|< 
z%=H&+8+)*YO)ocQ*BQ}`2a|v^a8!_n<>F1T{PhNIi;F$YD|Q@^h}=31!%^eKFzR>v z$?;$Qy)s?he6=;6{`Vgm&E|e<1^*p1_YeNWf4{{C@LwXM90M*RA^i1?P1uk;5|5%F zvcXunnZbZ4dED4A}#8i^24d6H0%VpFI8-6aUv;{vT|BU~?$)`~NGS=@g$K-y0_5<8=b~beV`QC!@6+$$1&M zDKQj!8jRIeCqsEG#d-mH%IO9RLFUyd>(!)g7fD@B&ZpRQo(M=a0K7{l_K7^PX2HX> zgcm-(Wp)4y(s6F-8+cHHEJXj1ft~()2CHWB&GpCI&ds}$e!Wsrsd}WZFFUI=j9iuV zG}U*&&;Pe~^=)lj$Nul^r#N2JN}@`dtTOD{ zRx*FwRz=_Uy59mafcY9w1-h-4I>0xwg+pj5B2K?Bex`wo6v? z7j1fS%dWG%b2dP`6Lpzo=vYLeHTo!KlN5di311RugZ{`Nab%NdZc@JHpV0LmT1iS} z4=Q)`$=)gby)2#78lLiY;$Lg^sy}Zs{4REW&S>~l;a=*n!ky}$(ZNG~ z1>qo*faHH!<(oH&rf?FEV*$6K34|2)Ok=B%$d;fo@1hwvUgm8pw9a|%saR5*!r;&( z8%ERKWu0{=H!Qk{28lQ>dB$5DnfzDY-Z@gLi0=AR>dQ1A8>$+TIsn?i(*#iZ;}|f zR5ZDvY_2}2a1c!j^Xvp_gBqlqPEforLnEsp4$*Wnix=q(pl|RVMqR^Fm7Sgi`N=IL#<>q%Q3=GXjZf-L*%pAoZE#Ve*1ST~_qPEl&2g&Sy=|U+44L0HORg|#{(Nz zF^JP`ruz;3M|PhOtYQGOaWc)E-`pc0vTDXWJAZTHOX9nEQUG3bVqe;Chk7YjEIHy(W$z19Tj_c(2ZP-rc z1vu|5d9RoIGR8M$(a&?|y(6($eAt>jg}m5Ma^RZIU3Xco{8{+2)l|7l7IJ57avp~^ z=goXRof-B|=GC9XtxbYS<6%vY+_6zp<1W10>?{utwtC1%03R%Ui&0pbos*U^{ID*m za`trBGEO1*X1R&6b@GkVMB7~K9AY>cb- zy3ST5#80sGkohM53qmRW12u%z;JE$j@Z_MowN93#(+Nkm*RXpG4O6)hCV84l^Us&Z zKOc1wvJb^p^cbxrteiILt47|f*ZDl zOc=DEZ6AN%f&CVVnk58y%P&^QX^3m?(W-<&`nZRv(3Fd|Yz_U2g#@Bh;pjn=2Xmq5 zI+y_QP28)}%fb1S_CB)6g)bmPPjAN1a+sOAX8N6lA3ow%{vG^yhE5{f2$v#up#AV@ z8q9{HSu#CU18CJg#)|NY7#k3lKIp-E{oUJ-p*qPtVpPg_gr~aNFObxlBc(C1GF}y{ zU3tDs`TV0WrRKwO%8BDwDmH0D?1Ulmp2`KB{aN@gvJV~-;9Uc4uz{KIp`$`lQhe^H#2mbii=@aT1{pxHw!C&8I52x%I|sS@Qt`wS^J&D+_+l7`zL~|(eSCS2CyIQzHs!K| zteL$l#0)0&+8$iOBj6S(!RH54fx>|h3Bv9hWDazAz8;`Qx<)0S%RDF$!p%H4Y_+pJ7N}4<0e?jXy|hTD^tZeH?5E8&2oi`HSKUa$&@El^ar!XPLv_dlZ<;%4=0(X2n178CDHe~W5>yxP_1 z;uaOzITo*K@ha|6bm2I-NpT(h4}W(B+!!}O%ZCM4yui;D@itTTxZZ63MVJ*5?w?%4 zgL5d1wgHJN{qM7A0;0iWtNCwZ8Sy(PGP|v_E*u6%lV~!4vjoB)%|z%SC`#pC|2OW| z@`4=oQ4-pL*b{IEDkpgU^0_r#CAK~pO4ziWPM>t2|U1ch^YW=ty8Y}vseqa{^H0+ zs@y9m7BlA-iV9sIzTE7Wt4abO(d_i_sM{efn8(6#lZFbzs#dsTn{;lZ50BlCvLB!& ztI0@o)hcJ3?swIZt2PT|OiGW^98K{KF&t~EXfAguNrLFr>NVmf;?%i#qs<`+9rIHE;isL&QH$v4d$ 
z&Lga|Z^6~Ds~2Qza|$ou&b~?t*z>%~=1Cmhs^*CtbGyvXt^Iwb+4V8^VkF^of$A2K zG|eg(5jAtGnJa5%Yndx-=2fytzd7QjIB&o);Fbpt$YGv11Wqzpaff>1QXW~0oC47X#zTG78%e{mUreN2vUS*DgRJ0OB`QO zuKg@QN@oDGe<;!-bvwN~{P@t2ZbfBF5pF!$D9X*JNS%*%;Uh}8+{>#Hx z?bB}ipUyR}`DM#7#}e?;QW2CQsu5n2qh%KTB8}8dKO2;EhA50)#Fc9BK^q*@e&rKx ze02ko6C4luC8YeTRzo07M{ZMJMTw9K9dbZIT+LV%C~e|*+A~TBag%rooS&_e4i;Tv zPes#CMSR|cJ#^*+cabkdSn^iE4WXKt%r>IbI2CHSxuzF)?mx!tg117IK1$zFXmlLA z>(KrXNQ?VedLEbmwF>lqXM0?)I%|ERoZ@ zqH~Q7kaH&7=I$eiMapxjOXL+%<`3JQAACiu;18h4HVQiWsnGO`=N8lN*tII+1uSYr z)Ow-tL8Jwdp=5yKj@|iUv|U~&^#!Jf2pUIsN%%$t9n{Xfiy8-IJ4-EEb?;rKwgP>6 ziQ1FOO>CqTeP?A*t=f$SSKNedBCpF9Xr8`Q_Y)fW?#X|zk9+@*P+Iq0N5TF7)8>=M z8Tk)hE#vvos7_KjX1oA~-Km4+2x83Rfo&Y|Q&GB%$ zg!uR!LwqEju@hD(w-`LKX_+^4W4jt-#rt3{I+vqs3fCdM_Or%vnUF|Mg+seS`&PxQ z>lJE#vk(fRn5kV%W_{NP&9asUPGF;II_8333=HJ%7!tQYkx1Bcig{(^o2n?hnV?A= zt}ot@StRPL{6@5s%}wJwWJSRxCd=1>$)fps#=p1#x#a<{TSQz-2i?MUjT6Kc!nZsufQy$#GmJv~ixozJ zQY-|7LMm2EK>kvQD9(0ZI-|N%hnpU}U4U#=Yr)2^W=?XenUkg1M9?TkNfD8UM>6bu z*==PxC-N*}rcBV*EjteN+e4;gyw~y|XnaSf`MyKE@FgV6r$Mr0n)S7yh%A9UZtE<( z1orR)d-x@Xtcd1{+)DT|JOBfh3t-_K;6I~tZc%YNu?$)3$0Z@**-!N%P$jIinsv^c zQ|BGAN{Gtb&RrD11h0VeQA~s^XgOCR%glo+$rX#f;t}=^C7E8DFND7NYZ>pHVddgk z=pp>R$De=zEn7`jeiD(Q9?9sMcmmb|>y67;tR4H#O38!2yU7ZUZrf9aA_RtACu@8a z_mBd{va+h4$KT?0lrhdJN^5868$L_)X-9;QmHAp_GT~6!RG3+G%7NtO5M!i8VbDxQ zJp}-YBBmCcea_~deO5#ds-p}>SLPFJ5?{=&q6v>sc^0MOz!0aoy|wtkg1c0RWLSaf zB9fm69{i=dbigBHe(;08uQ&dWkvm^)@QbK$L?6pv3$UbM$e+67>A8BR4NvzZS8!op zW}3Xfwx!9C;vQd^&nqN!^x%N={CWGIN9~v0&dcMyqi*mG9r*^s7`1V=Cj32)t`p`X zC^NXhHv~>}I*fj0O}gC`WV3ftqx?Y8vKz=D1OtAw*SCrFuKh=A{pr&F z;~^g8Q=7pz-|-#vY&N*+_v176`rz=iv-kbMR`V@mHAe3leh@+fsk2VbV0)Oc{ccC4 zN84Y#U<7VCxWJ?N+fWrwp&Oa|)ObioS%th%VOg)K}9>5kjmJFnXHVSjGgN>6hQUK@m~t7)w`PY z<1JlagSVYA{R;MAIhvcumfoQ%Lv#=vcana5&cvWuWEf;V!yH&fl?w$$$>8YJga1-U zp7aOjBCw}tG=depaM}!3zNs5wr;Ju?!S%#{||gJ`#=1{HtwI4?DGfT z|Fh#yZ|=2@0{;J`^{vbQpR_iX{yz`$Sn=O)?Uch=jDW52*&+fXbj%TbQPhziau*TK 
z`Qpih!A!6Xyd!SAPPx^cG>1APoq;dHxN`&g5z#RPy3VMNe?M9h-Ys$YcwFjqh939CCr;TpxJ81n1=pM*?4-1)9kbd zKc{h}D&5`sSEwecR8t1!U-WvXX+0g)n@;a40<1)#J3P~gJ1qKQDEkG)^UN>;aqc@p zA#z`GHH*`$&U((i@ehIpO^}ThjpaDlNl!O6ct0oSJ(kYK7zWq9Sb}ZD^|VRj$pB%& z@Q!+t(mH|yau$L})tF9i8a!hoEJ!*_&va5zCsL>pk>&N7VMTB*x(O0uZ@@pI_iRf7 zr<>i>rgegU0@NU_u^Z0W4+$O3&d4g!d-zV^Xyo~_eR8Z#zqGZ%N40INXumOMfT+cC z>}8?`lue%H`gYp80J7=L$Q!EY^fH>njq_15O&i_rZeu6@PxRxg6D4VVIz6}RFlJ*x zwoFwx5f4C* zKs19{EaAUo`j5+V;ypf&{};{3`>vxv{(p?ZzU%+hda{)NAL3bASz#}2VH&R%g@49`Yabj66*5XmU15hgLKgkhDt|MReI z+&)zT`AkPt8uv@Ut#eo>@JF_K-2UH_z2o-IDns~2glCG$XGWLI3x!v7eYrh@?E>1+ z<2I;t|3ipLX1Ie&b9cLnE%4cUt*{d;=v9==_z^*t0^1VQZIsgTmy-1sYf`b6G4Ac{ zX%UI-Xe2`4aUcbT5R>S73nhfDu+DabOBQwqzR1$1T->O8`Mvt~zU-Ov&5ZQ)|3EJ@5d3$BR-;X zEDhkNG6%a=#^9<#3kw3v@!C6*jb?O?)^^IY{!?nToDiX$o#Hm4S>;uHJ{7gmCA`yw zGL(cM-U6P7?we(hVO&j7Dv+gcEjG?>YO~p(FKrf7Dd8tKOn6~JF^9r3|LTTY>X&OZ zV$!%9^rA^W%^0@OZ0;WKy+V&sE>6}zjT+@7>DEmY9&q0^L@k8LNE08eVu9Frh*P=j z8hmm42N1C`Q_xyG8^+@Cf__+a!`?7T`jitfOsNw%a0W^-V(qN4um)>&7=x6`$}mv| z!vW0EY~7F7eJgh!I>}sO_`KKVFG|1~C2rL;L~BGM5`J(Bnjozi7 zLHmCf{eKI7U+VuK;&I2H{|)Q!9_uI=|K{VT8U6p0Z<|Z`{~;cs|3~dVhkgixqvJM+ z-dkLejFxU8M(>R$@h_=@auOIzJSpMslXHKmDINPohN}68R>pJB(Pz&B^4UYsDy`Yk zx<#^jq!5KUNSH02r=2WA!bL29q8S{Tdy{hkva()PUW0NSVPAm=+z39VEyVIo` zcmbGZB?ze$2fV?|i+iA2;n=^V8WGWa?xy6=fCZ=%x3Kr}*Jc1Sms@;f5Ya(!$) z`gAp{z#Q?w zump2_7%)c#ph#+S>*mZ%>v$K-D;?Mf$5+u!%@3NWu9sc7M7r-Vp%M|z7dHp{7GgTY z*g5zQkFhFlA?RirSfl)f2UKFYz=hZ%Bs0AXy-0@IHPh;yW{@!|SEz8M_04e3XZC^} z#}RSOJX?Z#_%)j|h_O)y4djoRjBtUX&Vk}f@B-JQoA4MNP*6F6*McJUgoyXVDiNH( zM;D|6;L0^Rm_4c%m;@1@ff;@o;Wc_jWs5n~oo> za(Z%op3HfNmi>pjfmwEdFL<$D|8V7Pp&YNo(9mxc>=bi=x zekGGD1T6X33a+a4&2pcfqZG6A2v`>Rth!~Ile5Lbwo>rR7#(FrZJFG`-zB5#WQ`3j z66A#!^|=+2WH0{^CN0#F5=AP5_*DUMeRTCcJ{4-?jCVyf1NLe*;V}z+YsU4;c4jhb zL`lDqnMR`t@jEm4npiekRVkZqtViw2&o>an&BGX+F!zC5vRo_+z02wTSU}wym=Ucr zJdLB6H7)mcFW+NcS6|_gEQ%1AwmFF|rmW?6$=8<-)Os&8hJU|&B2EL+y^Sm$NXMV& z0fmv!6@CeBH||(h+#al=Mz}G`>?-f0$pAO1N?Ii>6VJS=`#0l!rUQp2n1g48&tX`a 
zaSmFlh|j>LBLs|*Nn8)YYN&14rf9`-nqd4q`75D+N!R+YBwyn=#`9*1j@hl@a;H<& z39}VdN+U1-rfEwxI(I!&Lt||Fqf_8R&^1cJz;BBDQl%n)XMaJ=o`9*a*2L$o31^Vt z1qgYdKj^aq8T2;p<03OB(K?C)jPu<`VPK5cZ^*tvOEwv+iWPm`VPHvlt~rzoZaFXp zLRoI&8GDv;*~Fhqbq~+3Ys1cR-aQk zRYqQxn3HM9A`#PXMT;d?nA=14?w6g@w9TS#4*C7Grc$w@+pT$fhhof$%bLC$jQLcG zQH;zISkLfdvq9R?k>El2+!A-B7I+WmmL7BzHwyd0M;ii!D~jaGx!?ZH6gYFxT{84$@m)Mgge)cgxfL#p7nwzlMLrYLUcVV~isQ^5 zw>u|yJRVq`W)f6{lpumpa!D3#0mu(n^zMQMi7cX%>z7Z(g;0G+bRa`1{XNiA4_^3C&dhypM_r1u>nJs@%j=$9r%<00YQ@IF zIZ%LJceb$nMffVBP%DcT&&W7j@dzHUc5&kL7Net|8J)Mg4bt$=Bleoa6;{G&pdAy0 zxW$J-%UoGLY>Qwrtb=gFClSMbmBkjyQTv6trJknKiKk?IZ3!y!dmm1Hh`?axk?*`2 zlJlN7llk7xNS$NYpF3}O;uVg-&5b7rnJQ9v1*2YXHknX$qD+e6g`crF^@mk$ob+V^ z@vHS25^>2_ zGwFeZQ4ax17{@IkK{_)-Z3p&ea}JotFFgVdiDu`+DM_YdHKSeCs>|6O39rIsd`P-k zQpK&w*|V8xa#drP<^h<7*5)r$=V=PmX03MWIRuL>rA&KD+1iV9c6Hy%Yzj$jzT?Tg z_nPIIQA<=$nSJG?F?+}AAC_sewKA;zB#VI=W(efP)C|3jYL+}TWV6`4#kt6OeIx$} z08dxKsQ8XIgdrLC6=Paqdb`Ibt5=hnfKNhobQWy(Fqc(@EQ0M=jP6)`Mp*cGlWEp% z4mXOdqO*-h7F9#z1*LT7LOwdBIZ1tu`9z4y`#B8B>E^B?Yu{GA;;;dWahtPh-cEBL zc$V%WydA71-$Na#<1=Af7I%ja(bA!=Y&p$xsgo;olDYi$vyU6!)PGB3$0^PmzlR(< z|3DPz;fl0vKAn(LM5bDINAs28%_HxDzIJalH~yDnFLf_<6yZNL*PlA}KO0Y*%lKap z@~kk9ElxHEml4LgC+F3Od}zpCK*WEpQ%G0&7kaClPvV%Rqx0!?G>M-PP?~yygo?=)3?D+%ndx@X5c4GVxC%r+OZY87Om;-*MTU=!WGxH*z2HWVxVZRDqcX(lMgYL~Z z-hv%8y&O%0_OEfTgU7)wW!8n*1@A!wzfKWnFvp?a`YSkqg12g|b*N^Kqr$umwyy>e z(B*H^SH8(DpWMgY|Ka2?jP5xCc)|X^@%Tx`{(pTL|NCK{uOa^9f{__lY-`ic5~1-o z6LK-zbGHa&^Z|Nuv-WWr%;>&?87&;P#b=eVOIt3Xu(R7oVEIEvNYNAcexjtvYTvv` zG?fz&&Z4P9Btk9UKb@^YLR%&fji;+Is=WKQ<%^P~w;xF{qOsFtBkbxr>!K6&MKnl+ zQo*Z3C1P@nVSIDt3xu69b~!urjBEL8&sfo4R!lMONv`o9&{ZG(rR(f)91E*$Q=M&W z4GYJ)nZGIj0b|`1cE}$!-c4={nj*e_%P1vI0gD9r5WEcCNo=XdT1bYe;w@H^n!E?` nwPgrwh4xF1XZb9joag@m&dZqW02l!P^`ocy literal 0 HcmV?d00001 
diff --git a/debian/DEBUILD/ykfde_0.1_all.deb b/debian/DEBUILD/ykfde_0.1_all.deb new file mode 100644 index 0000000000000000000000000000000000000000..7e1b764b80e5d36dfa19331bf4f38eb7a6401e18 GIT binary patch literal 13564 zcmbu_Q*bU&+aBQ9w#^;mO?K=Z+qSb~TW@UJwsvgWwrxB8+WzfydeVd5vu4da2hTda zX4c%KyoQd(7W{A~rbd>AwhTs=wuX)#BqSs(9PBJy8~`?E00{~6f9C&nvoJGru(Okp z{O9~v4B%K9ncY@HqLY#5yl9U0v{|KIy89321kgaOBM%2nfXSa?>A(-W~*h z1yWEfkpG#8O?KH`>K`ahT@Y;eP68j$gNaK~ z+UiY`71X2ddau}bOl8fiylhPK~-EKXm8h4hr z5^q=On}%irtic*uOwEoY3wawZHilKj-m20EAhcGg0@vA#SWj|pcc%(vSWP9MI6 zy!xIBhGQt(f+g9ugzd=uZ{9pi?fksah>0T81y(K6T;AslaS6son;Jn6yt!5NtB70~ zN5QwcMRRTzfBURZW7UfBWjVR*8XAkyHc!D_v^~XEAAH&!a4}aGaq0|#*9{Z+;01l0 z=`@5;vjCqRf5IDrvr6(9U~3Rs^(rH&dD5PY`Q<^s!$)_00ls0PL-U%K`z{*AumG-Y zh>Nmfn!LD#jHpn4-+sUWcij&c$1h*f0@#jIj@a};MybFh{fqEb0%xrbdU}HLanb0z z@sbPJ;8X1x-lDPJaaoXmSe3}YZ=W-t`r(9O@MNgPPk>r0wZm_Hhh2|hs)9TVx66)~ ztd!MiZ_pL)@NyoI0lEbWes>#WYa`;$1K=#{QTF;ja!?##d7|xBs|A7$4lRiT2u@^3 z)$^`tglZXfSGHwtP=d~%Vyaoq`&STuv^NBB=G!K!Fs65j6ol*?Y=uVD;`Z-dIfczB zCrO(=C2$ZNDvLUL%8$36Lid^ejdy`1ZHChpFAJepeSn0AsL}H^V|(+s;sTRH-TXDJ zdspOC4)0XNfQb@fv2Y`GkC!VuWl24YJ|XmW30D>GCaBP6%RBSzzAVCBXz8h3veX3#u)!AlpUJ1W^Fz7F2cdXa2==-kk-rI+ z=mbB#`+PO_tAZ9W(iUlE9-T7)%wF=XHyKGENJ8N!oT?K$wy+c=R>gF^UY&`KNd=ZLXdkvh0QCw*0KDzp=sTH74k>HeU@a^r;_ZyHiFvXsjHVn)K z?4iqIFqQ^~5)X%uE);_|DVQFY+Ye52Vu;L!q;dBcTEqp-_lq#FMA#Zfz%g6DKLJjHH|hLfWy3HJgps zBJ4LY`k;e!S#F~_?zbYJrQ9#~G@4Dkk{82g-;7eXj(3P{ zaNdtPNx?w7oPUmc(%h4alC=OIBxb#yP*PI}t0}32Ry&HmYOy>>Xs$&&cffl(3U~7B zB<7Ho8o*R|4@-<~zcdpb$z0MAG+bb+Pdx}|v;4F6Wy?WVS*f?$h~Dele#>$DA4ZO? 
zErb#iQQ<*AH~wP_2uO!)+fV(V`3Km4Ck8@O%f!&x@PEVgAJzU}_OY;VGXMS``u*Q_ zeQNpdg8y&4pfyPOc5i+dod199a?vYM*ztQA5KvIjT~f`%bH4Hf!!y6rJ%Z0=Ob=l2 z8rB_I`{b8rv0r3@vKGZ%$Q?M_fu9-)0rIAIy*dx%J=OTyQjlaFLWw2WG@xXg?wJ%; zYj^?)Q+y>jV8_tmgx#(d9;&`{9V;*Vk+`FUXR4v06q5Sh{MVJGM9bwJHATu9rN(PX zgu!e{P!4O+?D!fa(u;A@zGTZ@@Rm=-se`^6Oc$IUgA3N;k^6S&^HbKg5GVSLx|>~yU%_6rqe?jVd-#7ufNsO6}{-5?`+LL4eIo$*7|SlOJb z;uu02i@%TjfG8zEUhRD=cL%rnOAvooW8-i}R~JR_rGYoed=zFb5;ddc;H8QjLRwoaA!hs|YA^+SgQqG3WseO)hCUXnHZmy*F->Z(N7_eK(ki$t${ke^q7O{oe zg_tM5f7*@e)Mi~|AoGv2Ze&LQk==vd-GdA?VIM0n(*l9a8<*|@a#*Eev31G&W?g%I zRpQ(ajh@1vngBvFBjOIKr(ZnwTSDq2(dcB+pZCC_l=ea1)V49(!>jd+w00}jafuPM z=WeTvMcL7c6~rYMK^+L{33427Z%M~CDJ1n8K*LAwiwxCMFp^eBgBon(|1ldM4ur;_ zjP}AV2gKW7LC@ma zWX=kzUg6VmyaBUxg^p=nw1i(hncYAPsoj3m1Sb3rTid6cF$ zMc!XXoK(GNo8dY>y2*|9ve8O%lg+Iz6o(_X^lnFFz8iB%gVs9!?E{j!FCN29&8u>c z193jeS}g;EO}xb+3__L|LpW7xu1wRj653FB-V?+p_cDyx^W|K7++ec!hf}DdZy=Ih zdA`FF3oIA1!M~;fzoBf3X^=a+eiDbH8mT{9z#6{LO%9KjudN9ek)`ARZg|f`73+}c zgYdBQ|7c6^b``e7+3tkb|H5%qE6fqIa-{A=1IJ5Xwu$0&h}-l(u$%b3)o)*snjA7L z`sdeWvtCjViJ&cAe8RT_Xs3qM}^3Y5@yS4PmqWrks2zQU?RNjbZjrdfSk8@ z-?JXIQrqZ}2BP$L^Sq*EoYY$`ss%_7*#d;|o9kCWwka!YWi*cmN(?9`L7m{7-ef}H z6P$~ERQxbORA55C-6jGucR4=w{S;buC^`ZH)2p{D{<11lfUx2BD?t%mx!f= zG8(q6OXwsBCgj=mab4d}2#ZfrmZ_l@I*7 zP!=T#6ZF+H;d;W-c-Y@csI^rN#Y&-aq8E*GT06?fv0v3cr(!9d^}gJv^6@An-HCj_ zq=h~b0BiXeXpkF-UJi~pzFT(GZo;1yMhK=&lIMa_OYK;^Gm7mM|J+)J>a?q_Fn(?C zrjSb-qRn2@-1;)@BZ7CUN8rDlKi0?5Vw|evzS(VJeMw|Q`H>;8jTVlB*U#ZaV<9)6 z7rdt=J@;E0-D@YhnZ(9c9N#NxQG65h5`c1YS!55B-sK}V${r~^DMrB4g1Lso;&?GZ z3k_`@!dqODzo%EjR=c5~MvmcV4&)@4@39S1F<(F9z&9&y@e@Hw*eh7JQJnE|&I^j8 z$WZ4Jo<@Lt9oJhWouY(k8RzRd5%2u{`J0!D?gZida^fDL%qo-4DHf~AS4;1BZj<2s z5Z#L}TpI+fcHQWpKT6DALdo;|PNq|( z%gvkO$)uj83Zopy6(Q`)5!$}?TH4fALRJ(pi4nv)0lt6KA$gFB6Gq)s}i63b}9+n~9Z8~(z849`Nb?PV>Ti-k@ zRW#Ar{;-O@&5TDE@ph-8nCuhpCw@NvA_t~`q$adL&t^Fb_gR#yZI5hf@*T6p&2kZ2 z!hrX~N&MUd_|Yx&@^~G__z^-;pK+)b{l!n)osz4?$I42hDR6_a_0QZhp_o<4EcjOA zkr)lO2vV0P03{ILVxZdy6psyV1-Spsxc>R8hJ$wWHRv9@fVoK1iVksBynI1HIT*o- 
zn!0*{GlP*IR8olycR~2k)+Zhg#t?=fRv%OtGlY|YxNY_w#p`cJ^Dr<^wh2GxeG2Qs z>bLV6%GpzVT|^_Mn^sbji`M>f)W@#W^z(z>-l$+nt20dcj@wV38YvQIusdMk3qE^j ziOvZ}`&3p#RZrT*cpr7bZTa<|=T<3m{4>t3&ZElD9(=!2TtMaO00kEq;;nBI?ra9ItUO8`I74|=gvfdyaz-J!THL+ZDUXlD3{NCL4~T5&M(FG zD|pNl^%EhfE7JOxPt)}~+xVG*p8?MDHMn2O3xu}^#t9*=Bxz?s*tzrJ6KJ=38Y+}k zaHSX9@d^{LkjcsDRJRD8!UgH(7Ir!AQ z(67VfNa&HTnjl=G22_!M_&U4z(DsZbAcd*vh){s*bWBc5_m;5_THgCA zx>iN|&Apnn^hE`dc9y3VR?7OFl*sXVEQLoCI^)D#+gji^5aC|=|3z>Nmo#Urwft`^^HzVc}epC*!GvV&qE>FL80MK=FAdxgS!rDHpZKv}xwl@GzREN_+Be2IiLLGLx8yDW$P%QY7+crA43$vmJu{k2|CdP1#F znLBeHhq5t(1RtXWsl^|2+O+uZF#{jU5f~nJzyObb`LZFi>u2-ZUD1iaP_ttQ&INh? zTQ9FKCw8peLIyP9%`{+YM89|XI^uwchgKF2eZ6{v*HDWy_@$q1HE1Izf2DP9$2cZ( z;>%0e!9oumqS^>=J;6LlTucnPE?=UX%k*w74>ssQob04;&cFWJhWW+thf%j<_R{dU z;C{^}8T-A&if8LX9bFIr(kZ$y-z2)BC&M9T=C+{3GxkcIn+1w=;YjJ6@-}5n2N_b@ zr2>P|PD4&5ZQG_gg-p}G>ZrKSk~5+vxrc${_S_)2x`4W3Sv0`6JaIp#cYg=KBdRt? z;)qGw#2Uf)B3Jy zgmd;I+7c=0|nv`0ac)OuJDoe2Mi%>`(=aGxhX z22bui_g#%jv5t2h{RZy(Xx@EQ#J@uBU;3jCG82bfvw2W1-e&7dFWT9R8DNcHf19nx$vK3G5=cY6?-O0{|H{ixTw83l(D5n;Det+ zUiIHpUVdpU0F+KNS5)3S@#>$_bjj_W0VRp}SD%!GdUS|{?_mRU8TPERu*ophh!K!P z4WSzUT*!>dV-E4#AV;S^IUyhLyGH40Dx0$9EXX7h9u~4>s5|> zCt9zWLt{&Pik7ETRoK?LSlgYsE0ER>irRx!Mn4&Q)*Ly3ne0^*fh&q$E?|$+7wJ`D zW5P%Ut%%A5OQtCb7r7LqlpFuVJ6jz_P6csIi92f-p0N2mcMEdEmVTcFGIg}`O1oW% z@Eu<_oV<0`F2?7iJT1wTrf*-VS9`1f{J=t7ULb8+7Zf#h{%RgSZ<+9GQbcn%&$=KE zeaXmg^JI$R>-5#nfM-&W211@fG@4ETL=vlladAD{Y5m?3Eg>V=*X)J7BaPFjV^rL% zT4ow7P5e9JWxoSZt?1G8T~~GUI+n9&Hi!q$}uW=p&K|jUP#5{Y1d}!i|7r>%%OwBTsIRFU3q%0It((@C7*#@p0b>N8& z{1+CN(#bP$Kk5OVe?&(1-KS();_U!0X8 zpq+iU7T-wmdZN&(B<_AucQZi^0#UYH0-SFJ+WB~CE$YDI{52RNv(eCY-GrylVpa32 z&+_jpnyon>r`aecY_9eVBMbpqqV2rOip@Q>yAs(s&Wv>qKHJ!ekPm_2Sn4G`_sA8~#*>0;^o(UBR!hyA`Zo z*iG)pWH7D7X}y*x3nKMmgkzG%SvuIQe*WKygSS#$k4h|l4u(v<+ti8KmwC?;btg3# z3rUp-#uL#y!a-W#`YsyHnF%mVL3w}*kO-XfXAE=x~}AV&cdyYDOHIt0rxs zMWqP%589>BiX2F)QaDg}IB_uFk!-}nV<`I`XsOcn8eaBex@avN&RX3gb;qr11I)d? 
zYCjgd{)?8{sHHl0AJ$cHr!!|W%a0eP5gH7l)-Hr7#HL-h&*R&rwuhBR=8cATz_vyGDu2?0WSo6NoR8g@Lkvnj-8F}Zi>Qj8o4G^T&4t8 z#84hq*fj{wmqvc35K)@WdtuoKsq0Wzror(=W_*^g{!mtI%HsLmIQ1CC93^I_-U7kZ zLE2Qk#hJzU8{d>d+LWA76-JC6CZvRd$Qnd0lRp*z*E=4LoB#pI6^T*dY-mC92@C4} zc?(40Fer+_xk|{}7370bi1x_E6PjJi41kndrW;l$sYD^Du$;+X?JL8f!5j9KNY?Oz z%8m!R=5T}>K@VUSHZDV}`LQXJ?thlMEPzt9QzU8d`;Svu@PY2<=nB>gFaTXYGGHG? zFHm5SCP(wlGdEdE1Zofg6Ush$E~FQB+6l8H(d~X>LFiwbKX|SO`GUU&-Ndtl2E!X$ z1~bB1E8g-+rW2!=-@e#v5c#+vzpLSOdcRW4PWoO@PsBW~#uO@ms!R9BFx|@-ffWEfP z3c)|#T3?1M+=PYU+^eYs59&A24}*B>LT($%$l7%kq( z-({(~!n-E0D>X71gHMff7bKZhM-^gFhn1**6rCgkjtc{A%4FGR{(#}wtqc>~q!4Xb z&pDh)_jgo#$}N9NNatu+clcL2wf%rmi<_kQa88Nc`py(GK2a}-((WXqw8cld=v>!| zsK_TK0zC62RZN~_1a!?n&BRcU_ts`E;>dw~jbJ3~vlry_sR;w#Yg|CLC!r<_13eaj z2(0Jqu2bWU03}L}?DT%pK<5wjO6V29%r)J0cS})M1xrp+;H~jA?#Jr{44){ zg}x<$|HN=QT_^~6FYlz*nAXKL5tXJ%1@-?lPY`W+@Dr0!i7y5Hg*R|UU;v-c$}olr zPG~OltF^|k)T#~eRFvCJUgq6wa)Ejq!|*yO*+m1$XZXv#pfHEsOA&3*q+JO&M5yCO zUJwPpFfFgABS~!IF12RNln4j5z@-fcV$vdZ2d_44$3<&MOnKl!WrLuFH974my;U|( zLvp;N1Z?4xx>gyV3bsy~@d>jUhH+iTLac3|_lxq>R(u`81ScFvj+Zgpyi9ExJLqOJ zS>sH7+@eO)4C4$Mh=p`VC@m^Suh3}gj(iQ&ll+8#HtS|^gxd0(+1nVev4T~e$SDW zC7nFvYZ3w#hn#0P=7ow;OA>M_mt1&bqG4pHwp`tzWUckLZ%GZkfVVS3T)h(+yhNUZO7&Q5pY= z!jR^0K^6A`xy)=`a+$8me#S3agt%Ln*Pwax!3&=5>=ve9mt-Qx*wk z2Mi&h>fir}p_e*$8{f}S1RSfZbIgBin&2JQA8TfpQcu$^jwC8Prt>nM-L1o*r{?t7 z#z}pP5W#*8%qR^@glbsC_nWKTM3CY@X%R!DiBy)FW&>kYc$>qGI;51Tw%2U($d2lBRS7xTjR+6rwgHm^?q*N(b_1 zYv!l?y~%M>z5#0pXm?|88ICJVz(9--Z ziFgYCIh}jx9rH%kVgJ>O7TG$Udmnf9hs%+6hR1`<8aWVQ1I#7hQL|^*;`bMkX4jYP zXjmtdt)wO5WRl~B2e?S`y?^8?K#O~QZZ79eC3phtN@V#NqBrjr}|AGqs2zS zpaYe^G5+bg1fqVfvwO)GRs$S9h}bFV;HbyV&g8Z?Aut+6krCAcJ$=|4GxK#e!z;Ri$;MkQA4YU#v>k$S1=*sCtRjqm}P3qaxxK_KYSGi}|Rz7Q0 z`YNJ=PKQx>V#mtK%=xU7$?eF*pm_FBAP7Nn)#Llu5{yC&Q`TK^mJ4rh7rzE+?`6rW zJ}X?67k3&B-@1W%<-=2}<=urZG-faY)|n(v-%Q>@mQH|M#8${HM! 
zddcv(oV=WC6tgqg2wUDdry4E3Ef(4T&hj^9>#A^*Ar5IBVJav>5It~CQ_vv8TO=t{ zdN*m7p^EK>N`L`Ne)me@`!`YmAC8w=^I4xs{V9&fKhn>I7G;a#12ptbSIr2txrP~^0p?M?5yQ={Ril~n_Ap2&HR z9Zp`3{RhlQWHfbXj%X>onY}121UGte`>e~pqP3!1ip?U}^I`72QwGv-f>(PrfzyNG zy;wb$=3<|Hm0i9r452l?gLx1~+*Bgn!6dxY`3d!&zO;9mpAd90%HSM`iV#dT!G#7n zhRJPo;z;Wv&U5B8q*z3Cn3rlDPT>4-C(UIu*78R`bU^Canq|}t(bKG`M<8C;S$3sS zTYtfkgzX9`zSGFswVNW~mUS5zBF*1fqzsZR)$(#m&B=M=w#C)DU-%fP60W6dx-T~% z<|K*X^?LtNc;l2ezl0mB)3*jOU)8w)K&xNgM3rNiIY`_xM`pg{U^P`v6<^*h^4!Bl z8c}22i(u1Pg&-`;*HP8p<_OnMWSP7&uDp{=%)8+%y|5j3xlb>&!BZExgpnr?7n)LQ z_D_d5LEWrdq(dFV$QcmFu9~ewUS4+XQo9?^f$ zABL$jM-ID8RKQOCUGB_iGuA2ar=25K2al|0Go9vo)GjCjvb8HF&VW1o&Otw^cbj#2 zdm-@E)4mGlm&8em3oHZGv8i1bpB)clFo;XMYDmLm|LWYd5{8?|t>b3>W0BQg^F^ zzb(R2k+z_9+lwMKZdunm=Y@YtpGt@0EQg|*67Kwf!BWk1E~JXUC?~#`t6w;VtLEAl z_M(gwNg214DwitcD0iOk$P|U$n@F(fX(drNobM|P*=r$4`%G6c>P1kgIT)gvvy69F zlAdu`vJ|E@#NdHkyM>~~*j=8YtCvHwhBGD1i9C_iBK;W5;O%U_Vo%n!9Z$*QC6E~p z@IBBAG;8?a9{}JY{g<@dj9}>s6cwRqrqj6(dBy+r&z93h5rIGu!nJAF>r)q!^<(;c zedv)0nmK>#X*SIBC68_z;+Of-b~P0Sh%-*S**H$XLgw2FVbfrP#cT88zC#^-Hz3m9^b4UFhsTbe903f`BEs^;dgIp9PMf9 z{Zrhk>C7IV^@0hxy8S!)D_o=s#YRU2bJ@1>_H@YU0@U+?-ox6M?C#)yQ#RskNU;8F z*#($E+t!;eMGW7sqGk;7DYS}5gky4gi4C&|xJ3>Te=37o3k{(PweO5Sft?bVs+dF* zkhV1RyX7b_YoVOF>|>|A<-0pc#@Q^Qz}St_q+1+i05i_6h&it>cs41$}VkMbYdg%TAMFd#*Gm>~|iH6JFBJTPwfy zwBL=d2;jzUPz%T6D8yI7Ro{PXH_EnOBqXiWfP$tAsiZ@tzEd3*6<56m7 zy$$cgK9!B%}t`8;(W$%i({*Q3KFRmGZRw(Z!R4H4A$7QxcqnO;t?qrc!5HY>> zik5wD>C(ez|{tp{iim zBO5X+>??q%Ni@%lGoy70`oI8A17*$ev62Jo1f@a_k`q*7vEr-c$OL#*jJZ%5fUcSF zeOGZOC-@N zM7+B2RZ^g|mxvdH5kYmR6)?LImHq>{;Qu%|pj?(?cMN>nYRlwHSBbF2 z_!#vmkZu0N43Gx>Chz@@{JYxU#2dk5>Kk!XaFvk{r5>oSX?2F+I)@REegyaaubNUY zc78S$-o8ipnWmm&#<3OsHaQ62`o0FnUbc{%VF5V_qLq8-HsMI$AK&8(YTBMfwh9^D zr~YKtqzfJaNr_vN?3ZE%i)-IyLXTvZ8$7 zow);cr4e-wgQ;-dQC}*(@Da3bbHFC^2a)fxQJD0g9yF9ZhHjm4;x250_VuwMmPTj9 z>Taxo)@l%dxH<=-2TNp%>EfBDJ~FeBmsPn2HPn4AhK0=Z4lHNOl0lZ`(HO2~-qVir z&f`<(gWi#nA(Y`RhH9j6uGf6nQYiuupMqeSZXmS#MNXtlN=Ec~$$`b|Wh`Z4EngUy4bX)mUQ$(;KC$ 
z(48TPn1of+5~qiPU9qP=W`1``LY%&e((6Y?r*l*&uaPr0SD3m8B>lZ-- zV=Xy0*MV4!@Fq`WV~XxD?&I6c;Oa*Zr%+xnxJ#vhp6nxKt5eTnR%l zm`872o^(OR;0SE5jn0WO6EZ0##G3sZY|rW;MfgXE@*ra3bVYl=I1ykNO-NfUuC%PY zHA*n)u~;kL4c*LPCTEM;zA1}55z?5oh87{e0#)@cUMW#Em@%j1LIRj>ra!Cq&64jF z%}X7Xwdc;HZ+-h;$J>mLP(MhE0Mx|-VU6% zyZkp=6TH3%Beusc^UP~D;`(eLEd z^iVkiZj>7KfOavQHyc55o@&=ivzQ!!USz@9(3h&&t`nHbw7U>KJQBGDvhUKM|4gZZ z_+P2aIt}mbQHB?%%`khXA!D!8m)nUhAZGUmo~!Q(%P-psdhzM4*}x7{m8;Rhdc?0- zQK07mXma%K{O}exu#~4n^ay24RBGA{9y%B1Htu)!993t7&L(dh3^!bagy>Y9u;`BA)P-wD^%2D0@d>o@K77 zfYF*am==p7H(ff=rDu-kZEJZ}F!%S|7C&VJ>Aib7vk&W5gC7LfPm8|zg?^;yB{Ba~ z*8t!&&&sx9Y&;$~_}U1G4Klfzk%HR1@QTp|F$eKx(1kIb%l$%ypw<~O{q zR9TvUFK82ZT_~0;HW(a6H+t%zyq3>@a1G_tcj)2y zgDk(pwBVFK!)V!3t;Qw)l-m9l*)Jc6@)*m4?nlQFa;`}H%boCQwKK(m;K!NRB(PU~ zp%t2MC#>D1RWsIiKC$E9etF4~Jt}x2e%fvk+*45fBtL3Dh>lV8AKpv;OyGad_8PJ8 z>Q1qU_UzH7p{v-|a;LHBq1dCm33bl4$fhhn^NHwyE&(Q|>Dzq@8GSB?v#%aq$D&9< zXG;(vTL)XWt1Ti(!axr#`MFTLk>HIjcJJ|~AdtSw@Kh;WplR*Swf0av_QEJAX~3o} zBz?v04&MNPT(_nHmVXP-EN(|W?U|{`Ii?bC&sE$p!aDx;08><+Bs!y8p;|i;n38QC zz!!AJax_JY>==$wd^#48qU67=|NJ_Y`(lm|6iv2E z)P^Q#q*l81yhRt-&VsO%84^~*SsnkvnS$q++4o%zLLD(gJh_$%vwILup*40`1J|h_pQ|`&!5m0n@(}+55UzMK-h44xb*(yn# z%ys(17K`aO6Ly2Rcyzbv;0DIm9ID+8i7slEgLnQxq>pq7pn7J@3wArO&Nx+i%Fa^; zWKJ*e=hdFtj3pOa6PxIZ^&^L_?c<(h-Te3xTwFjo7YGxx+?O|@vwp#mEYPp)%SUuI z5bLe@J#~k8OY~B0kx+ZCU)U!45>D#O3IY*~OUU9rUg}7o|M}yVpoV{kE|+oumFke_ z98moDJsF%92cIa{ARTl{9W4`Za6oV34u`~(kI>|N$@!+*6^x)DJMoag82wdfX-x(= zc)F8@09cD)zPCnD<1#&+J^1@!FXEy*v8ex2Ffk4??l%36?6-2!O;km(CU#xm=&zkX zo@a&>%c)C9@-Vh>uEv0K{?wo>S2QFe)aUiilWsbIe7)(vPpaM~?)TEwqym!ypspGR z{-6XB@~ literal 0 HcmV?d00001 diff --git a/debian/DEBUILD/ykfde_0.1_amd64.build b/debian/DEBUILD/ykfde_0.1_amd64.build new file mode 100644 index 0000000..a95aa58 --- /dev/null +++ b/debian/DEBUILD/ykfde_0.1_amd64.build 
@@ -0,0 +1,94 @@ + dpkg-buildpackage -us -uc -ui +dpkg-buildpackage: info: source package ykfde +dpkg-buildpackage: info: source version 0.1 +dpkg-buildpackage: info: source distribution UNRELEASED +dpkg-buildpackage: info: source changed by crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> + dpkg-source --before-build . +dpkg-buildpackage: info: host architecture amd64 + fakeroot debian/rules clean +dh clean + dh_auto_clean + make -j6 clean +make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' +rm -fr DEBUILD +make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' + dh_clean + dpkg-source -b . +dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1) +dpkg-source: info: using source format '1.0' +dpkg-source: info: building ykfde using existing ykfde_0.1.orig.tar.gz +dpkg-source: info: building ykfde in ykfde_0.1.diff.gz +dpkg-source: warning: ignoring deletion of directory DEBUILD +dpkg-source: warning: ignoring deletion of directory DEBUILD/ykfde-0.1 +dpkg-source: info: building ykfde in ykfde_0.1.dsc + debian/rules build +dh build + dh_update_autotools_config + dh_autoreconf + dh_auto_configure + debian/rules override_dh_auto_build +make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' +# nothing to build +make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' + dh_auto_test + create-stamp debian/debhelper-build-stamp + fakeroot debian/rules binary +dh binary + dh_testroot + dh_prep + dh_auto_install + debian/rules override_dh_install +make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' +dh_install +install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde +install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript +install -D -o 
root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open +install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll +install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format +install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md +install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf +install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend +install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend +install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service +make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' + dh_installdocs + dh_installchangelogs + debian/rules override_dh_installsystemd +make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' +dh_installsystemd -pykfde \ + --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ + ykfde-suspend.service +make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' + dh_perl + dh_link + dh_strip_nondeterminism + dh_compress + dh_fixperms + dh_missing + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb +dpkg-deb: building package 'ykfde' in '../ykfde_0.1_all.deb'. + dpkg-genbuildinfo + dpkg-genchanges >../ykfde_0.1_amd64.changes +dpkg-genchanges: info: including full source code in upload + dpkg-source --after-build . +dpkg-buildpackage: info: full upload (original source is included) +Now running lintian ykfde_0.1_amd64.changes ... 
+E: ykfde: copyright-should-refer-to-common-license-file-for-apache-2 +E: ykfde source: maintainer-address-malformed Andrei Gherzan +E: ykfde: maintainer-address-malformed Andrei Gherzan +E: ykfde source: malformed-debian-changelog-version 0.1 (for non-native) +E: ykfde: wrong-path-for-interpreter usr/lib/ykfde/initramfs-suspend (#!/usr/bin/bash != /bin/bash) +W: ykfde: binary-without-manpage usr/bin/ykfde-enroll +W: ykfde: binary-without-manpage usr/bin/ykfde-format +W: ykfde: binary-without-manpage usr/bin/ykfde-open +W: ykfde: command-with-path-in-maintainer-script postinst:7 /usr/sbin/update-initramfs +W: ykfde: extended-description-line-too-long +W: ykfde source: missing-debian-source-format +Finished running lintian. + +WARNING generated by debuild: +Making debian/rules executable! + diff --git a/debian/DEBUILD/ykfde_0.1_amd64.buildinfo b/debian/DEBUILD/ykfde_0.1_amd64.buildinfo new file mode 100644 index 0000000..54d2a1c --- /dev/null +++ b/debian/DEBUILD/ykfde_0.1_amd64.buildinfo 
@@ -0,0 +1,167 @@ +Format: 1.0 +Source: ykfde +Binary: ykfde +Architecture: all source +Version: 0.1 +Checksums-Md5: + 3b4b788b9572ff0e9ed2bf586df00936 789 ykfde_0.1.dsc + f012426015db8e7ec49c180b8f512281 13564 ykfde_0.1_all.deb +Checksums-Sha1: + 8903200460a19b84d96b74576cc9c57aa4cd9e05 789 ykfde_0.1.dsc + ca95ac88d8b7163d94919f27d1ce5bdb1edc7bf1 13564 ykfde_0.1_all.deb +Checksums-Sha256: + 901570ed3da3f8d20dd83c722a3c3b93f3c1fa62a6b740c6b5e1a1929df89128 789 ykfde_0.1.dsc + adf4c43014d0969f0c3f149e0b6838d48d90ef2e6935bbd9a5bd581f1ed9d02d 13564 ykfde_0.1_all.deb +Build-Origin: Ubuntu +Build-Architecture: amd64 +Build-Date: Tue, 11 Jan 2022 22:07:12 -0800 +Build-Tainted-By: + merged-usr-via-symlinks +Installed-Build-Depends: + autoconf (= 2.69-11.1), + automake (= 1:1.16.1-4ubuntu6), + autopoint (= 0.19.8.1-10build1), + autotools-dev (= 20180224.1), + base-files (= 11ubuntu5.4+zorin1), + base-passwd (= 3.5.47), + bash (= 5.0-6ubuntu1.1), + binutils (= 2.34-6ubuntu1.3), + binutils-common (= 2.34-6ubuntu1.3), + binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3), + bsdmainutils (= 11.1.2ubuntu3), + bsdutils (= 1:2.34-0.1ubuntu9.1), + build-essential (= 12.8ubuntu1.1), + bzip2 (= 1.0.8-2), + coreutils (= 8.30-3ubuntu2), + cpp (= 4:9.3.0-1ubuntu2), + cpp-9 (= 9.3.0-17ubuntu1~20.04), + dash (= 0.5.10.2-6), + debconf (= 1.5.73), + debhelper (= 12.10ubuntu1), + debianutils (= 4.9.1), + dh-autoreconf (= 19), + dh-exec (= 0.23.2), + dh-strip-nondeterminism (= 1.7.0-1), + diffutils (= 1:3.7-3), + dpkg (= 1.19.7ubuntu3), + dpkg-dev (= 1.19.7ubuntu3), + dwz (= 0.13-5), + file (= 1:5.38-4), + findutils (= 4.7.0-1ubuntu1), + g++ (= 4:9.3.0-1ubuntu2), + g++-9 (= 9.3.0-17ubuntu1~20.04), + gcc (= 4:9.3.0-1ubuntu2), + gcc-10-base (= 10.3.0-1ubuntu1~20.04), + gcc-9 (= 9.3.0-17ubuntu1~20.04), + gcc-9-base (= 9.3.0-17ubuntu1~20.04), + gettext (= 0.19.8.1-10build1), + gettext-base (= 0.19.8.1-10build1), + grep (= 3.4-1), + groff-base (= 1.22.4-4build1), + gzip (= 1.10-0ubuntu4), + hostname (= 
3.23), + init-system-helpers (= 1.57), + install-info (= 6.7.0.dfsg.2-5), + intltool-debian (= 0.35.0+20060710.5), + libacl1 (= 2.2.53-6), + libarchive-zip-perl (= 1.67-2), + libasan5 (= 9.3.0-17ubuntu1~20.04), + libatomic1 (= 10.3.0-1ubuntu1~20.04), + libattr1 (= 1:2.4.48-5), + libaudit-common (= 1:2.8.5-2ubuntu6), + libaudit1 (= 1:2.8.5-2ubuntu6), + libbinutils (= 2.34-6ubuntu1.3), + libblkid1 (= 2.34-0.1ubuntu9.1), + libbsd0 (= 0.10.0-1), + libbz2-1.0 (= 1.0.8-2), + libc-bin (= 2.31-0ubuntu9.2), + libc-dev-bin (= 2.31-0ubuntu9.2), + libc6 (= 2.31-0ubuntu9.2), + libc6-dev (= 2.31-0ubuntu9.2), + libcap-ng0 (= 0.7.9-2.1build1), + libcc1-0 (= 10.3.0-1ubuntu1~20.04), + libcroco3 (= 0.6.13-1), + libcrypt-dev (= 1:4.4.10-10ubuntu4), + libcrypt1 (= 1:4.4.10-10ubuntu4), + libctf-nobfd0 (= 2.34-6ubuntu1.3), + libctf0 (= 2.34-6ubuntu1.3), + libdb5.3 (= 5.3.28+dfsg1-0.6ubuntu2), + libdebconfclient0 (= 0.251ubuntu1), + libdebhelper-perl (= 12.10ubuntu1), + libdpkg-perl (= 1.19.7ubuntu3), + libelf1 (= 0.176-1.1build1), + libffi7 (= 3.3-4), + libfile-stripnondeterminism-perl (= 1.7.0-1), + libgcc-9-dev (= 9.3.0-17ubuntu1~20.04), + libgcc-s1 (= 10.3.0-1ubuntu1~20.04), + libgcrypt20 (= 1.8.5-5ubuntu1.1), + libgdbm-compat4 (= 1.18.1-5), + libgdbm6 (= 1.18.1-5), + libglib2.0-0 (= 2.64.6-1~ubuntu20.04.4), + libgmp10 (= 2:6.2.0+dfsg-4), + libgomp1 (= 10.3.0-1ubuntu1~20.04), + libgpg-error0 (= 1.37-1), + libicu66 (= 66.1-2ubuntu2.1), + libisl22 (= 0.22.1-1), + libitm1 (= 10.3.0-1ubuntu1~20.04), + liblsan0 (= 10.3.0-1ubuntu1~20.04), + liblz4-1 (= 1.9.2-2ubuntu0.20.04.1), + liblzma5 (= 5.2.4-1ubuntu1), + libmagic-mgc (= 1:5.38-4), + libmagic1 (= 1:5.38-4), + libmount1 (= 2.34-0.1ubuntu9.1), + libmpc3 (= 1.1.0-1), + libmpfr6 (= 4.0.2-1), + libpam-modules (= 1.3.1-5ubuntu4.3), + libpam-modules-bin (= 1.3.1-5ubuntu4.3), + libpam-runtime (= 1.3.1-5ubuntu4.3), + libpam0g (= 1.3.1-5ubuntu4.3), + libpcre2-8-0 (= 10.34-7), + libpcre3 (= 2:8.39-12build1), + libperl5.30 (= 5.30.0-9ubuntu0.2), + 
libpipeline1 (= 1.5.2-2build1), + libquadmath0 (= 10.3.0-1ubuntu1~20.04), + libseccomp2 (= 2.5.1-1ubuntu1~20.04.2), + libselinux1 (= 3.0-1build2), + libsigsegv2 (= 2.12-2), + libsmartcols1 (= 2.34-0.1ubuntu9.1), + libstdc++-9-dev (= 9.3.0-17ubuntu1~20.04), + libstdc++6 (= 10.3.0-1ubuntu1~20.04), + libsub-override-perl (= 0.09-2), + libsystemd0 (= 245.4-4ubuntu3.14), + libtinfo6 (= 6.2-0ubuntu2), + libtool (= 2.4.6-14), + libtsan0 (= 10.3.0-1ubuntu1~20.04), + libubsan1 (= 10.3.0-1ubuntu1~20.04), + libuchardet0 (= 0.0.6-3build1), + libudev1 (= 245.4-4ubuntu3.14), + libunistring2 (= 0.9.10-2), + libuuid1 (= 2.34-0.1ubuntu9.1), + libxml2 (= 2.9.10+dfsg-5ubuntu0.20.04.1), + libzstd1 (= 1.4.4+dfsg-3ubuntu0.1), + linux-libc-dev (= 5.4.0-94.106), + login (= 1:4.8.1-1ubuntu5.20.04.1), + lsb-base (= 11.1.0ubuntu2), + m4 (= 1.4.18-4), + make (= 4.2.1-1.2), + man-db (= 2.9.1-1), + mawk (= 1.3.4.20200120-2), + ncurses-base (= 6.2-0ubuntu2), + ncurses-bin (= 6.2-0ubuntu2), + patch (= 2.7.6-6), + perl (= 5.30.0-9ubuntu0.2), + perl-base (= 5.30.0-9ubuntu0.2), + perl-modules-5.30 (= 5.30.0-9ubuntu0.2), + po-debconf (= 1.0.21), + sed (= 4.7-1), + sensible-utils (= 0.0.12+nmu1), + sysvinit-utils (= 2.96-2.1ubuntu1), + tar (= 1.30+dfsg-7ubuntu0.20.04.1), + tzdata (= 2021e-0ubuntu0.20.04), + util-linux (= 2.34-0.1ubuntu9.1), + xz-utils (= 5.2.4-1ubuntu1), + zlib1g (= 1:1.2.11.dfsg-2ubuntu1.2) +Environment: + DEB_BUILD_OPTIONS="parallel=6" + LANG="en_US.UTF-8" + SOURCE_DATE_EPOCH="1641965305" diff --git a/debian/DEBUILD/ykfde_0.1_amd64.changes b/debian/DEBUILD/ykfde_0.1_amd64.changes new file mode 100644 index 0000000..fbaa35e --- /dev/null +++ b/debian/DEBUILD/ykfde_0.1_amd64.changes 
@@ -0,0 +1,34 @@ +Format: 1.8 +Date: Tue, 11 Jan 2022 21:28:25 -0800 +Source: ykfde +Binary: ykfde +Architecture: source all +Version: 0.1 +Distribution: UNRELEASED +Urgency: medium +Maintainer: Andrei Gherzan +Changed-By: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> +Description: + ykfde - This project leverages a YubiKey HMAC-SHA1 Challenge-Response +Changes: + ykfde (0.1) UNRELEASED; urgency=medium + . + * Added Debian/Ubuntu support +Checksums-Sha1: + 8903200460a19b84d96b74576cc9c57aa4cd9e05 789 ykfde_0.1.dsc + e2c140d2c771a17b383edc362e9ec398ff2692d4 14121 ykfde_0.1.orig.tar.gz + eaa145143495e32579e2faab0beac5ce664d0823 1463 ykfde_0.1.diff.gz + ca95ac88d8b7163d94919f27d1ce5bdb1edc7bf1 13564 ykfde_0.1_all.deb + 0b5a244b3323bed5044c51ef362b1a83c36a04a2 5309 ykfde_0.1_amd64.buildinfo +Checksums-Sha256: + 901570ed3da3f8d20dd83c722a3c3b93f3c1fa62a6b740c6b5e1a1929df89128 789 ykfde_0.1.dsc + 532afcc745f33a88369702a933911fbcee52f91b6b7ceb7d9bbeb43bf6193da6 14121 ykfde_0.1.orig.tar.gz + f393949e5dac05027b7135f6f06206f06c5462b0f56afd241d95cc900158aafe 1463 ykfde_0.1.diff.gz + adf4c43014d0969f0c3f149e0b6838d48d90ef2e6935bbd9a5bd581f1ed9d02d 13564 ykfde_0.1_all.deb + beaac1ca0e13c033ef62fc6c165af6452e1a14e54280aa30a347f4ea0b6696f7 5309 ykfde_0.1_amd64.buildinfo +Files: + 3b4b788b9572ff0e9ed2bf586df00936 789 admin optional ykfde_0.1.dsc + b5ff19097aad01c168678bd7630c412f 14121 admin optional ykfde_0.1.orig.tar.gz + d3eaa050adf4cc317cb89b330ab7b38d 1463 admin optional ykfde_0.1.diff.gz + f012426015db8e7ec49c180b8f512281 13564 admin optional ykfde_0.1_all.deb + 92c7f90fd67e731823fac7e0a81d5403 5309 admin optional ykfde_0.1_amd64.buildinfo diff --git a/debian/Makefile b/debian/Makefile index b3db4da..8a38efa 100644 --- a/debian/Makefile +++ b/debian/Makefile 
@@ -3,13 +3,15 @@ info: @echo "clean - clean build directory DEBUILD" VERSION=0.1 -SRC_DIR = yubikey-fde-${VERSION} +SRC_DIR = ykfde-${VERSION} debianize: rm -fr DEBUILD mkdir -p DEBUILD/${SRC_DIR} cp -r * DEBUILD/${SRC_DIR} || true - (cd DEBUILD; tar -zcf yubikey-fde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR}) + cp -r ../src/* DEBUILD/${SRC_DIR} || true + cp ../README.md DEBUILD/${SRC_DIR} || true + (cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR}) builddeb: make debianize @@ -22,5 +24,5 @@ endif clean: rm -fr DEBUILD -test: - ./testrun.sh +#test: +# ./testrun.sh diff --git a/debian/debian/changelog b/debian/debian/changelog index e69de29..82aa37b 100644 --- a/debian/debian/changelog +++ b/debian/debian/changelog @@ -0,0 +1,5 @@ +ykfde (0.1) UNRELEASED; urgency=medium + + * Added Debian/Ubuntu support + + -- crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Tue, 11 Jan 2022 21:28:25 -0800 diff --git a/debian/debian/control b/debian/debian/control index e69de29..5c17a55 100644 --- a/debian/debian/control +++ b/debian/debian/control @@ -0,0 +1,16 @@ +Source: ykfde +Section: admin +Priority: optional +Maintainer: Andrei Gherzan +Build-Depends: debhelper (>= 11), dh-exec +Standards-Version: 4.1.4 +Homepage: https://github.com/agherzan/yubikey-full-disk-encryption + +Package: ykfde +Architecture: all +Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect, ${misc:Depends} +Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response + mode for creating strong LUKS encrypted volume passphrases. + It can be used in intramfs stage during boot process as well as on running system. + . + Requires Yubikey 4 or newer. diff --git a/debian/debian/copyright b/debian/debian/copyright index ee8be5a..1488d56 100644 --- a/debian/debian/copyright +++ b/debian/debian/copyright 
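Review bot: The two copy steps added to `debianize` end in `|| true`, so a missing `../src` or `../README.md` is silently ignored and the orig tarball is built without the unlock scripts. The failure then surfaces only later in `debian/rules`, or not at all for files that rules does not install. The older `cp -r * DEBUILD/${SRC_DIR} || true` presumably needs the guard because DEBUILD is copied into itself, which does not apply to the new lines. I would drop the guard there: `cp -r ../src/* DEBUILD/${SRC_DIR}` and `cp ../README.md DEBUILD/${SRC_DIR}`.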
@@ -1,202 +1,7 @@ +Copyright 2017 Andrei Gherzan -Apache License -Version 2.0, January 2004 -http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - -"License" shall mean the terms and conditions for use, reproduction, -and distribution as defined by Sections 1 through 9 of this document. - -"Licensor" shall mean the copyright owner or entity authorized by -the copyright owner that is granting the License. - -"Legal Entity" shall mean the union of the acting entity and all -other entities that control, are controlled by, or are under common -control with that entity. For the purposes of this definition, -"control" means (i) the power, direct or indirect, to cause the -direction or management of such entity, whether by contract or -otherwise, or (ii) ownership of fifty percent (50%) or more of the -outstanding shares, or (iii) beneficial ownership of such entity. - -"You" (or "Your") shall mean an individual or Legal Entity -exercising permissions granted by this License. - -"Source" form shall mean the preferred form for making modifications, -including but not limited to software source code, documentation -source, and configuration files. - -"Object" form shall mean any form resulting from mechanical -transformation or translation of a Source form, including but -not limited to compiled object code, generated documentation, -and conversions to other media types. - -"Work" shall mean the work of authorship, whether in Source or -Object form, made available under the License, as indicated by a -copyright notice that is included in or attached to the work -(an example is provided in the Appendix below). - -"Derivative Works" shall mean any work, whether in Source or Object -form, that is based on (or derived from) the Work and for which the -editorial revisions, annotations, elaborations, or other modifications -represent, as a whole, an original work of authorship. 
For the purposes -of this License, Derivative Works shall not include works that remain -separable from, or merely link (or bind by name) to the interfaces of, -the Work and Derivative Works thereof. - -"Contribution" shall mean any work of authorship, including -the original version of the Work and any modifications or additions -to that Work or Derivative Works thereof, that is intentionally -submitted to Licensor for inclusion in the Work by the copyright owner -or by an individual or Legal Entity authorized to submit on behalf of -the copyright owner. For the purposes of this definition, "submitted" -means any form of electronic, verbal, or written communication sent -to the Licensor or its representatives, including but not limited to -communication on electronic mailing lists, source code control systems, -and issue tracking systems that are managed by, or on behalf of, the -Licensor for the purpose of discussing and improving the Work, but -excluding communication that is conspicuously marked or otherwise -designated in writing by the copyright owner as "Not a Contribution." - -"Contributor" shall mean Licensor and any individual or Legal Entity -on behalf of whom a Contribution has been received by Licensor and -subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of -this License, each Contributor hereby grants to You a perpetual, -worldwide, non-exclusive, no-charge, royalty-free, irrevocable -copyright license to reproduce, prepare Derivative Works of, -publicly display, publicly perform, sublicense, and distribute the -Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. 
Subject to the terms and conditions of -this License, each Contributor hereby grants to You a perpetual, -worldwide, non-exclusive, no-charge, royalty-free, irrevocable -(except as stated in this section) patent license to make, have made, -use, offer to sell, sell, import, and otherwise transfer the Work, -where such license applies only to those patent claims licensable -by such Contributor that are necessarily infringed by their -Contribution(s) alone or by combination of their Contribution(s) -with the Work to which such Contribution(s) was submitted. If You -institute patent litigation against any entity (including a -cross-claim or counterclaim in a lawsuit) alleging that the Work -or a Contribution incorporated within the Work constitutes direct -or contributory patent infringement, then any patent licenses -granted to You under this License for that Work shall terminate -as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the -Work or Derivative Works thereof in any medium, with or without -modifications, and in Source or Object form, provided that You -meet the following conditions: - -(a) You must give any other recipients of the Work or -Derivative Works a copy of this License; and - -(b) You must cause any modified files to carry prominent notices -stating that You changed the files; and - -(c) You must retain, in the Source form of any Derivative Works -that You distribute, all copyright, patent, trademark, and -attribution notices from the Source form of the Work, -excluding those notices that do not pertain to any part of -the Derivative Works; and - -(d) If the Work includes a "NOTICE" text file as part of its -distribution, then any Derivative Works that You distribute must -include a readable copy of the attribution notices contained -within such NOTICE file, excluding those notices that do not -pertain to any part of the Derivative Works, in at least one -of the following places: within a 
NOTICE text file distributed -as part of the Derivative Works; within the Source form or -documentation, if provided along with the Derivative Works; or, -within a display generated by the Derivative Works, if and -wherever such third-party notices normally appear. The contents -of the NOTICE file are for informational purposes only and -do not modify the License. You may add Your own attribution -notices within Derivative Works that You distribute, alongside -or as an addendum to the NOTICE text from the Work, provided -that such additional attribution notices cannot be construed -as modifying the License. - -You may add Your own copyright statement to Your modifications and -may provide additional or different license terms and conditions -for use, reproduction, or distribution of Your modifications, or -for any such Derivative Works as a whole, provided Your use, -reproduction, and distribution of the Work otherwise complies with -the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, -any Contribution intentionally submitted for inclusion in the Work -by You to the Licensor shall be under the terms and conditions of -this License, without any additional terms or conditions. -Notwithstanding the above, nothing herein shall supersede or modify -the terms of any separate license agreement you may have executed -with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade -names, trademarks, service marks, or product names of the Licensor, -except as required for reasonable and customary use in describing the -origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. 
Unless required by applicable law or -agreed to in writing, Licensor provides the Work (and each -Contributor provides its Contributions) on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -implied, including, without limitation, any warranties or conditions -of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A -PARTICULAR PURPOSE. You are solely responsible for determining the -appropriateness of using or redistributing the Work and assume any -risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, -whether in tort (including negligence), contract, or otherwise, -unless required by applicable law (such as deliberate and grossly -negligent acts) or agreed to in writing, shall any Contributor be -liable to You for damages, including any direct, indirect, special, -incidental, or consequential damages of any character arising as a -result of this License or out of the use or inability to use the -Work (including but not limited to damages for loss of goodwill, -work stoppage, computer failure or malfunction, or any and all -other commercial damages or losses), even if such Contributor -has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing -the Work or Derivative Works thereof, You may choose to offer, -and charge a fee for, acceptance of support, warranty, indemnity, -or other liability obligations and/or rights consistent with this -License. However, in accepting such obligations, You may act only -on Your own behalf and on Your sole responsibility, not on behalf -of any other Contributor, and only if You agree to indemnify, -defend, and hold each Contributor harmless for any liability -incurred by, or claims asserted against, such Contributor by reason -of your accepting any such warranty or additional liability. 
- -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - -To apply the Apache License to your work, attach the following -boilerplate notice, with the fields enclosed by brackets "{}" -replaced with your own identifying information. (Don't include -the brackets!) The text should be enclosed in the appropriate -comment syntax for the file format. We also recommend that a -file or class name and description of purpose be included on the -same "printed page" as the copyright notice for easier -identification within third-party archives. - -Copyright {yyyy} {name of copyright owner} - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. diff --git a/debian/debian/rules b/debian/debian/rules index cd188e5..1a2a680 100644 --- a/debian/debian/rules +++ b/debian/debian/rules 
@@ -13,13 +13,13 @@ override_dh_installsystemd: override_dh_install: dh_install - install -D -o root -g root -m755 ../src/hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde + install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript - install -D -o root -g root -m755 ../src/ykfde-open debian/ykfde/usr/bin/ykfde-open - install -D -o root -g root -m755 ../src/ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll - install -D -o root -g root -m755 ../src/ykfde-format debian/ykfde/usr/bin/ykfde-format - install -D -o root -g root -m644 ../README.md debian/ykfde/usr/share/doc/ykfde/README.md - install -D -o root -g root -m644 ../src/ykfde.conf debian/ykfde/etc/ykfde.conf - install -D -o root -g root -m755 ../src/ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend - install -D -o root -g root -m755 ../src/initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend - install -D -o root -g root -m644 ../src/ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service + install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open + install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll + install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format + install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md + install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf + install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend + install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend + install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service diff --git a/debian/debian/ykfde.postinst b/debian/debian/ykfde.postinst index e69de29..25baaae 100644 --- a/debian/debian/ykfde.postinst 
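Review bot: `install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf` ships the configuration world-readable, and in the project's automatic (1FA) mode that file holds the challenge in cleartext. If every tool that sources it runs as root, `-m600` would keep the challenge away from other local users. That needs confirming against ykfde-open and ykfde-enroll, which are not visible in this hunk. Separately, ykfde-suspend is installed as `usr/lib/ykfde/yubikey-luks-suspend`, so the path used in ykfde-suspend.service should be checked to match.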
+++ b/debian/debian/ykfde.postinst @@ -0,0 +1,22 @@ +#! /bin/sh + +set -e + +case "$1" in + configure) + if [ -x /usr/sbin/update-initramfs ]; then + echo + update-initramfs -u + fi + ;; + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# diff --git a/src/hooks/ykfde-deb b/src/hooks/ykfde-deb index 9602d84..d015c1d 100755 --- a/src/hooks/ykfde-deb +++ b/src/hooks/ykfde-deb @@ -23,7 +23,7 @@ copy_exec /usr/bin/ykchalresp copy_exec /usr/bin/ykinfo copy_exec /usr/bin/sha256sum cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript" -cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf +cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf" #if [ "$SUSPEND" = "1" ]; then # echo "YKFDE: adding yubikey authentication to suspend." diff --git a/src/initramfs-suspend b/src/initramfs-suspend index 5affa55..fce7a9e 100644 --- a/src/initramfs-suspend +++ b/src/initramfs-suspend @@ -1,4 +1,4 @@ -#!/usr/bin/ash +#!/usr/bin/bash # shellcheck shell=dash cryptname="${1}" From a7c8b8d81de07bf6b449500c60ef97a495faf0f9 Mon Sep 17 00:00:00 2001 
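Review bot: The `configure` branch runs `update-initramfs -u`, which by default regenerates the image for the newest installed kernel only. Images for other installed kernels keep booting without the ykfde hook and key script until they are rebuilt. If unlocking from an older kernel has to work straight after installation, `update-initramfs -u -k all` covers every installed version. The script also tests `/usr/sbin/update-initramfs` but invokes the command through PATH; using the same form in both places, e.g. `if command -v update-initramfs >/dev/null; then`, would be more consistent.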
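Review bot: `cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"` places the configuration inside the initramfs, and in automatic mode that file carries the stored challenge in cleartext, so the generated image should not be world-readable. initramfs-tools reads a `UMASK` setting from initramfs.conf, and the hook should say so with a comment such as `# ykfde.conf may hold the challenge; build the image with UMASK=0077`. Neither `cp` in this hunk checks for failure, and whether the script runs under `set -e` is not visible because it starts outside the hunk. If it does not, `|| exit 1` on both lines would stop an image being built without the key script or its configuration.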
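Review bot: The new shebang `#!/usr/bin/bash` contradicts the `# shellcheck shell=dash` directive kept on the next line, so shellcheck still lints the file as dash while it now runs under bash. The file name suggests the script runs inside the initramfs, where bash is normally absent unless a hook copies it in, and `/usr/bin/bash` is only present on merged-/usr systems. If the script stays within POSIX sh, `#!/bin/sh` would work on Debian and agree with the directive; otherwise the directive should become `# shellcheck shell=bash`. The rest of the script is outside the hunk, so which of the two applies cannot be judged from here.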
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 22:21:42 -0800 Subject: [PATCH 05/18] Remove packaging files --- debian/DEBUILD/ykfde-0.1/Makefile | 28 -- debian/DEBUILD/ykfde-0.1/README.md | 273 ------------------ .../generated/ykfde/installed-by-dh_install | 0 .../ykfde/installed-by-dh_installdocs | 0 .../generated/ykfde/postinst.service | 17 -- .../.debhelper/generated/ykfde/prerm.service | 5 - debian/DEBUILD/ykfde-0.1/debian/changelog | 5 - debian/DEBUILD/ykfde-0.1/debian/compat | 1 - debian/DEBUILD/ykfde-0.1/debian/control | 16 - debian/DEBUILD/ykfde-0.1/debian/copyright | 7 - .../ykfde-0.1/debian/debhelper-build-stamp | 1 - debian/DEBUILD/ykfde-0.1/debian/files | 2 - debian/DEBUILD/ykfde-0.1/debian/rules | 25 -- .../ykfde-0.1/debian/ykfde.debhelper.log | 1 - .../DEBUILD/ykfde-0.1/debian/ykfde.postinst | 22 -- .../ykfde-0.1/debian/ykfde.postrm.debhelper | 19 -- .../DEBUILD/ykfde-0.1/debian/ykfde.substvars | 2 - .../ykfde-0.1/debian/ykfde/DEBIAN/conffiles | 1 - .../ykfde-0.1/debian/ykfde/DEBIAN/control | 14 - .../ykfde-0.1/debian/ykfde/DEBIAN/md5sums | 11 - .../ykfde-0.1/debian/ykfde/DEBIAN/postinst | 39 --- .../ykfde-0.1/debian/ykfde/DEBIAN/postrm | 21 -- .../ykfde-0.1/debian/ykfde/DEBIAN/prerm | 7 - .../ykfde-0.1/debian/ykfde/etc/ykfde.conf | 53 ---- .../lib/systemd/system/ykfde-suspend.service | 21 -- .../debian/ykfde/usr/bin/ykfde-enroll | 228 --------------- .../debian/ykfde/usr/bin/ykfde-format | 81 ------ .../ykfde-0.1/debian/ykfde/usr/bin/ykfde-open | 207 ------------- .../ykfde/usr/lib/ykfde/initramfs-suspend | 29 -- .../ykfde/usr/lib/ykfde/yubikey-luks-suspend | 128 -------- .../ykfde/usr/share/doc/ykfde/README.md.gz | Bin 4379 -> 0 bytes .../ykfde/usr/share/doc/ykfde/changelog.gz | Bin 172 -> 0 bytes .../ykfde/usr/share/doc/ykfde/copyright | 7 - .../usr/share/initramfs-tools/hooks/ykfde | 38 --- .../ykfde/usr/share/ykfde/ykfde-keyscript | 72 ----- debian/DEBUILD/ykfde-0.1/hooks/ykfde | 258 
----------------- debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb | 38 --- debian/DEBUILD/ykfde-0.1/initramfs-suspend | 29 -- debian/DEBUILD/ykfde-0.1/install/ykfde | 84 ------ debian/DEBUILD/ykfde-0.1/key-script | 72 ----- debian/DEBUILD/ykfde-0.1/testrun.sh | 60 ---- debian/DEBUILD/ykfde-0.1/ykfde-enroll | 228 --------------- debian/DEBUILD/ykfde-0.1/ykfde-format | 81 ------ debian/DEBUILD/ykfde-0.1/ykfde-open | 207 ------------- debian/DEBUILD/ykfde-0.1/ykfde-suspend | 128 -------- .../DEBUILD/ykfde-0.1/ykfde-suspend.service | 21 -- debian/DEBUILD/ykfde-0.1/ykfde.conf | 53 ---- debian/DEBUILD/ykfde_0.1.diff.gz | Bin 1463 -> 0 bytes debian/DEBUILD/ykfde_0.1.dsc | 20 -- debian/DEBUILD/ykfde_0.1.orig.tar.gz | Bin 14121 -> 0 bytes debian/DEBUILD/ykfde_0.1_all.deb | Bin 13564 -> 0 bytes debian/DEBUILD/ykfde_0.1_amd64.build | 94 ------ debian/DEBUILD/ykfde_0.1_amd64.buildinfo | 167 ----------- debian/DEBUILD/ykfde_0.1_amd64.changes | 34 --- 54 files changed, 2955 deletions(-) delete mode 100644 debian/DEBUILD/ykfde-0.1/Makefile delete mode 100644 debian/DEBUILD/ykfde-0.1/README.md delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/changelog delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/compat delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/control delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/copyright delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/files delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/rules delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log delete mode 100644 
debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/lib/ykfde/initramfs-suspend delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/README.md.gz delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/changelog.gz delete mode 100644 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde delete mode 100755 debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript delete mode 100644 debian/DEBUILD/ykfde-0.1/hooks/ykfde delete mode 100755 debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb delete mode 100644 debian/DEBUILD/ykfde-0.1/initramfs-suspend delete mode 100644 debian/DEBUILD/ykfde-0.1/install/ykfde delete mode 100755 debian/DEBUILD/ykfde-0.1/key-script delete mode 100755 debian/DEBUILD/ykfde-0.1/testrun.sh 
delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-enroll delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-format delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-open delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-suspend delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde-suspend.service delete mode 100644 debian/DEBUILD/ykfde-0.1/ykfde.conf delete mode 100644 debian/DEBUILD/ykfde_0.1.diff.gz delete mode 100644 debian/DEBUILD/ykfde_0.1.dsc delete mode 100644 debian/DEBUILD/ykfde_0.1.orig.tar.gz delete mode 100644 debian/DEBUILD/ykfde_0.1_all.deb delete mode 100644 debian/DEBUILD/ykfde_0.1_amd64.build delete mode 100644 debian/DEBUILD/ykfde_0.1_amd64.buildinfo delete mode 100644 debian/DEBUILD/ykfde_0.1_amd64.changes diff --git a/debian/DEBUILD/ykfde-0.1/Makefile b/debian/DEBUILD/ykfde-0.1/Makefile deleted file mode 100644 index 8a38efa..0000000 --- a/debian/DEBUILD/ykfde-0.1/Makefile +++ /dev/null @@ -1,28 +0,0 @@ -info: - @echo "builddeb [NO_SIGN=1] - build deb package for Ubuntu LTS [NO_SIGN disables signing]" - @echo "clean - clean build directory DEBUILD" - -VERSION=0.1 -SRC_DIR = ykfde-${VERSION} - -debianize: - rm -fr DEBUILD - mkdir -p DEBUILD/${SRC_DIR} - cp -r * DEBUILD/${SRC_DIR} || true - cp -r ../src/* DEBUILD/${SRC_DIR} || true - cp ../README.md DEBUILD/${SRC_DIR} || true - (cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR}) - -builddeb: - make debianize -ifndef NO_SIGN - (cd DEBUILD/${SRC_DIR}; debuild) -else - (cd DEBUILD/${SRC_DIR}; debuild -uc -us) -endif - -clean: - rm -fr DEBUILD - -#test: -# ./testrun.sh diff --git a/debian/DEBUILD/ykfde-0.1/README.md b/debian/DEBUILD/ykfde-0.1/README.md deleted file mode 100644 index 54329f5..0000000 --- a/debian/DEBUILD/ykfde-0.1/README.md +++ /dev/null 
@@ -1,273 +0,0 @@ -# YubiKey Full Disk Encryption - -This project leverages a [YubiKey](https://wiki.archlinux.org/index.php/Yubikey) [HMAC-SHA1 Challenge-Response](https://wiki.archlinux.org/index.php/Yubikey#Challenge-Response) mode for creating strong [LUKS](https://gitlab.com/cryptsetup/cryptsetup) encrypted volume passphrases. It can be used in intramfs stage during boot process as well as on running system. - -Be aware that this was only tested and intended for: - -* [Arch Linux](https://www.archlinux.org/) and its derivatives -* [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/) - -There is similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks) - -Table of Contents -================= - - * [YubiKey Full Disk Encryption](#yubikey-full-disk-encryption) - * [Table of Contents](#table-of-contents) - * [Design](#design) - * [Automatic mode with stored challenge (1FA)](#automatic-mode-with-stored-challenge-1fa) - * [Manual mode with secret challenge (2FA)](#manual-mode-with-secret-challenge-2fa) - * [Install](#install) - * [From Arch Linux official repository](#from-arch-linux-official-repository) - * [From Github using 'makepkg'](#from-github-using-makepkg) - * [From Github using 'make'](#from-github-using-make) - * [Configure](#configure) - * [Configure HMAC-SHA1 Challenge-Response slot in YubiKey](#configure-hmac-sha1-challenge-response-slot-in-yubikey) - * [Edit /etc/ykfde.conf file](#edit-etcykfdeconf-file) - * [Usage](#usage) - * [Format new LUKS encrypted volume using ykfde passphrase](#format-new-luks-encrypted-volume-using-ykfde-passphrase) - * [Enroll ykfde passphrase to existing LUKS encrypted volume](#enroll-ykfde-passphrase-to-existing-luks-encrypted-volume) - * [Enroll new ykfde passphrase to existing LUKS encrypted volume protected by old ykfde 
passphrase](#enroll-new-ykfde-passphrase-to-existing-luks-encrypted-volume-protected-by-old-ykfde-passphrase) - * [Unlock LUKS encrypted volume protected by ykfde passphrase](#unlock-luks-encrypted-volume-protected-by-ykfde-passphrase) - * [Kill ykfde passphrase for existing LUKS encrypted volume](#kill-ykfde-passphrase-for-existing-luks-encrypted-volume) - * [Enable ykfde initramfs hook](#enable-ykfde-initramfs-hook) - * [Enable NFC support in ykfde initramfs hook (experimental)](#enable-nfc-support-in-ykfde-initramfs-hook-experimental) - * [Enable ykfde suspend service (experimental)](#enable-ykfde-suspend-service-experimental) - * [License](#license) - -# Design - -The passphrase for unlocking *LUKS* encrypted volumes can be created in two ways: - -## Automatic mode with stored challenge (1FA) - -In *Automatic mode* you create custom *challenge* with 0-64 byte length and store it in cleartext in */etc/ykfde.conf* and inside the initramfs image. - -Example *challenge*:`123456abcdef` - -The *YubiKey* *response* is a *HMAC-SHA1* 40 byte length string created from your provided challenge and 20 byte length secret key stored inside the token. It will be used as your *LUKS* encrypted volume passphrase. - -Example *response* (ykfde passphrase): `bd438575f4e8df965c80363f8aa6fe1debbe9ea9` - -In this mode possession of your *YubiKey* is enough to unlock a *LUKS* encrypted volume (1FA). It allows for the easy unlocking of encrypted volumes when *YubiKey* is present without need for user action. - - -## Manual mode with secret challenge (2FA) - -In *Secret mode* you will be asked to provide a custom *challenge* every time you want to unlock your *LUKS* encrypted volume as it will never be stored anywhere on system. - -Example *challenge*: `123456abcdef` - -It will be hashed using the *SHA256* algorithm to achieve constant byte length (64) for any given *challenge*. It's also the maximum length that *YubiKey* can take as input. 
The hash will be used as the final *challenge* provided for *YubiKey*. - -Hashing function: - -``` -printf 123456abcdef | sha256sum | awk '{print $1}' -``` - -Example hashed *challenge*: `8fa0acf6233b92d2d48a30a315cd213748d48f28eaa63d7590509392316b3016` - - The *YubiKey* *response* is a *HMAC-SHA1* 40 byte length string created from your provided *challenge* and 20 byte length secret key stored inside the token. It will be concatenated with the *challenge* and used as your *LUKS* encrypted volume passphrase for a total length of 104 (64+40) bytes. - -Example response: `bd438575f4e8df965c80363f8aa6fe1debbe9ea9` - -Example ykfde passphrase: `8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92bd438575f4e8df965c80363f8aa6fe1debbe9ea9` - -This strong passphrase cannot be broken by brute force. To recreate it one would need both your passphrase (something you know) and your *YubiKey* (something you have) which means it works like 2FA. - -Keep in mind that the above doesn't protect you from physical tampering like *evil maid attack* and from *malware* running after you unlock and boot your system. Use security tools designed to prevent those attacks. - -# Install - -## From Arch Linux official repository - -The easiest way is to install package from [official Arch Linux repository](https://www.archlinux.org/packages/community/any/yubikey-full-disk-encryption/). 
- -``` -sudo pacman -Syu yubikey-full-disk-encryption -``` - -## From Github using 'makepkg' - -``` -wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/PKGBUILD -makepkg -srci -``` - -## From Github using 'make' - -``` -git clone https://github.com/agherzan/yubikey-full-disk-encryption.git -cd yubikey-full-disk-encryption -sudo make install -``` - -When installing by using `make` you also need to install [yubikey-personalization](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/) and [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) packages. - -# Configure - - -## Configure HMAC-SHA1 Challenge-Response slot in YubiKey - -First of all you need to [setup a configuration slot](https://wiki.archlinux.org/index.php/Yubikey#Setup_the_slot) for *YubiKey HMAC-SHA1 Challenge-Response* mode using a command similar to: - -``` -ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig -``` - -Above arguments mean: - -* Verbose output (`-v`) -* Use slot 2 (`-2`) -* Set Challenge-Response mode (`-ochal-resp`) -* Generate HMAC-SHA1 challenge responses (`-ochal-hmac`) -* Calculate HMAC on less than 64 bytes input (`-ohmac-lt64`) -* Allow YubiKey serial number to be read using an API call (`-oserial-api-visible`) -* Require touching YubiKey before issue response (`-ochal-btn-trig`) *(optional)* - -This command will enable *HMAC-SHA1 Challenge-Response* mode on a chosen slot and write random 20 byte length secret key to your YubiKey which will be used for creating ykfde passphrases. 
-
-**Warning: choosing YubiKey slot already configured for *HMAC-SHA1 Challenge-Response* mode will overwrite secret key with the new one which means ykfde passphrases created with the old key will be unrecoverable.**
-
-You may instead enable *HMAC-SHA1 Challenge-Response* mode using graphical interface through [yubikey-personalization-gui](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization-gui/) package. It allows for customization of the secret key, creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating same ykfde passphrases.
-
-## Edit /etc/ykfde.conf file
-
-Open the [/etc/ykfde.conf](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf) file and adjust it for your needs. Alternatively to setting `YKFDE_DISK_UUID` and `YKFDE_LUKS_NAME`, you can use `cryptdevice` kernel parameter. The [syntax](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Configuring_the_kernel_parameters) is compatible with Arch's `encrypt` hook. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
-
-```
-sudo mkinitcpio -P
-```
-
-
-# Usage
-You can list existing LUKS key slots with `cryptsetup luksDump /dev/`.
-
-## Format new LUKS encrypted volume using ykfde passphrase
-
-To format new *LUKS* encrypted volume, you can use [ykfde-format](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-format) script which is wrapper over `cryptsetup luksFormat` command:
-
-```
-ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/
-```
-
-## Enroll ykfde passphrase to existing LUKS encrypted volume
-
-To enroll new ykfde passphrase to existing *LUKS* encrypted volume you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help:
-
-```
-ykfde-enroll -d /dev/ -s
-```
-
-**Warning: having a weaker non-ykfde passphrase(s) on the same *LUKS* encrypted volume undermines the ykfde passphrase value as potential attacker will always try to break the weaker passphrase. Make sure the other non-ykfde passphrases are similarly strong or remove them.**
-
-## Enroll new ykfde passphrase to existing LUKS encrypted volume protected by old ykfde passphrase
-
-To enroll new ykfde passphrase to existing *LUKS* encrypted volume protected by old ykfde passphrase you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help:
-
-```
-ykfde-enroll -d /dev/ -s -o
-```
-
-## Unlock LUKS encrypted volume protected by ykfde passphrase
-
-To unlock *LUKS* encrypted volume on a running system, you can use [ykfde-open](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-open) script, see `ykfde-open -h` for help.
-
-As unprivileged user using udisksctl (recommended):
-
-```
-ykfde-open -d /dev/
-```
-
-As root using cryptsetup (when [udisks2](https://www.archlinux.org/packages/extra/x86_64/udisks2/) or [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) aren't available):
-
-```
-ykfde-open -d /dev/ -n
-```
-
-To print only the ykfde passphrase to the console without unlocking any volumes:
-
-```
-ykfde-open -p
-```
-
-To test only a passphrase for a specific key slot:
-
-```
-ykfde-open -d /dev/ -s -t
-```
-
-To use optional parameters, example, use an external luks header:
-
-```
-ykfde-open -d /dev/ -- --header /mnt/luks-header.img
-```
-
-## Kill ykfde passphrase for existing LUKS encrypted volume
-
-To kill a ykfde passphrase for existing *LUKS* encrypted volume you can use [ykfde-enroll](https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde-enroll) script, see `ykfde-enroll -h` for help:
-
-```
-ykfde-enroll -d /dev/ -s -k
-```
-
-## Enable ykfde initramfs hook
-
-**Warning: It's recommended to have already working [encrypted system setup](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system) with `encrypt` hook and non-ykfde passphrase before starting to use `ykfde` hook with ykfde passphrase to avoid potential misconfigurations.**
-
-Edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
-
-```
-sudo mkinitcpio -P
-```
-
-Reboot and test your configuration.
-
-## Enable NFC support in ykfde initramfs hook (experimental)
-
-**Warning: Currently NFC support is implemented only in initramfs hook. All ykfde manipulations on booted system have to be done through USB.**
-
-NFC support is provided through [libnfc](https://www.archlinux.org/packages/community/x86_64/libnfc/) and [ykchalresp-nfc](https://aur.archlinux.org/packages/ykchalresp-nfc/) tools. Make sure you have both packages installed. Edit `/etc/ykfde.conf` and uncomment `YKFDE_NFC="1"`setting. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
-
-```
-sudo mkinitcpio -P
-```
-
-Reboot and test your configuration.
-
-## Enable ykfde suspend service (experimental)
-
-You can enable the `ykfde-suspend` service which allows for automatically locking encrypted *LUKS* volumes and wiping keys from memory on suspend and unlocking them on resume by using `cryptsetup luksSuspend` and `cryptsetup luksResume` commands.
-
-**Warning: RAM storage stays unencrypted in that case.**
-
-Edit `/etc/mkinitcpio.conf` and add `shutdown` hook as the last in `HOOKS` array. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation):
-
-```
-sudo mkinitcpio -P
-```
-
-Enable related systemd service:
-
-```
-systemctl enable ykfde-suspend.service
-```
-
-Reboot and test your configuration.
-
-# License
-
-Copyright 2017 Andrei Gherzan
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_install
deleted file mode 100644
index e69de29..0000000
diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/installed-by-dh_installdocs
deleted file mode 100644
index e69de29..0000000
diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service
deleted file mode 100644
index 6418dae..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/postinst.service
+++ /dev/null
@@ -1,17 +0,0 @@
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
- if deb-systemd-helper debian-installed 'ykfde-suspend.service'; then
- # This will only remove masks created by d-s-h on package removal.
- deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
-
- if deb-systemd-helper --quiet was-enabled 'ykfde-suspend.service'; then
- # Create new symlinks, if any.
- deb-systemd-helper enable 'ykfde-suspend.service' >/dev/null || true
- fi
- fi
-
- # Update the statefile to add new symlinks (if any), which need to be cleaned
- # up on purge. Also remove old symlinks.
- deb-systemd-helper update-state 'ykfde-suspend.service' >/dev/null || true
-fi
-# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service b/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service
deleted file mode 100644
index 701f7fb..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/.debhelper/generated/ykfde/prerm.service
+++ /dev/null
@@ -1,5 +0,0 @@
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
- deb-systemd-invoke stop 'ykfde-suspend.service' >/dev/null || true
-fi
-# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/changelog b/debian/DEBUILD/ykfde-0.1/debian/changelog
deleted file mode 100644
index 82aa37b..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/changelog
+++ /dev/null
@@ -1,5 +0,0 @@
-ykfde (0.1) UNRELEASED; urgency=medium
-
- * Added Debian/Ubuntu support
-
- -- crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Tue, 11 Jan 2022 21:28:25 -0800
diff --git a/debian/DEBUILD/ykfde-0.1/debian/compat b/debian/DEBUILD/ykfde-0.1/debian/compat
deleted file mode 100644
index b4de394..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-11
diff --git a/debian/DEBUILD/ykfde-0.1/debian/control b/debian/DEBUILD/ykfde-0.1/debian/control
deleted file mode 100644
index 5c17a55..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/control
+++ /dev/null
@@ -1,16 +0,0 @@
-Source: ykfde
-Section: admin
-Priority: optional
-Maintainer: Andrei Gherzan
-Build-Depends: debhelper (>= 11), dh-exec
-Standards-Version: 4.1.4
-Homepage: https://github.com/agherzan/yubikey-full-disk-encryption
-
-Package: ykfde
-Architecture: all
-Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect, ${misc:Depends}
-Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response
- mode for creating strong LUKS encrypted volume passphrases.
- It can be used in intramfs stage during boot process as well as on running system.
- .
- Requires Yubikey 4 or newer.
diff --git a/debian/DEBUILD/ykfde-0.1/debian/copyright b/debian/DEBUILD/ykfde-0.1/debian/copyright
deleted file mode 100644
index 1488d56..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/copyright
+++ /dev/null
@@ -1,7 +0,0 @@
-Copyright 2017 Andrei Gherzan
-
-Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
diff --git a/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp b/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp
deleted file mode 100644
index 2074761..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/debhelper-build-stamp
+++ /dev/null
@@ -1 +0,0 @@
-ykfde
diff --git a/debian/DEBUILD/ykfde-0.1/debian/files b/debian/DEBUILD/ykfde-0.1/debian/files
deleted file mode 100644
index 250e7c6..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/files
+++ /dev/null
@@ -1,2 +0,0 @@
-ykfde_0.1_all.deb admin optional
-ykfde_0.1_amd64.buildinfo admin optional
diff --git a/debian/DEBUILD/ykfde-0.1/debian/rules b/debian/DEBUILD/ykfde-0.1/debian/rules
deleted file mode 100755
index 1a2a680..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/rules
+++ /dev/null
@@ -1,25 +0,0 @@
-#! /usr/bin/make -f
-
-%:
- dh $@
-
-override_dh_auto_build:
- # nothing to build
-
-override_dh_installsystemd:
- dh_installsystemd -pykfde \
- --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \
- ykfde-suspend.service
-
-override_dh_install:
- dh_install
- install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde
- install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript
- install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open
- install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll
- install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format
- install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md
- install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf
- install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend
- install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend
- install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log b/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log
deleted file mode 100644
index e15a197..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde.debhelper.log
+++ /dev/null
@@ -1 +0,0 @@
-dh_installsystemd
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst
deleted file mode 100644
index 25baaae..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postinst
+++ /dev/null
@@ -1,22 +0,0 @@
-#! /bin/sh
-
-set -e
-
-case "$1" in
- configure)
- if [ -x /usr/sbin/update-initramfs ]; then
- echo
- update-initramfs -u
- fi
- ;;
- abort-upgrade|abort-remove|abort-deconfigure)
-
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-#DEBHELPER#
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper b/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper
deleted file mode 100644
index 4fb406a..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde.postrm.debhelper
+++ /dev/null
@@ -1,19 +0,0 @@
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ -d /run/systemd/system ]; then
- systemctl --system daemon-reload >/dev/null || true
-fi
-# End automatically added section
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ "$1" = "remove" ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper mask 'ykfde-suspend.service' >/dev/null || true
- fi
-fi
-
-if [ "$1" = "purge" ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper purge 'ykfde-suspend.service' >/dev/null || true
- deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
- fi
-fi
-# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars b/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars
deleted file mode 100644
index 978fc8b..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde.substvars
+++ /dev/null
@@ -1,2 +0,0 @@
-misc:Depends=
-misc:Pre-Depends=
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles
deleted file mode 100644
index b7ecc75..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/conffiles
+++ /dev/null
@@ -1 +0,0 @@
-/etc/ykfde.conf
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control
deleted file mode 100644
index 757d05d..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/control
+++ /dev/null
@@ -1,14 +0,0 @@
-Package: ykfde
-Version: 0.1
-Architecture: all
-Maintainer: Andrei Gherzan
-Installed-Size: 60
-Depends: cryptsetup, initramfs-tools, yubikey-personalization (>= 1.5), udisks2, expect
-Section: admin
-Priority: optional
-Homepage: https://github.com/agherzan/yubikey-full-disk-encryption
-Description: This project leverages a YubiKey HMAC-SHA1 Challenge-Response
- mode for creating strong LUKS encrypted volume passphrases.
- It can be used in intramfs stage during boot process as well as on running system.
- .
- Requires Yubikey 4 or newer.
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums
deleted file mode 100644
index 5fbca7d..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/md5sums
+++ /dev/null
@@ -1,11 +0,0 @@
-769bca98716ca774ed0ae9f33de61835 lib/systemd/system/ykfde-suspend.service
-d3ed38318a7a12a8fd5bbf81fcb016d2 usr/bin/ykfde-enroll
-642e792c052c34be5585db29a0284457 usr/bin/ykfde-format
-4242ca31405f4d4b6541cfa0a3b3cc1b usr/bin/ykfde-open
-f9416699896f40db5b8edf24871ab100 usr/lib/ykfde/initramfs-suspend
-b0f4f822744695d27bead9e971f8a820 usr/lib/ykfde/yubikey-luks-suspend
-904c0ee018481e06a9f1dd9feae72ccc usr/share/doc/ykfde/README.md.gz
-3c74a9d70ac8577c9285386b947103de usr/share/doc/ykfde/changelog.gz
-263720abf7536bd50db10f7f16ae4ef8 usr/share/doc/ykfde/copyright
-c032a821f9750aab07bc3044d6258685 usr/share/initramfs-tools/hooks/ykfde
-07d9cd251e02f64b4099b644324cbd1b usr/share/ykfde/ykfde-keyscript
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst
deleted file mode 100755
index e2cb5d0..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postinst
+++ /dev/null
@@ -1,39 +0,0 @@
-#! /bin/sh
-
-set -e
-
-case "$1" in
- configure)
- if [ -x /usr/sbin/update-initramfs ]; then
- echo
- update-initramfs -u
- fi
- ;;
- abort-upgrade|abort-remove|abort-deconfigure)
-
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
- if deb-systemd-helper debian-installed 'ykfde-suspend.service'; then
- # This will only remove masks created by d-s-h on package removal.
- deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
-
- if deb-systemd-helper --quiet was-enabled 'ykfde-suspend.service'; then
- # Create new symlinks, if any.
- deb-systemd-helper enable 'ykfde-suspend.service' >/dev/null || true
- fi
- fi
-
- # Update the statefile to add new symlinks (if any), which need to be cleaned
- # up on purge. Also remove old symlinks.
- deb-systemd-helper update-state 'ykfde-suspend.service' >/dev/null || true
-fi
-# End automatically added section
-
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm
deleted file mode 100755
index 96262eb..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/postrm
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-set -e
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ -d /run/systemd/system ]; then
- systemctl --system daemon-reload >/dev/null || true
-fi
-# End automatically added section
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ "$1" = "remove" ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper mask 'ykfde-suspend.service' >/dev/null || true
- fi
-fi
-
-if [ "$1" = "purge" ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper purge 'ykfde-suspend.service' >/dev/null || true
- deb-systemd-helper unmask 'ykfde-suspend.service' >/dev/null || true
- fi
-fi
-# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm b/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm
deleted file mode 100755
index bf05e60..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/DEBIAN/prerm
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-# Automatically added by dh_installsystemd/12.10ubuntu1
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
- deb-systemd-invoke stop 'ykfde-suspend.service' >/dev/null || true
-fi
-# End automatically added section
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf b/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf
deleted file mode 100644
index 84d9d5c..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/etc/ykfde.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-### Configuration for 'yubikey-full-disk-encryption'.
-### Remove hash (#) symbol and set non-empty ("") value for chosen options to
-### enable them.
-
-### *REQUIRED* ###
-
-# Set to non-empty value to use 'Automatic mode with stored challenge (1FA)'.
-#YKFDE_CHALLENGE=""
-
-# Use 'Manual mode with secret challenge (2FA)'.
-#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
-
-# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
-# Possible values are "1" or "2". Defaults to "2".
-#YKFDE_CHALLENGE_SLOT="2"
-
-### OPTIONAL ###
-
-# Enable communication with YubiKey via NFC (Experimental).
-#YKFDE_NFC="1"
-
-# UUID of device to unlock with 'cryptsetup'.
-# Leave empty to use 'cryptdevice' boot parameter.
-#YKFDE_DISK_UUID=""
-
-# LUKS encrypted volume name after unlocking.
-# Leave empty to use 'cryptdevice' boot parameter.
-#YKFDE_LUKS_NAME=""
-
-# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
-# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
-# Leave empty to use 'cryptdevice' boot parameter.
-#YKFDE_LUKS_DEV=""
-
-# Optionally pass '--allow-discards' to 'cryptsetup' for TRIM
-# support. Leave empty to use 'cryptdevice' boot parameter.
-#YKFDE_LUKS_OPTIONS="--allow-discards"
-
-# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
-# Defaults to "5".
-#YKFDE_CRYPTSETUP_TRIALS="5"
-
-# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
-# Defaults to "30".
-#YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
-
-# Number of seconds to wait after successful decryption.
-# Defaults to empty, meaning NO wait.
-#YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
-
-# Verbose output. It will print all secrets to terminal.
-# Use only for debugging.
-#DBG="1"
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service b/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service
deleted file mode 100644
index 6277ee7..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/lib/systemd/system/ykfde-suspend.service
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file has been adapted from systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Suspend
-Documentation=man:systemd-suspend.service(8)
-DefaultDependencies=no
-Requires=sleep.target
-After=sleep.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/openvt -ws -- /usr/lib/ykfde-suspend/ykfde-suspend
-Nice=-20
-
-[Install]
-Alias=systemd-suspend.service
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll
deleted file mode 100755
index da4b5fb..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-enroll
+++ /dev/null
@@ -1,228 +0,0 @@
-#!/bin/bash -p
-
-set -euo pipefail
-
-# sanitize environment
-PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-YKFDE_LUKS_DEV=""
-YKFDE_LUKS_KEYSLOT=""
-YKFDE_CHANGE_KEYSLOT=""
-YKFDE_OLD_YUBIKEY=""
-DBG=""
-YKFDE_SLOT_CHECK=""
-YKFDE_SLOT_KILL=""
-YKFDE_CHALLENGE_SLOT="2"
-YKFDE_CHALLENGE_PASSWORD_NEEDED=""
-YKFDE_CHALLENGE=""
-YKFDE_RESPONSE=""
-YKFDE_PASSPHRASE=""
-YKFDE_OLD_CHALLENGE=""
-YKFDE_OLD_RESPONSE=""
-YKFDE_OLD_PASSPHRASE=""
-
-if [ -r /etc/ykfde.conf ]; then
- # shellcheck source=ykfde.conf
- . /etc/ykfde.conf
-else
- echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
-fi
-
-while getopts ":d:s:ckovh" opt; do
- case "$opt" in
- d)
- YKFDE_LUKS_DEV="$OPTARG"
- printf '%s\n' "INFO: Setting device to '$OPTARG'."
- ;;
- s)
- if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then
- YKFDE_LUKS_KEYSLOT="$OPTARG"
- printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'."
- else
- printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'."
- exit 1
- fi
- ;;
- c)
- YKFDE_CHANGE_KEYSLOT=1
- echo "INFO: Changing existing LUKS keyslot"
- ;;
- k)
- YKFDE_SLOT_KILL=1
- echo "WARNING: Killing existing LUKS keyslot. If it's the last configured keyslot, the device will be inaccessible!"
- ;;
- o)
- YKFDE_OLD_YUBIKEY=1
- echo "INFO: Using old YubiKey for passphrase"
- ;;
- v)
- DBG=1
- echo "INFO: Debugging enabled"
- ;;
- h)
- echo
- echo " -d : select an existing device"
- echo " -s : select the LUKS keyslot"
- echo " -c : change an existing keyslot"
- echo " -k : killing an existing keyslot"
- echo " -o : use old YubiKey for passphrase"
- echo " -v : show input/output in cleartext"
- echo
- exit 0
- ;;
- \?)
- printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2
- echo
- echo " -d : select an existing device"
- echo " -s : select the LUKS keyslot"
- echo " -c : change an existing keyslot"
- echo " -k : killing an existing keyslot"
- echo " -o : use old YubiKey for passphrase"
- echo " -v : show input/output in cleartext"
- echo
- exit 1
- ;;
- esac
-done
-
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
-
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
- printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
- exit 1
-fi
-
-if [ -z "$YKFDE_LUKS_DEV" ]; then
- echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-enroll -h' for help."
- exit 1
-fi
-
-if [ ! -e "$YKFDE_LUKS_DEV" ]; then
- printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device."
- exit 1
-fi
-
-if [ ! -r "$YKFDE_LUKS_DEV" ] || [ ! -w "$YKFDE_LUKS_DEV" ]; then
- printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't accessible for current user '$(whoami)'. Please execute this script as 'root'."
- exit 1
-fi
-
-if ! cryptsetup isLuks "$YKFDE_LUKS_DEV"; then
- printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device."
- exit 1
-fi
-
-if [ -z "$YKFDE_LUKS_KEYSLOT" ]; then
- echo "ERROR: LUKS keyslot not selected. Please select LUKS keyslot using '-s' option, see 'ykfde-enroll -h' for help."
- exit 1
-fi
-
-printf '%s\n' "WARNING: This script will utilize LUKS keyslot '$YKFDE_LUKS_KEYSLOT' on device '$YKFDE_LUKS_DEV'. If this is not what you intended, please abort."
-
-[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
-[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
-
-while [ -z "$YKFDE_CHALLENGE" ]; do
- echo " > Please provide the challenge."
- printf " Enter challenge: "
- if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
- printf "\\n > Please repeat the challenge.\\n"
- printf " Enter challenge: "
- if [ "$DBG" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
- if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
- echo "WARNING: Challenges do not match. Try again."
- YKFDE_CHALLENGE=""
- fi
- [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
- # if /NOT/ DBG, we need to output \n here.
- [ "$DBG" ] || echo
-done
-
-if [ -z "$YKFDE_CHALLENGE" ]; then
- echo "ERROR: ykfde challenge is empty. Operation aborted."
- exit 1
-fi
-
-while [ -z "$YKFDE_RESPONSE" ]; do
- [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
- echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
- [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
-done
-
-if [ "$YKFDE_RESPONSE" ]; then
- if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
- else
- YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
- fi
-fi
-
-if [ "$YKFDE_SLOT_KILL" ]; then
- [ "$DBG" ] && printf '%s\n' " > Killing with 'cryptsetup luksKillSlot $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT'..." || echo " > Killing slot with 'cryptsetup'..."
- printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksKillSlot "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" 2>&1
- printf '%s\n' " LUKS key slot $YKFDE_LUKS_KEYSLOT successfully killed"
- exit 0
-fi
-
-if [ "$YKFDE_OLD_YUBIKEY" ]; then
- echo "Please insert old YubiKey for existing keyslot."
-
- while [ -z "$YKFDE_OLD_CHALLENGE" ]; do
- echo " > Please provide the old challenge."
- printf " Enter challenge: "
- if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE; else read -r -s YKFDE_OLD_CHALLENGE; fi
- printf "\\n > Please repeat the old challenge.\\n"
- printf " Enter challenge: "
- if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE2; else read -r -s YKFDE_OLD_CHALLENGE2; fi
- if [ "$YKFDE_OLD_CHALLENGE" != "$YKFDE_OLD_CHALLENGE2" ]; then
- echo "WARNING: Challenges do not match. Try again."
- YKFDE_OLD_CHALLENGE=""
- fi
- [ "$YKFDE_OLD_CHALLENGE" ] && YKFDE_OLD_CHALLENGE="$(printf %s "$YKFDE_OLD_CHALLENGE" | sha256sum | awk '{print $1}')"
- # if /NOT/ DBG, we need to output \n here.
- [ "$DBG" ] || echo
- done
-
- if [ -z "$YKFDE_OLD_CHALLENGE" ]; then
- echo "ERROR: ykfde old challenge is empty. Operation aborted."
- exit 1
- fi
-
- while [ -z "$YKFDE_OLD_RESPONSE" ]; do
- [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..."
- echo " Remember to touch the old device if necessary."
- YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
- [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_OLD_RESPONSE'"
- done
-
- if [ "$YKFDE_OLD_RESPONSE" ]; then
- if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_CHALLENGE$YKFDE_OLD_RESPONSE"
- else
- YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_RESPONSE"
- fi
- fi
-else
- echo "Please provide the old LUKS passphrase for the existing keyslot."
- printf " Enter passphrase: "
- if [ "$DBG" ]; then read -r YKFDE_OLD_PASSPHRASE; else read -r -s YKFDE_OLD_PASSPHRASE; fi
-fi
-
-if [ "$YKFDE_PASSPHRASE" ]; then
- [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
- if [ "$YKFDE_CHANGE_KEYSLOT" ]; then
- [ "$DBG" ] && printf '%s\n' " > Changing LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksChangeKey $YKFDE_LUKS_DEV'..." || echo " > Changing LUKS passphrase with 'cryptsetup'..."
- printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksChangeKey "$YKFDE_LUKS_DEV" 2>&1
- printf '%s\n' " LUKS passphrase for key slot $YKFDE_LUKS_KEYSLOT successfully changed"
- else
- [ "$DBG" ] && printf '%s\n' " > Adding new LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksAddKey $YKFDE_LUKS_DEV'..." || echo " > Adding new LUKS passphrase with 'cryptsetup'..."
- printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksAddKey "$YKFDE_LUKS_DEV" 2>&1
- printf '%s\n' " New LUKS passphrase successfully added"
- fi
-else
- echo "ERROR: ykfde passphrase is empty. Operation aborted."
- exit 1
-fi
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format
deleted file mode 100755
index 2371be0..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-format
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/bash -p
-
-set -euo pipefail
-
-# sanitize environment
-PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-YKFDE_SLOT_CHECK=""
-YKFDE_CHALLENGE_SLOT="2"
-#DBG=""
-YKFDE_CHALLENGE_PASSWORD_NEEDED=""
-YKFDE_CHALLENGE=""
-YKFDE_RESPONSE=""
-YKFDE_PASSPHRASE=""
-
-if [ -r /etc/ykfde.conf ]; then
- # shellcheck source=ykfde.conf
- . /etc/ykfde.conf
-else
- echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
-fi
-
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
-
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
- printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
- exit 1
-fi
-
-printf '%s\n' "WARNING: This script will run 'cryptsetup luksFormat $*'. If this is not what you intended, please abort."
-
-[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
-[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
-
-while [ -z "$YKFDE_CHALLENGE" ]; do
- echo " > Please provide the challenge."
- printf " Enter challenge: "
- if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
- printf "\\n > Please repeat the challenge.\\n"
- printf " Enter challenge: "
- if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
- if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
- echo "WARNING: Challenges do not match. Try again."
- YKFDE_CHALLENGE=""
- fi
- [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
- # if /NOT/ DBG, we need to output \n here.
- [ "${DBG:-}" ] || echo
-done
-
-if [ -z "$YKFDE_CHALLENGE" ]; then
- echo "ERROR: ykfde challenge is empty. Operation aborted."
- exit 1
-fi
-
-while [ -z "$YKFDE_RESPONSE" ]; do
- [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
- echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
- [ "${DBG:-}" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
-done
-
-if [ "$YKFDE_RESPONSE" ]; then
- if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
- else
- YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
- fi
-fi
-
-if [ "$YKFDE_PASSPHRASE" ]; then
- [ "${DBG:-}" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
- printf '%s\n' "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@"
-else
- echo "ERROR: ykfde passphrase is empty. Operation aborted."
- exit 1
-fi
-
-echo " New LUKS device successfully formatted"
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open
deleted file mode 100755
index c87e15f..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/bin/ykfde-open
+++ /dev/null
@@ -1,207 +0,0 @@ -#!/bin/bash -p - -set -euo pipefail - -# sanitize environment -PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -YKFDE_LUKS_DEV="" -YKFDE_LUKS_KEYSLOT="" -YKFDE_LUKS_NAME="" -YKFDE_PRINT_ONLY="" -YKFDE_MOUNT="0" -DBG="" -YKFDE_SLOT_CHECK="" -YKFDE_CHALLENGE_SLOT="2" -YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_CHALLENGE="" -YKFDE_RESPONSE="" -YKFDE_PASSPHRASE="" -YKFDE_LUKS_OPTIONS="" -YKFDE_TEST_PASSPHRASE="" - -if [ -r /etc/ykfde.conf ]; then - # shellcheck source=ykfde.conf - . /etc/ykfde.conf -else - echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults." -fi - -while getopts ":d:s:n:pmtvh" opt; do - case "$opt" in - d) - YKFDE_LUKS_DEV="$OPTARG" - printf '%s\n' "INFO: Setting device to '$OPTARG'." - ;; - s) - if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then - YKFDE_LUKS_KEYSLOT="$OPTARG" - printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'." - else - printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'." - exit 1 - fi - ;; - n) - YKFDE_LUKS_NAME="$OPTARG" - printf '%s\n' "INFO: Setting name to '$OPTARG'." - ;; - p) - YKFDE_PRINT_ONLY=1 - echo "INFO: Showing cleartext ykfde passphrase without unlocking" - ;; - m) - YKFDE_MOUNT=1 - echo "INFO: Mounting device" - ;; - t) - YKFDE_TEST_PASSPHRASE="--test-passphrase" - echo "INFO: Testing LUKS passphrase" - ;; - v) - DBG=1 - echo "INFO: Debugging enabled" - ;; - h) - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -n : set the new encrypted volume name" - echo " -p : show cleartext ykfde passphrase without unlocking" - echo " -m : mount unlocked device (non root user only)" - echo " -t : test LUKS passphrase" - echo " -v : show input/output in cleartext" - echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" - echo - exit 0 - ;; - \?) 
- printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2 - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -n : set the new encrypted volume name" - echo " -p : show cleartext ykfde passphrase without unlocking" - echo " -m : mount unlocked device (non root user only)" - echo " -t : test LUKS passphrase" - echo " -v : show input/output in cleartext" - echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" - echo - exit 1 - ;; - esac -done - -shift "$((OPTIND - 1))" - -YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" -[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK" - -if [ "$YKFDE_SLOT_CHECK" != 1 ]; then - printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'" - exit 1 -fi - -if [ -z "$YKFDE_PRINT_ONLY" ]; then - if [ -z "$YKFDE_LUKS_DEV" ]; then - echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-open -h' for help." - exit 1 - fi - if [ ! -e "$YKFDE_LUKS_DEV" ]; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device." - exit 1 - fi - if [ "$(id -u)" -eq 0 ]; then - if ! cryptsetup isLuks "$YKFDE_LUKS_DEV" "$@"; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." - exit 1 - fi - if [ -z "$YKFDE_LUKS_NAME" ]; then - printf '%s\n' "ERROR: Please set the new encrypted volume name using '-n' option, see 'ykfde-open -h' for help." - exit 1 - fi - fi - printf '%s\n' "WARNING: This script will try to open the '$YKFDE_LUKS_NAME' LUKS encrypted volume on drive '$YKFDE_LUKS_DEV' . If this is not what you intended, please abort." 
-fi - -if [ "$YKFDE_LUKS_KEYSLOT" ]; then - YKFDE_LUKS_KEYSLOT="--key-slot=$YKFDE_LUKS_KEYSLOT" -fi - -[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1 -[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" - -while [ -z "$YKFDE_CHALLENGE" ]; do - echo " > Please provide the challenge." - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi - YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo -done - -while [ -z "$YKFDE_RESPONSE" ]; do - [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - echo " Remember to touch the device if necessary." - YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true - [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'" -done - -if [ "$YKFDE_RESPONSE" ]; then - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE" - else - YKFDE_PASSPHRASE="$YKFDE_RESPONSE" - fi -fi - -if [ "$YKFDE_PRINT_ONLY" ]; then - printf '%s\n' " > ykfde passphrase: $YKFDE_PASSPHRASE" - exit 0 -fi - -if [ "$YKFDE_TEST_PASSPHRASE" ]; then - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_TEST_PASSPHRASE $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." 
- printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_TEST_PASSPHRASE" "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 - printf '%s\n' " Device successfully opened" - exit 0 -fi - -if [ "$(id -u)" -eq 0 ]; then - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." - printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 - printf '%s\n' " Device successfully opened as '/dev/mapper/$YKFDE_LUKS_NAME'" -elif ! command -v udisksctl >/dev/null 2>&1 || ! command -v expect >/dev/null 2>&1; then - printf '%s\n' "ERROR: At least one of required tools 'udisksctl' or 'expect' cannot be found. Please install 'udisks2' and 'expect' packages or use 'cryptsetup' by executing this script as 'root'." - exit 1 -elif [ ! -b "$YKFDE_LUKS_DEV" ]; then - # udisks doesn't work with regular file based devies - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a block device file. Please open it with 'cryptsetup' by executing this script as 'root'." - exit 1 -elif ! udisksctl info -b "$YKFDE_LUKS_DEV" | grep -iq 'crypto_LUKS'; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." - exit 1 -else - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'udisksctl'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'udisksctl unlock -b '$YKFDE_LUKS_DEV''..." || echo " > Decrypting with 'udisksctl'..." - expect <( - cat </sys/power/state - -# Resume root device -export YKFDE_RESUME=1 - -# shellcheck source=/dev/null -. 
/init_functions -parse_cmdline Dvrgu zHVg444U1J?>MZSazRa}|d6E4^g{6qqohsx^86m}uTleSPd0FP>^U1VdS!DQe^Zxqss@Y(s%UDkOVU`T|v__Rx-uksGl!ZY>;x3D;M2TD) zlg|rjlM5@qtK<7>wTJBX~7veP#yEqg8FqWk%y6Xg2m>Fh_8qO3|VQB^{D~;eN z$guuStL30eilcB4oWSTr$FiuEsFcM_v0!e_)kMp5eTRs@S$+pM*OMwOtMwTbe`6lH zVj>BBi=cTeZagz_wJ>YKo>xxTS&=HnWYC^V9Lq_pL^c&?83A0H&Yw2_>2!n;Ex@+f z%%696JmD#Zg9yWcs)xId#Dm?iuB2~4HVs1e%}+j8M$d?H#J})oJ91i;SprFhR`HiO zDD*EY07~esL+tLqJ%u25q@NtnQIA;Lgks!;1^D3XNp+?>36`w4E(I1 znYBstSJnd9D=FX0L@rdmn7#D0td0ac8o0r4Q+Ry2KPu!q)w8OAbK431?=8ahxcHi9 z6eflrftRV>ZbK}XCo&AoT<*8PF5JR^76v*EoKm)SeiP|Z3{)8oR*Pw*`b1DnbxfQp zj0G6t5gG_+z@O>bz{6oyML*jhWd-z0q-rV1+dg!m7C9!`a;JnLuMDt~%`vD~26m+b zmRAPN%Jyl}B7-$<(iUYV)V((Baker=r{%Q|s0U>h__f>FdbmHG{rNnQcP!x@@nNzO zSsZP{$Z<&+J)hH{-XWN*0_^ZLEU(iz3l~pebqkvnFMbLaU*X_VZ<8g(^=}Gup|^<= zOP?c4_Re;HooW}@=UKL3Ik2C$ThyZgjXtFD@$H!~Ri0-Bo9{M~VprYgh{y?CzKpxg z4(SwTZP&5|Z`m+dTl&ZeOl5Lp4Dj6u&!KvBKf8gO9k|&KcL4eK7~p(uC$_&Ke(nex zra1O*O3f+-iLFO+>pc*h@#z%jZ8oDSml+bEl|hoTvm>4!>N=f^RP@&8_rxlz9B~m= zSeS@jy{>1;?FFMlXfz^&l0~WR`H$X)@9eqk%;<%8%^Xu{c@Zj)hBqw2{relj<&$;=Y=y^xpqhv~oUL7TR;&5+`StPmyum_OB z5*?aTuR9&B;Y6GcH3bsSAkMn~cC-ofZ#dMxE=s`il~PSlB#Cu5c~r^&1li2F#*Ie|r9 zW%;Uc#3Yqw)of1A*lHu8`3T>vMtocVmMsnIFyWx2S+$fI`#ef5*gamX^l)*OHTeFhq|=crubr0^IO_Amu3!HHeVp%dr<$eu-{hb-O*u}Q3gk1hGHjeZ%@*F35$wN#v3H^UME%J7jp^L2$7sq ziL8zfp5|5A7i6cz<^zi$YEzv;ifyoKBP5P$!hq%-XwWIARmzG0Z#N!~J2{NGoQgI? z;%@?39#Amg^KYmX7vkmr@I3Kv`~Ulrm(@r+1lIvSp2|HLPDjIogUQJ-8b*i5@?cLM z>>q{EaR1<^!()7z4v!T~?I8N;=w$C`@8sZQc(6a39PI6nKwta={ZkvSzu!YaDMIX& z@@{NPtVkPsJkyU^g~D!#hMq5Yf&INh(zky<-0L#Srls>9q35|azk1U{k`$wp(TP&i zkqTvW5Drh|fgBA_hR1tqbUX^Dd*Q+KC_0kIBRQQOgmQnlH{1&$MHz)7{Cox%-2ZVM zlokjuhZOY)K%NwYJEek?qAD4lP{BAd9NR@(IEpNVH_IyIwe0#P8BnvLZ)onCEKwz! 
z0(qlFnk{X|V#AYf%$v(Q)rHU1C>RqZQ|p+rVqrv#f=9qxLKc@wnO!~6)i7iuQ<;>?RqeIBKgeVj%FO%%4I}H~tH58{TWw@}K#A|wqjH!pytJ^zr zTEagPQ6F~F$hL*}V9rH~Ybx?oSi!f!CudnqZ5qm_yd#I7BmX?lFwt&HO12|hEzQy6 z3AM9LFc8PIG9{%~WVhJB72=RcxS;+OpXR0}&?4Hd!yoT9IXY$#W=T>Z6Iu=6hX-Hl zjSRYd>-$U-* zZ>anT%O{aWUS3E~)~*8;Kg`BbcUx?>^?l8kPUo#IU_9{q1P9^dA-dt_F{N9MGM|MB zJhQodMTBnQrEY0)cP(xBDz`nGJX%o_BT2$#jO)XenM*KMiw1Eef;$lmMUYW+4OHYZLH*DpBmQ%FMR8M63b}_!Um>@mviEaHR7Gu(5hAYhJss+01yza(lhsWkKQe zHF1%dHXxRtm>^!&cIOlAC!CErp}Pxvo)+hI(nwuB&S6?<#sfC%%(h-ejXX=ooi#;L zL^~1g{T_t!2Yg3DF&M6uROA^VvD!2%WIpF4g|3B)sSGI{F1XTt%uffiO8-z_O#~ZH zyID8e%F|6Hr%BK>D8F)&w_`2zCm=_@)M=Wp1dUA8hI%DcTxv>|ok|!ds1_4-C7D>D zU@O2BV6QfA3yJzR4Menfv|--qe9BeI+}&)9Z@q+iT81%+vx!eLkW{pYc6nDuMn-=D zyp;3OG1$&17MVVr5*DU>%NH|B2u*y%@gJ9O&)?jhUtC?@USD6FkC~ABN(IpE$I}mQ z#;7s#d}CH=Des>c=+2XXX%5br=xuZI9Uqp# zEk{7R-EF;{=?d%1avYEBg)NR!R8;h1M`+B=Rp7w+H&Pl`F%-he-iVt*&3wG5dv#Cb z{=y`KxVBS(o=Z^pEzHX(oNxet}zu6dxoP=*v*b@-gv4%L;o7@ZM z$i8zWs$Kn0pi`aWVz{MVa>|*Qx$@UqCV5>WSA!k98=v$ikBR;j*w~y)0hAt-w39heR+Rvp1Tn zIA25Ek4NheqGl35gA3B}TbnjHSX*Hqb-qn#mkQMhyj`H5@`xvoHR7b_K&)4{2?m&&0YTGlon-B?GC>G4wb=o zy`smk<$Qeo0nt`}oFOmy;b0Qctx(dy8jy%Xrv_)q3w?)-WyURi<+HJhwliUgI*9V( zB;jXG-8J+r$!MF;1?7U;XqH&Z`S0=#%#9^Ke17Y|Eks6(WBmOM2$(gs7v-IVWg}a8 z!U08)il42hZ&P?Ocj7P92c&kteG<0Kb(QuugDyleml)BFQ*&iSmm%(^Y6~BEy%9Y) zv-`-0?Qesl>8TFu)Z{5g+Ga0hy&oy9FISty(!7G7;YRo?o&oI!$duQ{9OI#762AN? 
z+XocIdA1lNX*u9W0QN&)C$rjczxU|@pJKt$;Ty~Uzr=76ELz#oqfaWX#{b;n!#~_Zr6JQ>3igG%wFJ8^-CnCFxK`R0zI|WDl(Mk3 zs?})=t6R(jx7n<`%XHLAHxg~uI*5h?KNp~5t}vTYf-AzYD+VLB{wrc^o-~72ykY1^6ij zAxHQ8jOHd@ec|gVmppCI=f|z~rk<^i)+Y91h;PO1{Ss9ePTj(+fL50A>Yu%!{H*wH ziPV8zxMgq+o3=qd|9#S$xt>*kB?T<&gy_W!WKJufQ5;41g>;)Nbtt@}MSZ4oYQK`I zQ*uLRXe^r@fNi8k)Q0m7uIsB`*e*8qu2s2igvEN2PQ&l(dD*r8I%2h;E-STNgEfk> zDjuV_z66B$cCTF-_3Yk@WunC_|CIxq92^VO)7`xka}z_?Z{i4UUaI`RCIQ{7ix_bD>8o%EOyO z(DOR-cH~B%99za_UX@X{Oq;Ml$i~vJ^BBMT^y%^n(~Cm>)B8!MPKAnP<7sMz@{9Q^ zRVb>ZeO`z9Zt`>VSh%N?oz7X7uL?bzmtwfL|C2aPqe5x%t4-=U9XBts%?if(6rKS; z+{i1sM&s9R!~UMwr3o+G(2MSWbXM+WA>|55*>`f>Hdgnc%I$N;3|?BxG*r!p_i-!Hzr`*i(9{C@iR^XbPg7jLe_r_bW-)5r6RFBhLa;;*;j^y44m z^5Ww;$`#Em9{8hzc&D_BK!y|VTq(7-xqnnxS5q;}qau5qQA3k!`-iH}+D+pb;1zHOoWr#- aAeay!crIivG9XMcmiz$zj$P@r0001E15Dxo diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright deleted file mode 100644 index 1488d56..0000000 --- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/doc/ykfde/copyright +++ /dev/null @@ -1,7 +0,0 @@ -Copyright 2017 Andrei Gherzan - -Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde deleted file mode 100755 index d015c1d..0000000 --- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/initramfs-tools/hooks/ykfde +++ /dev/null 
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-set -e
-
-PREREQ="cryptroot"
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
- prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-. /etc/ykfde.conf
-
-copy_exec /usr/bin/ykchalresp
-copy_exec /usr/bin/ykinfo
-copy_exec /usr/bin/sha256sum
-cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
-cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"
-
-#if [ "$SUSPEND" = "1" ]; then
-# echo "YKFDE: adding yubikey authentication to suspend."
-# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend"
-# chmod 755 "${DESTDIR}/suspend"
-# systemctl enable ykfde-suspend.service
-#else
-# echo "YKFDE: removing yubikey authentication to suspend."
-# systemctl disable ykfde-suspend.service
-#fi
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript b/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript
deleted file mode 100755
index 0c41a52..0000000
--- a/debian/DEBUILD/ykfde-0.1/debian/ykfde/usr/share/ykfde/ykfde-keyscript
+++ /dev/null
@@ -1,72 +0,0 @@
-#! /bin/sh
-#
-# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk
-#
-# set defualt values:
-DBG=""
-YKFDE_CONFIG_FILE="/etc/ykfde.conf"
-YKFDE_NFC=""
-YKFDE_DISK_UUID=""
-YKFDE_LUKS_NAME=""
-YKFDE_LUKS_DEV=""
-YKFDE_LUKS_OPTIONS=""
-YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"
-YKFDE_CRYPTSETUP_TRIALS="5"
-YKFDE_CHALLENGE_SLOT="2"
-YKFDE_CHALLENGE=""
-YKFDE_CHALLENGE_PASSWORD_NEEDED=""
-YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
-YKFDE_USE_PLYMOUTH=""
-
-. /etc/ykfde.conf
-
-if [ -z "$WELCOME_TEXT" ]; then
- WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
-fi
-
-message()
-{
- if [ -x /bin/plymouth ] && plymouth --ping; then
- plymouth message --text="$*"
- else
- echo "$@" >&2
- fi
- return 0
-}
-
-check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-
-if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
- if [ -z "$cryptkeyscript" ]; then
- if [ -x /bin/plymouth ] && plymouth --ping; then
- cryptkeyscript="plymouth ask-for-password --prompt"
- else
- cryptkeyscript="/lib/cryptsetup/askpass"
- fi
- fi
- PW="$($cryptkeyscript "$WELCOME_TEXT")"
-else
- PW="$YKFDE_CHALLENGE"
-fi
-
-if [ "$check_yubikey_present" = "1" ]; then
- message "Accessing yubikey..."
- #if [ "$HASH" = "1" ]; then
- # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
- #fi
- R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)"
- if [ "$R" ]; then
- message "Retrieved the response from the Yubikey"
- if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then
- printf '%s' "$PW$R"
- else
- printf '%s' "$R"
- fi
- else
- message "Failed to retrieve the response from the Yubikey"
- fi
-else
- printf '%s' "$PW"
-fi
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/hooks/ykfde b/debian/DEBUILD/ykfde-0.1/hooks/ykfde
deleted file mode 100644
index f621280..0000000
--- a/debian/DEBUILD/ykfde-0.1/hooks/ykfde
+++ /dev/null
@@ -1,258 +0,0 @@ -#!/usr/bin/ash -# shellcheck shell=dash - -# set default values: -DBG="" -YKFDE_CONFIG_FILE="/etc/ykfde.conf" -YKFDE_NFC="" -YKFDE_DISK_UUID="" -YKFDE_LUKS_NAME="" -YKFDE_LUKS_DEV="" -YKFDE_LUKS_OPTIONS="" -YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30" -YKFDE_CRYPTSETUP_TRIALS="5" -YKFDE_CHALLENGE_SLOT="2" -YKFDE_CHALLENGE="" -YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" -YKFDE_USE_PLYMOUTH="" - -message() { - if [ "$YKFDE_USE_PLYMOUTH" ]; then - plymouth display-message --text="$*" - else - echo "$@" >&2 - fi - return 0 -} - -run_hook() { - local _tmp - _tmp="" - local cryptopt cryptoptions - - [ -x /bin/plymouth ] && [ "$splash" ] && plymouth --ping && YKFDE_USE_PLYMOUTH=1 - - [ "$DBG" ] && message "$0:" - - [ "$DBG" ] && message " > Reading YKFDE configuration file." - # shellcheck source=../ykfde.conf - . "$YKFDE_CONFIG_FILE" || { - ykfde_err 001 "Failed to read the YKFDE configuration file '$YKFDE_CONFIG_FILE'" - return 1 - } - - # if no settings in config, try to pull it from kernel cmdline (analog to encrypt hook) - if [ -z "$YKFDE_DISK_UUID" ] || [ -z "$YKFDE_LUKS_NAME" ]; then - # shellcheck disable=SC2154 - if [ "$cryptdevice" ]; then - IFS=: read -r YKFDE_LUKS_DEV YKFDE_LUKS_NAME cryptoptions < modprobing dm-crypt" - _tmp="$(modprobe -a -q dm-crypt >/dev/null 2>&1)" - - local trial_nr - trial_nr=1 - while [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ]; do - message "Attempt #$trial_nr/$YKFDE_CRYPTSETUP_TRIALS: cryptsetup of $YKFDE_LUKS_DEV" - ykfde_do_it && return 0 - trial_nr=$((trial_nr + 1)) - done - - # if we get here, we did NOT succeed: - ykfde_err 000 "$0 Failed!" - return 1 -} - -ykfde_err() { - local _rc - _rc="$?" 
- local code - code="$1" - local msg - msg="$2" - [ "$msg" ] && msg="ERROR $code [rc=$_rc]: $msg" || msg="ERROR $code [rc=$_rc]" - message "$msg" #exit 1; -} - -# assemble passphrase and run 'cryptsetup luksOpen' -ykfde_do_it() { - # key used to 'cryptsetup luksOpen' - local _ykfde_passphrase - _ykfde_passphrase="" - local _tmp - _tmp="" - local _rc - _rc="" - - # if we have a challenge - [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && ykfde_challenge_response - - if [ -z "$_ykfde_passphrase" ]; then - if [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - message " > Challenge-Response failed. Falling back to manual passphrase." - [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ] && message " Press ENTER to skip and retry Challenge-Response." - else - message " > Passphrase needed to unlock device." - fi - - printf " Enter passphrase: " - if [ "$YKFDE_USE_PLYMOUTH" ]; then - _ykfde_passphrase="$(plymouth ask-for-password --prompt="Enter passphrase" --dont-pause-progress)" - else - # shellcheck disable=SC2169 - if [ "$DBG" ]; then read -r _ykfde_passphrase; else read -r -s _ykfde_passphrase; fi - fi - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo - fi - - [ "$DBG" ] && message " > Passing '$_ykfde_passphrase' to 'cryptsetup'" - if [ "$YKFDE_RESUME" ]; then - # shellcheck disable=SC2154 - if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksResume $cryptname'..."; else message " > Decrypting with 'cryptsetup'..."; fi - _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksResume "$cryptname" 2>&1)" - else - if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS'..."; else message " > Decrypting with 'cryptsetup'..."; fi - _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" 2>&1)" - fi - _rc=$? - - if [ "$_rc" -eq 0 ]; then - message " Decryption was successful." 
- if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then - [ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep." - sleep "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" - fi - else - message " FAILED! [$_rc] $_tmp" - fi - - return "$_rc" -} - -ykfde_challenge_response() { - local _yubikey_timeout - _yubikey_timeout="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" - local _yubikey_timeout_str - _yubikey_timeout_str="" - local _yubikey_detected - _yubikey_detected="" - local _yubikey_nfc_detected - _yubikey_nfc_detected="" - local _ykfde_response - _ykfde_response="" - # to determine if a timeout occurred - local _starttime - _starttime="" - local _endtime - _endtime="" - local _usedtime - _usedtime="" - local _tmp - _tmp="" - local _rc - _rc="" - - [ "$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" -gt 0 ] && _yubikey_timeout_str="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT seconds" - - _starttime="$(date +%s)" - message " > Waiting $_yubikey_timeout_str for YubiKey..." - - while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do - _endtime="$(date +%s)" - _usedtime=$((_endtime - _starttime)) - [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': " - _tmp="$(ykinfo -"$YKFDE_CHALLENGE_SLOT" 2>&1)" - _rc=$? - [ "$DBG" ] && message "[$_rc] '$_tmp'" - if [ "$_rc" -eq 0 ]; then - _yubikey_detected=1 - elif [ "$YKFDE_NFC" ]; then - [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': " - _tmp="$(ykchalresp-nfc -n 2>&1)" - _rc=$? - [ "$_rc" -eq 0 ] && _yubikey_nfc_detected=1 - fi - if [ "$_yubikey_timeout" -eq -1 ] || [ "$_usedtime" -le "$_yubikey_timeout" ]; then - sleep 0.5 - else - message " Timeout - Challenge-Response aborted." 
- # timeout - return 1 - fi - done - - [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" - while [ -z "$YKFDE_CHALLENGE" ]; do - message " > Please provide the challenge." - printf " Enter challenge: " - # shellcheck disable=SC2169 - if [ "$YKFDE_USE_PLYMOUTH" ]; then - YKFDE_CHALLENGE="$(plymouth ask-for-password --prompt="Enter challenge" --dont-pause-progress)" - elif [ "$DBG" ]; then - read -r YKFDE_CHALLENGE - else - read -r -s YKFDE_CHALLENGE - fi - YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo - done - - if [ "$_yubikey_detected" ]; then - while [ -z "$_ykfde_response" ]; do - [ "$DBG" ] && message " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - message " Remember to touch the device if necessary." - _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" - [ "$DBG" ] && message " Received response: '$_ykfde_response'" - done - fi - - if [ -n "$_yubikey_nfc_detected" ]; then - while [ -z "$_ykfde_response" ]; do - [ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - message " Remember to touch the device if necessary." - _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp-nfc -"$YKFDE_CHALLENGE_SLOT" | tr -d '\n')" - [ "$DBG" ] && message " Received response: '$_ykfde_response'" - done - fi - - if [ "$_ykfde_response" ]; then - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - _ykfde_passphrase="$YKFDE_CHALLENGE$_ykfde_response" - else - _ykfde_passphrase="$_ykfde_response" - fi - fi -} diff --git a/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb b/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb deleted file mode 100755 index d015c1d..0000000 --- a/debian/DEBUILD/ykfde-0.1/hooks/ykfde-deb +++ /dev/null 
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-set -e
-
-PREREQ="cryptroot"
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
- prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-. /etc/ykfde.conf
-
-copy_exec /usr/bin/ykchalresp
-copy_exec /usr/bin/ykinfo
-copy_exec /usr/bin/sha256sum
-cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript"
-cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf"
-
-#if [ "$SUSPEND" = "1" ]; then
-# echo "YKFDE: adding yubikey authentication to suspend."
-# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend"
-# chmod 755 "${DESTDIR}/suspend"
-# systemctl enable ykfde-suspend.service
-#else
-# echo "YKFDE: removing yubikey authentication to suspend."
-# systemctl disable ykfde-suspend.service
-#fi
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/initramfs-suspend b/debian/DEBUILD/ykfde-0.1/initramfs-suspend
deleted file mode 100644
index fce7a9e..0000000
--- a/debian/DEBUILD/ykfde-0.1/initramfs-suspend
+++ /dev/null
@@ -1,29 +0,0 @@ -#!/usr/bin/bash -# shellcheck shell=dash - -cryptname="${1}" - -# Start udev from initramfs -/usr/lib/systemd/systemd-udevd --daemon --resolve-names=never - -# Synchronize filesystems before luksSuspend -sync - -# Suspend root device -[ -z "$cryptname" ] || cryptsetup luksSuspend "$cryptname" - -# Suspend the system -echo mem >/sys/power/state - -# Resume root device -export YKFDE_RESUME=1 - -# shellcheck source=/dev/null -. /init_functions -parse_cmdline &2 - fi - return 0 -} - -check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" - -if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then - if [ -z "$cryptkeyscript" ]; then - if [ -x /bin/plymouth ] && plymouth --ping; then - cryptkeyscript="plymouth ask-for-password --prompt" - else - cryptkeyscript="/lib/cryptsetup/askpass" - fi - fi - PW="$($cryptkeyscript "$WELCOME_TEXT")" -else - PW="$YKFDE_CHALLENGE" -fi - -if [ "$check_yubikey_present" = "1" ]; then - message "Accessing yubikey..." - #if [ "$HASH" = "1" ]; then - # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') - #fi - R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)" - if [ "$R" ]; then - message "Retrieved the response from the Yubikey" - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then - printf '%s' "$PW$R" - else - printf '%s' "$R" - fi - else - message "Failed to retrieve the response from the Yubikey" - fi -else - printf '%s' "$PW" -fi - -exit 0 diff --git a/debian/DEBUILD/ykfde-0.1/testrun.sh b/debian/DEBUILD/ykfde-0.1/testrun.sh deleted file mode 100755 index 5894e26..0000000 --- a/debian/DEBUILD/ykfde-0.1/testrun.sh +++ /dev/null 
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# set default values:
-YKFDE_CONFIG_FILE="/etc/ykfde.conf"
-YKFDE_CHALLENGE=""
-YKFDE_CHALLENGE_PASSWORD_NEEDED=""
-YKFDE_CHALLENGE_SLOT=""
-
-if [ "$(id -u)" -ne 0 ]; then
- echo "ERROR: Please run this script as 'root'."
- exit 1
-fi
-
-# shellcheck source=src/ykfde.conf
-. "$YKFDE_CONFIG_FILE"
-[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
-
-if [ -z "$YKFDE_CHALLENGE" ] && [ -z "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- printf '%s\n' "ERROR: No ykfde mode enabled. Please enable 'Automatic mode with stored challenge (1FA)' or 'Manual mode with secret challenge (2FA)' in '$YKFDE_CONFIG_FILE'."
- exit 1
-elif [ "$YKFDE_CHALLENGE" ]; then
- echo "INFO: 'Automatic mode with stored challenge (1FA)' is enabled."
-elif [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- echo "INFO: 'Manual mode with secret challenge (2FA)' is enabled."
-fi
-
-if [ -z "$YKFDE_CHALLENGE_SLOT" ]; then
- echo "WARNING: YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode is not selected. Falling back to slot '2'."
-fi
-
-umask 0077
-YKFDE_TMPFILE=""
-YKFDE_TMPFILE="$(mktemp /dev/shm/ykfde-XXXXXX)"
-truncate -s 20M "$YKFDE_TMPFILE"
-
-cleanup() {
- rm -f "$YKFDE_TMPFILE"
-}
-trap cleanup EXIT
-
-echo "INFO: Testing 'ykfde-format' script."
-DBG=1 ykfde-format "$YKFDE_TMPFILE"
-echo "Test 'ykfde-format' script successfully passed."
-
-echo "INFO: Testing 'ykfde-enroll' script."
-printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE"
-echo "INFO: Old LUKS passphrase is 'test'."
-ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v
-echo "Test 'ykfde-enroll' script successfully passed."
-
-echo "INFO: Testing 'ykfde-open' script."
-ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v
-cryptsetup close ykfde-test
-echo "Test 'ykfde-open' script successfully passed."
-
-echo "All tests successfully passed."
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-enroll b/debian/DEBUILD/ykfde-0.1/ykfde-enroll
deleted file mode 100644
index da4b5fb..0000000
--- a/debian/DEBUILD/ykfde-0.1/ykfde-enroll
+++ /dev/null
@@ -1,228 +0,0 @@ -#!/bin/bash -p - -set -euo pipefail - -# sanitize environment -PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -YKFDE_LUKS_DEV="" -YKFDE_LUKS_KEYSLOT="" -YKFDE_CHANGE_KEYSLOT="" -YKFDE_OLD_YUBIKEY="" -DBG="" -YKFDE_SLOT_CHECK="" -YKFDE_SLOT_KILL="" -YKFDE_CHALLENGE_SLOT="2" -YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_CHALLENGE="" -YKFDE_RESPONSE="" -YKFDE_PASSPHRASE="" -YKFDE_OLD_CHALLENGE="" -YKFDE_OLD_RESPONSE="" -YKFDE_OLD_PASSPHRASE="" - -if [ -r /etc/ykfde.conf ]; then - # shellcheck source=ykfde.conf - . /etc/ykfde.conf -else - echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults." -fi - -while getopts ":d:s:ckovh" opt; do - case "$opt" in - d) - YKFDE_LUKS_DEV="$OPTARG" - printf '%s\n' "INFO: Setting device to '$OPTARG'." - ;; - s) - if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then - YKFDE_LUKS_KEYSLOT="$OPTARG" - printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'." - else - printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'." - exit 1 - fi - ;; - c) - YKFDE_CHANGE_KEYSLOT=1 - echo "INFO: Changing existing LUKS keyslot" - ;; - k) - YKFDE_SLOT_KILL=1 - echo "WARNING: Killing existing LUKS keyslot. If it's the last configured keyslot, the device will be inaccessible!" - ;; - o) - YKFDE_OLD_YUBIKEY=1 - echo "INFO: Using old YubiKey for passphrase" - ;; - v) - DBG=1 - echo "INFO: Debugging enabled" - ;; - h) - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -c : change an existing keyslot" - echo " -k : killing an existing keyslot" - echo " -o : use old YubiKey for passphrase" - echo " -v : show input/output in cleartext" - echo - exit 0 - ;; - \?) 
- printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2 - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -c : change an existing keyslot" - echo " -k : killing an existing keyslot" - echo " -o : use old YubiKey for passphrase" - echo " -v : show input/output in cleartext" - echo - exit 1 - ;; - esac -done - -YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" -[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK" - -if [ "$YKFDE_SLOT_CHECK" != 1 ]; then - printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'" - exit 1 -fi - -if [ -z "$YKFDE_LUKS_DEV" ]; then - echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-enroll -h' for help." - exit 1 -fi - -if [ ! -e "$YKFDE_LUKS_DEV" ]; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device." - exit 1 -fi - -if [ ! -r "$YKFDE_LUKS_DEV" ] || [ ! -w "$YKFDE_LUKS_DEV" ]; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't accessible for current user '$(whoami)'. Please execute this script as 'root'." - exit 1 -fi - -if ! cryptsetup isLuks "$YKFDE_LUKS_DEV"; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." - exit 1 -fi - -if [ -z "$YKFDE_LUKS_KEYSLOT" ]; then - echo "ERROR: LUKS keyslot not selected. Please select LUKS keyslot using '-s' option, see 'ykfde-enroll -h' for help." - exit 1 -fi - -printf '%s\n' "WARNING: This script will utilize LUKS keyslot '$YKFDE_LUKS_KEYSLOT' on device '$YKFDE_LUKS_DEV'. If this is not what you intended, please abort." 
- -[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1 -[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" - -while [ -z "$YKFDE_CHALLENGE" ]; do - echo " > Please provide the challenge." - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi - printf "\\n > Please repeat the challenge.\\n" - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi - if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then - echo "WARNING: Challenges do not match. Try again." - YKFDE_CHALLENGE="" - fi - [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo -done - -if [ -z "$YKFDE_CHALLENGE" ]; then - echo "ERROR: ykfde challenge is empty. Operation aborted." - exit 1 -fi - -while [ -z "$YKFDE_RESPONSE" ]; do - [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - echo " Remember to touch the device if necessary." - YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true - [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'" -done - -if [ "$YKFDE_RESPONSE" ]; then - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE" - else - YKFDE_PASSPHRASE="$YKFDE_RESPONSE" - fi -fi - -if [ "$YKFDE_SLOT_KILL" ]; then - [ "$DBG" ] && printf '%s\n' " > Killing with 'cryptsetup luksKillSlot $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT'..." || echo " > Killing slot with 'cryptsetup'..." - printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksKillSlot "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" 2>&1 - printf '%s\n' " LUKS key slot $YKFDE_LUKS_KEYSLOT successfully killed" - exit 0 -fi - -if [ "$YKFDE_OLD_YUBIKEY" ]; then - echo "Please insert old YubiKey for existing keyslot." 
- - while [ -z "$YKFDE_OLD_CHALLENGE" ]; do - echo " > Please provide the old challenge." - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE; else read -r -s YKFDE_OLD_CHALLENGE; fi - printf "\\n > Please repeat the old challenge.\\n" - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_OLD_CHALLENGE2; else read -r -s YKFDE_OLD_CHALLENGE2; fi - if [ "$YKFDE_OLD_CHALLENGE" != "$YKFDE_OLD_CHALLENGE2" ]; then - echo "WARNING: Challenges do not match. Try again." - YKFDE_OLD_CHALLENGE="" - fi - [ "$YKFDE_OLD_CHALLENGE" ] && YKFDE_OLD_CHALLENGE="$(printf %s "$YKFDE_OLD_CHALLENGE" | sha256sum | awk '{print $1}')" - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo - done - - if [ -z "$YKFDE_OLD_CHALLENGE" ]; then - echo "ERROR: ykfde old challenge is empty. Operation aborted." - exit 1 - fi - - while [ -z "$YKFDE_OLD_RESPONSE" ]; do - [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..." - echo " Remember to touch the old device if necessary." - YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true - [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_OLD_RESPONSE'" - done - - if [ "$YKFDE_OLD_RESPONSE" ]; then - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_CHALLENGE$YKFDE_OLD_RESPONSE" - else - YKFDE_OLD_PASSPHRASE="$YKFDE_OLD_RESPONSE" - fi - fi -else - echo "Please provide the old LUKS passphrase for the existing keyslot." - printf " Enter passphrase: " - if [ "$DBG" ]; then read -r YKFDE_OLD_PASSPHRASE; else read -r -s YKFDE_OLD_PASSPHRASE; fi -fi - -if [ "$YKFDE_PASSPHRASE" ]; then - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" - if [ "$YKFDE_CHANGE_KEYSLOT" ]; then - [ "$DBG" ] && printf '%s\n' " > Changing LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksChangeKey $YKFDE_LUKS_DEV'..." 
|| echo " > Changing LUKS passphrase with 'cryptsetup'..." - printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksChangeKey "$YKFDE_LUKS_DEV" 2>&1 - printf '%s\n' " LUKS passphrase for key slot $YKFDE_LUKS_KEYSLOT successfully changed" - else - [ "$DBG" ] && printf '%s\n' " > Adding new LUKS passphrase with 'cryptsetup --key-slot=$YKFDE_LUKS_KEYSLOT luksAddKey $YKFDE_LUKS_DEV'..." || echo " > Adding new LUKS passphrase with 'cryptsetup'..." - printf '%s\n' "$YKFDE_OLD_PASSPHRASE" "$YKFDE_PASSPHRASE" "$YKFDE_PASSPHRASE" | cryptsetup --key-slot="$YKFDE_LUKS_KEYSLOT" luksAddKey "$YKFDE_LUKS_DEV" 2>&1 - printf '%s\n' " New LUKS passphrase successfully added" - fi -else - echo "ERROR: ykfde passphrase is empty. Operation aborted." - exit 1 -fi - -exit 0 diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-format b/debian/DEBUILD/ykfde-0.1/ykfde-format deleted file mode 100644 index 2371be0..0000000 --- a/debian/DEBUILD/ykfde-0.1/ykfde-format +++ /dev/null 
@@ -1,81 +0,0 @@
-#!/bin/bash -p
-
-set -euo pipefail
-
-# sanitize environment
-PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-YKFDE_SLOT_CHECK=""
-YKFDE_CHALLENGE_SLOT="2"
-#DBG=""
-YKFDE_CHALLENGE_PASSWORD_NEEDED=""
-YKFDE_CHALLENGE=""
-YKFDE_RESPONSE=""
-YKFDE_PASSPHRASE=""
-
-if [ -r /etc/ykfde.conf ]; then
- # shellcheck source=ykfde.conf
- . /etc/ykfde.conf
-else
- echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
-fi
-
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
-
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
- printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
- exit 1
-fi
-
-printf '%s\n' "WARNING: This script will run 'cryptsetup luksFormat $*'. If this is not what you intended, please abort."
-
-[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1
-[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE=""
-
-while [ -z "$YKFDE_CHALLENGE" ]; do
- echo " > Please provide the challenge."
- printf " Enter challenge: "
- if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi
- printf "\\n > Please repeat the challenge.\\n"
- printf " Enter challenge: "
- if [ "${DBG:-}" ]; then read -r YKFDE_CHALLENGE2; else read -r -s YKFDE_CHALLENGE2; fi
- if [ "$YKFDE_CHALLENGE" != "$YKFDE_CHALLENGE2" ]; then
- echo "WARNING: Challenges do not match. Try again."
- YKFDE_CHALLENGE=""
- fi
- [ "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"
- # if /NOT/ DBG, we need to output \n here.
- [ "${DBG:-}" ] || echo
-done
-
-if [ -z "$YKFDE_CHALLENGE" ]; then
- echo "ERROR: ykfde challenge is empty. Operation aborted."
- exit 1
-fi
-
-while [ -z "$YKFDE_RESPONSE" ]; do
- [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
- echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
- [ "${DBG:-}" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
-done
-
-if [ "$YKFDE_RESPONSE" ]; then
- if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
- YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE"
- else
- YKFDE_PASSPHRASE="$YKFDE_RESPONSE"
- fi
-fi
-
-if [ "$YKFDE_PASSPHRASE" ]; then
- [ "${DBG:-}" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'"
- printf '%s\n' "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@"
-else
- echo "ERROR: ykfde passphrase is empty. Operation aborted."
- exit 1
-fi
-
-echo " New LUKS device successfully formatted"
-
-exit 0
diff --git a/debian/DEBUILD/ykfde-0.1/ykfde-open b/debian/DEBUILD/ykfde-0.1/ykfde-open
deleted file mode 100644
index c87e15f..0000000
--- a/debian/DEBUILD/ykfde-0.1/ykfde-open
+++ /dev/null
@@ -1,207 +0,0 @@ -#!/bin/bash -p - -set -euo pipefail - -# sanitize environment -PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -YKFDE_LUKS_DEV="" -YKFDE_LUKS_KEYSLOT="" -YKFDE_LUKS_NAME="" -YKFDE_PRINT_ONLY="" -YKFDE_MOUNT="0" -DBG="" -YKFDE_SLOT_CHECK="" -YKFDE_CHALLENGE_SLOT="2" -YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_CHALLENGE="" -YKFDE_RESPONSE="" -YKFDE_PASSPHRASE="" -YKFDE_LUKS_OPTIONS="" -YKFDE_TEST_PASSPHRASE="" - -if [ -r /etc/ykfde.conf ]; then - # shellcheck source=ykfde.conf - . /etc/ykfde.conf -else - echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults." -fi - -while getopts ":d:s:n:pmtvh" opt; do - case "$opt" in - d) - YKFDE_LUKS_DEV="$OPTARG" - printf '%s\n' "INFO: Setting device to '$OPTARG'." - ;; - s) - if [ "$OPTARG" -gt -8 ] && [ "$OPTARG" -lt 8 ]; then - YKFDE_LUKS_KEYSLOT="$OPTARG" - printf '%s\n' "INFO: Setting LUKS keyslot to '$OPTARG'." - else - printf '%s\n' "ERROR: Chosen LUKS keyslot '$OPTARG' is invalid. Please choose valid LUKS keyslot number between '0-7'." - exit 1 - fi - ;; - n) - YKFDE_LUKS_NAME="$OPTARG" - printf '%s\n' "INFO: Setting name to '$OPTARG'." - ;; - p) - YKFDE_PRINT_ONLY=1 - echo "INFO: Showing cleartext ykfde passphrase without unlocking" - ;; - m) - YKFDE_MOUNT=1 - echo "INFO: Mounting device" - ;; - t) - YKFDE_TEST_PASSPHRASE="--test-passphrase" - echo "INFO: Testing LUKS passphrase" - ;; - v) - DBG=1 - echo "INFO: Debugging enabled" - ;; - h) - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -n : set the new encrypted volume name" - echo " -p : show cleartext ykfde passphrase without unlocking" - echo " -m : mount unlocked device (non root user only)" - echo " -t : test LUKS passphrase" - echo " -v : show input/output in cleartext" - echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" - echo - exit 0 - ;; - \?) 
- printf '%s\n' "ERROR: Invalid option: '-$OPTARG'" >&2 - echo - echo " -d : select an existing device" - echo " -s : select the LUKS keyslot" - echo " -n : set the new encrypted volume name" - echo " -p : show cleartext ykfde passphrase without unlocking" - echo " -m : mount unlocked device (non root user only)" - echo " -t : test LUKS passphrase" - echo " -v : show input/output in cleartext" - echo " [ -- --params ] : pass optional cryptsetup luksOpen parameters" - echo - exit 1 - ;; - esac -done - -shift "$((OPTIND - 1))" - -YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" -[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK" - -if [ "$YKFDE_SLOT_CHECK" != 1 ]; then - printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'" - exit 1 -fi - -if [ -z "$YKFDE_PRINT_ONLY" ]; then - if [ -z "$YKFDE_LUKS_DEV" ]; then - echo "ERROR: Device not selected. Please select an existing device using '-d' option, see 'ykfde-open -h' for help." - exit 1 - fi - if [ ! -e "$YKFDE_LUKS_DEV" ]; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' doesn't exist. Please select an existing device." - exit 1 - fi - if [ "$(id -u)" -eq 0 ]; then - if ! cryptsetup isLuks "$YKFDE_LUKS_DEV" "$@"; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." - exit 1 - fi - if [ -z "$YKFDE_LUKS_NAME" ]; then - printf '%s\n' "ERROR: Please set the new encrypted volume name using '-n' option, see 'ykfde-open -h' for help." - exit 1 - fi - fi - printf '%s\n' "WARNING: This script will try to open the '$YKFDE_LUKS_NAME' LUKS encrypted volume on drive '$YKFDE_LUKS_DEV' . If this is not what you intended, please abort." 
-fi - -if [ "$YKFDE_LUKS_KEYSLOT" ]; then - YKFDE_LUKS_KEYSLOT="--key-slot=$YKFDE_LUKS_KEYSLOT" -fi - -[ -z "$YKFDE_CHALLENGE" ] && YKFDE_CHALLENGE_PASSWORD_NEEDED=1 -[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" - -while [ -z "$YKFDE_CHALLENGE" ]; do - echo " > Please provide the challenge." - printf " Enter challenge: " - if [ "$DBG" ]; then read -r YKFDE_CHALLENGE; else read -r -s YKFDE_CHALLENGE; fi - YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" - # if /NOT/ DBG, we need to output \n here. - [ "$DBG" ] || echo -done - -while [ -z "$YKFDE_RESPONSE" ]; do - [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - echo " Remember to touch the device if necessary." - YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true - [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'" -done - -if [ "$YKFDE_RESPONSE" ]; then - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - YKFDE_PASSPHRASE="$YKFDE_CHALLENGE$YKFDE_RESPONSE" - else - YKFDE_PASSPHRASE="$YKFDE_RESPONSE" - fi -fi - -if [ "$YKFDE_PRINT_ONLY" ]; then - printf '%s\n' " > ykfde passphrase: $YKFDE_PASSPHRASE" - exit 0 -fi - -if [ "$YKFDE_TEST_PASSPHRASE" ]; then - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_TEST_PASSPHRASE $YKFDE_LUKS_DEV $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." 
- printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_TEST_PASSPHRASE" "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 - printf '%s\n' " Device successfully opened" - exit 0 -fi - -if [ "$(id -u)" -eq 0 ]; then - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'cryptsetup'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS $YKFDE_LUKS_KEYSLOT $*'..." || echo " > Decrypting with 'cryptsetup'..." - printf %s "$YKFDE_PASSPHRASE" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" "$YKFDE_LUKS_KEYSLOT" "$*" 2>&1 - printf '%s\n' " Device successfully opened as '/dev/mapper/$YKFDE_LUKS_NAME'" -elif ! command -v udisksctl >/dev/null 2>&1 || ! command -v expect >/dev/null 2>&1; then - printf '%s\n' "ERROR: At least one of required tools 'udisksctl' or 'expect' cannot be found. Please install 'udisks2' and 'expect' packages or use 'cryptsetup' by executing this script as 'root'." - exit 1 -elif [ ! -b "$YKFDE_LUKS_DEV" ]; then - # udisks doesn't work with regular file based devies - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a block device file. Please open it with 'cryptsetup' by executing this script as 'root'." - exit 1 -elif ! udisksctl info -b "$YKFDE_LUKS_DEV" | grep -iq 'crypto_LUKS'; then - printf '%s\n' "ERROR: Selected device '$YKFDE_LUKS_DEV' isn't a LUKS encrypted volume. Please select a valid device." - exit 1 -else - [ "$DBG" ] && printf '%s\n' " > Passing '$YKFDE_PASSPHRASE' to 'udisksctl'" - [ "$DBG" ] && printf '%s\n' " > Decrypting with 'udisksctl unlock -b '$YKFDE_LUKS_DEV''..." || echo " > Decrypting with 'udisksctl'..." 
- expect <( - cat <*z6p&I&TM zfsl&j=^}`^N$eyDWp)B^ZCM>!E%=2BXgAw!Xt%oUqi*{U@gFst6|$WRndQ`MA;Pb% zSSUDXwVre*jFRa#e|~X|*4E3y=U7@5vaa8PQx+O7MHgt4aZ#y#P#lApMHgi57AOXI zPq{GoWvUB35h=#u=Y*-R$iVBwm|S-ojTJ`?8vDhQO6{%XX+-)gXUJ?95M092oGEyI z@&-vfs6&(xcE>^lVvv2RB29ip?h8mA%(zpjoy&~nG)Bx%1ZynpgwNQ5Ol_Kyi0c_a znW#mPgp_V}%*nd&x?Kl$mt%lB?Ejr{9d=9q|GG#THJ5wluM@5zSMpD^g_M0^3UO+n zaEp=Nu?3vJ@12qHd9MX$2?AwUGGxSbE``QKAd@KOsZ zzR1*O405VTj&6f zZpu@JM;)@HV*G)EjEogliD&K>tORt(pSbU5c&=6Gmz z&~j?#RN+B$6b_$Q^MIfwD$I1<04YM%RC{9>j;rvtHy)1b@Nsy3esyyVAA6%w@A7&$ z7{k>F&aN)|!|UPICC+|=-sLU48(#LYJdhp?f>oj%b_B>Bbu0>C%-DnAPTp>=v7q>r zhnSIwty5<#v0w`IVL@VShk9!t3R8lzgVv$j=kk9-YaaQ&i%Tz_TfyZrXE! z#h9kP!Xoc>;~|jTUz(qA^%)^TVhb#ezxa)&%J`p1x0?_;HB1qk$BIVxRx&42+&?UQ zc^b6Uu73r1H-149w;+574JYLb<_J1y4b~-Q`^!o1y0g7%5nUM_3XZNPN_${{J#V)1~9Wzt9E7o>Ty437rlqsJq z54^n3Q#;d3`&|O8^teNiN5(sou~~KxqqqoV`Ilqk+r_%Q+j&}Zsf`2l?Y6gJv)=#O z_x;ZaNhhu?;HwjmqCtfCngP}QRu$aKCE&-MACK{+>%h-2BSa!C5{7kV7n^-xC*gCq^X8-HO!9xU4 zT@r#XQ21IF`TO3AnUHh59aW64Tf)GnKlWQcR^jA__S*hCZlJY_z%&hAoW1_w?fKy1 R!(g;m`46E>p>S3W001;)(qI4p diff --git a/debian/DEBUILD/ykfde_0.1.dsc b/debian/DEBUILD/ykfde_0.1.dsc deleted file mode 100644 index 53e48fa..0000000 --- a/debian/DEBUILD/ykfde_0.1.dsc +++ /dev/null 
@@ -1,20 +0,0 @@
-Format: 1.0
-Source: ykfde
-Binary: ykfde
-Architecture: all
-Version: 0.1
-Maintainer: Andrei Gherzan
-Homepage: https://github.com/agherzan/yubikey-full-disk-encryption
-Standards-Version: 4.1.4
-Build-Depends: debhelper (>= 11), dh-exec
-Package-List:
- ykfde deb admin optional arch=all
-Checksums-Sha1:
- e2c140d2c771a17b383edc362e9ec398ff2692d4 14121 ykfde_0.1.orig.tar.gz
- eaa145143495e32579e2faab0beac5ce664d0823 1463 ykfde_0.1.diff.gz
-Checksums-Sha256:
- 532afcc745f33a88369702a933911fbcee52f91b6b7ceb7d9bbeb43bf6193da6 14121 ykfde_0.1.orig.tar.gz
- f393949e5dac05027b7135f6f06206f06c5462b0f56afd241d95cc900158aafe 1463 ykfde_0.1.diff.gz
-Files:
- b5ff19097aad01c168678bd7630c412f 14121 ykfde_0.1.orig.tar.gz
- d3eaa050adf4cc317cb89b330ab7b38d 1463 ykfde_0.1.diff.gz
diff --git a/debian/DEBUILD/ykfde_0.1.orig.tar.gz b/debian/DEBUILD/ykfde_0.1.orig.tar.gz deleted file mode 100644 index fc49dcb42b357e6133e845ee39b110e1234a2296..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 14121 zcmV+^H`d4>iwFP!000001MFORa~n6Z_uum=@Tk0{$o24&L>-B@ik2vwC0TNb(q>)S z6ba6NH6gF3)}iJ9xSNTkY1L`u|Nn>-t}O^@#9t{qMKn$DjKD4L-THZ@Qhc58aw) zfAuv`!R_|`7X9zF4qL1G-)rpczhaHA&dG+)A6)-C>{BvwF2sVJC$7uR964iM--;Gt z>;%4H+)f?I!YKHcuwv$l2NCg!kc_i?J@1FzX&i_0q+XvpGpEKQYw9|F@>mO^N!{^n z@mLF|VI4=$#G=CP-+$|6?k>ptrT$*7JjWTp~N6;_7J# zW)}C^NU%i05XXoA;)r`=2@8UZn4Ltp`X~ru6rd#}h)uG&05QYQz-Lk7`^4Zv#=@%^ z##_PooJWGiQy#MmF;B(lPNTq_nJ3mdn2Vi;9+-vL3fOO#YWg7f)`04r*C zESW7L=K-YiAS6ytO<)()D?#mSpMd~f9*d~5OmG1st$?Hkd$JQNmi2|whIwEHF#o|3 z^LhmhN5Dp42h#Bz7hEhgB5=2fAjRCDiIKzo}jHv9Ynq$nbeD8kz+n`1q;UPG(Z8z(s;A_F$~67L13GF=7-&# zl<*i{n>M^QMfSR)Nvy2~^J08v24mCG&(gtXLOK(qY|}6FSiR{aao~X_EoJy~*eKXv z5P?vv)H~R2^SlF!+~Mh969=0(*i?hfY_QoJ^8)=3+)ub$Brd?Q;v(^uBJR=1B4rv` zpxn}wfo#tQCvjbv=BVEaOP)u8$8w7X8I2vw0VX052GRk3A?WOkVU&sXZIUw0bd;Ho zTBZ4ptN{EKjj!zSnFwc-a!O0th)Hiv{qpk^wogyD3i=&8lO%%RwqvEg7YJwX*;A2` zNf+V>M42q?=ETgY$1PJ%d9xtwNKZ6zqUrdiHp;@vUE7ISUBs5cd^IG<#*T}e3V3J2 zD|&-3Oni~<=}tm~gHZ|oED9-zz`mF-<_x3ldI(jLBcg?HiZY~`Cd?#vG_#qenyCe= z;7UHTxEntTz#CU-vp8Vl(UBB!HZp~~rMYX=%{VaAxtrNqUmy4Wavm@`#tim?+Bn*Ry+;I|djv+DBrDq94JCeAEC z{SeNp*}SSE*D%}rVAU`JpTYwKOtc2TCgjL+1&?C!NPkpUVrNyOGwIj};fiW@JP4G4 z@VbxO3qdc1l~0Dv*53X>n~yA8jE72kRUPK5teOV$DuOA_s#%t(vi-&qvjB8az^MQ+ zE#amKdObMylAMs!*2;91*&#=yVl8YX4ran9)H_GdOkppeQ(9q*QVUj4+<l|DcDgwAp0%Y}N7$)-~mF3bYhnK*3kR!=~xM{R4|u=d6W_5nX?^YM7k;>}j0)v!Q|+_u{A^95W` z|3`OF3PJ#P@Sz?7A&(-IJ3_%xl*A++OMr6(ux*`fAy5Q9M6)0PTuY&E6oAx}>T{aA zGVnx9u7J^K<_B}tu~>=ZE90j8K~x~-I#4irg8M2k1<_107YZH*(GqlVAw-Bd+jD@R zZm)ndj{*oDb|9o*j#FSuRLMBQ=|Vad=s5;e2r^zGSrrcsglO)7;lwewX3COiPSxWs z_He3Mdxwu>h>u7#O*_7=+CsE39U|Es7J0%-AhtnF4gwe3G>E6tKn`&Zy;fQ)z$bGTT`%m-ganM^-|9J6^&P@!x6f1h`76vHAc8BJ}umaETQdzg~S&N>595$(h_6UP=hH3OW;fn~9PA;JwIj4zO 
z<`Z#SH1U+XR^p~J5xctBv4>RQGhGyFvP;R2#Fz?FDU*Cl`HoT*3@fa<8&Cj%y1lAX zd1?)WkyP1VfNa~X3FHB$gt<|0{xpac_rI^}aoN|2gpi^ESB=V#r)S+9RFxV!6}4T+F` ziUrW%s`H^ce62cW5U#*Q*^t<>1-1l-Aa^`P0|`YSE?7oY!}oIG$Nce`iSEoZiDvzb zhz|0d@1$uNxTOrJmK$Wt$qG}kEQIZ$zmUfvM1_ies0j_Jxe9V1{0)#sR}2wTx|i%e z5|cDvWWBm)a{pn5Gpx`Fc6!*{8>B`&0AUWWrSm|4R!$0#*2^X_^P|d&aqOo%@r7#EtqJ^ry9u@W!T_s6M02X*hIJ{IV~r14CXOhuj==S2L`m~j zXnV5{Sa-=JQeCPbMr+&1ykvOwL&J1;k#=1`j*;*XNMrIM(2yJ3uXWn^RZQ};tNhm) zEtEl7IQa52R1&`K6>XC(;qm1QL>uFA0J!9<3loWM6eYe`5+vlIj)c90k@EnEWkM}| zk)p8#my=cubr9lW&!cNil_lvblJ=&U3zQ>lqbXvA;J-^JF!zdl>*cKjJrNKsY~$Z= zK!96gdyzkI@N7UU&)6U{efFJF^}vTnrgwaceL!sYt1DrfLRYL#Gw?tp(7*^!obn?p zJPgq%RU7ySvxV@&nOcXhx4$K9%^5pZ22Gx`rA_`4XX~NSrsZl5Eahv6Gt>xwO(Vd% zLCA<}UCQxbWgKGpbCx$Ti_>UU_x!j{mjKj*n&V9}$Nkc)2egYBWrxp9|D)t^X3h%e zXzP`Vr8G~6a)oGs28}KLtiZ?CKHVP7#i!yQBj zSwRF=8M}-B^n&t6(Ag521BGzK;F4^L4*Bx?NlWf}nt)h*5X&+lyzv4$#~ENzltt)< zbdfA}DAGU+^_df5`xQ+c!42*q_iPFPs*!4A8!l~d-Syv+U#zU1nR3<$bDfbtw!WYx3w2k8O6d**Wd&SBiJ;ziBqv^!-yhYeGR`C414Wyht@l~*l z(-sa$<4vhq8tQ(}f0@BP=SrKAbyIXdH4lpE^|oO)b*)vHU6Y1q3zp)hJl*K@onH4* z?eq}GVE$7FryfKdC=T)HM{}xFl~SWdBz^}#NX-2C(c4N7qn~n1ExMJLH#9kGaIEyn zZ#p07ngkx^f*maohv%EX>vb6IFpNGsw+!VpiS1zS=V=2a>vBoKWBC61`l1iRqlo{< z$4PBYk#Kn)X)=RKC(~1`P(;D{QX8u2!7s66rms#K#%T~PB4;vMRREb4WnZ6k+>zBRL?p42Q z0-H+5&l?L~3^g>8V!sT;BHGC3f=hNvy0U+979OFF<0|0RxIink$zVF=JbgpiD-9Ed%VW-zuXT96r z^%eYe&N^40*hTN^49XRUT09VsBIF%m7YZ4IxX~A4Y4P+@VOCAK;2sJ3>jWE`RNIHx zsG>`a6lo0C@tj!a$+hj&jF*1@EC2o<+H92gH97s--!c2l_doacTZgOP|7*8ee}4b( zxA^S*PkrP-mB{7PFd(xqQzQWkoluOqgLjIss$w?$mAJ9$i^>y2;SBJA^WM9`dGE6O zrnCZ0O6i#Qoy*Ja)jJrm_Gs|2)9-(OeRDRr>UPh%XPbufFRyR$x#5i2Ju7{)3ssVt zR7%VQ7}#Jxe2eDq8;l8S8n9CL=H~k5gne`cRtI3tD(vZF14vh8>=>16C7kgH39o64 z9oi+-xh_N_s4XPKZA-jaK5;W@u=v`xOU8Zvc-yv0><9LjzpxGRP@6J;T&JPuY<{_6 zflLhg)@b>E;rq z;B`T)sJM4^etq&XX6f#?+H+~^N>533Y31i{ySOZx*;aLvnXfMh3FoSJ_3mW(ro+k& zhw@Wb1W|l14udbbcg95^r@5#Oe%N{7aK&a#)oY4ngVzMeyPGw!rcn{3AP@2%p9+e`UME_ zkm<3k`;XqOVHEXpD^zo>Ts+__YuAT;oxOecrpcC0|JD{!^pMhKG63c+{30)Q+7{Ho 
zA>BU3hiaD<_*n5!OuHraGuwD}xs5}$(zR==PGq5#1ez`*Nz~+OziyQnYUGfa4;!|< z%=H&+8+)*YO)ocQ*BQ}`2a|v^a8!_n<>F1T{PhNIi;F$YD|Q@^h}=31!%^eKFzR>v z$?;$Qy)s?he6=;6{`Vgm&E|e<1^*p1_YeNWf4{{C@LwXM90M*RA^i1?P1uk;5|5%F zvcXunnZbZ4dED4A}#8i^24d6H0%VpFI8-6aUv;{vT|BU~?$)`~NGS=@g$K-y0_5<8=b~beV`QC!@6+$$1&M zDKQj!8jRIeCqsEG#d-mH%IO9RLFUyd>(!)g7fD@B&ZpRQo(M=a0K7{l_K7^PX2HX> zgcm-(Wp)4y(s6F-8+cHHEJXj1ft~()2CHWB&GpCI&ds}$e!Wsrsd}WZFFUI=j9iuV zG}U*&&;Pe~^=)lj$Nul^r#N2JN}@`dtTOD{ zRx*FwRz=_Uy59mafcY9w1-h-4I>0xwg+pj5B2K?Bex`wo6v? z7j1fS%dWG%b2dP`6Lpzo=vYLeHTo!KlN5di311RugZ{`Nab%NdZc@JHpV0LmT1iS} z4=Q)`$=)gby)2#78lLiY;$Lg^sy}Zs{4REW&S>~l;a=*n!ky}$(ZNG~ z1>qo*faHH!<(oH&rf?FEV*$6K34|2)Ok=B%$d;fo@1hwvUgm8pw9a|%saR5*!r;&( z8%ERKWu0{=H!Qk{28lQ>dB$5DnfzDY-Z@gLi0=AR>dQ1A8>$+TIsn?i(*#iZ;}|f zR5ZDvY_2}2a1c!j^Xvp_gBqlqPEforLnEsp4$*Wnix=q(pl|RVMqR^Fm7Sgi`N=IL#<>q%Q3=GXjZf-L*%pAoZE#Ve*1ST~_qPEl&2g&Sy=|U+44L0HORg|#{(Nz zF^JP`ruz;3M|PhOtYQGOaWc)E-`pc0vTDXWJAZTHOX9nEQUG3bVqe;Chk7YjEIHy(W$z19Tj_c(2ZP-rc z1vu|5d9RoIGR8M$(a&?|y(6($eAt>jg}m5Ma^RZIU3Xco{8{+2)l|7l7IJ57avp~^ z=goXRof-B|=GC9XtxbYS<6%vY+_6zp<1W10>?{utwtC1%03R%Ui&0pbos*U^{ID*m za`trBGEO1*X1R&6b@GkVMB7~K9AY>cb- zy3ST5#80sGkohM53qmRW12u%z;JE$j@Z_MowN93#(+Nkm*RXpG4O6)hCV84l^Us&Z zKOc1wvJb^p^cbxrteiILt47|f*ZDl zOc=DEZ6AN%f&CVVnk58y%P&^QX^3m?(W-<&`nZRv(3Fd|Yz_U2g#@Bh;pjn=2Xmq5 zI+y_QP28)}%fb1S_CB)6g)bmPPjAN1a+sOAX8N6lA3ow%{vG^yhE5{f2$v#up#AV@ z8q9{HSu#CU18CJg#)|NY7#k3lKIp-E{oUJ-p*qPtVpPg_gr~aNFObxlBc(C1GF}y{ zU3tDs`TV0WrRKwO%8BDwDmH0D?1Ulmp2`KB{aN@gvJV~-;9Uc4uz{KIp`$`lQhe^H#2mbii=@aT1{pxHw!C&8I52x%I|sS@Qt`wS^J&D+_+l7`zL~|(eSCS2CyIQzHs!K| zteL$l#0)0&+8$iOBj6S(!RH54fx>|h3Bv9hWDazAz8;`Qx<)0S%RDF$!p%H4Y_+pJ7N}4<0e?jXy|hTD^tZeH?5E8&2oi`HSKUa$&@El^ar!XPLv_dlZ<;%4=0(X2n178CDHe~W5>yxP_1 z;uaOzITo*K@ha|6bm2I-NpT(h4}W(B+!!}O%ZCM4yui;D@itTTxZZ63MVJ*5?w?%4 zgL5d1wgHJN{qM7A0;0iWtNCwZ8Sy(PGP|v_E*u6%lV~!4vjoB)%|z%SC`#pC|2OW| z@`4=oQ4-pL*b{IEDkpgU^0_r#CAK~pO4ziWPM>t2|U1ch^YW=ty8Y}vseqa{^H0+ zs@y9m7BlA-iV9sIzTE7Wt4abO(d_i_sM{efn8(6#lZFbzs#dsTn{;lZ50BlCvLB!& 
ztI0@o)hcJ3?swIZt2PT|OiGW^98K{KF&t~EXfAguNrLFr>NVmf;?%i#qs<`+9rIHE;isL&QH$v4d$ z&Lga|Z^6~Ds~2Qza|$ou&b~?t*z>%~=1Cmhs^*CtbGyvXt^Iwb+4V8^VkF^of$A2K zG|eg(5jAtGnJa5%Yndx-=2fytzd7QjIB&o);Fbpt$YGv11Wqzpaff>1QXW~0oC47X#zTG78%e{mUreN2vUS*DgRJ0OB`QO zuKg@QN@oDGe<;!-bvwN~{P@t2ZbfBF5pF!$D9X*JNS%*%;Uh}8+{>#Hx z?bB}ipUyR}`DM#7#}e?;QW2CQsu5n2qh%KTB8}8dKO2;EhA50)#Fc9BK^q*@e&rKx ze02ko6C4luC8YeTRzo07M{ZMJMTw9K9dbZIT+LV%C~e|*+A~TBag%rooS&_e4i;Tv zPes#CMSR|cJ#^*+cabkdSn^iE4WXKt%r>IbI2CHSxuzF)?mx!tg117IK1$zFXmlLA z>(KrXNQ?VedLEbmwF>lqXM0?)I%|ERoZ@ zqH~Q7kaH&7=I$eiMapxjOXL+%<`3JQAACiu;18h4HVQiWsnGO`=N8lN*tII+1uSYr z)Ow-tL8Jwdp=5yKj@|iUv|U~&^#!Jf2pUIsN%%$t9n{Xfiy8-IJ4-EEb?;rKwgP>6 ziQ1FOO>CqTeP?A*t=f$SSKNedBCpF9Xr8`Q_Y)fW?#X|zk9+@*P+Iq0N5TF7)8>=M z8Tk)hE#vvos7_KjX1oA~-Km4+2x83Rfo&Y|Q&GB%$ zg!uR!LwqEju@hD(w-`LKX_+^4W4jt-#rt3{I+vqs3fCdM_Or%vnUF|Mg+seS`&PxQ z>lJE#vk(fRn5kV%W_{NP&9asUPGF;II_8333=HJ%7!tQYkx1Bcig{(^o2n?hnV?A= zt}ot@StRPL{6@5s%}wJwWJSRxCd=1>$)fps#=p1#x#a<{TSQz-2i?MUjT6Kc!nZsufQy$#GmJv~ixozJ zQY-|7LMm2EK>kvQD9(0ZI-|N%hnpU}U4U#=Yr)2^W=?XenUkg1M9?TkNfD8UM>6bu z*==PxC-N*}rcBV*EjteN+e4;gyw~y|XnaSf`MyKE@FgV6r$Mr0n)S7yh%A9UZtE<( z1orR)d-x@Xtcd1{+)DT|JOBfh3t-_K;6I~tZc%YNu?$)3$0Z@**-!N%P$jIinsv^c zQ|BGAN{Gtb&RrD11h0VeQA~s^XgOCR%glo+$rX#f;t}=^C7E8DFND7NYZ>pHVddgk z=pp>R$De=zEn7`jeiD(Q9?9sMcmmb|>y67;tR4H#O38!2yU7ZUZrf9aA_RtACu@8a z_mBd{va+h4$KT?0lrhdJN^5868$L_)X-9;QmHAp_GT~6!RG3+G%7NtO5M!i8VbDxQ zJp}-YBBmCcea_~deO5#ds-p}>SLPFJ5?{=&q6v>sc^0MOz!0aoy|wtkg1c0RWLSaf zB9fm69{i=dbigBHe(;08uQ&dWkvm^)@QbK$L?6pv3$UbM$e+67>A8BR4NvzZS8!op zW}3Xfwx!9C;vQd^&nqN!^x%N={CWGIN9~v0&dcMyqi*mG9r*^s7`1V=Cj32)t`p`X zC^NXhHv~>}I*fj0O}gC`WV3ftqx?Y8vKz=D1OtAw*SCrFuKh=A{pr&F z;~^g8Q=7pz-|-#vY&N*+_v176`rz=iv-kbMR`V@mHAe3leh@+fsk2VbV0)Oc{ccC4 zN84Y#U<7VCxWJ?N+fWrwp&Oa|)ObioS%th%VOg)K}9>5kjmJFnXHVSjGgN>6hQUK@m~t7)w`PY z<1JlagSVYA{R;MAIhvcumfoQ%Lv#=vcana5&cvWuWEf;V!yH&fl?w$$$>8YJga1-U zp7aOjBCw}tG=depaM}!3zNs5wr;Ju?!S%#{||gJ`#=1{HtwI4?DGfT z|Fh#yZ|=2@0{;J`^{vbQpR_iX{yz`$Sn=O)?Uch=jDW52*&+fXbj%TbQPhziau*TK 
z`Qpih!A!6Xyd!SAPPx^cG>1APoq;dHxN`&g5z#RPy3VMNe?M9h-Ys$YcwFjqh939CCr;TpxJ81n1=pM*?4-1)9kbd zKc{h}D&5`sSEwecR8t1!U-WvXX+0g)n@;a40<1)#J3P~gJ1qKQDEkG)^UN>;aqc@p zA#z`GHH*`$&U((i@ehIpO^}ThjpaDlNl!O6ct0oSJ(kYK7zWq9Sb}ZD^|VRj$pB%& z@Q!+t(mH|yau$L})tF9i8a!hoEJ!*_&va5zCsL>pk>&N7VMTB*x(O0uZ@@pI_iRf7 zr<>i>rgegU0@NU_u^Z0W4+$O3&d4g!d-zV^Xyo~_eR8Z#zqGZ%N40INXumOMfT+cC z>}8?`lue%H`gYp80J7=L$Q!EY^fH>njq_15O&i_rZeu6@PxRxg6D4VVIz6}RFlJ*x zwoFwx5f4C* zKs19{EaAUo`j5+V;ypf&{};{3`>vxv{(p?ZzU%+hda{)NAL3bASz#}2VH&R%g@49`Yabj66*5XmU15hgLKgkhDt|MReI z+&)zT`AkPt8uv@Ut#eo>@JF_K-2UH_z2o-IDns~2glCG$XGWLI3x!v7eYrh@?E>1+ z<2I;t|3ipLX1Ie&b9cLnE%4cUt*{d;=v9==_z^*t0^1VQZIsgTmy-1sYf`b6G4Ac{ zX%UI-Xe2`4aUcbT5R>S73nhfDu+DabOBQwqzR1$1T->O8`Mvt~zU-Ov&5ZQ)|3EJ@5d3$BR-;X zEDhkNG6%a=#^9<#3kw3v@!C6*jb?O?)^^IY{!?nToDiX$o#Hm4S>;uHJ{7gmCA`yw zGL(cM-U6P7?we(hVO&j7Dv+gcEjG?>YO~p(FKrf7Dd8tKOn6~JF^9r3|LTTY>X&OZ zV$!%9^rA^W%^0@OZ0;WKy+V&sE>6}zjT+@7>DEmY9&q0^L@k8LNE08eVu9Frh*P=j z8hmm42N1C`Q_xyG8^+@Cf__+a!`?7T`jitfOsNw%a0W^-V(qN4um)>&7=x6`$}mv| z!vW0EY~7F7eJgh!I>}sO_`KKVFG|1~C2rL;L~BGM5`J(Bnjozi7 zLHmCf{eKI7U+VuK;&I2H{|)Q!9_uI=|K{VT8U6p0Z<|Z`{~;cs|3~dVhkgixqvJM+ z-dkLejFxU8M(>R$@h_=@auOIzJSpMslXHKmDINPohN}68R>pJB(Pz&B^4UYsDy`Yk zx<#^jq!5KUNSH02r=2WA!bL29q8S{Tdy{hkva()PUW0NSVPAm=+z39VEyVIo` zcmbGZB?ze$2fV?|i+iA2;n=^V8WGWa?xy6=fCZ=%x3Kr}*Jc1Sms@;f5Ya(!$) z`gAp{z#Q?w zump2_7%)c#ph#+S>*mZ%>v$K-D;?Mf$5+u!%@3NWu9sc7M7r-Vp%M|z7dHp{7GgTY z*g5zQkFhFlA?RirSfl)f2UKFYz=hZ%Bs0AXy-0@IHPh;yW{@!|SEz8M_04e3XZC^} z#}RSOJX?Z#_%)j|h_O)y4djoRjBtUX&Vk}f@B-JQoA4MNP*6F6*McJUgoyXVDiNH( zM;D|6;L0^Rm_4c%m;@1@ff;@o;Wc_jWs5n~oo> za(Z%op3HfNmi>pjfmwEdFL<$D|8V7Pp&YNo(9mxc>=bi=x zekGGD1T6X33a+a4&2pcfqZG6A2v`>Rth!~Ile5Lbwo>rR7#(FrZJFG`-zB5#WQ`3j z66A#!^|=+2WH0{^CN0#F5=AP5_*DUMeRTCcJ{4-?jCVyf1NLe*;V}z+YsU4;c4jhb zL`lDqnMR`t@jEm4npiekRVkZqtViw2&o>an&BGX+F!zC5vRo_+z02wTSU}wym=Ucr zJdLB6H7)mcFW+NcS6|_gEQ%1AwmFF|rmW?6$=8<-)Os&8hJU|&B2EL+y^Sm$NXMV& z0fmv!6@CeBH||(h+#al=Mz}G`>?-f0$pAO1N?Ii>6VJS=`#0l!rUQp2n1g48&tX`a 
zaSmFlh|j>LBLs|*Nn8)YYN&14rf9`-nqd4q`75D+N!R+YBwyn=#`9*1j@hl@a;H<& z39}VdN+U1-rfEwxI(I!&Lt||Fqf_8R&^1cJz;BBDQl%n)XMaJ=o`9*a*2L$o31^Vt z1qgYdKj^aq8T2;p<03OB(K?C)jPu<`VPK5cZ^*tvOEwv+iWPm`VPHvlt~rzoZaFXp zLRoI&8GDv;*~Fhqbq~+3Ys1cR-aQk zRYqQxn3HM9A`#PXMT;d?nA=14?w6g@w9TS#4*C7Grc$w@+pT$fhhof$%bLC$jQLcG zQH;zISkLfdvq9R?k>El2+!A-B7I+WmmL7BzHwyd0M;ii!D~jaGx!?ZH6gYFxT{84$@m)Mgge)cgxfL#p7nwzlMLrYLUcVV~isQ^5 zw>u|yJRVq`W)f6{lpumpa!D3#0mu(n^zMQMi7cX%>z7Z(g;0G+bRa`1{XNiA4_^3C&dhypM_r1u>nJs@%j=$9r%<00YQ@IF zIZ%LJceb$nMffVBP%DcT&&W7j@dzHUc5&kL7Net|8J)Mg4bt$=Bleoa6;{G&pdAy0 zxW$J-%UoGLY>Qwrtb=gFClSMbmBkjyQTv6trJknKiKk?IZ3!y!dmm1Hh`?axk?*`2 zlJlN7llk7xNS$NYpF3}O;uVg-&5b7rnJQ9v1*2YXHknX$qD+e6g`crF^@mk$ob+V^ z@vHS25^>2_ zGwFeZQ4ax17{@IkK{_)-Z3p&ea}JotFFgVdiDu`+DM_YdHKSeCs>|6O39rIsd`P-k zQpK&w*|V8xa#drP<^h<7*5)r$=V=PmX03MWIRuL>rA&KD+1iV9c6Hy%Yzj$jzT?Tg z_nPIIQA<=$nSJG?F?+}AAC_sewKA;zB#VI=W(efP)C|3jYL+}TWV6`4#kt6OeIx$} z08dxKsQ8XIgdrLC6=Paqdb`Ibt5=hnfKNhobQWy(Fqc(@EQ0M=jP6)`Mp*cGlWEp% z4mXOdqO*-h7F9#z1*LT7LOwdBIZ1tu`9z4y`#B8B>E^B?Yu{GA;;;dWahtPh-cEBL zc$V%WydA71-$Na#<1=Af7I%ja(bA!=Y&p$xsgo;olDYi$vyU6!)PGB3$0^PmzlR(< z|3DPz;fl0vKAn(LM5bDINAs28%_HxDzIJalH~yDnFLf_<6yZNL*PlA}KO0Y*%lKap z@~kk9ElxHEml4LgC+F3Od}zpCK*WEpQ%G0&7kaClPvV%Rqx0!?G>M-PP?~yygo?=)3?D+%ndx@X5c4GVxC%r+OZY87Om;-*MTU=!WGxH*z2HWVxVZRDqcX(lMgYL~Z z-hv%8y&O%0_OEfTgU7)wW!8n*1@A!wzfKWnFvp?a`YSkqg12g|b*N^Kqr$umwyy>e z(B*H^SH8(DpWMgY|Ka2?jP5xCc)|X^@%Tx`{(pTL|NCK{uOa^9f{__lY-`ic5~1-o z6LK-zbGHa&^Z|Nuv-WWr%;>&?87&;P#b=eVOIt3Xu(R7oVEIEvNYNAcexjtvYTvv` zG?fz&&Z4P9Btk9UKb@^YLR%&fji;+Is=WKQ<%^P~w;xF{qOsFtBkbxr>!K6&MKnl+ zQo*Z3C1P@nVSIDt3xu69b~!urjBEL8&sfo4R!lMONv`o9&{ZG(rR(f)91E*$Q=M&W z4GYJ)nZGIj0b|`1cE}$!-c4={nj*e_%P1vI0gD9r5WEcCNo=XdT1bYe;w@H^n!E?` nwPgrwh4xF1XZb9joag@m&dZqW02l!P^`ocy 
diff --git a/debian/DEBUILD/ykfde_0.1_all.deb b/debian/DEBUILD/ykfde_0.1_all.deb deleted file mode 100644 index 7e1b764b80e5d36dfa19331bf4f38eb7a6401e18..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13564 zcmbu_Q*bU&+aBQ9w#^;mO?K=Z+qSb~TW@UJwsvgWwrxB8+WzfydeVd5vu4da2hTda zX4c%KyoQd(7W{A~rbd>AwhTs=wuX)#BqSs(9PBJy8~`?E00{~6f9C&nvoJGru(Okp z{O9~v4B%K9ncY@HqLY#5yl9U0v{|KIy89321kgaOBM%2nfXSa?>A(-W~*h z1yWEfkpG#8O?KH`>K`ahT@Y;eP68j$gNaK~ z+UiY`71X2ddau}bOl8fiylhPK~-EKXm8h4hr z5^q=On}%irtic*uOwEoY3wawZHilKj-m20EAhcGg0@vA#SWj|pcc%(vSWP9MI6 zy!xIBhGQt(f+g9ugzd=uZ{9pi?fksah>0T81y(K6T;AslaS6son;Jn6yt!5NtB70~ zN5QwcMRRTzfBURZW7UfBWjVR*8XAkyHc!D_v^~XEAAH&!a4}aGaq0|#*9{Z+;01l0 z=`@5;vjCqRf5IDrvr6(9U~3Rs^(rH&dD5PY`Q<^s!$)_00ls0PL-U%K`z{*AumG-Y zh>Nmfn!LD#jHpn4-+sUWcij&c$1h*f0@#jIj@a};MybFh{fqEb0%xrbdU}HLanb0z z@sbPJ;8X1x-lDPJaaoXmSe3}YZ=W-t`r(9O@MNgPPk>r0wZm_Hhh2|hs)9TVx66)~ ztd!MiZ_pL)@NyoI0lEbWes>#WYa`;$1K=#{QTF;ja!?##d7|xBs|A7$4lRiT2u@^3 z)$^`tglZXfSGHwtP=d~%Vyaoq`&STuv^NBB=G!K!Fs65j6ol*?Y=uVD;`Z-dIfczB zCrO(=C2$ZNDvLUL%8$36Lid^ejdy`1ZHChpFAJepeSn0AsL}H^V|(+s;sTRH-TXDJ zdspOC4)0XNfQb@fv2Y`GkC!VuWl24YJ|XmW30D>GCaBP6%RBSzzAVCBXz8h3veX3#u)!AlpUJ1W^Fz7F2cdXa2==-kk-rI+ z=mbB#`+PO_tAZ9W(iUlE9-T7)%wF=XHyKGENJ8N!oT?K$wy+c=R>gF^UY&`KNd=ZLXdkvh0QCw*0KDzp=sTH74k>HeU@a^r;_ZyHiFvXsjHVn)K z?4iqIFqQ^~5)X%uE);_|DVQFY+Ye52Vu;L!q;dBcTEqp-_lq#FMA#Zfz%g6DKLJjHH|hLfWy3HJgps zBJ4LY`k;e!S#F~_?zbYJrQ9#~G@4Dkk{82g-;7eXj(3P{ zaNdtPNx?w7oPUmc(%h4alC=OIBxb#yP*PI}t0}32Ry&HmYOy>>Xs$&&cffl(3U~7B zB<7Ho8o*R|4@-<~zcdpb$z0MAG+bb+Pdx}|v;4F6Wy?WVS*f?$h~Dele#>$DA4ZO? 
zErb#iQQ<*AH~wP_2uO!)+fV(V`3Km4Ck8@O%f!&x@PEVgAJzU}_OY;VGXMS``u*Q_ zeQNpdg8y&4pfyPOc5i+dod199a?vYM*ztQA5KvIjT~f`%bH4Hf!!y6rJ%Z0=Ob=l2 z8rB_I`{b8rv0r3@vKGZ%$Q?M_fu9-)0rIAIy*dx%J=OTyQjlaFLWw2WG@xXg?wJ%; zYj^?)Q+y>jV8_tmgx#(d9;&`{9V;*Vk+`FUXR4v06q5Sh{MVJGM9bwJHATu9rN(PX zgu!e{P!4O+?D!fa(u;A@zGTZ@@Rm=-se`^6Oc$IUgA3N;k^6S&^HbKg5GVSLx|>~yU%_6rqe?jVd-#7ufNsO6}{-5?`+LL4eIo$*7|SlOJb z;uu02i@%TjfG8zEUhRD=cL%rnOAvooW8-i}R~JR_rGYoed=zFb5;ddc;H8QjLRwoaA!hs|YA^+SgQqG3WseO)hCUXnHZmy*F->Z(N7_eK(ki$t${ke^q7O{oe zg_tM5f7*@e)Mi~|AoGv2Ze&LQk==vd-GdA?VIM0n(*l9a8<*|@a#*Eev31G&W?g%I zRpQ(ajh@1vngBvFBjOIKr(ZnwTSDq2(dcB+pZCC_l=ea1)V49(!>jd+w00}jafuPM z=WeTvMcL7c6~rYMK^+L{33427Z%M~CDJ1n8K*LAwiwxCMFp^eBgBon(|1ldM4ur;_ zjP}AV2gKW7LC@ma zWX=kzUg6VmyaBUxg^p=nw1i(hncYAPsoj3m1Sb3rTid6cF$ zMc!XXoK(GNo8dY>y2*|9ve8O%lg+Iz6o(_X^lnFFz8iB%gVs9!?E{j!FCN29&8u>c z193jeS}g;EO}xb+3__L|LpW7xu1wRj653FB-V?+p_cDyx^W|K7++ec!hf}DdZy=Ih zdA`FF3oIA1!M~;fzoBf3X^=a+eiDbH8mT{9z#6{LO%9KjudN9ek)`ARZg|f`73+}c zgYdBQ|7c6^b``e7+3tkb|H5%qE6fqIa-{A=1IJ5Xwu$0&h}-l(u$%b3)o)*snjA7L z`sdeWvtCjViJ&cAe8RT_Xs3qM}^3Y5@yS4PmqWrks2zQU?RNjbZjrdfSk8@ z-?JXIQrqZ}2BP$L^Sq*EoYY$`ss%_7*#d;|o9kCWwka!YWi*cmN(?9`L7m{7-ef}H z6P$~ERQxbORA55C-6jGucR4=w{S;buC^`ZH)2p{D{<11lfUx2BD?t%mx!f= zG8(q6OXwsBCgj=mab4d}2#ZfrmZ_l@I*7 zP!=T#6ZF+H;d;W-c-Y@csI^rN#Y&-aq8E*GT06?fv0v3cr(!9d^}gJv^6@An-HCj_ zq=h~b0BiXeXpkF-UJi~pzFT(GZo;1yMhK=&lIMa_OYK;^Gm7mM|J+)J>a?q_Fn(?C zrjSb-qRn2@-1;)@BZ7CUN8rDlKi0?5Vw|evzS(VJeMw|Q`H>;8jTVlB*U#ZaV<9)6 z7rdt=J@;E0-D@YhnZ(9c9N#NxQG65h5`c1YS!55B-sK}V${r~^DMrB4g1Lso;&?GZ z3k_`@!dqODzo%EjR=c5~MvmcV4&)@4@39S1F<(F9z&9&y@e@Hw*eh7JQJnE|&I^j8 z$WZ4Jo<@Lt9oJhWouY(k8RzRd5%2u{`J0!D?gZida^fDL%qo-4DHf~AS4;1BZj<2s z5Z#L}TpI+fcHQWpKT6DALdo;|PNq|( z%gvkO$)uj83Zopy6(Q`)5!$}?TH4fALRJ(pi4nv)0lt6KA$gFB6Gq)s}i63b}9+n~9Z8~(z849`Nb?PV>Ti-k@ zRW#Ar{;-O@&5TDE@ph-8nCuhpCw@NvA_t~`q$adL&t^Fb_gR#yZI5hf@*T6p&2kZ2 z!hrX~N&MUd_|Yx&@^~G__z^-;pK+)b{l!n)osz4?$I42hDR6_a_0QZhp_o<4EcjOA zkr)lO2vV0P03{ILVxZdy6psyV1-Spsxc>R8hJ$wWHRv9@fVoK1iVksBynI1HIT*o- 
zn!0*{GlP*IR8olycR~2k)+Zhg#t?=fRv%OtGlY|YxNY_w#p`cJ^Dr<^wh2GxeG2Qs z>bLV6%GpzVT|^_Mn^sbji`M>f)W@#W^z(z>-l$+nt20dcj@wV38YvQIusdMk3qE^j ziOvZ}`&3p#RZrT*cpr7bZTa<|=T<3m{4>t3&ZElD9(=!2TtMaO00kEq;;nBI?ra9ItUO8`I74|=gvfdyaz-J!THL+ZDUXlD3{NCL4~T5&M(FG zD|pNl^%EhfE7JOxPt)}~+xVG*p8?MDHMn2O3xu}^#t9*=Bxz?s*tzrJ6KJ=38Y+}k zaHSX9@d^{LkjcsDRJRD8!UgH(7Ir!AQ z(67VfNa&HTnjl=G22_!M_&U4z(DsZbAcd*vh){s*bWBc5_m;5_THgCA zx>iN|&Apnn^hE`dc9y3VR?7OFl*sXVEQLoCI^)D#+gji^5aC|=|3z>Nmo#Urwft`^^HzVc}epC*!GvV&qE>FL80MK=FAdxgS!rDHpZKv}xwl@GzREN_+Be2IiLLGLx8yDW$P%QY7+crA43$vmJu{k2|CdP1#F znLBeHhq5t(1RtXWsl^|2+O+uZF#{jU5f~nJzyObb`LZFi>u2-ZUD1iaP_ttQ&INh? zTQ9FKCw8peLIyP9%`{+YM89|XI^uwchgKF2eZ6{v*HDWy_@$q1HE1Izf2DP9$2cZ( z;>%0e!9oumqS^>=J;6LlTucnPE?=UX%k*w74>ssQob04;&cFWJhWW+thf%j<_R{dU z;C{^}8T-A&if8LX9bFIr(kZ$y-z2)BC&M9T=C+{3GxkcIn+1w=;YjJ6@-}5n2N_b@ zr2>P|PD4&5ZQG_gg-p}G>ZrKSk~5+vxrc${_S_)2x`4W3Sv0`6JaIp#cYg=KBdRt? z;)qGw#2Uf)B3Jy zgmd;I+7c=0|nv`0ac)OuJDoe2Mi%>`(=aGxhX z22bui_g#%jv5t2h{RZy(Xx@EQ#J@uBU;3jCG82bfvw2W1-e&7dFWT9R8DNcHf19nx$vK3G5=cY6?-O0{|H{ixTw83l(D5n;Det+ zUiIHpUVdpU0F+KNS5)3S@#>$_bjj_W0VRp}SD%!GdUS|{?_mRU8TPERu*ophh!K!P z4WSzUT*!>dV-E4#AV;S^IUyhLyGH40Dx0$9EXX7h9u~4>s5|> zCt9zWLt{&Pik7ETRoK?LSlgYsE0ER>irRx!Mn4&Q)*Ly3ne0^*fh&q$E?|$+7wJ`D zW5P%Ut%%A5OQtCb7r7LqlpFuVJ6jz_P6csIi92f-p0N2mcMEdEmVTcFGIg}`O1oW% z@Eu<_oV<0`F2?7iJT1wTrf*-VS9`1f{J=t7ULb8+7Zf#h{%RgSZ<+9GQbcn%&$=KE zeaXmg^JI$R>-5#nfM-&W211@fG@4ETL=vlladAD{Y5m?3Eg>V=*X)J7BaPFjV^rL% zT4ow7P5e9JWxoSZt?1G8T~~GUI+n9&Hi!q$}uW=p&K|jUP#5{Y1d}!i|7r>%%OwBTsIRFU3q%0It((@C7*#@p0b>N8& z{1+CN(#bP$Kk5OVe?&(1-KS();_U!0X8 zpq+iU7T-wmdZN&(B<_AucQZi^0#UYH0-SFJ+WB~CE$YDI{52RNv(eCY-GrylVpa32 z&+_jpnyon>r`aecY_9eVBMbpqqV2rOip@Q>yAs(s&Wv>qKHJ!ekPm_2Sn4G`_sA8~#*>0;^o(UBR!hyA`Zo z*iG)pWH7D7X}y*x3nKMmgkzG%SvuIQe*WKygSS#$k4h|l4u(v<+ti8KmwC?;btg3# z3rUp-#uL#y!a-W#`YsyHnF%mVL3w}*kO-XfXAE=x~}AV&cdyYDOHIt0rxs zMWqP%589>BiX2F)QaDg}IB_uFk!-}nV<`I`XsOcn8eaBex@avN&RX3gb;qr11I)d? 
zYCjgd{)?8{sHHl0AJ$cHr!!|W%a0eP5gH7l)-Hr7#HL-h&*R&rwuhBR=8cATz_vyGDu2?0WSo6NoR8g@Lkvnj-8F}Zi>Qj8o4G^T&4t8 z#84hq*fj{wmqvc35K)@WdtuoKsq0Wzror(=W_*^g{!mtI%HsLmIQ1CC93^I_-U7kZ zLE2Qk#hJzU8{d>d+LWA76-JC6CZvRd$Qnd0lRp*z*E=4LoB#pI6^T*dY-mC92@C4} zc?(40Fer+_xk|{}7370bi1x_E6PjJi41kndrW;l$sYD^Du$;+X?JL8f!5j9KNY?Oz z%8m!R=5T}>K@VUSHZDV}`LQXJ?thlMEPzt9QzU8d`;Svu@PY2<=nB>gFaTXYGGHG? zFHm5SCP(wlGdEdE1Zofg6Ush$E~FQB+6l8H(d~X>LFiwbKX|SO`GUU&-Ndtl2E!X$ z1~bB1E8g-+rW2!=-@e#v5c#+vzpLSOdcRW4PWoO@PsBW~#uO@ms!R9BFx|@-ffWEfP z3c)|#T3?1M+=PYU+^eYs59&A24}*B>LT($%$l7%kq( z-({(~!n-E0D>X71gHMff7bKZhM-^gFhn1**6rCgkjtc{A%4FGR{(#}wtqc>~q!4Xb z&pDh)_jgo#$}N9NNatu+clcL2wf%rmi<_kQa88Nc`py(GK2a}-((WXqw8cld=v>!| zsK_TK0zC62RZN~_1a!?n&BRcU_ts`E;>dw~jbJ3~vlry_sR;w#Yg|CLC!r<_13eaj z2(0Jqu2bWU03}L}?DT%pK<5wjO6V29%r)J0cS})M1xrp+;H~jA?#Jr{44){ zg}x<$|HN=QT_^~6FYlz*nAXKL5tXJ%1@-?lPY`W+@Dr0!i7y5Hg*R|UU;v-c$}olr zPG~OltF^|k)T#~eRFvCJUgq6wa)Ejq!|*yO*+m1$XZXv#pfHEsOA&3*q+JO&M5yCO zUJwPpFfFgABS~!IF12RNln4j5z@-fcV$vdZ2d_44$3<&MOnKl!WrLuFH974my;U|( zLvp;N1Z?4xx>gyV3bsy~@d>jUhH+iTLac3|_lxq>R(u`81ScFvj+Zgpyi9ExJLqOJ zS>sH7+@eO)4C4$Mh=p`VC@m^Suh3}gj(iQ&ll+8#HtS|^gxd0(+1nVev4T~e$SDW zC7nFvYZ3w#hn#0P=7ow;OA>M_mt1&bqG4pHwp`tzWUckLZ%GZkfVVS3T)h(+yhNUZO7&Q5pY= z!jR^0K^6A`xy)=`a+$8me#S3agt%Ln*Pwax!3&=5>=ve9mt-Qx*wk z2Mi&h>fir}p_e*$8{f}S1RSfZbIgBin&2JQA8TfpQcu$^jwC8Prt>nM-L1o*r{?t7 z#z}pP5W#*8%qR^@glbsC_nWKTM3CY@X%R!DiBy)FW&>kYc$>qGI;51Tw%2U($d2lBRS7xTjR+6rwgHm^?q*N(b_1 zYv!l?y~%M>z5#0pXm?|88ICJVz(9--Z ziFgYCIh}jx9rH%kVgJ>O7TG$Udmnf9hs%+6hR1`<8aWVQ1I#7hQL|^*;`bMkX4jYP zXjmtdt)wO5WRl~B2e?S`y?^8?K#O~QZZ79eC3phtN@V#NqBrjr}|AGqs2zS zpaYe^G5+bg1fqVfvwO)GRs$S9h}bFV;HbyV&g8Z?Aut+6krCAcJ$=|4GxK#e!z;Ri$;MkQA4YU#v>k$S1=*sCtRjqm}P3qaxxK_KYSGi}|Rz7Q0 z`YNJ=PKQx>V#mtK%=xU7$?eF*pm_FBAP7Nn)#Llu5{yC&Q`TK^mJ4rh7rzE+?`6rW zJ}X?67k3&B-@1W%<-=2}<=urZG-faY)|n(v-%Q>@mQH|M#8${HM! 
zddcv(oV=WC6tgqg2wUDdry4E3Ef(4T&hj^9>#A^*Ar5IBVJav>5It~CQ_vv8TO=t{ zdN*m7p^EK>N`L`Ne)me@`!`YmAC8w=^I4xs{V9&fKhn>I7G;a#12ptbSIr2txrP~^0p?M?5yQ={Ril~n_Ap2&HR z9Zp`3{RhlQWHfbXj%X>onY}121UGte`>e~pqP3!1ip?U}^I`72QwGv-f>(PrfzyNG zy;wb$=3<|Hm0i9r452l?gLx1~+*Bgn!6dxY`3d!&zO;9mpAd90%HSM`iV#dT!G#7n zhRJPo;z;Wv&U5B8q*z3Cn3rlDPT>4-C(UIu*78R`bU^Canq|}t(bKG`M<8C;S$3sS zTYtfkgzX9`zSGFswVNW~mUS5zBF*1fqzsZR)$(#m&B=M=w#C)DU-%fP60W6dx-T~% z<|K*X^?LtNc;l2ezl0mB)3*jOU)8w)K&xNgM3rNiIY`_xM`pg{U^P`v6<^*h^4!Bl z8c}22i(u1Pg&-`;*HP8p<_OnMWSP7&uDp{=%)8+%y|5j3xlb>&!BZExgpnr?7n)LQ z_D_d5LEWrdq(dFV$QcmFu9~ewUS4+XQo9?^f$ zABL$jM-ID8RKQOCUGB_iGuA2ar=25K2al|0Go9vo)GjCjvb8HF&VW1o&Otw^cbj#2 zdm-@E)4mGlm&8em3oHZGv8i1bpB)clFo;XMYDmLm|LWYd5{8?|t>b3>W0BQg^F^ zzb(R2k+z_9+lwMKZdunm=Y@YtpGt@0EQg|*67Kwf!BWk1E~JXUC?~#`t6w;VtLEAl z_M(gwNg214DwitcD0iOk$P|U$n@F(fX(drNobM|P*=r$4`%G6c>P1kgIT)gvvy69F zlAdu`vJ|E@#NdHkyM>~~*j=8YtCvHwhBGD1i9C_iBK;W5;O%U_Vo%n!9Z$*QC6E~p z@IBBAG;8?a9{}JY{g<@dj9}>s6cwRqrqj6(dBy+r&z93h5rIGu!nJAF>r)q!^<(;c zedv)0nmK>#X*SIBC68_z;+Of-b~P0Sh%-*S**H$XLgw2FVbfrP#cT88zC#^-Hz3m9^b4UFhsTbe903f`BEs^;dgIp9PMf9 z{Zrhk>C7IV^@0hxy8S!)D_o=s#YRU2bJ@1>_H@YU0@U+?-ox6M?C#)yQ#RskNU;8F z*#($E+t!;eMGW7sqGk;7DYS}5gky4gi4C&|xJ3>Te=37o3k{(PweO5Sft?bVs+dF* zkhV1RyX7b_YoVOF>|>|A<-0pc#@Q^Qz}St_q+1+i05i_6h&it>cs41$}VkMbYdg%TAMFd#*Gm>~|iH6JFBJTPwfy zwBL=d2;jzUPz%T6D8yI7Ro{PXH_EnOBqXiWfP$tAsiZ@tzEd3*6<56m7 zy$$cgK9!B%}t`8;(W$%i({*Q3KFRmGZRw(Z!R4H4A$7QxcqnO;t?qrc!5HY>> zik5wD>C(ez|{tp{iim zBO5X+>??q%Ni@%lGoy70`oI8A17*$ev62Jo1f@a_k`q*7vEr-c$OL#*jJZ%5fUcSF zeOGZOC-@N zM7+B2RZ^g|mxvdH5kYmR6)?LImHq>{;Qu%|pj?(?cMN>nYRlwHSBbF2 z_!#vmkZu0N43Gx>Chz@@{JYxU#2dk5>Kk!XaFvk{r5>oSX?2F+I)@REegyaaubNUY zc78S$-o8ipnWmm&#<3OsHaQ62`o0FnUbc{%VF5V_qLq8-HsMI$AK&8(YTBMfwh9^D zr~YKtqzfJaNr_vN?3ZE%i)-IyLXTvZ8$7 zow);cr4e-wgQ;-dQC}*(@Da3bbHFC^2a)fxQJD0g9yF9ZhHjm4;x250_VuwMmPTj9 z>Taxo)@l%dxH<=-2TNp%>EfBDJ~FeBmsPn2HPn4AhK0=Z4lHNOl0lZ`(HO2~-qVir z&f`<(gWi#nA(Y`RhH9j6uGf6nQYiuupMqeSZXmS#MNXtlN=Ec~$$`b|Wh`Z4EngUy4bX)mUQ$(;KC$ 
z(48TPn1of+5~qiPU9qP=W`1``LY%&e((6Y?r*l*&uaPr0SD3m8B>lZ-- zV=Xy0*MV4!@Fq`WV~XxD?&I6c;Oa*Zr%+xnxJ#vhp6nxKt5eTnR%l zm`872o^(OR;0SE5jn0WO6EZ0##G3sZY|rW;MfgXE@*ra3bVYl=I1ykNO-NfUuC%PY zHA*n)u~;kL4c*LPCTEM;zA1}55z?5oh87{e0#)@cUMW#Em@%j1LIRj>ra!Cq&64jF z%}X7Xwdc;HZ+-h;$J>mLP(MhE0Mx|-VU6% zyZkp=6TH3%Beusc^UP~D;`(eLEd z^iVkiZj>7KfOavQHyc55o@&=ivzQ!!USz@9(3h&&t`nHbw7U>KJQBGDvhUKM|4gZZ z_+P2aIt}mbQHB?%%`khXA!D!8m)nUhAZGUmo~!Q(%P-psdhzM4*}x7{m8;Rhdc?0- zQK07mXma%K{O}exu#~4n^ay24RBGA{9y%B1Htu)!993t7&L(dh3^!bagy>Y9u;`BA)P-wD^%2D0@d>o@K77 zfYF*am==p7H(ff=rDu-kZEJZ}F!%S|7C&VJ>Aib7vk&W5gC7LfPm8|zg?^;yB{Ba~ z*8t!&&&sx9Y&;$~_}U1G4Klfzk%HR1@QTp|F$eKx(1kIb%l$%ypw<~O{q zR9TvUFK82ZT_~0;HW(a6H+t%zyq3>@a1G_tcj)2y zgDk(pwBVFK!)V!3t;Qw)l-m9l*)Jc6@)*m4?nlQFa;`}H%boCQwKK(m;K!NRB(PU~ zp%t2MC#>D1RWsIiKC$E9etF4~Jt}x2e%fvk+*45fBtL3Dh>lV8AKpv;OyGad_8PJ8 z>Q1qU_UzH7p{v-|a;LHBq1dCm33bl4$fhhn^NHwyE&(Q|>Dzq@8GSB?v#%aq$D&9< zXG;(vTL)XWt1Ti(!axr#`MFTLk>HIjcJJ|~AdtSw@Kh;WplR*Swf0av_QEJAX~3o} zBz?v04&MNPT(_nHmVXP-EN(|W?U|{`Ii?bC&sE$p!aDx;08><+Bs!y8p;|i;n38QC zz!!AJax_JY>==$wd^#48qU67=|NJ_Y`(lm|6iv2E z)P^Q#q*l81yhRt-&VsO%84^~*SsnkvnS$q++4o%zLLD(gJh_$%vwILup*40`1J|h_pQ|`&!5m0n@(}+55UzMK-h44xb*(yn# z%ys(17K`aO6Ly2Rcyzbv;0DIm9ID+8i7slEgLnQxq>pq7pn7J@3wArO&Nx+i%Fa^; zWKJ*e=hdFtj3pOa6PxIZ^&^L_?c<(h-Te3xTwFjo7YGxx+?O|@vwp#mEYPp)%SUuI z5bLe@J#~k8OY~B0kx+ZCU)U!45>D#O3IY*~OUU9rUg}7o|M}yVpoV{kE|+oumFke_ z98moDJsF%92cIa{ARTl{9W4`Za6oV34u`~(kI>|N$@!+*6^x)DJMoag82wdfX-x(= zc)F8@09cD)zPCnD<1#&+J^1@!FXEy*v8ex2Ffk4??l%36?6-2!O;km(CU#xm=&zkX zo@a&>%c)C9@-Vh>uEv0K{?wo>S2QFe)aUiilWsbIe7)(vPpaM~?)TEwqym!ypspGR z{-6XB@~ diff --git a/debian/DEBUILD/ykfde_0.1_amd64.build b/debian/DEBUILD/ykfde_0.1_amd64.build deleted file mode 100644 index a95aa58..0000000 --- a/debian/DEBUILD/ykfde_0.1_amd64.build +++ /dev/null 
@@ -1,94 +0,0 @@ - dpkg-buildpackage -us -uc -ui -dpkg-buildpackage: info: source package ykfde -dpkg-buildpackage: info: source version 0.1 -dpkg-buildpackage: info: source distribution UNRELEASED -dpkg-buildpackage: info: source changed by crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> - dpkg-source --before-build . -dpkg-buildpackage: info: host architecture amd64 - fakeroot debian/rules clean -dh clean - dh_auto_clean - make -j6 clean -make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' -rm -fr DEBUILD -make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' - dh_clean - dpkg-source -b . -dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1) -dpkg-source: info: using source format '1.0' -dpkg-source: info: building ykfde using existing ykfde_0.1.orig.tar.gz -dpkg-source: info: building ykfde in ykfde_0.1.diff.gz -dpkg-source: warning: ignoring deletion of directory DEBUILD -dpkg-source: warning: ignoring deletion of directory DEBUILD/ykfde-0.1 -dpkg-source: info: building ykfde in ykfde_0.1.dsc - debian/rules build -dh build - dh_update_autotools_config - dh_autoreconf - dh_auto_configure - debian/rules override_dh_auto_build -make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' -# nothing to build -make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' - dh_auto_test - create-stamp debian/debhelper-build-stamp - fakeroot debian/rules binary -dh binary - dh_testroot - dh_prep - dh_auto_install - debian/rules override_dh_install -make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' -dh_install -install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde -install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript -install -D -o 
root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open -install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll -install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format -install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md -install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf -install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend -install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend -install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service -make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' - dh_installdocs - dh_installchangelogs - debian/rules override_dh_installsystemd -make[1]: Entering directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' -dh_installsystemd -pykfde \ - --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ - ykfde-suspend.service -make[1]: Leaving directory '/home/zorin/yubikey-full-disk-encryption/debian/DEBUILD/ykfde-0.1' - dh_perl - dh_link - dh_strip_nondeterminism - dh_compress - dh_fixperms - dh_missing - dh_installdeb - dh_gencontrol - dh_md5sums - dh_builddeb -dpkg-deb: building package 'ykfde' in '../ykfde_0.1_all.deb'. - dpkg-genbuildinfo - dpkg-genchanges >../ykfde_0.1_amd64.changes -dpkg-genchanges: info: including full source code in upload - dpkg-source --after-build . -dpkg-buildpackage: info: full upload (original source is included) -Now running lintian ykfde_0.1_amd64.changes ... 
-E: ykfde: copyright-should-refer-to-common-license-file-for-apache-2 -E: ykfde source: maintainer-address-malformed Andrei Gherzan -E: ykfde: maintainer-address-malformed Andrei Gherzan -E: ykfde source: malformed-debian-changelog-version 0.1 (for non-native) -E: ykfde: wrong-path-for-interpreter usr/lib/ykfde/initramfs-suspend (#!/usr/bin/bash != /bin/bash) -W: ykfde: binary-without-manpage usr/bin/ykfde-enroll -W: ykfde: binary-without-manpage usr/bin/ykfde-format -W: ykfde: binary-without-manpage usr/bin/ykfde-open -W: ykfde: command-with-path-in-maintainer-script postinst:7 /usr/sbin/update-initramfs -W: ykfde: extended-description-line-too-long -W: ykfde source: missing-debian-source-format -Finished running lintian. - -WARNING generated by debuild: -Making debian/rules executable! - diff --git a/debian/DEBUILD/ykfde_0.1_amd64.buildinfo b/debian/DEBUILD/ykfde_0.1_amd64.buildinfo deleted file mode 100644 index 54d2a1c..0000000 --- a/debian/DEBUILD/ykfde_0.1_amd64.buildinfo +++ /dev/null 
@@ -1,167 +0,0 @@ -Format: 1.0 -Source: ykfde -Binary: ykfde -Architecture: all source -Version: 0.1 -Checksums-Md5: - 3b4b788b9572ff0e9ed2bf586df00936 789 ykfde_0.1.dsc - f012426015db8e7ec49c180b8f512281 13564 ykfde_0.1_all.deb -Checksums-Sha1: - 8903200460a19b84d96b74576cc9c57aa4cd9e05 789 ykfde_0.1.dsc - ca95ac88d8b7163d94919f27d1ce5bdb1edc7bf1 13564 ykfde_0.1_all.deb -Checksums-Sha256: - 901570ed3da3f8d20dd83c722a3c3b93f3c1fa62a6b740c6b5e1a1929df89128 789 ykfde_0.1.dsc - adf4c43014d0969f0c3f149e0b6838d48d90ef2e6935bbd9a5bd581f1ed9d02d 13564 ykfde_0.1_all.deb -Build-Origin: Ubuntu -Build-Architecture: amd64 -Build-Date: Tue, 11 Jan 2022 22:07:12 -0800 -Build-Tainted-By: - merged-usr-via-symlinks -Installed-Build-Depends: - autoconf (= 2.69-11.1), - automake (= 1:1.16.1-4ubuntu6), - autopoint (= 0.19.8.1-10build1), - autotools-dev (= 20180224.1), - base-files (= 11ubuntu5.4+zorin1), - base-passwd (= 3.5.47), - bash (= 5.0-6ubuntu1.1), - binutils (= 2.34-6ubuntu1.3), - binutils-common (= 2.34-6ubuntu1.3), - binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3), - bsdmainutils (= 11.1.2ubuntu3), - bsdutils (= 1:2.34-0.1ubuntu9.1), - build-essential (= 12.8ubuntu1.1), - bzip2 (= 1.0.8-2), - coreutils (= 8.30-3ubuntu2), - cpp (= 4:9.3.0-1ubuntu2), - cpp-9 (= 9.3.0-17ubuntu1~20.04), - dash (= 0.5.10.2-6), - debconf (= 1.5.73), - debhelper (= 12.10ubuntu1), - debianutils (= 4.9.1), - dh-autoreconf (= 19), - dh-exec (= 0.23.2), - dh-strip-nondeterminism (= 1.7.0-1), - diffutils (= 1:3.7-3), - dpkg (= 1.19.7ubuntu3), - dpkg-dev (= 1.19.7ubuntu3), - dwz (= 0.13-5), - file (= 1:5.38-4), - findutils (= 4.7.0-1ubuntu1), - g++ (= 4:9.3.0-1ubuntu2), - g++-9 (= 9.3.0-17ubuntu1~20.04), - gcc (= 4:9.3.0-1ubuntu2), - gcc-10-base (= 10.3.0-1ubuntu1~20.04), - gcc-9 (= 9.3.0-17ubuntu1~20.04), - gcc-9-base (= 9.3.0-17ubuntu1~20.04), - gettext (= 0.19.8.1-10build1), - gettext-base (= 0.19.8.1-10build1), - grep (= 3.4-1), - groff-base (= 1.22.4-4build1), - gzip (= 1.10-0ubuntu4), - hostname (= 
3.23), - init-system-helpers (= 1.57), - install-info (= 6.7.0.dfsg.2-5), - intltool-debian (= 0.35.0+20060710.5), - libacl1 (= 2.2.53-6), - libarchive-zip-perl (= 1.67-2), - libasan5 (= 9.3.0-17ubuntu1~20.04), - libatomic1 (= 10.3.0-1ubuntu1~20.04), - libattr1 (= 1:2.4.48-5), - libaudit-common (= 1:2.8.5-2ubuntu6), - libaudit1 (= 1:2.8.5-2ubuntu6), - libbinutils (= 2.34-6ubuntu1.3), - libblkid1 (= 2.34-0.1ubuntu9.1), - libbsd0 (= 0.10.0-1), - libbz2-1.0 (= 1.0.8-2), - libc-bin (= 2.31-0ubuntu9.2), - libc-dev-bin (= 2.31-0ubuntu9.2), - libc6 (= 2.31-0ubuntu9.2), - libc6-dev (= 2.31-0ubuntu9.2), - libcap-ng0 (= 0.7.9-2.1build1), - libcc1-0 (= 10.3.0-1ubuntu1~20.04), - libcroco3 (= 0.6.13-1), - libcrypt-dev (= 1:4.4.10-10ubuntu4), - libcrypt1 (= 1:4.4.10-10ubuntu4), - libctf-nobfd0 (= 2.34-6ubuntu1.3), - libctf0 (= 2.34-6ubuntu1.3), - libdb5.3 (= 5.3.28+dfsg1-0.6ubuntu2), - libdebconfclient0 (= 0.251ubuntu1), - libdebhelper-perl (= 12.10ubuntu1), - libdpkg-perl (= 1.19.7ubuntu3), - libelf1 (= 0.176-1.1build1), - libffi7 (= 3.3-4), - libfile-stripnondeterminism-perl (= 1.7.0-1), - libgcc-9-dev (= 9.3.0-17ubuntu1~20.04), - libgcc-s1 (= 10.3.0-1ubuntu1~20.04), - libgcrypt20 (= 1.8.5-5ubuntu1.1), - libgdbm-compat4 (= 1.18.1-5), - libgdbm6 (= 1.18.1-5), - libglib2.0-0 (= 2.64.6-1~ubuntu20.04.4), - libgmp10 (= 2:6.2.0+dfsg-4), - libgomp1 (= 10.3.0-1ubuntu1~20.04), - libgpg-error0 (= 1.37-1), - libicu66 (= 66.1-2ubuntu2.1), - libisl22 (= 0.22.1-1), - libitm1 (= 10.3.0-1ubuntu1~20.04), - liblsan0 (= 10.3.0-1ubuntu1~20.04), - liblz4-1 (= 1.9.2-2ubuntu0.20.04.1), - liblzma5 (= 5.2.4-1ubuntu1), - libmagic-mgc (= 1:5.38-4), - libmagic1 (= 1:5.38-4), - libmount1 (= 2.34-0.1ubuntu9.1), - libmpc3 (= 1.1.0-1), - libmpfr6 (= 4.0.2-1), - libpam-modules (= 1.3.1-5ubuntu4.3), - libpam-modules-bin (= 1.3.1-5ubuntu4.3), - libpam-runtime (= 1.3.1-5ubuntu4.3), - libpam0g (= 1.3.1-5ubuntu4.3), - libpcre2-8-0 (= 10.34-7), - libpcre3 (= 2:8.39-12build1), - libperl5.30 (= 5.30.0-9ubuntu0.2), - 
libpipeline1 (= 1.5.2-2build1), - libquadmath0 (= 10.3.0-1ubuntu1~20.04), - libseccomp2 (= 2.5.1-1ubuntu1~20.04.2), - libselinux1 (= 3.0-1build2), - libsigsegv2 (= 2.12-2), - libsmartcols1 (= 2.34-0.1ubuntu9.1), - libstdc++-9-dev (= 9.3.0-17ubuntu1~20.04), - libstdc++6 (= 10.3.0-1ubuntu1~20.04), - libsub-override-perl (= 0.09-2), - libsystemd0 (= 245.4-4ubuntu3.14), - libtinfo6 (= 6.2-0ubuntu2), - libtool (= 2.4.6-14), - libtsan0 (= 10.3.0-1ubuntu1~20.04), - libubsan1 (= 10.3.0-1ubuntu1~20.04), - libuchardet0 (= 0.0.6-3build1), - libudev1 (= 245.4-4ubuntu3.14), - libunistring2 (= 0.9.10-2), - libuuid1 (= 2.34-0.1ubuntu9.1), - libxml2 (= 2.9.10+dfsg-5ubuntu0.20.04.1), - libzstd1 (= 1.4.4+dfsg-3ubuntu0.1), - linux-libc-dev (= 5.4.0-94.106), - login (= 1:4.8.1-1ubuntu5.20.04.1), - lsb-base (= 11.1.0ubuntu2), - m4 (= 1.4.18-4), - make (= 4.2.1-1.2), - man-db (= 2.9.1-1), - mawk (= 1.3.4.20200120-2), - ncurses-base (= 6.2-0ubuntu2), - ncurses-bin (= 6.2-0ubuntu2), - patch (= 2.7.6-6), - perl (= 5.30.0-9ubuntu0.2), - perl-base (= 5.30.0-9ubuntu0.2), - perl-modules-5.30 (= 5.30.0-9ubuntu0.2), - po-debconf (= 1.0.21), - sed (= 4.7-1), - sensible-utils (= 0.0.12+nmu1), - sysvinit-utils (= 2.96-2.1ubuntu1), - tar (= 1.30+dfsg-7ubuntu0.20.04.1), - tzdata (= 2021e-0ubuntu0.20.04), - util-linux (= 2.34-0.1ubuntu9.1), - xz-utils (= 5.2.4-1ubuntu1), - zlib1g (= 1:1.2.11.dfsg-2ubuntu1.2) -Environment: - DEB_BUILD_OPTIONS="parallel=6" - LANG="en_US.UTF-8" - SOURCE_DATE_EPOCH="1641965305" diff --git a/debian/DEBUILD/ykfde_0.1_amd64.changes b/debian/DEBUILD/ykfde_0.1_amd64.changes deleted file mode 100644 index fbaa35e..0000000 --- a/debian/DEBUILD/ykfde_0.1_amd64.changes +++ /dev/null 
@@ -1,34 +0,0 @@ -Format: 1.8 -Date: Tue, 11 Jan 2022 21:28:25 -0800 -Source: ykfde -Binary: ykfde -Architecture: source all -Version: 0.1 -Distribution: UNRELEASED -Urgency: medium -Maintainer: Andrei Gherzan -Changed-By: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> -Description: - ykfde - This project leverages a YubiKey HMAC-SHA1 Challenge-Response -Changes: - ykfde (0.1) UNRELEASED; urgency=medium - . - * Added Debian/Ubuntu support -Checksums-Sha1: - 8903200460a19b84d96b74576cc9c57aa4cd9e05 789 ykfde_0.1.dsc - e2c140d2c771a17b383edc362e9ec398ff2692d4 14121 ykfde_0.1.orig.tar.gz - eaa145143495e32579e2faab0beac5ce664d0823 1463 ykfde_0.1.diff.gz - ca95ac88d8b7163d94919f27d1ce5bdb1edc7bf1 13564 ykfde_0.1_all.deb - 0b5a244b3323bed5044c51ef362b1a83c36a04a2 5309 ykfde_0.1_amd64.buildinfo -Checksums-Sha256: - 901570ed3da3f8d20dd83c722a3c3b93f3c1fa62a6b740c6b5e1a1929df89128 789 ykfde_0.1.dsc - 532afcc745f33a88369702a933911fbcee52f91b6b7ceb7d9bbeb43bf6193da6 14121 ykfde_0.1.orig.tar.gz - f393949e5dac05027b7135f6f06206f06c5462b0f56afd241d95cc900158aafe 1463 ykfde_0.1.diff.gz - adf4c43014d0969f0c3f149e0b6838d48d90ef2e6935bbd9a5bd581f1ed9d02d 13564 ykfde_0.1_all.deb - beaac1ca0e13c033ef62fc6c165af6452e1a14e54280aa30a347f4ea0b6696f7 5309 ykfde_0.1_amd64.buildinfo -Files: - 3b4b788b9572ff0e9ed2bf586df00936 789 admin optional ykfde_0.1.dsc - b5ff19097aad01c168678bd7630c412f 14121 admin optional ykfde_0.1.orig.tar.gz - d3eaa050adf4cc317cb89b330ab7b38d 1463 admin optional ykfde_0.1.diff.gz - f012426015db8e7ec49c180b8f512281 13564 admin optional ykfde_0.1_all.deb - 92c7f90fd67e731823fac7e0a81d5403 5309 admin optional ykfde_0.1_amd64.buildinfo From d4e4bbed73a98c1868b6a98d7cd1af089ee0d94b Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 22:35:11 -0800 Subject: [PATCH 06/18] Hash Yubikey challenge --- debian/key-script | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/debian/key-script b/debian/key-script index 0c41a52..0329fee 100755 --- a/debian/key-script +++ b/debian/key-script @@ -52,7 +52,7 @@ fi if [ "$check_yubikey_present" = "1" ]; then message "Accessing yubikey..." #if [ "$HASH" = "1" ]; then - # PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') + PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') #fi R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)" if [ "$R" ]; then From 6614340b106082da0321c1b6a6a388a4c5342f64 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 22:39:16 -0800 Subject: [PATCH 07/18] Moved testrun.sh to src folder --- arch/Makefile | 2 +- debian/Makefile | 2 +- debian/key-script | 2 -- {arch => src}/testrun.sh | 0 4 files changed, 2 insertions(+), 4 deletions(-) rename {arch => src}/testrun.sh (100%) diff --git a/arch/Makefile b/arch/Makefile index 114d61c..284a1e4 100644 --- a/arch/Makefile +++ b/arch/Makefile @@ -12,6 +12,6 @@ reinstall: install -Dm755 ../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" install -Dm644 ../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" test: - ./testrun.sh + ../src/testrun.sh all: install diff --git a/debian/Makefile b/debian/Makefile index 8a38efa..2691910 100644 --- a/debian/Makefile +++ b/debian/Makefile @@ -25,4 +25,4 @@ clean: rm -fr DEBUILD #test: -# ./testrun.sh +# ../src/testrun.sh diff --git a/debian/key-script b/debian/key-script index 0329fee..5e488f3 100755 --- a/debian/key-script +++ b/debian/key-script @@ -51,9 +51,7 @@ fi if [ "$check_yubikey_present" = "1" ]; then message "Accessing yubikey..." - #if [ "$HASH" = "1" ]; then PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') - #fi R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)" if [ "$R" ]; then message "Retrieved the response from the Yubikey" 
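Review bot: In debian/key-script the line `PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')` is now live while the `#if [ "$HASH" = "1" ]; then` / `#fi` guard around it stays commented out, so the passphrase is always hashed before it reaches `ykchalresp`, and nothing in the script says why. The slot can only be opened if this derivation matches the one used at enrollment (ykfde-enroll is not visible here), so I would put that next to the line, e.g. `# Challenge = SHA-256 hex digest of the passphrase; must match the derivation used by ykfde-enroll`. The script presumably runs from the initramfs, where `sha256sum` and `awk` are only present if the hook copies them in; if either is missing, `PW` ends up empty and the failure is hidden by the `2>/dev/null || true` on the next line, so a check that the digest is non-empty with a `message` on failure would make that case diagnosable. The dead `#if`/`#fi` pair is only removed by the later key-script hunk in PATCH 07/18 and would be better dropped in this commit; the script body continues outside the hunk.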
diff --git a/arch/testrun.sh b/src/testrun.sh similarity index 100% rename from arch/testrun.sh rename to src/testrun.sh From 8cc6938ba85de54635da7949b196a4d63dd6fee4 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Tue, 11 Jan 2022 22:54:28 -0800 Subject: [PATCH 08/18] Removed testrun.sh from debian directory --- debian/testrun.sh | 60 ----------------------------------------------- 1 file changed, 60 deletions(-) delete mode 100755 debian/testrun.sh diff --git a/debian/testrun.sh b/debian/testrun.sh deleted file mode 100755 index 5894e26..0000000 --- a/debian/testrun.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# set default values: -YKFDE_CONFIG_FILE="/etc/ykfde.conf" -YKFDE_CHALLENGE="" -YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_CHALLENGE_SLOT="" - -if [ "$(id -u)" -ne 0 ]; then - echo "ERROR: Please run this script as 'root'." - exit 1 -fi - -# shellcheck source=src/ykfde.conf -. "$YKFDE_CONFIG_FILE" -[ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" - -if [ -z "$YKFDE_CHALLENGE" ] && [ -z "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - printf '%s\n' "ERROR: No ykfde mode enabled. Please enable 'Automatic mode with stored challenge (1FA)' or 'Manual mode with secret challenge (2FA)' in '$YKFDE_CONFIG_FILE'." - exit 1 -elif [ "$YKFDE_CHALLENGE" ]; then - echo "INFO: 'Automatic mode with stored challenge (1FA)' is enabled." -elif [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then - echo "INFO: 'Manual mode with secret challenge (2FA)' is enabled." -fi - -if [ -z "$YKFDE_CHALLENGE_SLOT" ]; then - echo "WARNING: YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode is not selected. Falling back to slot '2'." -fi - -umask 0077 -YKFDE_TMPFILE="" -YKFDE_TMPFILE="$(mktemp /dev/shm/ykfde-XXXXXX)" -truncate -s 20M "$YKFDE_TMPFILE" - -cleanup() { - rm -f "$YKFDE_TMPFILE" -} -trap cleanup EXIT - -echo "INFO: Testing 'ykfde-format' script." -DBG=1 ykfde-format "$YKFDE_TMPFILE" -echo "Test 'ykfde-format' script successfully passed." - -echo "INFO: Testing 'ykfde-enroll' script." -printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE" -echo "INFO: Old LUKS passphrase is 'test'." -ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v -echo "Test 'ykfde-enroll' script successfully passed." - -echo "INFO: Testing 'ykfde-open' script." -ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v -cryptsetup close ykfde-test -echo "Test 'ykfde-open' script successfully passed." - -echo "All tests successfully passed." - -exit 0 From db3d82d65dc48b6eed31849fb4abeac666141baf Mon Sep 17 00:00:00 2001 
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 12 Jan 2022 21:15:39 -0800 Subject: [PATCH 09/18] Reorganized files --- {arch => packaging/archlinux}/Makefile | 0 {arch => packaging/archlinux}/PKGBUILD | 0 {debian => packaging/debian}/Makefile | 5 +++-- {debian => packaging/debian}/debian/changelog | 0 {debian => packaging/debian}/debian/compat | 0 {debian => packaging/debian}/debian/control | 0 {debian => packaging/debian}/debian/copyright | 0 {debian => packaging/debian}/debian/rules | 16 ++++++++-------- .../debian}/debian/ykfde.postinst | 0 src/{ => archlinux}/hooks/ykfde | 0 src/{ => archlinux}/initramfs-suspend | 0 src/{ => archlinux}/install/ykfde | 0 src/{ => archlinux}/ykfde-suspend | 0 src/{ => archlinux}/ykfde-suspend.service | 0 src/{hooks/ykfde-deb => debian/hooks/ykfde} | 0 {debian => src/debian}/key-script | 0 16 files changed, 11 insertions(+), 10 deletions(-) rename {arch => packaging/archlinux}/Makefile (100%) rename {arch => packaging/archlinux}/PKGBUILD (100%) rename {debian => packaging/debian}/Makefile (79%) rename {debian => packaging/debian}/debian/changelog (100%) rename {debian => packaging/debian}/debian/compat (100%) rename {debian => packaging/debian}/debian/control (100%) rename {debian => packaging/debian}/debian/copyright (100%) rename {debian => packaging/debian}/debian/rules (51%) rename {debian => packaging/debian}/debian/ykfde.postinst (100%) rename src/{ => archlinux}/hooks/ykfde (100%) rename src/{ => archlinux}/initramfs-suspend (100%) rename src/{ => archlinux}/install/ykfde (100%) rename src/{ => archlinux}/ykfde-suspend (100%) rename src/{ => archlinux}/ykfde-suspend.service (100%) rename src/{hooks/ykfde-deb => debian/hooks/ykfde} (100%) rename {debian => src/debian}/key-script (100%) diff --git a/arch/Makefile b/packaging/archlinux/Makefile similarity index 100% rename from arch/Makefile rename to packaging/archlinux/Makefile 
diff --git a/arch/PKGBUILD b/packaging/archlinux/PKGBUILD similarity index 100% rename from arch/PKGBUILD rename to packaging/archlinux/PKGBUILD diff --git a/debian/Makefile b/packaging/debian/Makefile similarity index 79% rename from debian/Makefile rename to packaging/debian/Makefile index 2691910..86924e5 100644 --- a/debian/Makefile +++ b/packaging/debian/Makefile @@ -9,8 +9,9 @@ debianize: rm -fr DEBUILD mkdir -p DEBUILD/${SRC_DIR} cp -r * DEBUILD/${SRC_DIR} || true - cp -r ../src/* DEBUILD/${SRC_DIR} || true - cp ../README.md DEBUILD/${SRC_DIR} || true + cp -r ../../src/ykfde* DEBUILD/${SRC_DIR} || true + cp -r ../../src/debian/* DEBUILD/${SRC_DIR} || true + cp ../../README.md DEBUILD/${SRC_DIR} || true (cd DEBUILD; tar -zcf ykfde_${VERSION}.orig.tar.gz --exclude=${SRC_DIR}/debian ${SRC_DIR}) builddeb: diff --git a/debian/debian/changelog b/packaging/debian/debian/changelog similarity index 100% rename from debian/debian/changelog rename to packaging/debian/debian/changelog diff --git a/debian/debian/compat b/packaging/debian/debian/compat similarity index 100% rename from debian/debian/compat rename to packaging/debian/debian/compat diff --git a/debian/debian/control b/packaging/debian/debian/control similarity index 100% rename from debian/debian/control rename to packaging/debian/debian/control diff --git a/debian/debian/copyright b/packaging/debian/debian/copyright similarity index 100% rename from debian/debian/copyright rename to packaging/debian/debian/copyright diff --git a/debian/debian/rules b/packaging/debian/debian/rules similarity index 51% rename from debian/debian/rules rename to packaging/debian/debian/rules index 1a2a680..d37d975 100644 --- a/debian/debian/rules +++ b/packaging/debian/debian/rules 
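Review bot: The new copy lines in the `debianize` recipe, `cp -r ../../src/ykfde* DEBUILD/${SRC_DIR} || true`, `cp -r ../../src/debian/* DEBUILD/${SRC_DIR} || true` and `cp ../../README.md DEBUILD/${SRC_DIR} || true`, keep the `|| true` of the lines they replace, so a wrong relative path after this reorganisation produces an orig tarball without the scripts and no error at this step. The `|| true` looks necessary only on the unchanged `cp -r * DEBUILD/${SRC_DIR}` line (which presumably trips over copying DEBUILD into itself); for the sources that make up the package I would let the copy fail the build, e.g. `cp -r ../../src/ykfde* ../../src/debian/* ../../README.md "DEBUILD/${SRC_DIR}/"`. For a package that ends up in the boot path of an encrypted system, a build that stops on a missing input is preferable to one that silently packages whatever was found.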
@@ -6,20 +6,20 @@ override_dh_auto_build: # nothing to build -override_dh_installsystemd: - dh_installsystemd -pykfde \ - --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ - ykfde-suspend.service +#override_dh_installsystemd: +# dh_installsystemd -pykfde \ +# --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ +# ykfde-suspend.service override_dh_install: dh_install - install -D -o root -g root -m755 hooks/ykfde-deb debian/ykfde/usr/share/initramfs-tools/hooks/ykfde + install -D -o root -g root -m755 hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde install -D -o root -g root -m755 key-script debian/ykfde/usr/share/ykfde/ykfde-keyscript install -D -o root -g root -m755 ykfde-open debian/ykfde/usr/bin/ykfde-open install -D -o root -g root -m755 ykfde-enroll debian/ykfde/usr/bin/ykfde-enroll install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf - install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend - install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend - install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service + #install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend + #install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend + #install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service diff --git a/debian/debian/ykfde.postinst b/packaging/debian/debian/ykfde.postinst similarity index 100% rename from debian/debian/ykfde.postinst rename to packaging/debian/debian/ykfde.postinst 
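Review bot: In packaging/debian/debian/rules, the `override_dh_installsystemd` block and the three `install` lines for `ykfde-suspend`, `initramfs-suspend` and `ykfde-suspend.service` are commented out rather than removed, and nothing says why. The Debian package consequently stops shipping the suspend pieces, which users coming from the Arch package may expect to be present. Either delete the lines or put one comment above them, such as `# suspend support is not packaged for Debian yet`, and state the same limitation in the README.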
diff --git a/src/hooks/ykfde b/src/archlinux/hooks/ykfde similarity index 100% rename from src/hooks/ykfde rename to src/archlinux/hooks/ykfde diff --git a/src/initramfs-suspend b/src/archlinux/initramfs-suspend similarity index 100% rename from src/initramfs-suspend rename to src/archlinux/initramfs-suspend diff --git a/src/install/ykfde b/src/archlinux/install/ykfde similarity index 100% rename from src/install/ykfde rename to src/archlinux/install/ykfde diff --git a/src/ykfde-suspend b/src/archlinux/ykfde-suspend similarity index 100% rename from src/ykfde-suspend rename to src/archlinux/ykfde-suspend diff --git a/src/ykfde-suspend.service b/src/archlinux/ykfde-suspend.service similarity index 100% rename from src/ykfde-suspend.service rename to src/archlinux/ykfde-suspend.service diff --git a/src/hooks/ykfde-deb b/src/debian/hooks/ykfde similarity index 100% rename from src/hooks/ykfde-deb rename to src/debian/hooks/ykfde diff --git a/debian/key-script b/src/debian/key-script similarity index 100% rename from debian/key-script rename to src/debian/key-script From a7985a3d51dae13425832ed1250264736a670af0 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 12 Jan 2022 21:28:04 -0800 Subject: [PATCH 10/18] Updated install paths --- packaging/archlinux/Makefile | 22 +++++++++++----------- packaging/debian/Makefile | 4 ++-- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/packaging/archlinux/Makefile b/packaging/archlinux/Makefile index 284a1e4..084eac0 100644 --- a/packaging/archlinux/Makefile +++ b/packaging/archlinux/Makefile 
@@ -1,17 +1,17 @@ install: reinstall - install -v -b -Dm644 ../src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf" + install -v -b -Dm644 ../../src/ykfde.conf "$(DESTDIR)/etc/ykfde.conf" reinstall: - install -Dm644 ../src/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde" - install -Dm644 ../src/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde" - install -Dm755 ../src/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend" - install -Dm755 ../src/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend" - install -Dm644 ../src/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service" - install -Dm755 ../src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll" - install -Dm755 ../src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format" - install -Dm755 ../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" - install -Dm644 ../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" + install -Dm644 ../../src/archlinux/hooks/ykfde "$(DESTDIR)/usr/lib/initcpio/hooks/ykfde" + install -Dm644 ../../src/archlinux/install/ykfde "$(DESTDIR)/usr/lib/initcpio/install/ykfde" + install -Dm755 ../../src/archlinux/ykfde-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/ykfde-suspend" + install -Dm755 ../../src/archlinux/initramfs-suspend "$(DESTDIR)/usr/lib/ykfde-suspend/initramfs-suspend" + install -Dm644 ../../src/archlinux/ykfde-suspend.service "$(DESTDIR)/usr/lib/systemd/system/ykfde-suspend.service" + install -Dm755 ../../src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll" + install -Dm755 ../../src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format" + install -Dm755 ../../src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" + install -Dm644 ../../README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" test: - ../src/testrun.sh + ../../src/testrun.sh all: install diff --git a/packaging/debian/Makefile b/packaging/debian/Makefile index 86924e5..f54f4b6 100644 --- a/packaging/debian/Makefile +++ b/packaging/debian/Makefile 
@@ -25,5 +25,5 @@ endif clean: rm -fr DEBUILD -#test: -# ../src/testrun.sh +test: + sudo ../../../../src/testrun.sh From 611e170e7d199f979b85837eccfa8cf444f6b019 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 12 Jan 2022 22:20:34 -0800 Subject: [PATCH 11/18] Updated README with Debian/Ubuntu installation instructions --- README.md | 23 +++++++++++++++++------ packaging/archlinux/PKGBUILD | 2 +- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 54329f5..6950217 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,10 @@ This project leverages a [YubiKey](https://wiki.archlinux.org/index.php/Yubikey) Be aware that this was only tested and intended for: * [Arch Linux](https://www.archlinux.org/) and its derivatives +* [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems * [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/) -There is similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks) +There is a similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks) Table of Contents ================= @@ -80,7 +81,8 @@ Keep in mind that the above doesn't protect you from physical tampering like *ev # Install -## From Arch Linux official repository +## Arch Linux +### From Arch Linux official repository The easiest way is to install package from [official Arch Linux repository](https://www.archlinux.org/packages/community/any/yubikey-full-disk-encryption/). 
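Review bot: The re-enabled `test` target in packaging/debian/Makefile (hunk `@@ -25,5 +25,5 @@`) runs `sudo ../../../../src/testrun.sh`, a root invocation of a script located through a path that depends on the working directory. From packaging/debian, four `..` components resolve above the repository root, so whatever file sits at that location would be executed as root. The path presumably assumes make is run from inside the DEBUILD tree, which is not visible here. I would use the same in-repo path as packaging/archlinux/Makefile and leave privilege escalation to the caller: `../../src/testrun.sh` with no `sudo`.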
@@ -88,23 +90,32 @@ The easiest way is to install package from [official Arch Linux repository](http sudo pacman -Syu yubikey-full-disk-encryption ``` -## From Github using 'makepkg' +### From Github using 'makepkg' ``` -wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/PKGBUILD +wget https://raw.githubusercontent.com/agherzan/yubikey-full-disk-encryption/master/packaging/archlinux/PKGBUILD makepkg -srci ``` -## From Github using 'make' +### From Github using 'make' ``` git clone https://github.com/agherzan/yubikey-full-disk-encryption.git -cd yubikey-full-disk-encryption +cd yubikey-full-disk-encryption/packaging/archlinux sudo make install ``` When installing by using `make` you also need to install [yubikey-personalization](https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/) and [expect](https://www.archlinux.org/packages/extra/x86_64/expect/) packages. +## Debian/Ubuntu +### From Github using 'make' +``` +git clone https://github.com/agherzan/yubikey-full-disk-encryption.git +cd yubikey-full-disk-encryption/packaging/debian +make builddeb NO_SIGN=1 +sudo dpkg -i DEBUILD/ykfde_*_all.deb +``` + # Configure diff --git a/packaging/archlinux/PKGBUILD b/packaging/archlinux/PKGBUILD index d053af0..c863bc6 100644 --- a/packaging/archlinux/PKGBUILD +++ b/packaging/archlinux/PKGBUILD @@ -1,6 +1,6 @@ pkgname=yubikey-full-disk-encryption-git _pkgname=yubikey-full-disk-encryption -pkgver=r136.4d8ba6a +pkgver=r155.dcaac00 pkgrel=1 pkgdesc='Use YubiKey to unlock a LUKS partition' arch=('any') From 44a78be886d4101f7d08edc5ed39967c56aae3a4 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 12 Jan 2022 22:29:16 -0800 Subject: [PATCH 12/18] Updated README for getting ykfde to work on boot for Debian/Ubuntu --- README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6950217..75d96c9 100644 
--- a/README.md +++ b/README.md @@ -116,6 +116,7 @@ make builddeb NO_SIGN=1 sudo dpkg -i DEBUILD/ykfde_*_all.deb ``` + # Configure @@ -223,11 +224,11 @@ To kill a ykfde passphrase for existing *LUKS* encrypted volume you can use [ykf ykfde-enroll -d /dev/ -s -k ``` -## Enable ykfde initramfs hook +## Enable ykfde initramfs hook (Arch Linux) **Warning: It's recommended to have already working [encrypted system setup](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system) with `encrypt` hook and non-ykfde passphrase before starting to use `ykfde` hook with ykfde passphrase to avoid potential misconfigurations.** -Edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): +For Arch Linux and its derivatives, edit `/etc/mkinitcpio.conf` and add the `ykfde` hook before or instead of `encrypt` hook as provided in [example](https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#Examples). Adding `ykfde` hook before `encrypt` hook will allow for a safe fallback in case of ykfde misconfiguration. You can remove `encrypt` hook later when you confim that everything is working correctly. After making your changes [regenerate initramfs](https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation): ``` sudo mkinitcpio -P 
@@ -235,6 +236,17 @@ sudo mkinitcpio -P Reboot and test your configuration. +## Update crypttab (Debian/Ubuntu) +To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab file`. For example: +``` +cryptroot /dev/sda none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript +``` +After changing this file, update the initial RAM file system: +``` +update-initramfs -u +``` + + ## Enable NFC support in ykfde initramfs hook (experimental) **Warning: Currently NFC support is implemented only in initramfs hook. All ykfde manipulations on booted system have to be done through USB.** From 25c27cd499ed52fef2420f70b69cdea3377a93cf Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 12 Jan 2022 22:33:05 -0800 Subject: [PATCH 13/18] Fixed typo in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75d96c9..166466d 100644 --- a/README.md +++ b/README.md @@ -239,7 +239,7 @@ Reboot and test your configuration. ## Update crypttab (Debian/Ubuntu) To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab file`. For example: ``` -cryptroot /dev/sda none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript +cryptroot /dev/sda none luks,keyscript=/usr/share/ykfde/ykfde-keyscript ``` After changing this file, update the initial RAM file system: ``` From 341d8561679c62831d78e50dd1c84410a1850169 Mon Sep 17 00:00:00 2001 
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Thu, 13 Jan 2022 21:25:30 +0000 Subject: [PATCH 14/18] Incorporated first round of pull request comments --- README.md | 1 - packaging/debian/debian/rules | 8 -------- src/archlinux/initramfs-suspend | 2 +- src/debian/hooks/ykfde | 10 ---------- src/debian/key-script | 2 +- 5 files changed, 2 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 166466d..2475fcd 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ Be aware that this was only tested and intended for: * [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems * [YubiKey (version 4 or later)](https://www.yubico.com/products/yubikey-5-overview/) -There is a similar project targeting [Debian](https://www.debian.org/)/[Ubuntu](https://www.ubuntu.com/) based systems: [yubikey-luks](https://github.com/cornelinux/yubikey-luks) Table of Contents ================= diff --git a/packaging/debian/debian/rules b/packaging/debian/debian/rules index d37d975..60f7939 100644 --- a/packaging/debian/debian/rules +++ b/packaging/debian/debian/rules @@ -6,11 +6,6 @@ override_dh_auto_build: # nothing to build -#override_dh_installsystemd: -# dh_installsystemd -pykfde \ -# --no-enable --no-start --no-restart-after-upgrade --no-stop-on-upgrade \ -# ykfde-suspend.service - override_dh_install: dh_install install -D -o root -g root -m755 hooks/ykfde debian/ykfde/usr/share/initramfs-tools/hooks/ykfde 
@@ -20,6 +15,3 @@ override_dh_install: install -D -o root -g root -m755 ykfde-format debian/ykfde/usr/bin/ykfde-format install -D -o root -g root -m644 README.md debian/ykfde/usr/share/doc/ykfde/README.md install -D -o root -g root -m644 ykfde.conf debian/ykfde/etc/ykfde.conf - #install -D -o root -g root -m755 ykfde-suspend debian/ykfde/usr/lib/ykfde/yubikey-luks-suspend - #install -D -o root -g root -m755 initramfs-suspend debian/ykfde/usr/lib/ykfde/initramfs-suspend - #install -D -o root -g root -m644 ykfde-suspend.service debian/ykfde/lib/systemd/system/ykfde-suspend.service diff --git a/src/archlinux/initramfs-suspend b/src/archlinux/initramfs-suspend index fce7a9e..5affa55 100644 --- a/src/archlinux/initramfs-suspend +++ b/src/archlinux/initramfs-suspend @@ -1,4 +1,4 @@ -#!/usr/bin/bash +#!/usr/bin/ash # shellcheck shell=dash cryptname="${1}" diff --git a/src/debian/hooks/ykfde b/src/debian/hooks/ykfde index d015c1d..0413f01 100755 --- a/src/debian/hooks/ykfde +++ b/src/debian/hooks/ykfde @@ -25,14 +25,4 @@ copy_exec /usr/bin/sha256sum cp /usr/share/ykfde/ykfde-keyscript "${DESTDIR}/sbin/ykfde-keyscript" cp /etc/ykfde.conf "${DESTDIR}/etc/ykfde.conf" -#if [ "$SUSPEND" = "1" ]; then -# echo "YKFDE: adding yubikey authentication to suspend." -# cp -pnL /usr/lib/ykfde/initramfs-suspend "${DESTDIR}/suspend" -# chmod 755 "${DESTDIR}/suspend" -# systemctl enable ykfde-suspend.service -#else -# echo "YKFDE: removing yubikey authentication to suspend." -# systemctl disable ykfde-suspend.service -#fi - exit 0 diff --git a/src/debian/key-script b/src/debian/key-script index 5e488f3..eb92562 100755 --- a/src/debian/key-script +++ b/src/debian/key-script @@ -1,6 +1,6 @@ #! /bin/sh # -# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk +# This is /sbin/ykfde-keyscript, which gets called when unlocking the disk # # set defualt values: DBG="" From 76459a9ba9277518e275eca84de1e3f0e1282b46 Mon Sep 17 00:00:00 2001 
From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Thu, 13 Jan 2022 21:34:19 +0000 Subject: [PATCH 15/18] Removed testrun.sh from Makefile --- packaging/debian/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/packaging/debian/Makefile b/packaging/debian/Makefile index f54f4b6..2ee15ef 100644 --- a/packaging/debian/Makefile +++ b/packaging/debian/Makefile @@ -25,5 +25,3 @@ endif clean: rm -fr DEBUILD -test: - sudo ../../../../src/testrun.sh From cd7c08ad8ef8410ec93d56333de492552ef9cc5e Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Wed, 19 Jan 2022 23:24:16 -0800 Subject: [PATCH 16/18] Modified Arch Linux ykfde hook to work with debian/ubuntu --- README.md | 4 +- packaging/debian/Makefile | 1 - src/debian/key-script | 281 ++++++++++++++++++++++++++++++++------ 3 files changed, 240 insertions(+), 46 deletions(-) diff --git a/README.md b/README.md index 2475fcd..06aaac4 100644 --- a/README.md +++ b/README.md @@ -236,13 +236,13 @@ sudo mkinitcpio -P Reboot and test your configuration. ## Update crypttab (Debian/Ubuntu) -To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab file`. For example: +To unlock LUKS encrypted volumes at boot for Debian/Ubuntu systems, you must append `keyscript=/usr/share/ykfde/ykfde-keyscript` to the `/etc/crypttab` file. For example: ``` cryptroot /dev/sda none luks,keyscript=/usr/share/ykfde/ykfde-keyscript ``` After changing this file, update the initial RAM file system: ``` -update-initramfs -u +sudo update-initramfs -u ``` diff --git a/packaging/debian/Makefile b/packaging/debian/Makefile index 2ee15ef..1a1abfa 100644 --- a/packaging/debian/Makefile +++ b/packaging/debian/Makefile @@ -24,4 +24,3 @@ endif clean: rm -fr DEBUILD - diff --git a/src/debian/key-script b/src/debian/key-script index eb92562..c9671fa 100755 --- a/src/debian/key-script 
+++ b/src/debian/key-script @@ -1,8 +1,7 @@ -#! /bin/sh -# -# This is /sbin/ykfde-keyscript, which gets called when unlocking the disk -# -# set defualt values: +#!/bin/sh +# shellcheck shell=dash + +# set default values: DBG="" YKFDE_CONFIG_FILE="/etc/ykfde.conf" YKFDE_NFC="" 
@@ -18,53 +17,249 @@ YKFDE_CHALLENGE_PASSWORD_NEEDED="" YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" YKFDE_USE_PLYMOUTH="" -. /etc/ykfde.conf +message() { + if [ "$YKFDE_USE_PLYMOUTH" ]; then + plymouth display-message --text="$*" + else + echo "$@" >&2 + fi + return 0 +} + +run_hook() { + local _tmp + _tmp="" + local cryptopt cryptoptions + + [ -x /bin/plymouth ] && [ "$splash" ] && plymouth --ping && YKFDE_USE_PLYMOUTH=1 + + # shellcheck source=../ykfde.conf + . "$YKFDE_CONFIG_FILE" || { + ykfde_err 001 "Failed to read the YKFDE configuration file '$YKFDE_CONFIG_FILE'" + return 1 + } + + [ "$DBG" ] && message "$0:" + [ "$DBG" ] && message " > Successfully read YKFDE configuration file." + +# # if no settings in config, try to pull it from kernel cmdline (analog to encrypt hook) +# if [ -z "$YKFDE_DISK_UUID" ] || [ -z "$YKFDE_LUKS_NAME" ]; then +# # shellcheck disable=SC2154 +# if [ "$cryptdevice" ]; then +# IFS=: read -r YKFDE_LUKS_DEV YKFDE_LUKS_NAME cryptoptions < modprobing dm-crypt" +# _tmp="$(modprobe -a -q dm-crypt >/dev/null 2>&1)" -if [ -z "$WELCOME_TEXT" ]; then - WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase" -fi + local trial_nr + trial_nr=1 + while [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ]; do + #message "Attempt #$trial_nr/$YKFDE_CRYPTSETUP_TRIALS: cryptsetup of $YKFDE_LUKS_DEV" + ykfde_do_it && return 0 + trial_nr=$((trial_nr + 1)) + done -message() -{ - if [ -x /bin/plymouth ] && plymouth --ping; then - plymouth message --text="$*" + # if we get here, we did NOT succeed: + ykfde_err 000 "$0 Failed!" + return 1 +} + +ykfde_err() { + local _rc + _rc="$?" 
+ local code + code="$1" + local msg + msg="$2" + [ "$msg" ] && msg="ERROR $code [rc=$_rc]: $msg" || msg="ERROR $code [rc=$_rc]" + message "$msg" #exit 1; +} + +# assemble passphrase and run 'cryptsetup luksOpen' +ykfde_do_it() { + # key used to 'cryptsetup luksOpen' + local _ykfde_passphrase + _ykfde_passphrase="" + local _tmp + _tmp="" + local _rc + _rc="" + + # if we have a challenge + [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && ykfde_challenge_response + + if [ -z "$_ykfde_passphrase" ]; then + if [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then + message " > Challenge-Response failed. Falling back to manual passphrase." + [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ] && message " Press ENTER to skip and retry Challenge-Response." + #else + #message " > Passphrase needed to unlock device." + fi + + #printf " Enter passphrase: " + if [ "$YKFDE_USE_PLYMOUTH" ]; then + printf '%s' "$(plymouth ask-for-password --prompt="Enter passphrase" --dont-pause-progress)" else - echo "$@" >&2 + # shellcheck disable=SC2169 + printf '%s' "$(/lib/cryptsetup/askpass " Enter passphrase: ")" fi - return 0 + exit 0 +# # if /NOT/ DBG, we need to output \n here. +# [ "$DBG" ] || echo + fi + +# [ "$DBG" ] && message " > Passing '$_ykfde_passphrase' to 'cryptsetup'" +# if [ "$YKFDE_RESUME" ]; then +# # shellcheck disable=SC2154 +# if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksResume $cryptname'..."; else message " > Decrypting with 'cryptsetup'..."; fi +# _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksResume "$cryptname" 2>&1)" +# else +# if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS'..."; else message " > Decrypting with 'cryptsetup'..."; fi +# _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" 2>&1)" +# fi +# _rc=$? 
+ +# if [ "$_rc" -eq 0 ]; then +# message " Decryption was successful." +# if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then +# [ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep." +# sleep "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" +# fi +# else +# message " FAILED! [$_rc] $_tmp" +# fi + +# return "$_rc" } -check_yubikey_present="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")" +ykfde_challenge_response() { + local _yubikey_timeout + _yubikey_timeout="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" + local _yubikey_timeout_str + _yubikey_timeout_str="" + local _yubikey_detected + _yubikey_detected="" + local _yubikey_nfc_detected + _yubikey_nfc_detected="" + local _ykfde_response + _ykfde_response="" + # to determine if a timeout occurred + local _starttime + _starttime="" + local _endtime + _endtime="" + local _usedtime + _usedtime="" + local _tmp + _tmp="" + local _rc + _rc="" + + [ "$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT" -gt 0 ] && _yubikey_timeout_str="$YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT seconds" + + _starttime="$(date +%s)" + message " > Waiting $_yubikey_timeout_str for YubiKey..." + + while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do + _endtime="$(date +%s)" + _usedtime=$((_endtime - _starttime)) + [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': " + _tmp="$(ykinfo -"$YKFDE_CHALLENGE_SLOT" 2>&1)" + _rc=$? + [ "$DBG" ] && message "[$_rc] '$_tmp'" + if [ "$_rc" -eq 0 ]; then + _yubikey_detected=1 + elif [ "$YKFDE_NFC" ]; then + [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': " + _tmp="$(ykchalresp-nfc -n 2>&1)" + _rc=$? + [ "$_rc" -eq 0 ] && _yubikey_nfc_detected=1 + fi + if [ "$_yubikey_timeout" -eq -1 ] || [ "$_usedtime" -le "$_yubikey_timeout" ]; then + sleep 0.5 + else + message " Timeout - Challenge-Response aborted." 
+ # timeout + return 1 + fi + done + + [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" + while [ -z "$YKFDE_CHALLENGE" ]; do +# message " > Please provide the challenge." + # shellcheck disable=SC2169 + if [ "$YKFDE_USE_PLYMOUTH" ]; then + YKFDE_CHALLENGE="$(plymouth ask-for-password --prompt="Enter challenge" --dont-pause-progress)" +# elif [ "$DBG" ]; then +# read -r YKFDE_CHALLENGE + else +# read -r -s YKFDE_CHALLENGE + YKFDE_CHALLENGE="$(/lib/cryptsetup/askpass " Enter challenge: ")" + fi +# YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" +# # if /NOT/ DBG, we need to output \n here. +# [ "$DBG" ] || echo + done + + if [ "$_yubikey_detected" ]; then + while [ -z "$_ykfde_response" ]; do + [ "$DBG" ] && message " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." + message " Remember to touch the device if necessary." + YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" + _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" + [ "$DBG" ] && message " Received response: '$_ykfde_response'" + done + fi -if [ -z "$YKFDE_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then - if [ -z "$cryptkeyscript" ]; then - if [ -x /bin/plymouth ] && plymouth --ping; then - cryptkeyscript="plymouth ask-for-password --prompt" - else - cryptkeyscript="/lib/cryptsetup/askpass" - fi + if [ -n "$_yubikey_nfc_detected" ]; then + while [ -z "$_ykfde_response" ]; do + [ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." + message " Remember to touch the device if necessary." 
+ _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp-nfc -"$YKFDE_CHALLENGE_SLOT" | tr -d '\n')" + [ "$DBG" ] && message " Received response: '$_ykfde_response'" + done fi - PW="$($cryptkeyscript "$WELCOME_TEXT")" -else - PW="$YKFDE_CHALLENGE" -fi - -if [ "$check_yubikey_present" = "1" ]; then - message "Accessing yubikey..." - PW=$(printf %s "$PW" | sha256sum | awk '{print $1}') - R="$(printf %s "$PW" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- 2>/dev/null || true)" - if [ "$R" ]; then - message "Retrieved the response from the Yubikey" - if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" = "1" ]; then - printf '%s' "$PW$R" - else - printf '%s' "$R" - fi + + if [ "$_ykfde_response" ]; then + if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then + printf '%s' "$YKFDE_CHALLENGE$_ykfde_response" else - message "Failed to retrieve the response from the Yubikey" + printf '%s' "$_ykfde_response" fi -else - printf '%s' "$PW" -fi + exit 0 + fi +} + +run_hook exit 0 From 393b25dd3688f5869dbd117df43e4f6512a8a0b8 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Fri, 21 Jan 2022 22:11:08 -0800 Subject: [PATCH 17/18] Removed commented sections of code, unused variables, and NFC --- src/debian/key-script | 92 +------------------------------------------ 1 file changed, 1 insertion(+), 91 deletions(-) diff --git a/src/debian/key-script b/src/debian/key-script index c9671fa..12c97b7 100755 --- a/src/debian/key-script +++ b/src/debian/key-script @@ -4,17 +4,11 @@ # set default values: DBG="" YKFDE_CONFIG_FILE="/etc/ykfde.conf" -YKFDE_NFC="" -YKFDE_DISK_UUID="" -YKFDE_LUKS_NAME="" -YKFDE_LUKS_DEV="" -YKFDE_LUKS_OPTIONS="" YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30" YKFDE_CRYPTSETUP_TRIALS="5" YKFDE_CHALLENGE_SLOT="2" YKFDE_CHALLENGE="" YKFDE_CHALLENGE_PASSWORD_NEEDED="" -YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP="" YKFDE_USE_PLYMOUTH="" message() { 
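Review bot: In `ykfde_challenge_response` of src/debian/key-script (hunk `@@ -18,53 +17,249 @@`), the sha256 step sits inside the `while [ -z "$_ykfde_response" ]` loop, so when `ykchalresp` returns nothing (a missed touch, for example) the next pass hashes the already-hashed `YKFDE_CHALLENGE` again and sends a different challenge than the first attempt; the loop also has no upper bound. Move `YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')"` above the loop and cap the number of retries. Separately, with `DBG` set the `Running: 'ykchalresp ... $YKFDE_CHALLENGE'` and `Received response: '$_ykfde_response'` messages send the challenge and the response, which is the passphrase material handed to cryptsetup, to stderr or the Plymouth screen; log only that a response was received. Because `ykfde_challenge_response` and the passphrase fallback in `ykfde_do_it` both end in `exit 0`, the `YKFDE_CRYPTSETUP_TRIALS` loop in `run_hook` appears to run at most once, and the "Press ENTER to skip and retry" message does not match that behaviour.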
@@ -29,7 +23,6 @@ message() { run_hook() { local _tmp _tmp="" - local cryptopt cryptoptions [ -x /bin/plymouth ] && [ "$splash" ] && plymouth --ping && YKFDE_USE_PLYMOUTH=1 @@ -42,49 +35,13 @@ run_hook() { [ "$DBG" ] && message "$0:" [ "$DBG" ] && message " > Successfully read YKFDE configuration file." -# # if no settings in config, try to pull it from kernel cmdline (analog to encrypt hook) -# if [ -z "$YKFDE_DISK_UUID" ] || [ -z "$YKFDE_LUKS_NAME" ]; then -# # shellcheck disable=SC2154 -# if [ "$cryptdevice" ]; then -# IFS=: read -r YKFDE_LUKS_DEV YKFDE_LUKS_NAME cryptoptions < modprobing dm-crypt" -# _tmp="$(modprobe -a -q dm-crypt >/dev/null 2>&1)" - local trial_nr trial_nr=1 while [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ]; do - #message "Attempt #$trial_nr/$YKFDE_CRYPTSETUP_TRIALS: cryptsetup of $YKFDE_LUKS_DEV" ykfde_do_it && return 0 trial_nr=$((trial_nr + 1)) done @@ -126,7 +83,6 @@ ykfde_do_it() { #message " > Passphrase needed to unlock device." fi - #printf " Enter passphrase: " if [ "$YKFDE_USE_PLYMOUTH" ]; then printf '%s' "$(plymouth ask-for-password --prompt="Enter passphrase" --dont-pause-progress)" else 
@@ -134,32 +90,7 @@ ykfde_do_it() { printf '%s' "$(/lib/cryptsetup/askpass " Enter passphrase: ")" fi exit 0 -# # if /NOT/ DBG, we need to output \n here. -# [ "$DBG" ] || echo fi - -# [ "$DBG" ] && message " > Passing '$_ykfde_passphrase' to 'cryptsetup'" -# if [ "$YKFDE_RESUME" ]; then -# # shellcheck disable=SC2154 -# if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksResume $cryptname'..."; else message " > Decrypting with 'cryptsetup'..."; fi -# _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksResume "$cryptname" 2>&1)" -# else -# if [ "$DBG" ]; then message " > Decrypting with 'cryptsetup luksOpen $YKFDE_LUKS_DEV $YKFDE_LUKS_NAME $YKFDE_LUKS_OPTIONS'..."; else message " > Decrypting with 'cryptsetup'..."; fi -# _tmp="$(printf %s "$_ykfde_passphrase" | cryptsetup luksOpen "$YKFDE_LUKS_DEV" "$YKFDE_LUKS_NAME" "$YKFDE_LUKS_OPTIONS" 2>&1)" -# fi -# _rc=$? - -# if [ "$_rc" -eq 0 ]; then -# message " Decryption was successful." -# if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then -# [ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep." -# sleep "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -# fi -# else -# message " FAILED! [$_rc] $_tmp" -# fi - -# return "$_rc" } ykfde_challenge_response() { @@ -199,11 +130,6 @@ ykfde_challenge_response() { [ "$DBG" ] && message "[$_rc] '$_tmp'" if [ "$_rc" -eq 0 ]; then _yubikey_detected=1 - elif [ "$YKFDE_NFC" ]; then - [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': " - _tmp="$(ykchalresp-nfc -n 2>&1)" - _rc=$? - [ "$_rc" -eq 0 ] && _yubikey_nfc_detected=1 fi if [ "$_yubikey_timeout" -eq -1 ] || [ "$_usedtime" -le "$_yubikey_timeout" ]; then sleep 0.5 
@@ -216,19 +142,12 @@ ykfde_challenge_response() { [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ] && YKFDE_CHALLENGE="" while [ -z "$YKFDE_CHALLENGE" ]; do -# message " > Please provide the challenge." # shellcheck disable=SC2169 if [ "$YKFDE_USE_PLYMOUTH" ]; then YKFDE_CHALLENGE="$(plymouth ask-for-password --prompt="Enter challenge" --dont-pause-progress)" -# elif [ "$DBG" ]; then -# read -r YKFDE_CHALLENGE else -# read -r -s YKFDE_CHALLENGE YKFDE_CHALLENGE="$(/lib/cryptsetup/askpass " Enter challenge: ")" fi -# YKFDE_CHALLENGE="$(printf %s "$YKFDE_CHALLENGE" | sha256sum | awk '{print $1}')" -# # if /NOT/ DBG, we need to output \n here. -# [ "$DBG" ] || echo done if [ "$_yubikey_detected" ]; then @@ -241,15 +160,6 @@ ykfde_challenge_response() { done fi - if [ -n "$_yubikey_nfc_detected" ]; then - while [ -z "$_ykfde_response" ]; do - [ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." - message " Remember to touch the device if necessary." - _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp-nfc -"$YKFDE_CHALLENGE_SLOT" | tr -d '\n')" - [ "$DBG" ] && message " Received response: '$_ykfde_response'" - done - fi - if [ "$_ykfde_response" ]; then if [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then printf '%s' "$YKFDE_CHALLENGE$_ykfde_response" From 301f1c14b3a5f8bf2747ae9fb478cc162120cea8 Mon Sep 17 00:00:00 2001 From: crispy-landslide <48504814+crispy-landslide@users.noreply.github.com> Date: Fri, 21 Jan 2022 22:20:27 -0800 Subject: [PATCH 18/18] Removed extraneous commented out code --- src/debian/key-script | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/debian/key-script b/src/debian/key-script index 12c97b7..7198e7a 100755 --- a/src/debian/key-script +++ b/src/debian/key-script 
@@ -79,8 +79,6 @@ ykfde_do_it() { if [ "$YKFDE_CHALLENGE" ] || [ "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then message " > Challenge-Response failed. Falling back to manual passphrase." [ "$trial_nr" -le "$YKFDE_CRYPTSETUP_TRIALS" ] && message " Press ENTER to skip and retry Challenge-Response." - #else - #message " > Passphrase needed to unlock device." fi if [ "$YKFDE_USE_PLYMOUTH" ]; then