
Idea: Unlock remote machine via SSH

Open Frederick888 opened this issue 4 years ago • 5 comments

This is a proof of concept which contains a lot of ugly hacks and it's not intended to be merged.

I would like to use yubikey-full-disk-encryption to unlock a headless machine without the hassle of unplugging/plugging YubiKey. So inspired by the encryptssh hook from mkinitcpio-utils I'm using currently, here's a prototype that utilises SSH port forwarding to achieve this job.

Server-Side Requirements
  1. nc from gnu-netcat
  2. ss from iproute2
  3. a patched mkinitcpio-dropbear (contains an upstream dss fix and a minor change to allow port forwarding)

dropbear (and netconf) needs to be pre-configured according to https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp).

mkinitcpio hooks should look like:

    HOOKS=(base udev autodetect keyboard keymap modconf block netconf dropbear ykfde filesystems fsck)

Client-Side Requirements
  1. ncat from nmap
  2. ykfde-ssh from this PR

Basically what it does is
  1. Server fires up network and dropbear
  2. Client uses ykfde-ssh Hostname and it:
     1. starts ncat to listen on 127.0.0.1:9000 and waits for the challenge
     2. forwards 127.0.0.1:9000 to Server
  3. Server uses ss to detect whether 127.0.0.1:9000 is open
  4. Server uses nc to send the challenge to 127.0.0.1:9000 and obtains the response

I've tested it in a virtual machine and it seems to work pretty smoothly. However, the configuration does tend to be overly complex and I actually wonder whether there is a better way of doing this rather than using SSH port forwarding. But @agherzan, if you feel comfortable about this idea, I can then make some time to tidy it up and submit a proper PR.

Frederick888 (Dec 06 '19 09:12)
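The four-step exchange described in the PR above, modelled end to end as an added example (this is not code from the PR or from yubikey-full-disk-encryption). It assumes a software HMAC-SHA1 with a constructed secret in place of the YubiKey slot, drops the SSH tunnel so both ends talk over loopback in one process, and lets the OS pick the port instead of fixing it at 9000.

```python
import hashlib
import hmac
import socket
import threading

# Constructed stand-in for the secret in the YubiKey's HMAC-SHA1 challenge-response
# slot (assumption: a real key computes the HMAC in hardware and never exposes this).
DEMO_SLOT_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")

def yubikey_hmac_sha1(secret: bytes, challenge: bytes) -> bytes:
    """Software model of the key's slot: response = HMAC-SHA1(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def start_client_responder(secret: bytes) -> int:
    """Client side (the ncat role): answer one non-empty hex challenge line, then exit."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # 0 = any free port; the PR fixes it at 9000
    listener.listen(5)
    port = listener.getsockname()[1]
    def serve_one() -> None:
        with listener:
            while True:
                conn, _ = listener.accept()
                with conn:
                    line = conn.makefile("rb").readline().strip()
                    if not line:  # a probe that sent nothing: ignore it, keep waiting
                        continue
                    response = yubikey_hmac_sha1(secret, bytes.fromhex(line.decode()))
                    conn.sendall(response.hex().encode() + b"\n")
                    return
    threading.Thread(target=serve_one, daemon=True).start()
    return port

def port_is_listening(port: int) -> bool:
    """Server side (the ss role). ss reads the kernel listen table without connecting;
    this TCP probe does connect, which is why the responder tolerates an empty line."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=1):
            return True
    except OSError:
        return False

def fetch_response(port: int, challenge: bytes) -> bytes:
    """Server side (the nc role): send the hex challenge, read back the hex response."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        conn.sendall(challenge.hex().encode() + b"\n")
        return bytes.fromhex(conn.makefile("rb").readline().decode().strip())

def unlock_round_trip(secret: bytes, challenge: bytes) -> bool:
    """Full exchange: the server ends up holding the response the local key would give."""
    port = start_client_responder(secret)
    if not port_is_listening(port):
        return False
    return fetch_response(port, challenge) == yubikey_hmac_sha1(secret, challenge)
```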

Shall we close this PR for now?

agherzan (Jul 24 '20 15:07)

Ah, sorry, got busy for a while then completely forgot about this. I still would like to finish this feature, but I can't give you a time frame right now. Is it ok? Or I'm also happy to submit another PR when I actually manage to wrap it up.

Frederick888 (Jul 27 '20 23:07)

Take your time, we can wait 😄

Vincent43 (Jul 28 '20 08:07)

That's absolutely alright. Just wanted to make sure it's still planned sometime in the future.

agherzan (Jul 29 '20 10:07)

https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/ does that

Piraty (Oct 18 '20 17:10)