From 9c7af15758bf7f38486aaf1335fc3ced6cccaf33 Mon Sep 17 00:00:00 2001 From: YunQiang Su Date: Mon, 4 Dec 2023 07:09:26 +0800 Subject: [PATCH] Fallback password input if fail from yubikey If we tried 3 times, and our yubikey has no response, let's fallback to password input. If yubikey repsoned, while we cannot decrypt our disk with this response, let's ask for new password directly. Background: I have 2 yubikey, and one is set to 1FA and another is set to 2FA. I wish that when the 1FA one can just work if I plug it in, and password is asked if I plug the 2FA one in instead. --- key-script | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/key-script b/key-script index ba650f4..273f1e8 100755 --- a/key-script +++ b/key-script @@ -22,7 +22,9 @@ message() check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")" -if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then +touch /tmp/ykluks-fail +TRIED="$(grep ${CRYPTTAB_SOURCE} /tmp/ykluks-fail | wc -l)" +if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] || [ "$TRIED" -ge 3 ] ; then if [ -z "$cryptkeyscript" ]; then if [ -x /bin/plymouth ] && plymouth --ping; then cryptkeyscript="plymouth ask-for-password --prompt" @@ -35,6 +37,7 @@ else PW="$YUBIKEY_CHALLENGE" fi + if [ "$check_yubikey_present" = "1" ]; then message "Accessing yubikey..." if [ "$HASH" = "1" ]; then @@ -48,8 +51,12 @@ if [ "$check_yubikey_present" = "1" ]; then else printf '%s' "$R" fi + echo "$CRYPTTAB_SOURCE tried" >> /tmp/ykluks-fail + echo "$CRYPTTAB_SOURCE tried" >> /tmp/ykluks-fail + echo "$CRYPTTAB_SOURCE tried" >> /tmp/ykluks-fail else message "Failed to retrieve the response from the Yubikey" + echo "$CRYPTTAB_SOURCE tried" >> /tmp/ykluks-fail fi else printf '%s' "$PW"