File: challenge-in-ps

Package: yubikey-luks 0.5.1+29.g5df2b95-6.3
  • area: main
  • in suites: trixie
  • size: 164 kB
  • sloc: sh: 586; makefile: 39
File content: 69 lines, 2,312 bytes, mode -rw-r--r--
Description: Stop exposing challenge in process list
 Patch adopted for current packaged version.
Author: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Forwarded: https://github.com/cornelinux/yubikey-luks/pull/63
Last-Update: 2021-03-08
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

From bccc8027b1a8b184e9440887b245c1f502d313f0 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Sat, 24 Oct 2020 14:41:41 +0200
Subject: [PATCH 1/3] Stop exposing challenge in process list

Passing the challenge as an argument to ykchalresp results in it being
exposed in the process list, i.e. 'ps aux'. Piping the challenge through
stdin fixes that.

Fixes https://github.com/cornelinux/yubikey-luks/issues/51
---
 initramfs-suspend   | 2 +-
 key-script          | 2 +-
 yubikey-luks-enroll | 2 +-
 yubikey-luks-open   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

--- a/initramfs-suspend
+++ b/initramfs-suspend
@@ -39,7 +39,7 @@
 		P1=$(printf %s "$P1" | sha256sum | awk '{print $1}')
 	fi
 
-	R="$(ykchalresp -2 "$P1" 2>/dev/null || true)"
+	R="$(printf %s "$P1" | ykchalresp -2 -i- 2>/dev/null || true)"
 
 	if [ "$CONCATENATE" = "1" ]; then
 		printf %s "$P1$R" | cryptsetup luksResume "${cryptname}" 2>&1;
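Review bot: the stdin form is only as private as `printf` is. It is a builtin in dash, bash and busybox ash, but if the initramfs shell resolves `printf` to an external binary the challenge simply moves from ykchalresp's argv to printf's argv, and `ps` shows it again. Either document that assumption or add a one-line guard near the top of the script (`command -V printf` should report a builtin in the shell the initramfs actually uses). Using `printf %s` rather than `echo` is the right call, since it emits the challenge bytes with no trailing newline, so an already-enrolled slot should keep producing the same response; please confirm that `ykchalresp -i-` consumes stdin as the raw challenge exactly as it treated the argv string before merging, because any difference there would silently break luksResume for existing enrollments.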
--- a/key-script
+++ b/key-script
@@ -46,7 +46,7 @@
 	if [ "$HASH" = "1" ]; then
         	PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
 	fi
-    	R="$(ykchalresp -2 "$PW" 2>/dev/null || true)"
+    R="$(printf %s "$PW" | ykchalresp -2 -i- 2>/dev/null || true)"
 	message "Retrieved the response from the Yubikey"
 	if [ "$CONCATENATE" = "1" ]; then
 		printf '%s' "$PW$R"
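Review bot: indentation of the new `R=` line is four spaces, while the surrounding lines (the `if [ "$HASH" = "1" ]` block above and the `message` call below) use tabs, and the removed line had a spaces-plus-tab mix; since the line is being touched anyway, make it a single tab rather than introducing a third variant in the same ten lines. The pipeline itself is consistent with the other three call sites in this patch.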
--- a/yubikey-luks-enroll
+++ b/yubikey-luks-enroll
@@ -74,7 +74,7 @@
 		if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
 fi
 
-R="$(ykchalresp -2 "$P1" 2>/dev/null || true)"
+R="$(printf %s "$P1" | ykchalresp -2 -i- 2>/dev/null || true)"
 	if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
 
 if [ -z "$R" ]; then
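Review bot: with DBG=1 the lines immediately around this change still run `echo "Password hash: $P1"` and `echo "Yubikey response: $R"`, so during enrollment both the challenge and the response are written to stdout and survive in terminal scrollback or any log that captures the run; the argv fix does not cover that path. Either state in the commit message that debug output is out of scope, or have the debug lines print only the length of the value. Minor: the new `R=` line stays at column 0 while the `if` on the next line is tab-indented, same as the old line, but worth aligning while here.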
--- a/yubikey-luks-open
+++ b/yubikey-luks-open
@@ -50,7 +50,7 @@
 		if [ "$DBG" = "1" ]; then echo "Password hash: $P1"; fi
 fi
 
-R="$(ykchalresp -2 "$P1" 2>/dev/null || true)"
+R="$(printf %s "$P1" | ykchalresp -2 -i- 2>/dev/null || true)"
 	if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi
 
 if [ -z "$R" ]; then
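Review bot: this is the fourth copy of the same `printf %s ... | ykchalresp -2 -i- 2>/dev/null || true` pipeline (initramfs-suspend, key-script, yubikey-luks-enroll and here), and the key-script hunk already shows the copies drifting in indentation. If these scripts can share a sourced helper, a single function wrapping that pipeline would give one place to fix challenge handling in future; if they cannot, at least keep the four lines byte-identical. Same caveat as for yubikey-luks-enroll: `echo "Yubikey response: $R"` under DBG=1 on the following line still prints the secret response, which the argv change does not address.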
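The exposure the commit message describes, and the reason the stdin form closes it, can be checked without a YubiKey. The script below is an added example and is not part of yubikey-luks or of this patch: a child shell stands in for ykchalresp and reports its own argument vector as every local user sees it through /proc/<pid>/cmdline (the same data `ps aux` prints), falling back to ps(1) where /proc is absent. The challenge value and the stand-in name are constructed for the demo; `-2` and `-i-` are the options used in the hunks above.

```sh
#!/bin/sh
# Added example, not the project's code: show the challenge in argv vs. over stdin.
# The stand-in prints its own argv.  The trailing "; :" keeps the child shell from
# exec'ing tr directly, so the argv read back is the shell's own, not tr's.
SHOW_ARGV='tr "\0" " " </proc/$$/cmdline 2>/dev/null || ps -o args= -p $$; :'

# Old pattern from the removed lines: the challenge travels as an argument.
run_old_style() {
    challenge=$1
    sh -c "$SHOW_ARGV" ykchalresp -2 "$challenge"
}

# Patched pattern: the challenge travels through a pipe.  printf is a builtin in
# dash, bash and busybox ash, so no process argv ever carries it.  The stand-in
# drains stdin first, as ykchalresp -i- would.
run_new_style() {
    challenge=$1
    printf %s "$challenge" | sh -c "cat >/dev/null; $SHOW_ARGV" ykchalresp -2 -i-
}

# Returns 0 when the challenge shows up in the stand-in's process listing, 1 otherwise.
challenge_in_process_list() {
    style=$1
    challenge=$2
    case $("$style" "$challenge") in
        *"$challenge"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed challenge, shaped like the sha256sum hex digest the scripts pass
# when HASH=1 (the value is arbitrary, not a real enrollment).
CHALLENGE=3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b

if challenge_in_process_list run_old_style "$CHALLENGE"; then
    echo "argv:  challenge visible in process list"
fi
if ! challenge_in_process_list run_new_style "$CHALLENGE"; then
    echo "stdin: challenge not in process list"
fi
```

Run it as an unprivileged user on the same host to see the point of the patch: /proc/<pid>/cmdline is world-readable, so the argv form leaks to every login session, whereas the pipe is visible only to the two processes holding its ends. If `run_new_style` ever reports the challenge, `printf` is not a builtin in that shell and the stdin form needs revisiting there.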