Challenge exposed in process list

[HacKanCuBa]

Hello there! I was checking your scripts and I noticed that you pass the password to the ykchalresp bin as part of its command line, thus exposing it to the system:

yubikey-full-disk-encryption/src/ykfde-enroll

Line 149 in 0e1e58b

YKFDE_RESPONSE="$(ykchalresp -"$YKFDE_CHALLENGE_SLOT" "$YKFDE_CHALLENGE" 2>/dev/null | tr -d '\n')"

If you run top or htop you will see the password shows up there. The same happens in the initram script, but on that scenario is not so dangerous. However, on the already booted up scenario, having the password shown as part of the command is VERY dangerous.

I haven't used ykchalresp but a better approach would be to pass the password like: printf "%s" "$P1" | ykchalresp -2 - or something like that (we need to test this).

[HacKanCuBa]

BTW, this code is somewhat similar to cornelinux/yubikey-luks, and thus has this same issue.

[Vincent43]

@HacKanCuBa great find! I'll look into it.

[Vincent43]

@HacKanCuBa This should be fixed in 6aa15b9 . Thank you again for reporting this.

[HacKanCuBa]

Awesome! I checked the commit and seems fine.

Thank you!

[agherzan]

Nice report!