#!/bin/sh
#
# Copyright (c) 2016 Dmitry Dulepov <[email protected]>
# https://github.com/dmitryd/kali-yubikey
#
# Install to: /usr/share/initramfs-tools/scripts/local-bottom/
# (local-bottom hooks run once the root filesystem has been mounted under /root)
set -e

# Standard initramfs-tools hook preamble: when invoked as "$0 prereqs" the
# hook must print the names of the hooks it depends on and exit; this one
# has no dependencies, so the list is empty.
PREREQ=""
prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
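. /scripts/functions

# Layout knobs. Defaults are the values the original script hard-coded; they
# may be pre-set in the environment (for instance from a /conf/conf.d snippet
# that the initramfs init sources before running hooks) for another disk layout.
LUKS_DEVICE="${YUBIKEY_LUKS_DEVICE:-/dev/sda5}"
LUKS_KEY_SLOT="${YUBIKEY_LUKS_KEY_SLOT:-2}"
YK_DIR="${YUBIKEY_DIR:-/boot/yubikey}"
# GnuPG home holding the "initramfs" key. At local-bottom time the real root
# filesystem is mounted at /root, so this is the real system's /root/.gnupg.
GPG_HOME="${YUBIKEY_GNUPGHOME:-/root/root/.gnupg}"
# Plaintext LUKS key files (old and new). The initramfs /tmp is normally a
# tmpfs, so these only ever exist in RAM; they are still wiped on every exit.
KEY_OLD=/tmp/kfo
KEY_NEW=/tmp/kfn

# Securely remove one file if it exists. Falls back to rm so that a shred
# failure never leaves plaintext key material behind; always returns 0 so
# it is safe to call under set -e.
wipe_file() {
  if [ -f "$1" ]; then
    shred -u -z "$1" || rm -f "$1"
  fi
  return 0
}

# Remove the plaintext keys and the one-shot encrypted inputs. Registered as
# an EXIT trap so it also runs when a step aborts the hook under set -e (the
# original only reached its cleanup lines on fall-through). As in the
# original, the .enc files are removed even when no Yubikey was present.
cleanup_keys() {
  wipe_file "$KEY_OLD"
  wipe_file "$KEY_NEW"
  wipe_file "$YK_DIR/kfn.enc"
  wipe_file "$YK_DIR/kfo.enc"
}
trap cleanup_keys EXIT

# Decrypt $1 into $2 with the initramfs GnuPG key; quiet, exit status only.
# There is no pinentry in the initramfs, so the secret key in $GPG_HOME has
# to be usable without a passphrase for this to work — which also means
# anyone who can read that directory can decrypt the .enc files.
# --recipient is kept from the original invocation; it is not needed for
# decryption.
decrypt_key() {
  /bin/gpgv1 --no-random-seed-file --lock-never --homedir="$GPG_HOME" \
    --output "$2" --recipient initramfs --decrypt "$1" >/dev/null 2>&1
}

# Redirections are written POSIX-style on purpose: under #!/bin/sh the
# original "cmd &> /dev/null" is, in dash, parsed as "cmd &" followed by a
# redirection, which backgrounds the command and makes the following $? test
# meaningless (busybox ash may or may not accept &>, depending on its build).
if /bin/ykinfo -s >/dev/null 2>&1; then
  # Yubikey present: rotate the LUKS key in the configured slot from the old
  # key (kfo) to the new one (kfn), then promote the new challenge file.
  if [ -f "$YK_DIR/yk_challenge_new" ] && [ -f "$YK_DIR/kfo.enc" ] && [ -f "$YK_DIR/kfn.enc" ]; then
    # Drop any stale plaintext from an earlier run before writing new files.
    wipe_file "$KEY_OLD"
    wipe_file "$KEY_NEW"
    # Plaintext key files must not be readable by anyone but root.
    umask 077
    # A decryption failure is reported below instead of killing the hook
    # under set -e (in the original the "Could not find LUKS keys" branch
    # was unreachable for that reason).
    if decrypt_key "$YK_DIR/kfo.enc" "$KEY_OLD" && decrypt_key "$YK_DIR/kfn.enc" "$KEY_NEW" \
      && [ -f "$KEY_OLD" ] && [ -f "$KEY_NEW" ]; then
      # Capture the status explicitly: a bare failing command here would exit
      # the hook under set -e before the error branch could report it.
      rc=0
      cryptsetup --key-file="$KEY_OLD" luksChangeKey --key-slot "$LUKS_KEY_SLOT" "$LUKS_DEVICE" "$KEY_NEW" || rc=$?
      if [ "$rc" -eq 0 ]; then
        # -f: a missing old challenge must not abort before the rename, or the
        # on-disk challenge would no longer match the key just written.
        rm -f "$YK_DIR/yk_challenge"
        mv "$YK_DIR/yk_challenge_new" "$YK_DIR/yk_challenge"
        echo "LUKS key was updated."
      else
        echo "Failed to update LUKS key with exit code $rc. Next boot will reuse the same key."
        sleep 5
      fi
    else
      echo "Could not find LUKS keys. Next boot will reuse the same key."
      sleep 5
    fi
  else
    echo "Could not find yubikey files."
    sleep 5
  fi
fi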