Yubikey PBA #1620
Merged
mornfall merged 10 commits into NixOS:master from MoritzMaxeiner:yubikey on Jan 29, 2014
Conversation
added 10 commits
January 25, 2014 03:13
…; supports simple challenge-response and two-factor authentication
…e design specification of
'YubiKey Integration for Full Disk Encryption Pre-Boot Authentication (Copyright) Yubico, 2011 Version: 1.1'.
Used binaries:
* uuidgen - for generation of random sequence numbers
* ykchalresp - for challenging a Yubikey
* ykinfo - to check if a Yubikey is plugged in at boot (fallback to passphrase authentication otherwise)
* openssl - for calculation of SHA-1, HMAC-SHA-1, as well as AES-256-CTR (de/en)cryption
Main differences to the specification mentioned above:
* No user management (yet), only one password+yubikey per LUKS device
* SHA-512 instead of CRC-16 for checksum
Main differences to the previous implementation:
* Instead of changing the key slot of the LUKS device each boot, the actual key for the LUKS device will be encrypted itself
* Since the response for the new challenge is now calculated locally with openssl, the MITM-USB-attack with which previously an attacker could obtain the new response (that was used as the new encryption key for the LUKS device) by listening to the Yubikey has ideally become useless (as long as uuidgen can successfully generate new random sequence numbers).
Remarks:
* This is not downwards compatible to the previous implementation
…. To update from the previous configuration, convert your crypt-storage file from raw binary to hex.
…rs can now share a single luks keyslot. This is achieved by having multiple lines per storage file, one for each user (if the feature is enabled); each of these lines has the same format as would be the case for the userless authentication, except that they are prepended with a SHA-512 of the user's id.
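The commit messages above describe the scheme but not the shell that implements it. The following is an added worked example, not the nixpkgs luksroot.nix module's code: a random sequence number (uuidgen, with an openssl fallback for hosts without it) is hashed with SHA-1 to form the challenge, the token's HMAC-SHA-1 response is combined with the passphrase into an AES-256-CTR key that encrypts the LUKS key slot secret, the stored line is protected with a SHA-512 checksum, and each successful unlock re-encrypts under a fresh sequence number; multi-user lines are prefixed with the SHA-512 of the user id. Assumptions not taken from the PR: the Yubikey is simulated with openssl and a constructed secret (`YK_SECRET`), the AES key is SHA-512(passphrase || response) truncated to 32 bytes, and the ciphertext is stored base64 rather than hex (base64 keeps the decode step free of xxd). Function names `pba_enroll`, `pba_unlock`, `pba_rotate` and `pba_find_user` are this example's own.

```shell
#!/bin/sh
# Added illustration of the rotating challenge-response PBA scheme; not the
# nixpkgs luksroot.nix code. The token is simulated with openssl (assumption),
# the AES key derivation is SHA-512(pass||response)[0:32] (assumption), and
# ciphertext is stored base64 instead of hex (assumption, for portability).
set -eu

YK_SECRET='0102030405060708090a0b0c0d0e0f1011121314'  # constructed 20-byte HMAC-SHA-1 secret standing in for the programmed slot

# openssl dgst prints "NAME(stdin)= <hex>"; keep only the hex digest.
hex_digest() { sed 's/^.*= //'; }

# Simulated ykchalresp: HMAC-SHA-1 of the challenge text under the token secret.
yk_response() {
    printf '%s' "$1" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$YK_SECRET" | hex_digest
}

# Challenge for a given sequence number: its SHA-1 (as the commit message describes).
challenge_for() { printf '%s' "$1" | openssl dgst -sha1 | hex_digest; }

# 256-bit AES key (64 hex chars) from passphrase + token response (assumed derivation).
derive_key() {
    printf '%s%s' "$1" "$2" | openssl dgst -sha512 | hex_digest | cut -c1-64
}

# SHA-512 checksum over the stored fields (the PR's replacement for CRC-16).
checksum() { printf '%s %s %s' "$1" "$2" "$3" | openssl dgst -sha512 | hex_digest; }

# pba_enroll PASSPHRASE LUKS_KEY -> storage line "<seq> <iv> <blob> <sha512>"
pba_enroll() {
    seq="$(uuidgen 2>/dev/null || openssl rand -hex 16)"   # fresh random sequence number
    key="$(derive_key "$1" "$(yk_response "$(challenge_for "$seq")")")"
    iv="$(openssl rand -hex 16)"
    blob="$(printf '%s' "$2" | openssl enc -aes-256-ctr -K "$key" -iv "$iv" | openssl base64 -A)"
    printf '%s %s %s %s\n' "$seq" "$iv" "$blob" "$(checksum "$seq" "$iv" "$blob")"
}

# pba_unlock STORAGE_LINE PASSPHRASE -> recovered LUKS key (exit 1 if the checksum fails)
pba_unlock() {
    pass="$2"
    set -- $1                                   # split the line into seq iv blob sum
    [ "$(checksum "$1" "$2" "$3")" = "$4" ] || { echo "storage checksum mismatch" >&2; return 1; }
    key="$(derive_key "$pass" "$(yk_response "$(challenge_for "$1")")")"
    printf '%s' "$3" | openssl base64 -d -A | openssl enc -d -aes-256-ctr -K "$key" -iv "$2"
}

# pba_rotate STORAGE_LINE PASSPHRASE -> new line: same LUKS key, new sequence number,
# so a response observed on the USB bus during this boot is useless for the next one.
pba_rotate() {
    recovered="$(pba_unlock "$1" "$2")" || return 1
    pba_enroll "$2" "$recovered"
}

# Multi-user storage: each line is "<sha512(userid)> <record>".
user_tag() { printf '%s' "$1" | openssl dgst -sha512 | hex_digest; }

# pba_find_user USERID STORAGE_TEXT -> that user's record, exit 1 if absent
pba_find_user() {
    printf '%s\n' "$2" | grep "^$(user_tag "$1") " | cut -d' ' -f2- | grep .
}
```

A wrong passphrase does not produce an error here, only garbage: AES-CTR has no padding to fail, and the checksum covers the stored fields rather than the derived key, so the caller must still hand the result to cryptsetup and fall back to passphrase authentication when the slot refuses it, as the module does when ykinfo finds no token.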
r-ryantm pushed a commit to r-ryantm/nixpkgs that referenced this pull request on Jul 7, 2018
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/singularity/versions.

Version release notes (from GitHub):

Greetings Singularity containerizers! This release contains fixes for a _high severity_ security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container. Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed.

The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set `enable overlay = no` in `singularity.conf`. In addition, this release contains a large number of bug fixes. Details follow:

## [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021)
- Removed the option to use overlay images with `singularity mount`. This flaw could allow a malicious user accessing the host system to access sensitive information when coupled with persistent ext3 overlay.
- Fixed a race condition that might allow a malicious user to bypass directory image restrictions, like mounting the host root filesystem as a container image

## Bug fixes
- Fix an error in malloc allocation NixOS#1620
- Honor debug flag when pulling from docker hub NixOS#1556
- Fix a bug with passwd abort NixOS#1580
- Allow user to override singularity.conf "mount home = no" with --home option NixOS#1496
- Improve debugging output NixOS#1535
- Fix some bugs in bind mounting NixOS#1525
- Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will work with kernels that implement them (like Cray systems) NixOS#1506
- Create /dev/fd and standard streams symlinks in /dev when using minimal dev mount or when specifying -c/-C/--contain option NixOS#1420
- Fixed * expansion during app runscript creation NixOS#1486

As always, please report any bugs to: https://github.com/singularityware/singularity/issues/new

These checks were done:
- built on NixOS
- /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/singularity passed the binary check.
- Warning: no invocation of /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/run-singularity had a zero exit code or showed the expected version
- 1 of 2 passed binary check by having a zero exit code.
- 0 of 2 passed binary check by having the new version present in output.
- found 2.5.2 with grep in /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2
- directory tree listing: https://gist.github.com/ed6db09ad43a19c6abf2d35d15ef489c
- du listing: https://gist.github.com/9bd23f4d6ee86a9eb2ba7ec5c986741d
Implement pre-boot authentication with a Yubikey for NixOS.
Features both two-factor authentication and using the Yubikey by itself (the former is recommended and the default).
The necessary setup to use this feature is shown here: https://gist.github.com/Calrama/9ed4d59f295f2431b651#file-setup_luks_device_for_pba-sh (Simply change the DEVICE, STORAGE, SLOT, YUBIKEYS, and MULTIUSER variables to your requirements; to not use two-factor authentication, simply press enter when asked for your user passphrase).