eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-23 16:50:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

ssh token: Allow specifying key slot when adding the token

Browse Source
This commit is contained in:
Vojtech Trefny
2021-06-22 15:56:30 +02:00
parent ff958d376e
commit 35793c24f0
2 changed files with 39 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/ssh-plugin-test
View File

@@ -10,6 +10,7 @@ IMG="ssh_test.img"
MAP="sshtest" MAP="sshtest"
USER="sshtest" USER="sshtest"
PASSWD="sshtest" PASSWD="sshtest"
PASSWD2="sshtest2"
LOOPDEV=$(losetup -f 2>/dev/null) LOOPDEV=$(losetup -f 2>/dev/null)
SSH_OPTIONS="-o StrictHostKeyChecking=no" SSH_OPTIONS="-o StrictHostKeyChecking=no"
@@ -93,11 +94,15 @@ format()
echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV --force-password -q echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV --force-password -q
[ $? -ne 0 ] && fail "Format failed." [ $? -ne 0 ] && fail "Format failed."
echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -q
[ $? -ne 0 ] && fail "Add key failed."
} }
check_dump() check_dump()
{ {
dump=$1 dump=$1
keyslot=$2
token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ") token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
[ "$token" = "ssh" ] || fail " token check from dump failed." [ "$token" = "ssh" ] || fail " token check from dump failed."
@@ -113,6 +118,9 @@ check_dump()
key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ") key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ")
[ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed." [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed."
keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ")
[ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
} }
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
@@ -138,7 +146,7 @@ $CRYPTSETUP_SSH add $LOOPDEV --ssh-server $SSH_SERVER --ssh-user $USER --ssh-pat
[ $? -ne 0 ] && fail "Failed to add SSH token to $LOOPDEV" [ $? -ne 0 ] && fail "Failed to add SSH token to $LOOPDEV"
out=$($CRYPTSETUP luksDump $LOOPDEV) out=$($CRYPTSETUP luksDump $LOOPDEV)
check_dump "$out" check_dump "$out" 0
echo "[OK]" echo "[OK]"
echo -n "Activating using SSH token: " echo -n "Activating using SSH token: "
@@ -148,5 +156,17 @@ $CRYPTSETUP luksOpen -r $LOOPDEV $MAP -q >/dev/null 2>&1 <&-
[ $? -ne 0 ] && fail "Failed to open $LOOPDEV using SSH token" [ $? -ne 0 ] && fail "Failed to open $LOOPDEV using SSH token"
echo "[OK]" echo "[OK]"
# Remove the newly added token and test adding with --key-slot
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail "Failed to remove token"
echo -n "Adding SSH token with --key-slot: "
$CRYPTSETUP_SSH add $LOOPDEV --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1
[ $? -ne 0 ] && fail "Failed to add SSH token to $LOOPDEV"
out=$($CRYPTSETUP luksDump $LOOPDEV)
check_dump "$out" 1
echo "[OK]"
remove_mapping remove_mapping
remove_user remove_user

27
tokens/ssh/cryptsetup-ssh.c
View File

@@ -46,6 +46,7 @@
#define OPT_KEY_PATH 4 #define OPT_KEY_PATH 4
#define OPT_DEBUG 5 #define OPT_DEBUG 5
#define OPT_DEBUG_JSON 6 #define OPT_DEBUG_JSON 6
#define OPT_KEY_SLOT 7
void tools_cleanup(void) void tools_cleanup(void)
{ {
@@ -140,6 +141,8 @@ static struct argp_option options[] = {
{"ssh-user", OPT_SSH_USER, "STRING", 0, "Username used for the remote server" }, {"ssh-user", OPT_SSH_USER, "STRING", 0, "Username used for the remote server" },
{"ssh-path", OPT_SSH_PATH, "STRING", 0, "Path to the key file on the remote server"}, {"ssh-path", OPT_SSH_PATH, "STRING", 0, "Path to the key file on the remote server"},
{"ssh-keypath", OPT_KEY_PATH, "STRING", 0, "Path to the SSH key for connecting to the remote server" }, {"ssh-keypath", OPT_KEY_PATH, "STRING", 0, "Path to the SSH key for connecting to the remote server" },
{"key-slot", OPT_KEY_SLOT, "NUM", 0, "Keyslot to assing the token to. If not specified, token will "\
"be assigned to the first keyslot matching provided passphrase."},
{0, 0, 0, 0, "Generic options:" }, {0, 0, 0, 0, "Generic options:" },
{"verbose", 'v', 0, 0, "Shows more detailed error messages"}, {"verbose", 'v', 0, 0, "Shows more detailed error messages"},
{"debug", OPT_DEBUG, 0, 0, "Show debug messages"}, {"debug", OPT_DEBUG, 0, 0, "Show debug messages"},
@@ -154,6 +157,7 @@ struct arguments {
char *ssh_user; char *ssh_user;
char *ssh_path; char *ssh_path;
char *ssh_keypath; char *ssh_keypath;
int keyslot;
int verbose; int verbose;
int debug; int debug;
int debug_json; int debug_json;
@@ -176,6 +180,9 @@ parse_opt (int key, char *arg, struct argp_state *state) {
case OPT_KEY_PATH: case OPT_KEY_PATH:
arguments->ssh_keypath = arg; arguments->ssh_keypath = arg;
break; break;
case OPT_KEY_SLOT:
arguments->keyslot = atoi(arg);
break;
case 'v': case 'v':
arguments->verbose = 1; arguments->verbose = 1;
break; break;
@@ -230,7 +237,7 @@ void _log(int level, const char *msg, void *usrptr)
} }
} }
static int get_keyslot_for_passphrase(struct arguments *arguments, const char *pin, int *keyslot) static int get_keyslot_for_passphrase(struct arguments *arguments, const char *pin)
{ {
int r = 0; int r = 0;
ssh_key pkey; ssh_key pkey;
@@ -271,7 +278,7 @@ static int get_keyslot_for_passphrase(struct arguments *arguments, const char *p
} }
/* now try again with the password */ /* now try again with the password */
r = get_keyslot_for_passphrase(arguments, ssh_pass, keyslot); r = get_keyslot_for_passphrase(arguments, ssh_pass);
crypt_safe_free(ssh_pass); crypt_safe_free(ssh_pass);
crypt_free(cd); crypt_free(cd);
@@ -323,7 +330,7 @@ static int get_keyslot_for_passphrase(struct arguments *arguments, const char *p
return r; return r;
} }
*keyslot = r; arguments->keyslot = r;
crypt_safe_memzero(password, password_len); crypt_safe_memzero(password, password_len);
free(password); free(password);
@@ -335,8 +342,8 @@ static int get_keyslot_for_passphrase(struct arguments *arguments, const char *p
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
int ret = 0; int ret = 0;
int keyslot = 0;
struct arguments arguments = { 0 }; struct arguments arguments = { 0 };
arguments.keyslot = CRYPT_ANY_SLOT;
ret = argp_parse (&argp, argc, argv, 0, 0, &arguments); ret = argp_parse (&argp, argc, argv, 0, 0, &arguments);
if (ret != 0) { if (ret != 0) {
@@ -381,10 +388,12 @@ int main(int argc, char *argv[])
return EXIT_FAILURE; return EXIT_FAILURE;
} }
ret = get_keyslot_for_passphrase(&arguments, NULL, &keyslot); if (arguments.keyslot == CRYPT_ANY_SLOT) {
if (ret != 0) { ret = get_keyslot_for_passphrase(&arguments, NULL);
printf("Failed open %s using provided credentials.\n", arguments.device); if (ret != 0) {
return EXIT_FAILURE; printf("Failed open %s using provided credentials.\n", arguments.device);
return EXIT_FAILURE;
}
} }
return token_add(arguments.device, return token_add(arguments.device,
@@ -392,7 +401,7 @@ int main(int argc, char *argv[])
arguments.ssh_user, arguments.ssh_user,
arguments.ssh_path, arguments.ssh_path,
arguments.ssh_keypath, arguments.ssh_keypath,
keyslot); arguments.keyslot);
} else { } else {
printf("Only 'add' action is currently supported by this plugin.\n"); printf("Only 'add' action is currently supported by this plugin.\n");
return EXIT_FAILURE; return EXIT_FAILURE;