eworm-de / mkinitcpio-ykfde

Full disk encryption with Yubikey (Yubico key)

License: GNU General Public License v3.0

yubikey mkinitcpio dracut encryption cryptsetup

mkinitcpio-ykfde's Introduction

mkinitcpio-ykfde

Full disk encryption with Yubikey (Yubico key)

This allows a LUKS-encrypted hard disk to be unlocked automatically from a systemd-enabled initramfs.

Requirements, building, installing and usage

Most of this is generic, but the details differ between distributions. Please look at what matches your setup best.

Limitation / TODO

No known limitations. Yeah!

License and warranty

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Upstream

URL: GitHub.com

Mirror: eworm.de GitLab.com

mkinitcpio-ykfde's People

Contributors: bpereto, eworm-de, kintar, stevesbrain, widforss

mkinitcpio-ykfde's Issues

ykfde-worker failed to start

Hi,

Running fedora 33 with latest patches:
Linux hostname 5.10.17-200.fc33.x86_64 #1 SMP Wed Feb 17 21:21:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Followed the guide, but when I reboot the machine, I enter the 2nd factor, then an error message appears saying that ykfde-worker failed to start.

Looking at the service status, I get:
worker[564]: /usr/lib/ykfde/worker: error while loading shared libraries: libiniparser.so.1: cannot open shared object file: No such file or directory

If I try to start it manually, the error changes to:
worker[6599]: yk_open_first_key() failed: Permission denied

Tried to add the following line on the service section of the service definition:
Environment="LD_LIBRARY_PATH=/usr/lib64"

But it still does not work.

[root@matrix ~]# ldconfig -v | grep libiniparser
libiniparser.so.1 -> libiniparser.so.1

find /usr/ -name libiniparser.so.1

/usr/lib64/libiniparser.so.1

Tested the second factor key by issuing ykfde -s <2f> and it worked fine.

Any ideas?

Seg fault

I'm trying to configure with a Yubi 4 and when I run ykfde I get a segmentation fault.

Latest kernel, 4.14.11

Let me know what debugging info you need, I'm happy to help out.

FDE with 2FA doesn't check 2nd factor?

Hello,

I set up ykfde to use 2 factor authentication. Everything seems to work great, but this morning I typed a wrong password and yet, my disk was decrypted. So I tried again with a wrong password on purpose and it worked again. I'm using archlinux.
I don't know what information I could provide to help debug this.
I previously had setup ykfde without 2fa (because it wasn't available yet), so maybe I made a mistake when I switched.
To switch, I first changed the config and then typed sudo ykfde -s <2fa> and then used ykfde-cpio and then regenerated the initcpio files.

Cheers

Current master segfaults in ykfde.c

Hi,

the current master is segfaulting for me. I bisected the first bad commit to be 76b1338 and compiling with debug symbols gives me what I think is a NULL pointer dereference at line 321 in ykfde.c:

Thread 1 "ykfde" received signal SIGSEGV, Segmentation fault.
main (argc=, argv=) at ykfde.c:321
321 len = strlen(tmp);
(gdb) print tmp
$1 = 0x0

feat: commandline calculate key

What

Add a flag to the ykfde executable that prints the resulting LUKS keyslot passphrase instead of sending it to decrypt the drive.

In other words, instead of calculating the LUKS keyslot passphrase and sending it to unlock the drive, this flag lets a user, on a booted system, generate the valid LUKS key with their Yubikey, without manually going through the steps below, and without also rolling the challenge salt.

Why

Manually changing the LUKS setup with this program is currently undocumented. The challenge has to be manually read from ykfde's files, then up to the first SHA1_MAX_BLOCK_SIZE / 2 bits of the 2fa password have to be manually written over the beginning of that challenge, then the whole thing is fed into ykchalresp, and only then is there an output that can be used by cryptsetup luksOpen or similar. That is clearly an unpleasant process to do manually.
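To make the manual procedure described above concrete, here is an added C example (not code from the project) that models it in software: the stored challenge, the second factor written over its first bytes, an HMAC-SHA1 standing in for the YubiKey slot, and the hex-encoded response used as the key-slot passphrase; it also shows why a wrong second factor yields a different passphrase, which is the property the "FDE with 2FA doesn't check 2nd factor?" report above depends on. Assumptions: a 64-byte challenge, the SHA1_MAX_BLOCK_SIZE / 2 limit counted in bytes (32), hex encoding of the response, and constructed secret and challenge values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_BLOCK_SIZE   64
#define CHALLENGE_LEN     64                      /* assumption: one full challenge block */
#define SECOND_FACTOR_MAX (SHA1_BLOCK_SIZE / 2)   /* the SHA1_MAX_BLOCK_SIZE / 2 limit from the issue */

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Compress one 64-byte block into the SHA-1 state h (FIPS 180-4). */
static void sha1_block(uint32_t h[5], const uint8_t p[64]) {
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4 * i] << 24 | (uint32_t)p[4 * i + 1] << 16 |
               (uint32_t)p[4 * i + 2] << 8 | p[4 * i + 3];
    for (int i = 16; i < 80; i++)
        w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Plain SHA-1 over msg[0..len). */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[20]) {
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t buf[128] = { 0 };
    size_t i = 0;
    for (; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    size_t rem = len - i;                 /* tail + 0x80 + 64-bit length fits in 1 or 2 blocks */
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    size_t total = (rem + 9 <= 64) ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) buf[total - 1 - j] = (uint8_t)(bits >> (8 * j));
    sha1_block(h, buf);
    if (total == 128) sha1_block(h, buf + 64);
    for (int j = 0; j < 5; j++)
        for (int b = 0; b < 4; b++) out[4 * j + b] = (uint8_t)(h[j] >> (24 - 8 * b));
}

/* HMAC-SHA1 (RFC 2104): what the YubiKey computes in challenge-response mode. */
static int hmac_sha1(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen, uint8_t out[20]) {
    uint8_t k[64] = { 0 }, inner[64 + 256], outer[64 + 20], ih[20];
    if (mlen > 256) return -1;            /* fixed buffer: keep the demo bounded */
    if (klen > 64) sha1(key, klen, k); else memcpy(k, key, klen);
    for (int i = 0; i < 64; i++) { inner[i] = k[i] ^ 0x36; outer[i] = k[i] ^ 0x5c; }
    memcpy(inner + 64, msg, mlen);
    sha1(inner, 64 + mlen, ih);
    memcpy(outer + 64, ih, 20);
    sha1(outer, 84, out);
    return 0;
}

static void to_hex(const uint8_t *d, size_t n, char *out) {
    for (size_t i = 0; i < n; i++) sprintf(out + 2 * i, "%02x", d[i]);
}

/* The scheme from the issue: overwrite the start of the stored challenge with the
 * second factor (at most SECOND_FACTOR_MAX bytes), HMAC it with the slot secret,
 * and use the hex response as the LUKS key-slot passphrase (hex is an assumption). */
static int derive_passphrase(const uint8_t stored[CHALLENGE_LEN], const char *second_factor,
                             const uint8_t *secret, size_t secret_len, char out_hex[41]) {
    uint8_t challenge[CHALLENGE_LEN], resp[20];
    size_t n = strlen(second_factor);
    if (n > SECOND_FACTOR_MAX) n = SECOND_FACTOR_MAX;   /* bytes past the limit are ignored */
    memcpy(challenge, stored, CHALLENGE_LEN);
    memcpy(challenge, second_factor, n);
    if (hmac_sha1(secret, secret_len, challenge, CHALLENGE_LEN, resp) < 0) return -1;
    to_hex(resp, 20, out_hex);
    return 0;
}

int main(void) {
    /* Constructed stand-ins: a slot secret and a stored challenge, fixed so the run is repeatable. */
    uint8_t secret[20], stored[CHALLENGE_LEN];
    for (int i = 0; i < 20; i++) secret[i] = (uint8_t)(0xA0 + i);
    for (int i = 0; i < CHALLENGE_LEN; i++) stored[i] = (uint8_t)(0x11 * (i % 15));
    char good[41], wrong[41];
    derive_passphrase(stored, "correct horse", secret, sizeof secret, good);
    derive_passphrase(stored, "correct hors3", secret, sizeof secret, wrong);
    printf("second factor ok:    %s\n", good);
    printf("second factor wrong: %s\n", wrong);   /* differs, so the wrong passphrase cannot open the slot */
    return 0;
}
```

Only the first SECOND_FACTOR_MAX bytes of the second factor influence the response, so two second factors that differ only beyond that limit produce the same passphrase.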

Could not update passphrase for key slot n.

I was able to successfully set up ykfde on some Fedora PCs, however I have problems with one computer.
This is luksDump:

LUKS header information for /dev/nvme0n1p6

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
/cut/
MK iterations: 	148271
UUID:          	6e356120-a228-4bd7-a1a1-b9288a99dc9d

Key Slot 0: ENABLED
	Iterations:         	2385838
/cut/
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

and that is the result of sudo ykfde -N:

Please give new second factor:
Please give new second factor for verification:
Could not update passphrase for key slot 3.

Any hints?
Linux 5.16.13-200.fc35.x86_64 #1 SMP PREEMPT Tue Mar 8 22:50:58 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

EDIT: My fault. No issue.

ykfde.service not available during boot - Fedora 30

Hi,
I'm using Fedora 30 and applied the dracut recipe. But it won't decrypt, with or without 2nd factor, at the early cryptsetup stage. And I can't see any yk* file in the initramfs.
Did the procedure change for Fedora 30?

Need to ask user to "Touch yubikey to continue"

If programmed with "require user input", yubikey will wait for the user to touch it before generating a response. ykfde should detect this condition and display some message to the user.

If it's not trivial, this can be faked by always asking "Touch yubikey to continue" -- or by looking at how long it takes for Yubikey to respond (if >a few msec, user input is probably required)

Whitepaper missing?

I am currently searching for a stripped-down version of the process this software performs, to understand how you use an HMAC to decrypt a file. It would be great to have something like that prominently in the README.

upstream systemd 233 compatibility

Is there a way to make ykfde run with upstream systemd 233-6, which is currently in Fedora 26?

I have tried with 0.6.4 and 0.7.1 without any luck (failing with keyctl_set_timeout() failed: Permission denied)

[idea] Use second factor as challenge

Using second factor (user password) as challenge will allow for not storing challenge on disk and keep it secret. It would need asking for second factor before challenge-response action.

gcc 8: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation]

gcc (GCC) 8.0.1 20180317 (Red Hat 8.0.1-0.19)

gcc -std=gnu11 -O2 -fPIC -Wall -Werror -larchive -Wl,-z,now -Wl,-z,relro -pie -o ykfde-cpio ykfde-cpio.c
sed -i 's/\(README[-[:alnum:]]*\).md/\1.html/g' README-mkinitcpio.html
gcc -std=gnu11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -lsystemd  -lcryptsetup -Wl,-z,now -Wl,-z,relro -pie -o ykfde ykfde.c
gcc -std=gnu11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -lsystemd  -Wl,-z,now -Wl,-z,relro -pie -o worker worker.c
sed -i 's/\(README[-[:alnum:]]*\).md/\1.html/g' README-dracut.html
In function 'send_on_socket.constprop',
    inlined from 'answer_askpass' at worker.c:288:6,
    inlined from 'walk_askpass' at worker.c:321:15,
    inlined from 'main' at worker.c:395:12:
worker.c:66:2: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation]
  strncpy(sa.un.sun_path, socket_name, sizeof(sa.un.sun_path));
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
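A hardened replacement for the strncpy() call the warning points at, added here as an example (not the project's own code): it refuses a socket name that would not fit in sun_path together with its terminating NUL instead of silently truncating it. The socket name used in the check is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill a sockaddr_un from socket_name, guaranteeing a NUL-terminated sun_path.
 * strncpy() with a bound equal to sizeof(sun_path) drops the terminator for a
 * name of exactly that length, which is what gcc 8's stringop-truncation
 * warning is about. Returns 0 on success; -1 with errno = ENAMETOOLONG if the
 * name plus its NUL does not fit. */
static int set_sun_path(struct sockaddr_un *sa, const char *socket_name)
{
    size_t len = strlen(socket_name);

    if (len >= sizeof(sa->sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, socket_name, len + 1); /* copies the NUL as well */
    return 0;
}

/* Capacity of sun_path on this platform (108 on Linux, as the warning states). */
static size_t sun_path_capacity(void)
{
    struct sockaddr_un sa;
    return sizeof(sa.sun_path);
}
```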

How to add /boot/ykfde-challenges.img to mkinitcpio UKI?

Hi and sorry to abuse issues for my problem solving but I'm getting tired of not finding a solution.

I'm using mkinitcpio to generate a unified kernel image as described here: https://wiki.archlinux.org/title/Unified_kernel_image, but I don't see a way to include ykfde-challenges.img.

I tried adding it as a "microcode" but the resulting image is not recognized by systemd-boot. I will keep trying to solve this UKI problem, but if anyone happens to know the solution, I'd appreciate hearing it.

Improve docs

I'm trying to understand the principle of operation, but there are some gaps in my understanding.
Please correct me if I'm wrong

1: Joe Average might not understand the config options for ykfde because LUKS key slots are not exactly obvious after default setup (maybe Fedora makes it too easy?)

Suggested doc edit: add a sentence or two about LUKS keys before explaining configs.
E.g.: LUKS keeps disk encryption key internally but allows up to 8 slots to be configured so different users could unlock the disk with different passphrases. ykfde generates the key from Yubikey [+ user's passphrase (optional)]

Followup question: why should ykfde be limited to a specific slot? Default LUKS will try all slots with the given passphrase until one unlocks or all of them fail. Why not do the same thing?

2: In ykfde, "2nd factor" seems to mean a passphrase.. that's kind of confusing to a new user.

Suggested doc edit: change mentions of "2nd factor" to "ykfde passphrase".

3: It's not immediately obvious that main purpose of "ykfde" executable is to generate a new challenge and update the LUKS slot passphrase.
Suggest adding a sentence to --help description (since there's no man page).

3.5: Non-2nd factor mode is basically the same thing as 2nd factor mode, but using a blank passphrase.

Suggest removing mention of 2nd factor from config file. Instead, it's easier to simply ask the user for a passphrase on every run of ykfde (if interactive shell is detected) -- and allow it to be entered as blank. If no interactive shell detected or using a switch (e.g. "-no-passphrase") then use no-passphrase mode.

[Arch Linux] [Bug] Unable to build or run mkinitcpio after updating json-c package

I just ran a pacman update which, among other things, upgraded json-c from 0.12.1-1 to 0.13-1.

During the update, the mkinitcpio pacman hook was triggered, which failed with the following output:

:: Running post-transaction hooks...
(1/4) Updating linux initcpios...
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.14.10-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [keyboard]
  -> Running build hook: [ykfde]
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
  -> Running build hook: [sd-encrypt]
  -> Running build hook: [archlogo]
  -> Running build hook: [fsck]
  -> Running build hook: [filesystems]
  -> Running build hook: [sd-shutdown]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> WARNING: errors were encountered during the build. The image may not be complete.
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback
==> Starting build: 4.14.10-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [keyboard]
  -> Running build hook: [ykfde]
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
  -> Running build hook: [sd-encrypt]
  -> Running build hook: [archlogo]
  -> Running build hook: [fsck]
  -> Running build hook: [filesystems]
  -> Running build hook: [sd-shutdown]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> WARNING: errors were encountered during the build. The image may not be complete.
error: command failed to execute correctly

Here's the full `pacman -Syu` output:
:: Synchronizing package databases...
 core                                         126.8 KiB   433K/s 00:00 [-------------
 extra                                       1642.4 KiB   570K/s 00:03 [-------------
 community                                      4.3 MiB  1248K/s 00:03 [-------------
 multilib                                     168.6 KiB  12.7M/s 00:00 [-------------
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Package (7) Old Version New Version Net Change Download Siz

extra/bind-tools 9.11.2-2 9.11.2-3 -0.01 MiB 1.59 Mi
core/cryptsetup 2.0.0-1 2.0.0-2 0.00 MiB 0.33 Mi
community/girara 0.2.8-1 0.2.8-2 0.00 MiB 0.06 Mi
core/json-c 0.12.1-1 0.13-1 0.05 MiB 0.04 Mi
extra/lcms 1.19-5 1.19-6 -0.05 MiB 0.14 Mi
extra/libmagick6 6.9.9.27-1 6.9.9.31-1 0.00 MiB 2.11 Mi
community/python-websocket-client 0.45.0-1 0.46.0-1 0.00 MiB 0.06 Mi

Total Download Size: 4.34 MiB
Total Installed Size: 17.51 MiB
Net Upgrade Size: -0.02 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
json-c-0.13-1-x86_64 44.9 KiB 276K/s 00:00 [-------------
cryptsetup-2.0.0-2-x86_64 384.8 KiB 483K/s 00:01 [-------------
bind-tools-9.11.2-3-x86_64 2016.9 KiB 634K/s 00:03 [-------------
lcms-1.19-6-x86_64 2.1 MiB 626K/s 00:03 [-------------
libmagick6-6.9.9.31-1-x86_64 4.2 MiB 695K/s 00:06 [-------------
girara-0.2.8-2-x86_64 4.3 MiB 694K/s 00:06 [-------------
python-websocket-client-0.46.0-1-any 4.3 MiB 690K/s 00:06 [-------------
(7/7) checking keys in keyring [-------------
(7/7) checking package integrity [-------------
(7/7) loading package files [-------------
(7/7) checking for file conflicts [-------------
(7/7) checking available disk space [-------------
:: Processing package changes...
(1/7) upgrading json-c [-------------
(2/7) upgrading bind-tools [-------------
(3/7) upgrading cryptsetup [-------------
(4/7) upgrading girara [-------------
(5/7) upgrading lcms [-------------
(6/7) upgrading libmagick6 [-------------
(7/7) upgrading python-websocket-client [-------------
:: Running post-transaction hooks...
(1/4) Updating linux initcpios...
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.14.10-1-ARCH
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [sd-vconsole]
-> Running build hook: [keyboard]
-> Running build hook: [ykfde]
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
-> Running build hook: [sd-encrypt]
-> Running build hook: [archlogo]
-> Running build hook: [fsck]
-> Running build hook: [filesystems]
-> Running build hook: [sd-shutdown]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> WARNING: errors were encountered during the build. The image may not be complete.
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
-> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback
==> Starting build: 4.14.10-1-ARCH
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
-> Running build hook: [sd-vconsole]
-> Running build hook: [keyboard]
-> Running build hook: [ykfde]
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
==> ERROR: binary dependency `libjson-c.so.2' not found for `/usr/lib/ykfde/worker'
-> Running build hook: [sd-encrypt]
-> Running build hook: [archlogo]
-> Running build hook: [fsck]
-> Running build hook: [filesystems]
-> Running build hook: [sd-shutdown]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> WARNING: errors were encountered during the build. The image may not be complete.
error: command failed to execute correctly
(2/4) Cleaning pacman cache...
removed '/var/cache/pacman/pkg/cryptsetup-1.7.5-1-x86_64.pkg.tar.xz'
==> finished: 1 packages removed (disk space saved: 240.84 KiB)
==> no candidate packages found for pruning
(3/4) Creating temporary files...
(4/4) Arming ConditionNeedsUpdate...


Attempting to install either `mkinitcpio-ykfde` or `mkinitcpio-ykfde-git` from the AUR fails with the following output:
:: resolving dependencies...
:: looking for inter-conflicts...

AUR Packages (1) Old Version New Version

aur/mkinitcpio-ykfde-git latest

:: Proceed with installation? [Y/n]
:: Retrieving package(s)...
:: mkinitcpio-ykfde-git build files are up-to-date -- skipping
:: Checking mkinitcpio-ykfde-git integrity...
==> Making package: mkinitcpio-ykfde-git 0.6.4.r0.g95f195c-1 (Wed Jan 3 18:46:12 PST 2018)
==> Retrieving sources...
-> Updating mkinitcpio-ykfde git repo...
Fetching origin
==> Validating source files with sha256sums...
mkinitcpio-ykfde ... Skipped
:: Building mkinitcpio-ykfde-git package(s)...
==> Making package: mkinitcpio-ykfde-git 0.7.3.r2.g38f9628-1 (Wed Jan 3 18:46:13 PST 2018)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Starting pkgver()...
==> Removing existing $pkgdir/ directory...
==> Starting build()...
cp config.def.h config.h
make -C bin worker
make[1]: Entering directory '/home/maddy/.cache/pacaur/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -std=gnu11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -lsystemd -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -Wl,-z,now -Wl,-z,relro -pie -o worker worker.c
/usr/bin/ld: warning: libjson-c.so.2, needed by /usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so, not found (try using -rpath or -rpath-link)
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_tokener_parse'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_get_type'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_new_string'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_get_string'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_new_object'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_to_json_string_ext'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_get_int'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_new_int'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_get_boolean'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_object_add'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_object_get_ex'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_put'
/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/../../../../lib/libykpers-1.so: undefined reference to `json_object_new_boolean'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:14: worker] Error 1
make[1]: Leaving directory '/home/maddy/.cache/pacaur/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
make: *** [Makefile:16: bin/worker] Error 2
==> ERROR: A failure occurred in build().
Aborting...
:: failed to build mkinitcpio-ykfde-git package(s)


Any help would be appreciated. I'm a bit afraid to reboot now in case my existing initramfs doesn't work anymore.

initramfs bad magic

Hi,
I noticed the cpio archive must be placed before initramfs-linux.img in order to work.
If I don't, I get an "initramfs bad magic" (something of the sort) error upon boot that prevents ykfde from working.

Can it be added to the docs?

Works with RHEL8?

This is more of a "How Do?" than an issue, my apologies. I've followed the guide and installed this onto a RHEL 8 machine. I can still unlock the disk and boot with my original LUKS password but I guess I'm not fully understanding this project's operation. For context I'm a user of the Arch and Debian Yubikey-LUKS projects and maintain a fork of the Debian version with some additions for my use case.

In this project, if ykfde is run with no args, what happens? Is the Yubikey effectively a 1fa device in this method? I.e., is the challenge stored on disk somewhere and referenced during boot? If so, this is not happening for me.

I do get an error when running ykfde: "Not running from systemd, you may have to give second factor manually if required." Is this related?

My use case for Yubikey and LUKS is that it effectively be a 1fa device from a user's perspective. A user will connect the Yubikey to a headless machine and boot without having to interact. I can do this with Debian but I need to also have the ability with RHEL.

Is it possible to (re)enable numlock for entering the PIN?

While docked I have noticed my laptop BIOS setting regarding numlock state is being overwritten during grub2 boot. Is there a way:

  • to preserve original numlock status?
  • or to configure it separately for the screen prompting for LUKS PIN?
    (dracut/Fedora)

/usr/lib/udev/ykfde helper executed before filesystem device is ready

Has anybody observed a race condition under which the ykfde utility is triggered by udev before the encrypted filesystem device file is populated and therefore the filesystem decryption fails?

Is there any way to synchronize triggering ykfde with the detection of the Yubikey on the USB bus AND having the encrypted file system device file available?

ykfde results in error: Failed opening challenge file for reading: No such file or directory

Trying to run/use on Fedora 26. After installation and configuring /etc/ykfde.conf, running ykfde results in this error:

Failed requesting key. That's ok if you do not use
second factor. Give it manually if required.
Failed opening challenge file for reading: No such file or directory

Not using second factor. Yubikey is properly configured for HMAC-SHA1 but requires user input (touch).
When ykfde is run it is able to access Yubikey as the light starts blinking and after touching it the error is displayed.

Grub initrd injection doesn't work on Fedora

Hi,

First of all, thanks for the project, it looks incredibly promising! However I had some issues setting this up on a fresh Fedora 35 installation. You mention the need to edit /etc/default/grub with the following line:

GRUB_EARLY_INITRD_LINUX_CUSTOM="ykfde-challenges.img"

However Fedora uses grub2 and it seems to ignore this line. Due to dracut there is no support for initramfs-tools' hooks either, so I am unsure where to put this to survive updates.

How to configure extra devices?

By default, Fedora installs root partition and swap partition. Both are encrypted and have the same passphrase in slot 0.

ykfde.conf asks me to choose one. It's not at all obvious if it's possible to configure multiple devices.

After configuring one (I started with the swap device only, now switched to root, but behavior seems consistent regardless), the boot process asks for the ykfde passphrase (2nd factor) and proceeds... until the system asks me for a password for the other partition.
At this point, I have the default Fedora LUKS key in slot 0 of both, slot 1 used/reserved for ykfde, and had now set slot 2 to different passphrases for the partitions: "asdf" for root and "qwer" for swap.

Current sequence of boot events:
...

  • ykfde asks for its passphrase (for root)
  • I touch YK (see #12), then enter the ykfde passphrase
  • after some output, system asks for LUKS passphrase for swap, I enter "qwer"
  • system confirms that swap is now unlocked
  • system asks for LUKS passphrase for root

...so ykfde failed to unlock? ...oops :(

Note: using https://copr.fedorainfracloud.org/coprs/bpereto/ykfde/packages/ which seems to be a repackage of this repo. Can compile from source if necessary.

ykfde with 2fa doesn't work

I tried, without success, to use ykfde with 2fa.
I think the problem is with systemd-ask-password.

systemd debug:

systemd[1]: ykfde-2f.service: Installed new job ykfde-2f.service/start as 20
systemd[1]: ykfde-2f.service: ConditionPathExists=/etc/ykfde.d/ succeeded.
systemd[1]: ykfde-2f.service: About to execute: /usr/lib/systemd/scripts/ykfde-2f
systemd[1]: ykfde-2f.service: Forked /usr/lib/systemd/scripts/ykfde-2f as 49
systemd[1]: ykfde-2f.service: Changed dead -> start
systemd[1]: Starting Get 2nd Factor for YKFDE...
systemd[49]: ykfde-2f.service: Executing: /usr/lib/systemd/scripts/ykfde-2f
systemd[49]: ykfde-2f.service: Failed at step EXEC spawning /usr/lib/systemd/scripts/ykfde-2f: No such file or directory 
-- Subject: Process /usr/lib/systemd/scripts/ykfde-2f could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /usr/lib/systemd/scripts/ykfde-2f could not be executed and failed.
-- 
-- The error number returned by this process is 2.
systemd[1]: Child 49 ((ykfde-2f)) died (code=exited, status=203/EXEC)
systemd[1]: ykfde-2f.service: Child 49 belongs to ykfde-2f.service
systemd[1]: ykfde-2f.service: Main process exited, code=exited, status=203/EXEC
systemd[1]: ykfde-2f.service: Changed start -> failed
systemd[1]: ykfde-2f.service: Job ykfde-2f.service/start finished, result=failed
systemd[1]: Failed to start Get 2nd Factor for YKFDE. 
-- Subject: Unit ykfde-2f.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit ykfde-2f.service has failed.
-- 
-- The result is failed.
systemd[1]: ykfde-2f.service: Unit entered failed state.
systemd[1]: ykfde-2f.service: Failed with result 'exit-code'.
systemd[1]: ykfde-2f.service: cgroup is empty

initcpio info

[root@arch-test ~]# lsinitcpio -v /boot/initramfs-linux.img  | grep ykfde-2
-rwxr-xr-x   1 root     root          627 Feb 25 17:31 usr/lib/systemd/scripts/ykfde-2f
-rw-r--r--   1 root     root          446 Feb 25 17:31 usr/lib/systemd/system/ykfde-2f.service
lrwxrwxrwx   1 root     root           19 Feb 25 17:31 usr/lib/systemd/system/sysinit.target.wants/ykfde-2f.service -> ../ykfde-2f.service


Details:

I have replicated my environment in a VM for testing.
OS: Archlinux (not testing repo)
systemd 229-3

Configurations:

/etc/mkinitcpio.conf:

HOOKS="systemd ykfde autodetect modconf block keymap keyboard sd-encrypt sd-lvm2 btrfs filesystems"

/etc/ykfde.conf:

yk slot = 2
device name = lvm_crypt
second factor = yes

[123123123] _(only for example)_
luks slot = 1

unrecognized option '--keyname=ykfde-2f'

Tried out your newest commits to ykfde 2f.

Unfortunately it breaks my installation on Fedora with this line in journald:
ykfde-2f[219]: systemd-ask-password: unrecognized option '--keyname=ykfde-2f'

the option --keyname shows up with Systemd v227
systemd/systemd@e287086

Fedora 23 (stable release) runs with systemd v222. The Upcoming Release of Fedora 24 will have systemd v229 and should work.

Can not Find /etc/crypttab.initramfs Antergos

Hi Eworm,

First, thank you for creating this library.

I am following the Guide to Set this up on Arch
https://github.com/eworm-de/mkinitcpio-ykfde/blob/master/README-mkinitcpio.md

I can not find the /etc/crypttab.initramfs file. I do have mkinitcpio installed but I am also assuming that systemd initramfs service is part of it, however, I can't find the service unit itself. I also believe that when I installed Antergos and selected the LUKS options it may have done a nonstandard implementation of this but the prompt for the encrypted volume still works.

Second factor is ignored

Hello again ^^

For the past week or so, I haven't been able to decrypt the disk using my yubikey. Might be since the update to systemd-230.
Anyhow, what happens is that I do see the prompt for the 2nd factor, but whatever I type, it gives me the standard prompt for decryption using a passphrase; as if the 2nd factor was bad.
The first time it happened, I was like "I should add an issue to prompt for 2nd factor more than once" but then I realised it happened every day, and what I typed didn't matter. I tried resetting the 2nd factor, but that didn't change anything.
Not sure what to do, especially if I'm the only one affected.
Are there any logs that I could check?

Cheers

tcsetattr breaks terminal

Hi,

the commit introduced in #14 breaks the terminal with shifted lines.
Afterwards, no input to the terminal is displayed.

./ykfde -S
Please give current second factor:
  Failed setting terminal attributes.
                                     loaded device: luks-2e8cb1b1-8854-4838-a524-fa7573aeda52 
              loaded device: luks-7dcfeca3-15c1-4a33-8167-05428fcee703 
                                                                       Failed requesting key. That's ok if you do not use
                                         second factor. Give it manually if required.

Failed setting terminal attributes shows up at

if (tcsetattr(STDIN_FILENO, TCSANOW, &tp_save) < 0) {

Fails to build from aur

Hi,
There's a warning that causes the build to fail on arch using the AUR package.
It happens on both the git and standard version.

$ yay -S mkinitcpio-ykfde
:: There are 2 providers available for mkinitcpio-ykfde:
:: Repository AUR
    1) mkinitcpio-ykfde 2) mkinitcpio-ykfde-git

Enter a number (default=1): 2
:: Checking for conflicts...
:: Checking for inner conflicts...
[Aur:1]  mkinitcpio-ykfde-git-0.7.6.r4.g7ac4c16-1

  1 mkinitcpio-ykfde-git                     (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==>
:: PKGBUILD up to date, Skipping (1/1): mkinitcpio-ykfde-git
  1 mkinitcpio-ykfde-git                     (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> A

==> Proceed with install? [Y/n]
:: (1/1) Parsing SRCINFO: mkinitcpio-ykfde-git
==> Making package: mkinitcpio-ykfde-git 0.7.6.r4.g7ac4c16-1 (Fri 07 May 2021 10:59:05 PM CEST)
==> Retrieving sources...
  -> Updating mkinitcpio-ykfde git repo...
Fetching origin
==> Validating source files with sha256sums...
    mkinitcpio-ykfde ... Skipped
==> Making package: mkinitcpio-ykfde-git 0.7.6.r4.g7ac4c16-1 (Fri 07 May 2021 10:59:07 PM CEST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Updating mkinitcpio-ykfde git repo...
Fetching origin
==> Validating source files with sha256sums...
    mkinitcpio-ykfde ... Skipped
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Creating working copy of mkinitcpio-ykfde git repo...
Cloning into 'mkinitcpio-ykfde'...
done.
==> Starting pkgver()...
==> Updated version: mkinitcpio-ykfde-git 0.7.7.r1.g9d6d51c-1
==> Sources are ready.
==> Making package: mkinitcpio-ykfde-git 0.7.7.r1.g9d6d51c-1 (Fri 07 May 2021 10:59:11 PM CEST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Starting pkgver()...
==> Removing existing $pkgdir/ directory...
==> Starting build()...
cp config.def.h config.h
make -C bin worker
make[1]: Entering directory '/home/nox/.cache/yay/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
gcc worker.c -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS         -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -std=gnu11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -lsystemd  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -Wl,-z,now -Wl,-z,relro -pie -o worker
make[1]: Leaving directory '/home/nox/.cache/yay/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
printf "#ifndef VERSION\n#define VERSION \"%s\"\n#endif\n" 0.7.7-1-g9d6d51c > version.h
make -C bin ykfde
make[1]: Entering directory '/home/nox/.cache/yay/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
gcc ykfde.c -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS         -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -std=gnu11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -lsystemd  -lcryptsetup -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -Wl,-z,now -Wl,-z,relro -pie -o ykfde
ykfde.c: In function ‘main’:
ykfde.c:307:3: error: ignoring return value of ‘getrandom’ declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
  307 |   getrandom((void *)((size_t)challenge_int + len), CHALLENGELEN * sizeof(unsigned int) - len, 0);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:17: ykfde] Error 1
make[1]: Leaving directory '/home/nox/.cache/yay/mkinitcpio-ykfde-git/src/mkinitcpio-ykfde/bin'
make: *** [Makefile:19: bin/ykfde] Error 2
==> ERROR: A failure occurred in build().
    Aborting...
error making: mkinitcpio-ykfde-git
Execution time: 0h:00m:36s sec

Is there a fix?
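The two reports above (the failed tcsetattr() restore and the ignored getrandom() result) both come down to unchecked system-call results. As an added example that is not the project's own code, this C sketch shows the defensive shape of both: a getrandom() wrapper that loops on short reads and EINTR instead of discarding the return value, and a prompt reader that saves and restores terminal attributes only after confirming the descriptor is a tty. CHALLENGELEN's value, the function names and the constructed secret are assumptions.

```c
#include <errno.h>
#include <string.h>
#include <sys/random.h>
#include <termios.h>
#include <unistd.h>
#define CHALLENGELEN 64 /* name from the quoted build error; the value is assumed */

/* Fill buf[len..total) from the kernel CSPRNG; loop on short reads/EINTR, never ignore the result. */
int fill_challenge(unsigned char *buf, size_t len, size_t total) {
    while (len < total) {
        ssize_t n = getrandom(buf + len, total - len, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        len += (size_t)n;
    }
    return 0;
}

/* Read the second factor from fd with echo off. termios is touched only when fd is a tty
 * and every tc*attr() result is checked, so a failed tcgetattr() is never "restored". */
ssize_t read_second_factor(int fd, char *out, size_t outlen) {
    struct termios tp_save, tp;
    int is_tty = isatty(fd);
    if (is_tty) {
        if (tcgetattr(fd, &tp_save) < 0) return -1;
        tp = tp_save; tp.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &tp) < 0) return -1;
    }
    ssize_t n = read(fd, out, outlen - 1);
    if (is_tty && tcsetattr(fd, TCSANOW, &tp_save) < 0) n = -1;
    if (n < 0) return -1;
    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == '\r')) n--; /* strip EOL */
    out[n] = '\0'; return n;
}

/* Self-check: a constructed 8-byte prefix must survive and the rest be filled;
 * a constructed secret pushed through a pipe (a non-tty fd) must read back intact. */
int self_check(void) {
    unsigned char chal[CHALLENGELEN];
    memset(chal, 0xAA, sizeof chal);
    if (fill_challenge(chal, 8, sizeof chal) != 0) return 0;
    size_t same = 0;
    for (size_t i = 0; i < sizeof chal; i++) same += chal[i] == 0xAA;
    if (same < 8 || same == sizeof chal) return 0;
    int p[2]; char out[16];
    if (pipe(p) < 0 || write(p[1], "123456\n", 7) != 7) return 0;
    ssize_t n = read_second_factor(p[0], out, sizeof out);
    close(p[0]); close(p[1]);
    return n == 6 && strcmp(out, "123456") == 0;
}
```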
