Comments (17)
Ok, first of all... What version are you using?
Wondering if this is a timing issue. Please boot without Yubikey, enter the second factor, then insert the Yubikey. Any change?
from mkinitcpio-ykfde.
I'm using version 0.6.3.
I just realised there is a systemd-v230 version, so I'll try that in addition to the timing and report my findings.
from mkinitcpio-ykfde.
The systemd-v230
tag is to mark the first commit that uses features in that systemd version.
Feel free to test git HEAD...
Looks like it is time for a release. But let's fix your issue first.
from mkinitcpio-ykfde.
Ok. I'll try tomorrow morning because I don't have the computer with me at the moment.
from mkinitcpio-ykfde.
So, if I plug in the yubikey after the prompt is displayed, then everything works as expected. Otherwise, I feel like it's not even trying, it immediately asks for the disk password. This is both with version 0.6.3 and HEAD.
from mkinitcpio-ykfde.
Can you please try 0.6.3-14-g16cc1d8
? Should work a lot more reliable.
from mkinitcpio-ykfde.
I tried, and I got the same behaviour. It works only if I plug the key after the prompt is displayed.
By the way, after I install, I only need to rebuild the initcpio, I don't need to use ykfde
and ykfde-cpio
, right? (For this test, I redid everything just to be sure).
from mkinitcpio-ykfde.
I tried, and I got the same behaviour. It works only if I plug the key after the prompt is displayed.
Damn.
By the way, after I install, I only need to rebuild the initcpio, I don't need to use ykfde and ykfde-cpio, right? (For this test, I redid everything just to be sure).
Yes, right.
Ok, let's try to collect some information.
Let's build ykfde
(the udev
one) manually with simple debugging... Clone the git repository, go to the subdirectory udev
and run:
gcc -std=c11 -O2 -fPIC -Wall -Werror -liniparser -lkeyutils -lykpers-1 -lyubikey -Wl,-z,now -Wl,-z,relro -pie -o ykfde ykfde.c -DDEBUG=1
Then copy ykfde
to /usr/lib/udev/ykfde
, rebuild your initramfs and try again. Error messages should appear on your display.
Also you could give the second factor, then let the prompt for LUKS passphrase time out. Start the shell and look around. Anything suspicious? Is the challenge in /etc/ykfde.d/ still available?
When you start the system (with and without debugging)... Any log entries in journal? Look for udev
and ykfde
.
from mkinitcpio-ykfde.
Pushed some more changes, but that is just for proper clean up and should not have any impact on what you see.
If things keep failing... Can you please increase the sleep
value in /usr/lib/systemd/system/ykfde-notify.service
, rebuild your initramfs and try again?
And if that helps... What hardware (CPU) do use?
from mkinitcpio-ykfde.
So. Weird one.
If I clone the repo and build like you told me to, it works, both with and without debug mode.
If I install using the PKGBUILD in aur, which is supposed to clone and use the latest git HEAD, it doesn't. Maybe there's something in the gcc
command line you gave me that isn't in the Makefile?
When I started the shell after letting LUKS timeout (with the version that worked), the challenge in /etc/ykfde.d/
had disappeared. I didn't try with the non-working version. When it works and I enter the wrong password, it actually tries to decrypt the disk before giving the LUKS prompt.
In the logs, I couldn't see much. My latest boot, with the non working version has a
systemd-udevd[139]: Process '/usr/lib/udev/ykfde' failed with exit code 1.
The boot where it worked has:
Jul 06 17:35:19 localhost systemd[1]: Starting Notify ykfde about key...
Jul 06 17:35:19 localhost systemd[1]: Started Notify ykfde about key.
Jul 06 17:35:26 localhost systemd[1]: Stopped Notify ykfde about key.
As for the hardware, I have a i7-4770HQ, with 16G of RAM in an crappy shell by schenker (no idea what the mobo could be).
from mkinitcpio-ykfde.
If I clone the repo and build like you told me to, it works, both with and without debug mode.
If I install using the PKGBUILD in aur, which is supposed to clone and use the latest git HEAD, it doesn't. Maybe there's something in the gcc command line you gave me that isn't in the Makefile?
Wired... Just to make sure: What is the git hash of your last package?
For some time the package used to systemd-v230
tag to generate the version. Make sure you do not have version 230.x installed and pacman refuses to downgrade. :-D
The only difference in gcc
command is that it defines DEBUG
.
When I started the shell after letting LUKS timeout (with the version that worked), the challenge in /etc/ykfde.d/ had disappeared.
That's expected. The challenge is removed when challenge/response was successful.
I didn't try with the non-working version. When it works and I enter the wrong password, it actually tries to decrypt the disk before giving the LUKS prompt.
ykfde
does not know whether or not the second factor is correct. It does challenge response and caches the response for LUKS.
In the logs, I couldn't see much. My latest boot, with the non working version has a
systemd-udevd[139]: Process '/usr/lib/udev/ykfde' failed with exit code 1.
That looks like an old version before the fix.
So to make sure please double check your installed version. Feel free to install one of my packages for testing:
http://mirror.mylinuxtime.de/arch/eworm/x86_64/mkinitcpio-ykfde-0.6.3.r16.ge2763d3-1-x86_64.pkg.tar.xz
http://mirror.mylinuxtime.de/arch/eworm/x86_64/mkinitcpio-ykfde-git-0.6.3.r16.ge2763d3-1-x86_64.pkg.tar.xz
(It's the same package, just different package name.)
The packages are signed, so you should be able to install with pacman -U
directly from server.
from mkinitcpio-ykfde.
As for the hardware, I have a i7-4770HQ, with 16G of RAM in an crappy shell by schenker (no idea what the mobo could be).
Just wanted to make sure you do not run on aged and under-powered Celeron. ;) That one should be fine and I think it does not suffer any timing issue. :-p
from mkinitcpio-ykfde.
That's expected. The challenge is removed when challenge/response was successful.
That's what I figured.
ykfde
does not know whether or not the second factor is correct. It does challenge response and caches the response for LUKS.
So in the case where it doesn't work and it drops me directly to the LUKS prompt, then it's actually not trying to do anything.
Just wanted to make sure you do not run on aged and under-powered Celeron. ;) That one should be fine and I think it does not suffer any timing issue. :-p
ok ^^
So to make sure please double check your installed version. Feel free to install one of my packages for testing:
I'll check again, although I'm pretty sure pacman removed the package I had installed before because I used the non git version first and then the git version and I ended up with a .pacsave
file. But anyhow, I'll check again.
from mkinitcpio-ykfde.
This morning, it works. I tried reinstalling from the AUR, and it warned me that I was reinstalling the same version (which is indeed 0.6.3.r16.ge2763d3-1
) and now it works.
Not sure what to say now...
from mkinitcpio-ykfde.
Wired...
However, if it works reliable now... Can we close the issue?
from mkinitcpio-ykfde.
Sure. I'll reopen it if needed.
Thanks a lot.
from mkinitcpio-ykfde.
This may be a hardware issue. This morning it doesn't work. I have done no updates from the previous comment, I only went on holidays. I tried upgrading to 0.6.4, but it still doesn't work. meh
from mkinitcpio-ykfde.
Related Issues (20)
- ykfde results in error: Failed opening challenge file for reading: No such file or directory HOT 1
- [idea] Use second factor as challenge HOT 4
- [Arch Linux] [Bug] Unable to build or run mkinitcpio after updating json-c package HOT 6
- Seg fault HOT 6
- Current master segfaults in ykfde.c HOT 3
- gcc 8: error: 'strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation] HOT 4
- Can not Find /etc/crypttab.initramfs Antergos HOT 1
- Insecure random generator used HOT 6
- ykfde.service not available during boot - Fedora 30 HOT 4
- /usr/lib/udev/ykfde helper executed before filesystem device is ready
- Works with RHEL8? HOT 17
- ykfde-worker failed to start HOT 5
- Fails to build from aur HOT 4
- initramfs bad magic HOT 1
- Is it possible to (re)enable numlock for entering the PIN? HOT 1
- Grub initrd injection doesn't work on Fedora HOT 2
- Could not update passphrase for key slot n.
- Feature request: BIO support HOT 3
- feat: commandline calculate key HOT 1
- How to add /boot/ykfde-challenges.img to mkinitcpio UKI? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mkinitcpio-ykfde.