Commit Graph

345 Commits

Author SHA1 Message Date
Moritz Maxeiner
8e74e1fded Replace the current Yubikey PBA implementation with the previous one.
Rationale:
  * The main reason for choosing to implement the PBA in accordance
    with the Yubico documentation was to prevent a MITM-USB-attack
    successfully recovering the new LUKS key.
  * However, a MITM-USB-attacker can read user id and password when
    they were entered for PBA, which allows him to recover the new
    challenge after the PBA is complete, with which he can challenge
    the Yubikey, decrypt the new AES blob and recover the LUKS key.
  * Additionally, since the Yubikey shared secret is stored in the
    same AES blob, after such an attack not only is the LUKS device
    compromised, the Yubikey is as well, since the shared secret
    has also been recovered by the attacker.
  * Furthermore, with this method an attacker could also bruteforce
    the AES blob, if he has access to the unencrypted device, which
    would again compromise the Yubikey, should he be successful.
  * Finally, with this method, once the LUKS key has been recovered
    once, the encryption is permanently broken, while with the previous
    system, the LUKS key itself it changed at every successful boot,
    so recovering it once will not necessarily result in a permanent
    breakage and will also not compromise the Yubikey itself (since
    its secret is never stored anywhere but on the Yubikey itself).

Summary:
The current implementation opens up up vulnerability to brute-forcing
the AES blob, while retaining the current MITM-USB attack, additionally
making the consequences of this attack permanent and extending it to
the Yubikey itself.
2014-02-03 22:50:17 +01:00
Vladimír Čunát
b5a32b3944 Merge #1618: use ubuntu module blacklists by default 2014-02-02 15:51:07 +01:00
Moritz Maxeiner
7bf94cadad Add library dependencies explicitly 2014-01-29 18:49:26 +01:00
Moritz Maxeiner
e96f58ef5c Implement muli-user authentication for yubikey pba, i.e. multiple users can now share a single luks keyslot.
This is achieved by having multiple lines per storage file, one for each user (if the feature is enabled); each of these
lines has the same format as would be the case for the userless authentication, except that they are prepended with a
SHA-512 of the user's id.
2014-01-29 17:20:05 +01:00
Moritz Maxeiner
20cfaf0faa Change the crypt-storage file to be hex encoded instead of raw binary. To update from the previous configuration, convert your crypt-storage file from raw binary to hex. 2014-01-29 13:58:35 +01:00
Moritz Maxeiner
cce9712331 Enable two-factor authentication by default. Add proper descriptions to attributes. 2014-01-29 12:55:32 +01:00
Moritz Maxeiner
45b1ffb8db Cosmetic change to yubikey detection 2014-01-28 20:39:46 +01:00
Vladimír Čunát
5acaa980a5 pull module blacklist from Ubuntu and use it by default
People often have serious problems due to bogus modules like *fb.
2014-01-28 12:52:36 +01:00
Moritz Maxeiner
407a770161 Rewrite as a pre-boot authentication module (mostly) comforming to the design specification of
'YubiKey Integration for Full Disk Encryption Pre-Boot Authentication (Copyright) Yubico, 2011 Version: 1.1'.

Used binaries:
  * uuidgen - for generation of random sequence numbers
  * ykchalresp - for challenging a Yubikey
  * ykinfo - to check if a Yubikey is plugged in at boot (fallback to passphrase authentication otherwise)
  * openssl - for calculation of SHA-1, HMAC-SHA-1, as well as AES-256-CTR (de/en)cryption

Main differences to the specification mentioned above:
  * No user management (yet), only one password+yubikey per LUKS device
  * SHA-512 instead of CRC-16 for checksum

Main differences to the previous implementation:
  * Instead of changing the key slot of the LUKS device each boot,
    the actual key for the LUKS device will be encrypted itself
  * Since the response for the new challenge is now calculated
    locally with openssl, the MITM-USB-attack with which previously
    an attacker could obtain the new response (that was used as the new
    encryption key for the LUKS device) by listening to the
    Yubikey has ideally become useless (as long as uuidgen can
    successfuly generate new random sequence numbers).

Remarks:
  * This is not downwards compatible to the previous implementation
2014-01-28 04:02:51 +01:00
Moritz Maxeiner
333f5caaf9 Implement authentication for a LUKS device with a yubikey (HMAC-SHA1); supports simple challenge-response and two-factor authentication 2014-01-25 03:33:09 +01:00
Shea Levy
ca7805be94 systemd: Enable specifying extra config files for a unit
This will allow overriding package-provided units, or overriding only a
specific instance of a unit template.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-18 11:10:39 -05:00
Shea Levy
48daf624c5 Add module to use kmscon instead of linux-console for VTs
This required some changes to systemd unit handling:

* Add an option to specify that a unit is just a symlink
* Allow specified units to overwrite systemd-provided ones
* Have gettys.target require autovt@1.service instead of getty@1.service

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-15 08:17:19 -05:00
Shea Levy
b0000b29af gummiboot module: Don't use obsolete environment.nix option
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-01-05 15:53:39 -05:00
Lluís Batlle i Rossell
152da7671c nixos initrd: load atkbd, not xtkbd
I don't think anyone has a XT keyboard in a computer running nixos.
2013-12-23 09:01:45 +01:00
Song Wenwu
c4885173b6 systemd: add services.journald.extraConfig option 2013-11-30 22:42:01 +01:00
Eelco Dolstra
9ee30cd9b5 Add support for lightweight NixOS containers
You can now say:

  systemd.containers.foo.config =
    { services.openssh.enable = true;
      services.openssh.ports = [ 2022 ];
      users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
    };

which defines a NixOS instance with the given configuration running
inside a lightweight container.

You can also manage the configuration of the container independently
from the host:

  systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";

where "path" is a NixOS system profile.  It can be created/updated by
doing:

  $ nix-env --set -p /nix/var/nix/profiles/containers/foo \
      -f '<nixos>' -A system -I nixos-config=foo.nix

The container configuration (foo.nix) should define

  boot.isContainer = true;

to optimise away the building of a kernel and initrd.  This is done
automatically when using the "config" route.

On the host, a lightweight container appears as the service
"container-<name>.service".  The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel.  It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount).  It also
has access to the network devices of the host.

Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted.  In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.

Containers are not perfectly isolated yet.  In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
2013-11-27 17:14:10 +01:00
Eelco Dolstra
953f12995b nscd: Fix LD_LIBRARY_PATH
This ensures that nscd can find the NSS modules.

Fixes #1248.
2013-11-26 18:38:22 +01:00
Eelco Dolstra
14cd8bc248 Allow services to specify a pre-stop script 2013-11-26 18:24:55 +01:00
Eelco Dolstra
2b1f212494 Disable various services when running inside a container 2013-11-26 18:19:45 +01:00
Eelco Dolstra
dc87f8e080 Check whether fileSystems defines the root FS 2013-11-18 18:04:16 +01:00
Eelco Dolstra
8951be2d80 Allow overrides to work for unit options 2013-11-18 18:04:16 +01:00
Eelco Dolstra
33cb0bbb4b Use types.lines for script/preStart/postStart/postStop 2013-11-18 18:04:16 +01:00
Eelco Dolstra
5620e69b5d Apply better type checking to unitConfig/serviceConfig/...
In particular, complain if two modules define the same systemd option.
2013-11-18 18:04:16 +01:00
Eelco Dolstra
f8a034172a Fix broken Conflicts options 2013-11-18 18:04:16 +01:00
Eelco Dolstra
08a85c2152 Allow building/testing individual systemd units 2013-11-18 18:04:16 +01:00
Ricardo M. Correia
36a05c7b15 systemd: Add systemd.extraConfig option for /etc/systemd/system.conf 2013-11-16 16:50:59 +01:00
Ricardo M. Correia
e0171ef026 systemd: Change services.logind.extraConfig type to types.lines 2013-11-16 16:50:59 +01:00
Eelco Dolstra
4cada34b7f Properly handle unit names with dashes in them
We ended up with files in /etc/systemd/system called
"bigx2ddata.mount.wants" rather than "big\x2ddata.mount.wants".
2013-11-12 16:58:36 +01:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
d882e19662 Shut up "failed to resume" warning if there is no resume device 2013-10-30 18:47:43 +01:00
Eelco Dolstra
be5d3a59dd Clean up some option examples 2013-10-30 18:47:43 +01:00
Eelco Dolstra
70a2c54527 Strictly check the arguments to mkOption
And fix various instances of bad arguments.
2013-10-30 15:35:09 +01:00
Eelco Dolstra
4680af6a93 Add some option types 2013-10-30 14:57:42 +01:00
Eelco Dolstra
862e3dd977 Substitute "types.uniq types.string" -> "types.str" 2013-10-30 14:57:42 +01:00
Eelco Dolstra
9a8516438e Fix NixOps evaluation 2013-10-28 22:45:57 +01:00
Eelco Dolstra
d5047faede Remove uses of the "merge" option attribute
It's redundant because you can (and should) specify an option type, or
an apply function.
2013-10-28 22:45:56 +01:00
Eelco Dolstra
a40583e7e4 Fix bogus mkOption types
Among others, systemd unit options were not being type-checked because
of this.  mkOption should really check its arguments better...
2013-10-28 22:45:56 +01:00
Eelco Dolstra
1408ac51a4 Add missing types 2013-10-28 22:45:56 +01:00
Eelco Dolstra
4b1a9dd00b Remove uses of mkFixStrictness
mkFixStrictness is no longer needed, woohoo!
2013-10-28 22:45:55 +01:00
Eelco Dolstra
c4149c7b56 Fix evaluation error in the ISOs 2013-10-24 02:03:10 +02:00
Eelco Dolstra
a3777ba4f9 Remove dependencies on the Nixpkgs location 2013-10-23 20:08:23 +02:00
Eelco Dolstra
8f4c5b05d5 Add a way to define obsolete options that have no replacement 2013-10-23 20:08:22 +02:00
Eelco Dolstra
b33657df03 grub: Make assertion lazier 2013-10-17 13:30:49 +02:00
Shea Levy
a63b4dc555 Remove old efi boot stub bootloader
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-10-10 10:54:35 -04:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00