author Marvin Borner 2023-03-17 18:20:44 +0100
committer Marvin Borner 2023-03-17 18:20:44 +0100
commit 1562aad7d4e1b24d8191de892f2d216ee0f6de7b (patch)
tree a86a827deded319c46d952994b9c237213d0b6da
parent 3e8f62c35fce80343b5359b45924f7bc3fc22d4f (diff)
Yubikey
-rw-r--r-- README.md 29
-rwxr-xr-x hasyubi 13
-rwxr-xr-x install.sh 14
-rwxr-xr-x isbypass 9
-rw-r--r-- main.c 2
5 files changed, 49 insertions, 18 deletions
diff --git a/README.md b/README.md
index 9eea2a4..db557ed 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
# TrustHome
TrustHome disables the password requirement for sudo/login while you’re
-using your home wifi.
+using your home wifi and you have your yubikey connected.
### DISLAIMER: I’m not responsible for any security breaches you may encounter while having this installed. This is merely a utility for my personal convenience and should never be used if you’re serious about security. You should ALWAYS use other security measures, such as full disk encryption, in addition.
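Review bot: the new wording "you have your yubikey connected" overstates what the added check does; `hasyubi` only compares the serial printed by `ykman list --serials`, which establishes that a key is plugged in, not that a challenge-response succeeded, so "plugged in" or "detected" would describe the behaviour more honestly. The unchanged context line in this hunk also still reads "DISLAIMER".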
@@ -9,29 +9,30 @@ using your home wifi.
0. Make sure that you use `iwd` and have `pam` and `sudo` configured
correctly
- - if you don’t use `iwd`, modifying `ishome` to fit your network
- daemon shouldn’t be too hard
+ - if you don’t use `iwd`, modifying `ishome` to fit your network
+ daemon shouldn’t be too hard
1. Modify `ishome` according to your network’s specifications
-2. Verify whether the paths in `install.sh` work for you and your OS
-3. Run `sudo ./install.sh` - you might need to install `libpam` if you
+2. Modify `hasyubi` accordingly
+3. Verify whether the paths in `install.sh` work for you and your OS
+4. Run `sudo ./install.sh` - you might need to install `libpam` if you
get errors
-4. Modify your pam configuration accordingly. For example, my
+5. Modify your pam configuration accordingly. For example, my
`/etc/pam.d/sudo` file looks like this:
<!-- -->
auth sufficient pam_trusthome.so
- auth sufficient pam_fprintd.so
- auth include system-auth
+ auth sufficient pam_yubico.so mode=challenge-response authfile=/etc/yourmappings
account include system-auth
session include system-auth
-using this configuration sudo will fall back to my fingerprint sensor if
-I’m not on my home network which will then fall back to normal password
-authentication if something failed. You may also want to edit files like
-`/etc/pam.d/login` in a similar way.
+using this configuration sudo will fall back to my yubikey
+challenge-response if I’m not on my home network. You may also want to
+edit files like `/etc/pam.d/login` in a similar way.
## Ideas
-You could try modifying `ishome` so that you get authenticated
-automatically based on your GPS location or public IP address.
+- other uses of ishome/hasyubi can be found in my
+ [.files](https://github.com/marvinborner/.files)
+- you could try modifying `ishome` so that you get authenticated
+ automatically based on your GPS location or public IP address.
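Review bot: the example `/etc/pam.d/sudo` removes `auth include system-auth` together with `pam_fprintd.so`, so "sudo will fall back to my yubikey challenge-response" is the whole chain: without the key plugged in neither `pam_trusthome.so` nor `pam_yubico.so` can succeed and there is no password fallback at all. State that this lockout is intended, or keep `auth include system-auth` as the final line. Step 2, "Modify `hasyubi` accordingly", should say what to change, namely the `SERIAL=` value.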
diff --git a/hasyubi b/hasyubi
new file mode 100755
index 0000000..95fe37b
--- /dev/null
+++ b/hasyubi
@@ -0,0 +1,13 @@
+#!/bin/env sh
+
+# WARNING: This (obiously) isn't a replacement for normal challenge-response verification.
+# This only serves as an additional security measure IF YOU ALREADY TRUST YOUR ENVIRONMENT
+
+SERIAL="YOURSERIAL"
+connected=$(ykman list --serials 2>/dev/null)
+
+if [ "$connected" = "$SERIAL" ]; then
+ exit 0
+else
+ exit 1
+fi
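Review bot: `#!/bin/env sh` only resolves on systems where `/bin` is merged into `/usr/bin`; `#!/usr/bin/env sh` is the portable form (same in `isbypass`). `ykman` is found through whatever `PATH` the process running the PAM module carries, so an absolute path would make the check predictable under `sudo`. The exact comparison `"$connected" = "$SERIAL"` also fails as soon as a second key is attached, because `ykman list --serials` prints one serial per line; `printf '%s\n' "$connected" | grep -qx "$SERIAL"` matches the intended key either way. Typo in the comment: "obiously".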
diff --git a/install.sh b/install.sh
index 5d40318..e118d4f 100755
--- a/install.sh
+++ b/install.sh
@@ -7,6 +7,14 @@ ld -x --shared -o /lib/security/pam_trusthome.so main.o
chmod 755 /lib/security/pam_trusthome.so
rm main.o
-cp ishome /etc/security/
-chown root:root /etc/security/ishome
-chmod 005 /etc/security/ishome
+cp ishome /usr/local/bin/
+chown root:root /usr/local/bin/ishome
+chmod 005 /usr/local/bin/ishome
+
+cp hasyubi /usr/local/bin/
+chown root:root /usr/local/bin/hasyubi
+chmod 005 /usr/local/bin/hasyubi
+
+cp isbypass /etc/security/
+chown root:root /etc/security/isbypass
+chmod 005 /etc/security/isbypass
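Review bot: the previous install placed `ishome` in `/etc/security/`, and this hunk moves it to `/usr/local/bin/` without removing the old copy, so an upgraded system keeps an executable `/etc/security/ishome` that nothing maintains any more; add `rm -f /etc/security/ishome` or mention it in the README. Mode `005` leaves the files without owner and group bits, which only works because root ignores them; `755`, as already used for `pam_trusthome.so` above, is the conventional choice and equally restrictive for non-root writes.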
diff --git a/isbypass b/isbypass
new file mode 100755
index 0000000..cd03041
--- /dev/null
+++ b/isbypass
@@ -0,0 +1,9 @@
+#!/bin/env sh
+
+(/usr/local/bin/ishome && /usr/local/bin/hasyubi) && (
+ notify-send "access bypass" &
+ exit 0
+) || (
+ notify-send "awaiting authentication" &
+ exit 1
+)
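Review bot: the `exit 0` and `exit 1` inside the `( ... )` groups terminate only those subshells; the script's own status is simply that of whichever group ran last, which happens to produce the right result here but reads as though `exit` ends the script. An explicit `if /usr/local/bin/ishome && /usr/local/bin/hasyubi; then ...; exit 0; else ...; exit 1; fi` says what is meant. `notify-send` is started as root from the PAM module, which usually has no access to the user's session bus, so it may fail and write to the caller's stderr; redirect it to `/dev/null` or keep it out of the authentication path.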
diff --git a/main.c b/main.c
index 60eeec5..df9047d 100644
--- a/main.c
+++ b/main.c
@@ -8,7 +8,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc,
const char **argv)
{
if (fork() == 0) {
- execl("/etc/security/ishome", NULL);
+ execl("/etc/security/isbypass", NULL);
} else {
int stat;
wait(&stat);
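Review bot: only the path changes, so `execl("/etc/security/isbypass", NULL)` still passes `NULL` as the first variadic argument, which hands the script an empty `argv` (no `argv[0]`) and relies on an uncast `NULL` as the sentinel; use `execl("/etc/security/isbypass", "isbypass", (char *)NULL)`. If `execl` fails, the child returns into the module and continues as if it were the parent, so add `_exit(127);` directly after the call, and `fork() == 0` treats a `-1` failure as the parent branch, which then `wait`s with no child to wait for.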