#include "sd-bus.h"
-#include "alloc-util.h"
#include "ask-password-api.h"
#include "bus-common-errors.h"
#include "bus-error.h"
-#include "bus-util.h"
+#include "bus-locator.h"
#include "cgroup-util.h"
#include "dns-domain.h"
#include "env-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-table.h"
-#include "format-util.h"
-#include "fs-util.h"
-#include "hexdecoct.h"
#include "home-util.h"
-#include "libcrypt-util.h"
+#include "homectl-fido2.h"
+#include "homectl-pkcs11.h"
+#include "homectl-recovery-key.h"
#include "locale-util.h"
#include "main-func.h"
#include "memory-util.h"
-#include "openssl-util.h"
#include "pager.h"
#include "parse-util.h"
#include "path-util.h"
#include "pretty-print.h"
#include "process-util.h"
#include "pwquality-util.h"
-#include "random-util.h"
#include "rlimit-util.h"
#include "spawn-polkit-agent.h"
#include "terminal-util.h"
+#include "user-record-pwquality.h"
#include "user-record-show.h"
#include "user-record-util.h"
#include "user-record.h"
static uint64_t arg_disk_size = UINT64_MAX;
static uint64_t arg_disk_size_relative = UINT64_MAX;
static char **arg_pkcs11_token_uri = NULL;
+static char **arg_fido2_device = NULL;
+static bool arg_recovery_key = false;
static bool arg_json = false;
static JsonFormatFlags arg_json_format_flags = 0;
static bool arg_and_resize = false;
STATIC_DESTRUCTOR_REGISTER(arg_identity_filter, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_identity_filter_rlimits, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, strv_freep);
+STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, strv_freep);
+
+static const BusLocator *bus_mgr;
static bool identity_properties_specified(void) {
return
!json_variant_is_blank_object(arg_identity_extra_rlimits) ||
!strv_isempty(arg_identity_filter) ||
!strv_isempty(arg_identity_filter_rlimits) ||
- !strv_isempty(arg_pkcs11_token_uri);
+ !strv_isempty(arg_pkcs11_token_uri) ||
+ !strv_isempty(arg_fido2_device);
}
static int acquire_bus(sd_bus **bus) {
if (r < 0)
return r;
- r = bus_call_method(bus, bus_home_mgr, "ListHomes", &error, &reply, NULL);
+ r = bus_call_method(bus, bus_mgr, "ListHomes", &error, &reply, NULL);
if (r < 0)
return log_error_errno(r, "Failed to list homes: %s", bus_error_message(&error, r));
TABLE_UID, uid,
TABLE_GID, gid);
if (r < 0)
- return log_error_errno(r, "Failed to add row to table: %m");
+ return table_log_add_error(r);
r = table_add_cell(table, &cell, TABLE_STRING, state);
if (r < 0)
- return log_error_errno(r, "Failed to add field to table: %m");
+ return table_log_add_error(r);
color = user_record_state_color(state);
if (color)
TABLE_STRING, home,
TABLE_STRING, strna(empty_to_null(shell)));
if (r < 0)
- return log_error_errno(r, "Failed to add row to table: %m");
+ return table_log_add_error(r);
}
r = sd_bus_message_exit_container(reply);
if (table_get_rows(table) > 1 || arg_json) {
r = table_set_sort(table, (size_t) 0, (size_t) -1);
if (r < 0)
- return log_error_errno(r, "Failed to sort table: %m");
+ return table_log_sort_error(r);
table_set_header(table, arg_legend);
else
r = table_print(table, NULL);
if (r < 0)
- return log_error_errno(r, "Failed to show table: %m");
+ return table_log_print_error(r);
}
if (arg_legend && !arg_json) {
return 0;
}
-static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) {
+static int acquire_token_pin(const char *user_name, UserRecord *hr) {
_cleanup_(strv_free_erasep) char **pin = NULL;
_cleanup_free_ char *question = NULL;
char *e;
e = getenv("PIN");
if (e) {
- r = user_record_set_pkcs11_pin(hr, STRV_MAKE(e), false);
+ r = user_record_set_token_pin(hr, STRV_MAKE(e), false);
if (r < 0)
- return log_error_errno(r, "Failed to store PKCS#11 PIN: %m");
+ return log_error_errno(r, "Failed to store token PIN: %m");
string_erase(e);
return log_oom();
/* We never cache or use cached PINs, since usually there are only very few attempts allowed before the PIN is blocked */
- r = ask_password_auto(question, "user-home", NULL, "pkcs11-pin", USEC_INFINITY, 0, &pin);
+ r = ask_password_auto(question, "user-home", NULL, "token-pin", USEC_INFINITY, 0, &pin);
if (r < 0)
return log_error_errno(r, "Failed to acquire security token PIN: %m");
- r = user_record_set_pkcs11_pin(hr, pin, false);
+ r = user_record_set_token_pin(hr, pin, false);
if (r < 0)
return log_error_errno(r, "Failed to store security token PIN: %m");
} else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) {
- r = acquire_pkcs11_pin(user_name, hr);
+ r = acquire_token_pin(user_name, hr);
if (r < 0)
return r;
} else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) {
- log_notice("Please authenticate physically on security token.");
+ log_notice("%s%sPlease authenticate physically on security token.",
+ emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
+ emoji_enabled() ? " " : "");
r = user_record_set_pkcs11_protected_authentication_path_permitted(hr, true);
if (r < 0)
return log_error_errno(r, "Failed to set PKCS#11 protected authentication path permitted flag: %m");
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) {
+
+ log_notice("%s%sAuthentication requires presence verification on security token.",
+ emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
+ emoji_enabled() ? " " : "");
+
+ r = user_record_set_fido2_user_presence_permitted(hr, true);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set FIDO2 user presence permitted flag: %m");
+
} else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_LOCKED))
- return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Security token PIN is locked, please unlock security token PIN first.");
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Security token PIN is locked, please unlock it first. (Hint: Removal and re-insertion might suffice.)");
else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) {
log_notice("Security token PIN incorrect, please try again.");
- r = acquire_pkcs11_pin(user_name, hr);
+ r = acquire_token_pin(user_name, hr);
if (r < 0)
return r;
log_notice("Security token PIN incorrect, please try again (only a few tries left!).");
- r = acquire_pkcs11_pin(user_name, hr);
+ r = acquire_token_pin(user_name, hr);
if (r < 0)
return r;
log_notice("Security token PIN incorrect, please try again (only one try left!).");
- r = acquire_pkcs11_pin(user_name, hr);
+ r = acquire_token_pin(user_name, hr);
if (r < 0)
return r;
} else
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ActivateHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ActivateHome");
if (r < 0)
return bus_log_create_error(r);
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "DeactivateHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "DeactivateHome");
if (r < 0)
return bus_log_create_error(r);
continue;
}
- r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", *i);
+ r = bus_call_method(bus, bus_mgr, "GetUserRecordByName", &error, &reply, "s", *i);
} else
- r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByUID", &error, &reply, "u", (uint32_t) uid);
+ r = bus_call_method(bus, bus_mgr, "GetUserRecordByUID", &error, &reply, "u", (uint32_t) uid);
if (r < 0) {
log_error_errno(r, "Failed to inspect home: %s", bus_error_message(&error, r));
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "AuthenticateHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "AuthenticateHome");
if (r < 0)
return bus_log_create_error(r);
return 1;
}
-struct pkcs11_callback_data {
- char *pin_used;
- X509 *cert;
-};
-
-static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) {
- erase_and_free(data->pin_used);
- X509_free(data->cert);
-}
-
-#if HAVE_P11KIT
-static int pkcs11_callback(
- CK_FUNCTION_LIST *m,
- CK_SESSION_HANDLE session,
- CK_SLOT_ID slot_id,
- const CK_SLOT_INFO *slot_info,
- const CK_TOKEN_INFO *token_info,
- P11KitUri *uri,
- void *userdata) {
-
- _cleanup_(erase_and_freep) char *pin_used = NULL;
- struct pkcs11_callback_data *data = userdata;
- CK_OBJECT_HANDLE object;
- int r;
-
- assert(m);
- assert(slot_info);
- assert(token_info);
- assert(uri);
- assert(data);
-
- /* Called for every token matching our URI */
-
- r = pkcs11_token_login(m, session, slot_id, token_info, "home directory operation", "user-home", "pkcs11-pin", UINT64_MAX, &pin_used);
- if (r < 0)
- return r;
-
- r = pkcs11_token_find_x509_certificate(m, session, uri, &object);
- if (r < 0)
- return r;
-
- r = pkcs11_token_read_x509_certificate(m, session, object, &data->cert);
- if (r < 0)
- return r;
-
- /* Let's read some random data off the token and write it to the kernel pool before we generate our
- * random key from it. This way we can claim the quality of the RNG is at least as good as the
- * kernel's and the token's pool */
- (void) pkcs11_token_acquire_rng(m, session);
-
- data->pin_used = TAKE_PTR(pin_used);
- return 1;
-}
-#endif
-
-static int acquire_pkcs11_certificate(
- const char *uri,
- X509 **ret_cert,
- char **ret_pin_used) {
-
-#if HAVE_P11KIT
- _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {};
- int r;
-
- r = pkcs11_find_token(uri, pkcs11_callback, &data);
- if (r == -EAGAIN) /* pkcs11_find_token() doesn't log about this error, but all others */
- return log_error_errno(ENXIO, "Specified PKCS#11 token with URI '%s' not found.", uri);
- if (r < 0)
- return r;
-
- *ret_cert = TAKE_PTR(data.cert);
- *ret_pin_used = TAKE_PTR(data.pin_used);
-
- return 0;
-#else
- return log_error_errno(EOPNOTSUPP, "PKCS#11 tokens not supported on this build.");
-#endif
-}
-
-static int encrypt_bytes(
- EVP_PKEY *pkey,
- const void *decrypted_key,
- size_t decrypted_key_size,
- void **ret_encrypt_key,
- size_t *ret_encrypt_key_size) {
-
- _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = NULL;
- _cleanup_free_ void *b = NULL;
- size_t l;
-
- ctx = EVP_PKEY_CTX_new(pkey, NULL);
- if (!ctx)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to allocate public key context");
-
- if (EVP_PKEY_encrypt_init(ctx) <= 0)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize public key context");
-
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to configure PKCS#1 padding");
-
- if (EVP_PKEY_encrypt(ctx, NULL, &l, decrypted_key, decrypted_key_size) <= 0)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size");
-
- b = malloc(l);
- if (!b)
- return log_oom();
-
- if (EVP_PKEY_encrypt(ctx, b, &l, decrypted_key, decrypted_key_size) <= 0)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size");
-
- *ret_encrypt_key = TAKE_PTR(b);
- *ret_encrypt_key_size = l;
-
- return 0;
-}
-
-static int add_pkcs11_pin(JsonVariant **v, const char *pin) {
- _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
- _cleanup_(strv_free_erasep) char **pins = NULL;
- int r;
-
- assert(v);
-
- if (isempty(pin))
- return 0;
-
- w = json_variant_ref(json_variant_by_key(*v, "secret"));
- l = json_variant_ref(json_variant_by_key(w, "pkcs11Pin"));
-
- r = json_variant_strv(l, &pins);
- if (r < 0)
- return log_error_errno(r, "Failed to convert PIN array: %m");
-
- if (strv_find(pins, pin))
- return 0;
-
- r = strv_extend(&pins, pin);
- if (r < 0)
- return log_oom();
-
- strv_uniq(pins);
-
- l = json_variant_unref(l);
-
- r = json_variant_new_array_strv(&l, pins);
- if (r < 0)
- return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
-
- json_variant_sensitive(l);
-
- r = json_variant_set_field(&w, "pkcs11Pin", l);
- if (r < 0)
- return log_error_errno(r, "Failed to update PIN field: %m");
-
- r = json_variant_set_field(v, "secret", w);
- if (r < 0)
- return log_error_errno(r, "Failed to update secret object: %m");
-
- return 1;
-}
-
-static int add_pkcs11_encrypted_key(
- JsonVariant **v,
- const char *uri,
- const void *encrypted_key, size_t encrypted_key_size,
- const void *decrypted_key, size_t decrypted_key_size) {
-
- _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
- _cleanup_(erase_and_freep) char *base64_encoded = NULL;
- _cleanup_free_ char *salt = NULL;
- struct crypt_data cd = {};
- char *k;
- int r;
-
- assert(v);
- assert(uri);
- assert(encrypted_key);
- assert(encrypted_key_size > 0);
- assert(decrypted_key);
- assert(decrypted_key_size > 0);
-
- r = make_salt(&salt);
- if (r < 0)
- return log_error_errno(r, "Failed to generate salt: %m");
-
- /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
- * expect a NUL terminated string, and we use a binary key */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
-
- errno = 0;
- k = crypt_r(base64_encoded, salt, &cd);
- if (!k)
- return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m");
-
- r = json_build(&e, JSON_BUILD_OBJECT(
- JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)),
- JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)),
- JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(k))));
- if (r < 0)
- return log_error_errno(r, "Failed to build encrypted JSON key object: %m");
-
- w = json_variant_ref(json_variant_by_key(*v, "privileged"));
- l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey"));
-
- r = json_variant_append_array(&l, e);
- if (r < 0)
- return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m");
-
- r = json_variant_set_field(&w, "pkcs11EncryptedKey", l);
- if (r < 0)
- return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m");
-
- r = json_variant_set_field(v, "privileged", w);
- if (r < 0)
- return log_error_errno(r, "Failed to update privileged field: %m");
-
- return 0;
-}
-
-static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
- _cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
- _cleanup_strv_free_ char **l = NULL;
- int r;
-
- assert(v);
- assert(uri);
-
- w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri"));
- if (w) {
- r = json_variant_strv(w, &l);
- if (r < 0)
- return log_error_errno(r, "Failed to parse PKCS#11 token list: %m");
-
- if (strv_contains(l, uri))
- return 0;
- }
-
- r = strv_extend(&l, uri);
- if (r < 0)
- return log_oom();
-
- w = json_variant_unref(w);
- r = json_variant_new_array_strv(&w, l);
- if (r < 0)
- return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m");
-
- r = json_variant_set_field(v, "pkcs11TokenUri", w);
- if (r < 0)
- return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m");
-
- return 0;
-}
-
-static int add_pkcs11_key_data(JsonVariant **v, const char *uri) {
- _cleanup_(erase_and_freep) void *decrypted_key = NULL, *encrypted_key = NULL;
- _cleanup_(erase_and_freep) char *pin = NULL;
- size_t decrypted_key_size, encrypted_key_size;
- _cleanup_(X509_freep) X509 *cert = NULL;
- EVP_PKEY *pkey;
- RSA *rsa;
- int bits;
- int r;
-
- assert(v);
-
- r = acquire_pkcs11_certificate(uri, &cert, &pin);
- if (r < 0)
- return r;
-
- pkey = X509_get0_pubkey(cert);
- if (!pkey)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate.");
-
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
-
- rsa = EVP_PKEY_get0_RSA(pkey);
- if (!rsa)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
-
- bits = RSA_bits(rsa);
- log_debug("Bits in RSA key: %i", bits);
-
- /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
- * generate a random key half the size of the RSA length */
- decrypted_key_size = bits / 8 / 2;
-
- if (decrypted_key_size < 1)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Uh, RSA key size too short?");
-
- log_debug("Generating %zu bytes random key.", decrypted_key_size);
-
- decrypted_key = malloc(decrypted_key_size);
- if (!decrypted_key)
- return log_oom();
-
- r = genuine_random_bytes(decrypted_key, decrypted_key_size, RANDOM_BLOCK);
- if (r < 0)
- return log_error_errno(r, "Failed to generate random key: %m");
-
- r = encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size);
- if (r < 0)
- return log_error_errno(r, "Failed to encrypt key: %m");
-
- /* Add the token URI to the public part of the record. */
- r = add_pkcs11_token_uri(v, uri);
- if (r < 0)
- return r;
-
- /* Include the encrypted version of the random key we just generated in the privileged part of the record */
- r = add_pkcs11_encrypted_key(
- v,
- uri,
- encrypted_key, encrypted_key_size,
- decrypted_key, decrypted_key_size);
- if (r < 0)
- return r;
-
- /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed
- * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or
- * fscrypt. */
- r = add_pkcs11_pin(v, pin);
- if (r < 0)
- return r;
-
- return 0;
-}
-
static int acquire_new_home_record(UserRecord **ret) {
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
_cleanup_(user_record_unrefp) UserRecord *hr = NULL;
return r;
STRV_FOREACH(i, arg_pkcs11_token_uri) {
- r = add_pkcs11_key_data(&v, *i);
+ r = identity_add_pkcs11_key_data(&v, *i);
+ if (r < 0)
+ return r;
+ }
+
+ STRV_FOREACH(i, arg_fido2_device) {
+ r = identity_add_fido2_parameters(&v, *i);
+ if (r < 0)
+ return r;
+ }
+
+ if (arg_recovery_key) {
+ r = identity_add_recovery_key(&v);
if (r < 0)
return r;
}
static int acquire_new_password(
const char *user_name,
UserRecord *hr,
- bool suggest) {
+ bool suggest,
+ char **ret) {
unsigned i = 5;
char *e;
e = getenv("NEWPASSWORD");
if (e) {
+ _cleanup_(erase_and_freep) char *copy = NULL;
+
/* As above, this is not for use, just for testing */
- r = user_record_set_password(hr, STRV_MAKE(e), /* prepend = */ false);
+ if (ret) {
+ copy = strdup(e);
+ if (!copy)
+ return log_oom();
+ }
+
+ r = user_record_set_password(hr, STRV_MAKE(e), /* prepend = */ true);
if (r < 0)
return log_error_errno(r, "Failed to store password: %m");
if (unsetenv("NEWPASSWORD") < 0)
return log_error_errno(errno, "Failed to unset $NEWPASSWORD: %m");
+ if (ret)
+ *ret = TAKE_PTR(copy);
+
return 0;
}
return log_error_errno(r, "Failed to acquire password: %m");
if (strv_equal(first, second)) {
- r = user_record_set_password(hr, first, /* prepend = */ false);
+ _cleanup_(erase_and_freep) char *copy = NULL;
+
+ if (ret) {
+ copy = strdup(first[0]);
+ if (!copy)
+ return log_oom();
+ }
+
+ r = user_record_set_password(hr, first, /* prepend = */ true);
if (r < 0)
return log_error_errno(r, "Failed to store password: %m");
+ if (ret)
+ *ret = TAKE_PTR(copy);
+
return 0;
}
static int create_home(int argc, char *argv[], void *userdata) {
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
_cleanup_(user_record_unrefp) UserRecord *hr = NULL;
- _cleanup_strv_free_ char **original_hashed_passwords = NULL;
int r;
r = acquire_bus(&bus);
if (r < 0)
return r;
- /* Remember the original hashed paswords before we add our own, so that we can return to them later,
- * should the entered password turn out not to be acceptable. */
- original_hashed_passwords = strv_copy(hr->hashed_password);
- if (!original_hashed_passwords)
- return log_oom();
-
- /* If the JSON record carries no plain text password, then let's query it manually. */
- if (!hr->password) {
+ /* If the JSON record carries no plain text password (besides the recovery key), then let's query it
+ * manually. */
+ if (strv_length(hr->password) <= arg_recovery_key) {
if (strv_isempty(hr->hashed_password)) {
+ _cleanup_(erase_and_freep) char *new_password = NULL;
+
/* No regular (i.e. non-PKCS#11) hashed passwords set in the record, let's fix that. */
- r = acquire_new_password(hr->user_name, hr, /* suggest = */ true);
+ r = acquire_new_password(hr->user_name, hr, /* suggest = */ true, &new_password);
if (r < 0)
return r;
- r = user_record_make_hashed_password(hr, hr->password, /* extend = */ true);
+ r = user_record_make_hashed_password(hr, STRV_MAKE(new_password), /* extend = */ false);
if (r < 0)
return log_error_errno(r, "Failed to hash password: %m");
} else {
/* There's a hash password set in the record, acquire the unhashed version of it. */
- r = acquire_existing_password(hr->user_name, hr, false);
+ r = acquire_existing_password(hr->user_name, hr, /* emphasize_current= */ false);
if (r < 0)
return r;
}
/* If password quality enforcement is disabled, let's at least warn client side */
- r = quality_check_password(hr, hr, &error);
+ r = user_record_quality_check_password(hr, hr, &error);
if (r < 0)
log_warning_errno(r, "Specified password does not pass quality checks (%s), proceeding anyway.", bus_error_message(&error, r));
}
r = json_variant_format(hr->json, 0, &formatted);
if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to format user record: %m");
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "CreateHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "CreateHome");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL);
if (r < 0) {
- if (!sd_bus_error_has_name(&error, BUS_ERROR_LOW_PASSWORD_QUALITY))
- return log_error_errno(r, "Failed to create user home: %s", bus_error_message(&error, r));
-
- log_error_errno(r, "%s", bus_error_message(&error, r));
- log_info("(Use --enforce-password-policy=no to turn off password quality checks for this account.)");
- } else
- break; /* done */
+ if (sd_bus_error_has_name(&error, BUS_ERROR_LOW_PASSWORD_QUALITY)) {
+ _cleanup_(erase_and_freep) char *new_password = NULL;
- r = user_record_set_hashed_password(hr, original_hashed_passwords);
- if (r < 0)
- return r;
+ log_error_errno(r, "%s", bus_error_message(&error, r));
+ log_info("(Use --enforce-password-policy=no to turn off password quality checks for this account.)");
- r = acquire_new_password(hr->user_name, hr, /* suggest = */ false);
- if (r < 0)
- return r;
+ r = acquire_new_password(hr->user_name, hr, /* suggest = */ false, &new_password);
+ if (r < 0)
+ return r;
- r = user_record_make_hashed_password(hr, hr->password, /* extend = */ true);
- if (r < 0)
- return log_error_errno(r, "Failed to hash passwords: %m");
+ r = user_record_make_hashed_password(hr, STRV_MAKE(new_password), /* extend = */ false);
+ if (r < 0)
+ return log_error_errno(r, "Failed to hash passwords: %m");
+ } else {
+ r = handle_generic_user_record_error(hr->user_name, hr, &error, r, false);
+ if (r < 0)
+ return r;
+ }
+ } else
+ break; /* done */
}
return 0;
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "RemoveHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "RemoveHome");
if (r < 0)
return bus_log_create_error(r);
if (!identity_properties_specified())
return log_error_errno(SYNTHETIC_ERRNO(EALREADY), "No field to change specified.");
- r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
+ r = bus_call_method(bus, bus_mgr, "GetUserRecordByName", &error, &reply, "s", username);
if (r < 0)
return log_error_errno(r, "Failed to acquire user home record: %s", bus_error_message(&error, r));
return r;
STRV_FOREACH(i, arg_pkcs11_token_uri) {
- r = add_pkcs11_key_data(&json, *i);
+ r = identity_add_pkcs11_key_data(&json, *i);
+ if (r < 0)
+ return r;
+ }
+
+ STRV_FOREACH(i, arg_fido2_device) {
+ r = identity_add_fido2_parameters(&json, *i);
if (r < 0)
return r;
}
/* If the user supplied a full record, then add in lastChange, but do not override. Otherwise always
* override. */
- r = update_last_change(&json, !!arg_pkcs11_token_uri, !arg_identity);
+ r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device, !arg_identity);
if (r < 0)
return r;
return 0;
}
+static int home_record_reset_human_interaction_permission(UserRecord *hr) {
+ int r;
+
+ assert(hr);
+
+ /* When we execute multiple operations one after the other, let's reset the permission to ask the
+ * user each time, so that if interaction is necessary we will be told so again and thus can print a
+ * nice message to the user, telling the user so. */
+
+ r = user_record_set_pkcs11_protected_authentication_path_permitted(hr, -1);
+ if (r < 0)
+ return log_error_errno(r, "Failed to reset PKCS#11 protected authentication path permission flag: %m");
+
+ r = user_record_set_fido2_user_presence_permitted(hr, -1);
+ if (r < 0)
+ return log_error_errno(r, "Failed to reset FIDO2 user presence permission flag: %m");
+
+ return 0;
+}
+
static int update_home(int argc, char *argv[], void *userdata) {
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
_cleanup_(user_record_unrefp) UserRecord *hr = NULL;
if (r < 0)
return r;
+ /* If we do multiple operations, let's output things more verbosely, since otherwise the repeated
+ * authentication might be confusing. */
+
+ if (arg_and_resize || arg_and_change_password)
+ log_info("Updating home directory.");
+
for (;;) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
_cleanup_free_ char *formatted = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "UpdateHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "UpdateHome");
if (r < 0)
return bus_log_create_error(r);
r = json_variant_format(hr->json, 0, &formatted);
if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to format user record: %m");
(void) sd_bus_message_sensitive(m);
break;
}
+ if (arg_and_resize)
+ log_info("Resizing home.");
+
+ (void) home_record_reset_human_interaction_permission(hr);
+
/* Also sync down disk size to underlying LUKS/fscrypt/quota */
while (arg_and_resize) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- log_debug("Resizing");
-
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ResizeHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ResizeHome");
if (r < 0)
return bus_log_create_error(r);
break;
}
+ if (arg_and_change_password)
+ log_info("Synchronizing passwords and encryption keys.");
+
+ (void) home_record_reset_human_interaction_permission(hr);
+
/* Also sync down passwords to underlying LUKS/fscrypt */
while (arg_and_change_password) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- log_debug("Propagating password");
-
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ChangePasswordHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ChangePasswordHome");
if (r < 0)
return bus_log_create_error(r);
if (arg_pkcs11_token_uri)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "To change the PKCS#11 security token use 'homectl update --pkcs11-token-uri=…'.");
+ if (arg_fido2_device)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "To change the FIDO2 security token use 'homectl update --fido2-device=…'.");
if (identity_properties_specified())
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "The 'passwd' verb does not permit changing other record properties at the same time.");
if (!new_secret)
return log_oom();
- r = acquire_new_password(username, new_secret, /* suggest = */ true);
+ r = acquire_new_password(username, new_secret, /* suggest = */ true, NULL);
if (r < 0)
return r;
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ChangePasswordHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ChangePasswordHome");
if (r < 0)
return bus_log_create_error(r);
log_error_errno(r, "%s", bus_error_message(&error, r));
- r = acquire_new_password(username, new_secret, /* suggest = */ false);
+ r = acquire_new_password(username, new_secret, /* suggest = */ false, NULL);
} else if (sd_bus_error_has_name(&error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN))
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ResizeHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ResizeHome");
if (r < 0)
return bus_log_create_error(r);
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "LockHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "LockHome");
if (r < 0)
return bus_log_create_error(r);
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "UnlockHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "UnlockHome");
if (r < 0)
return bus_log_create_error(r);
return log_oom();
for (;;) {
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "AcquireHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "AcquireHome");
if (r < 0)
return bus_log_create_error(r);
}
}
- r = bus_call_method(bus, bus_home_mgr, "GetHomeByName", &error, &reply, "s", argv[1]);
+ r = bus_call_method(bus, bus_mgr, "GetHomeByName", &error, &reply, "s", argv[1]);
if (r < 0)
return log_error_errno(r, "Failed to inspect home: %s", bus_error_message(&error, r));
/* Close the fd that pings the home now. */
acquired_fd = safe_close(acquired_fd);
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ReleaseHome");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "ReleaseHome");
if (r < 0)
return bus_log_create_error(r);
if (r < 0)
return r;
- r = bus_message_new_method_call(bus, &m, bus_home_mgr, "LockAllHomes");
+ r = bus_message_new_method_call(bus, &m, bus_mgr, "LockAllHomes");
if (r < 0)
return bus_log_create_error(r);
" Specify SSH public keys\n"
" --pkcs11-token-uri=URI URI to PKCS#11 security token containing\n"
" private key and matching X.509 certificate\n"
+ " --fido2-device=PATH Path to FIDO2 hidraw device with hmac-secret\n"
+ " extension\n"
+ " --recovery-key=BOOL Add a recovery key\n"
"\n%4$sAccount Management User Record Properties:%5$s\n"
" --locked=BOOL Set locked account state\n"
" --not-before=TIMESTAMP Do not allow logins before\n"
" --image-path=PATH Path to image file/directory\n"
"\n%4$sLUKS Storage User Record Properties:%5$s\n"
" --fs-type=TYPE File system type to use in case of luks\n"
- " storage (ext4, xfs, btrfs)\n"
+ " storage (btrfs, ext4, xfs)\n"
" --luks-discard=BOOL Whether to use 'discard' feature of file system\n"
" when activated (mounted)\n"
" --luks-offline-discard=BOOL\n"
ARG_EXPORT_FORMAT,
ARG_AUTO_LOGIN,
ARG_PKCS11_TOKEN_URI,
+ ARG_FIDO2_DEVICE,
+ ARG_RECOVERY_KEY,
ARG_AND_RESIZE,
ARG_AND_CHANGE_PASSWORD,
};
{ "json", required_argument, NULL, ARG_JSON },
{ "export-format", required_argument, NULL, ARG_EXPORT_FORMAT },
{ "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
+ { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
+ { "recovery-key", required_argument, NULL, ARG_RECOVERY_KEY },
{ "and-resize", required_argument, NULL, ARG_AND_RESIZE },
{ "and-change-password", required_argument, NULL, ARG_AND_CHANGE_PASSWORD },
{}
case ARG_PKCS11_TOKEN_URI: {
const char *p;
+ if (streq(optarg, "list"))
+ return list_pkcs11_tokens();
+
/* If --pkcs11-token-uri= is specified we always drop everything old */
FOREACH_STRING(p, "pkcs11TokenUri", "pkcs11EncryptedKey") {
r = drop_from_identity(p);
break;
}
- if (!pkcs11_uri_valid(optarg))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg);
+ if (streq(optarg, "auto")) {
+ _cleanup_free_ char *found = NULL;
+
+ r = find_pkcs11_token_auto(&found);
+ if (r < 0)
+ return r;
+ r = strv_consume(&arg_pkcs11_token_uri, TAKE_PTR(found));
+ } else {
+ if (!pkcs11_uri_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg);
- r = strv_extend(&arg_pkcs11_token_uri, optarg);
+ r = strv_extend(&arg_pkcs11_token_uri, optarg);
+ }
if (r < 0)
return r;
break;
}
+ case ARG_FIDO2_DEVICE: {
+ const char *p;
+
+ if (streq(optarg, "list"))
+ return list_fido2_devices();
+
+ FOREACH_STRING(p, "fido2HmacCredential", "fido2HmacSalt") {
+ r = drop_from_identity(p);
+ if (r < 0)
+ return r;
+ }
+
+ if (isempty(optarg)) {
+ arg_fido2_device = strv_free(arg_fido2_device);
+ break;
+ }
+
+ if (streq(optarg, "auto")) {
+ _cleanup_free_ char *found = NULL;
+
+ r = find_fido2_auto(&found);
+ if (r < 0)
+ return r;
+
+ r = strv_consume(&arg_fido2_device, TAKE_PTR(found));
+ } else
+ r = strv_extend(&arg_fido2_device, optarg);
+
+ if (r < 0)
+ return r;
+
+ strv_uniq(arg_fido2_device);
+ break;
+ }
+
+ case ARG_RECOVERY_KEY: {
+ const char *p;
+
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --recovery-key= argument: %s", optarg);
+
+ arg_recovery_key = r;
+
+ FOREACH_STRING(p, "recoveryKey", "recoveryKeyType") {
+ r = drop_from_identity(p);
+ if (r < 0)
+ return r;
+ }
+
+ break;
+ }
+
case 'j':
arg_json = true;
arg_json_format_flags = JSON_FORMAT_PRETTY_AUTO|JSON_FORMAT_COLOR_AUTO;
}
}
- if (!strv_isempty(arg_pkcs11_token_uri))
+ if (!strv_isempty(arg_pkcs11_token_uri) || !strv_isempty(arg_fido2_device))
arg_and_change_password = true;
if (arg_disk_size != UINT64_MAX || arg_disk_size_relative != UINT64_MAX)
return 1;
}
+static int redirect_bus_mgr(void) {
+ const char *suffix;
+
+ /* Talk to a different service if that's requested. (The same env var is also understood by homed, so
+ * that it is relatively easily possible to invoke a second instance of homed for debug purposes and
+ * have homectl talk to it, without colliding with the host version. This is handy when operating
+ * from a homed-managed account.) */
+
+ suffix = getenv("SYSTEMD_HOME_DEBUG_SUFFIX");
+ if (suffix) {
+ static BusLocator locator = {
+ .path = "/org/freedesktop/home1",
+ .interface = "org.freedesktop.home1.Manager",
+ };
+
+ /* Yes, we leak this memory, but there's little point to collect this, given that we only do
+ * this in a debug environment, do it only once, and the string shall live for out entire
+ * process runtime. */
+
+ locator.destination = strjoin("org.freedesktop.home1.", suffix);
+ if (!locator.destination)
+ return log_oom();
+
+ bus_mgr = &locator;
+ } else
+ bus_mgr = bus_home_mgr;
+
+ return 0;
+}
+
static int run(int argc, char *argv[]) {
static const Verb verbs[] = {
{ "help", VERB_ANY, VERB_ANY, 0, help },
int r;
- log_show_color(true);
- log_parse_environment();
- log_open();
+ log_setup_cli();
+
+ r = redirect_bus_mgr();
+ if (r < 0)
+ return r;
r = parse_argv(argc, argv);
if (r <= 0)
projects / thirdparty / systemd.git / blobdiff