X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=blobdiff_plain;f=src%2Fhome%2Fhomectl.c;fp=src%2Fhome%2Fhomectl.c;h=74c967eb265cbc3895c482fc3aac58c716dcee35;hp=47a506f5e0a4f4b56f0e80f723036ae4f9ca7af4;hb=071be2fa9fe3fbc870a69afe6d44818d8980eb6c;hpb=33d943d168319dcda321d4a758fba8de81c2d0d4 diff --git a/src/home/homectl.c b/src/home/homectl.c index 47a506f5e0a..74c967eb265 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c @@ -4,7 +4,6 @@ #include "sd-bus.h" -#include "alloc-util.h" #include "ask-password-api.h" #include "bus-common-errors.h" #include "bus-error.h" @@ -15,15 +14,12 @@ #include "fd-util.h" #include "fileio.h" #include "format-table.h" -#include "format-util.h" -#include "fs-util.h" -#include "hexdecoct.h" #include "home-util.h" -#include "libcrypt-util.h" +#include "homectl-fido2.h" +#include "homectl-pkcs11.h" #include "locale-util.h" #include "main-func.h" #include "memory-util.h" -#include "openssl-util.h" #include "pager.h" #include "parse-util.h" #include "path-util.h" @@ -31,7 +27,6 @@ #include "pretty-print.h" #include "process-util.h" #include "pwquality-util.h" -#include "random-util.h" #include "rlimit-util.h" #include "spawn-polkit-agent.h" #include "terminal-util.h" @@ -56,6 +51,7 @@ static char **arg_identity_filter_rlimits = NULL; static uint64_t arg_disk_size = UINT64_MAX; static uint64_t arg_disk_size_relative = UINT64_MAX; static char **arg_pkcs11_token_uri = NULL; +static char **arg_fido2_device = NULL; static bool arg_json = false; static JsonFormatFlags arg_json_format_flags = 0; static bool arg_and_resize = false; @@ -73,6 +69,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_identity_extra_rlimits, json_variant_unrefp); STATIC_DESTRUCTOR_REGISTER(arg_identity_filter, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_identity_filter_rlimits, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, strv_freep); +STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, strv_freep); static bool identity_properties_specified(void) { return @@ -83,7 +80,8 @@ static bool identity_properties_specified(void) { !json_variant_is_blank_object(arg_identity_extra_rlimits) || !strv_isempty(arg_identity_filter) || !strv_isempty(arg_identity_filter_rlimits) || - !strv_isempty(arg_pkcs11_token_uri); + !strv_isempty(arg_pkcs11_token_uri) || + !strv_isempty(arg_fido2_device); } static int acquire_bus(sd_bus **bus) { @@ -236,7 +234,7 @@ static int acquire_existing_password(const char *user_name, UserRecord *hr, bool return 0; } -static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { +static int acquire_token_pin(const char *user_name, UserRecord *hr) { _cleanup_(strv_free_erasep) char **pin = NULL; _cleanup_free_ char *question = NULL; char *e; @@ -247,9 +245,9 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { e = getenv("PIN"); if (e) { - r = user_record_set_pkcs11_pin(hr, STRV_MAKE(e), false); + r = user_record_set_token_pin(hr, STRV_MAKE(e), false); if (r < 0) - return log_error_errno(r, "Failed to store PKCS#11 PIN: %m"); + return log_error_errno(r, "Failed to store token PIN: %m"); string_erase(e); @@ -263,11 +261,11 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { return log_oom(); /* We never cache or use cached PINs, since usually there are only very few attempts allowed before the PIN is blocked */ - r = ask_password_auto(question, "user-home", NULL, "pkcs11-pin", USEC_INFINITY, 0, &pin); + r = ask_password_auto(question, "user-home", NULL, "token-pin", USEC_INFINITY, 0, &pin); if (r < 0) return log_error_errno(r, "Failed to acquire security token PIN: %m"); - r = user_record_set_pkcs11_pin(hr, pin, false); + r = user_record_set_token_pin(hr, pin, false); if (r < 0) return log_error_errno(r, "Failed to store security token PIN: %m"); @@ -315,26 +313,38 @@ static int handle_generic_user_record_error( } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) { - log_notice("Please authenticate physically on security token."); + log_notice("%s%sPlease authenticate physically on security token.", + emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "", + emoji_enabled() ? " " : ""); r = user_record_set_pkcs11_protected_authentication_path_permitted(hr, true); if (r < 0) return log_error_errno(r, "Failed to set PKCS#11 protected authentication path permitted flag: %m"); + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { + + log_notice("%s%sAuthentication requires presence verification on security token.", + emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "", + emoji_enabled() ? " " : ""); + + r = user_record_set_fido2_user_presence_permitted(hr, true); + if (r < 0) + return log_error_errno(r, "Failed to set FIDO2 user presence permitted flag: %m"); + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_LOCKED)) - return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Security token PIN is locked, please unlock security token PIN first."); + return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Security token PIN is locked, please unlock it first. (Hint: Removal and re-insertion might suffice.)"); else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) { log_notice("Security token PIN incorrect, please try again."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -342,7 +352,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only a few tries left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -350,7 +360,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only one try left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; } else @@ -889,336 +899,6 @@ static int add_disposition(JsonVariant **v) { return 1; } -struct pkcs11_callback_data { - char *pin_used; - X509 *cert; -}; - -static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) { - erase_and_free(data->pin_used); - X509_free(data->cert); -} - -#if HAVE_P11KIT -static int pkcs11_callback( - CK_FUNCTION_LIST *m, - CK_SESSION_HANDLE session, - CK_SLOT_ID slot_id, - const CK_SLOT_INFO *slot_info, - const CK_TOKEN_INFO *token_info, - P11KitUri *uri, - void *userdata) { - - _cleanup_(erase_and_freep) char *pin_used = NULL; - struct pkcs11_callback_data *data = userdata; - CK_OBJECT_HANDLE object; - int r; - - assert(m); - assert(slot_info); - assert(token_info); - assert(uri); - assert(data); - - /* Called for every token matching our URI */ - - r = pkcs11_token_login(m, session, slot_id, token_info, "home directory operation", "user-home", "pkcs11-pin", UINT64_MAX, &pin_used); - if (r < 0) - return r; - - r = pkcs11_token_find_x509_certificate(m, session, uri, &object); - if (r < 0) - return r; - - r = pkcs11_token_read_x509_certificate(m, session, object, &data->cert); - if (r < 0) - return r; - - /* Let's read some random data off the token and write it to the kernel pool before we generate our - * random key from it. This way we can claim the quality of the RNG is at least as good as the - * kernel's and the token's pool */ - (void) pkcs11_token_acquire_rng(m, session); - - data->pin_used = TAKE_PTR(pin_used); - return 1; -} -#endif - -static int acquire_pkcs11_certificate( - const char *uri, - X509 **ret_cert, - char **ret_pin_used) { - -#if HAVE_P11KIT - _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {}; - int r; - - r = pkcs11_find_token(uri, pkcs11_callback, &data); - if (r == -EAGAIN) /* pkcs11_find_token() doesn't log about this error, but all others */ - return log_error_errno(ENXIO, "Specified PKCS#11 token with URI '%s' not found.", uri); - if (r < 0) - return r; - - *ret_cert = TAKE_PTR(data.cert); - *ret_pin_used = TAKE_PTR(data.pin_used); - - return 0; -#else - return log_error_errno(EOPNOTSUPP, "PKCS#11 tokens not supported on this build."); -#endif -} - -static int encrypt_bytes( - EVP_PKEY *pkey, - const void *decrypted_key, - size_t decrypted_key_size, - void **ret_encrypt_key, - size_t *ret_encrypt_key_size) { - - _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = NULL; - _cleanup_free_ void *b = NULL; - size_t l; - - ctx = EVP_PKEY_CTX_new(pkey, NULL); - if (!ctx) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to allocate public key context"); - - if (EVP_PKEY_encrypt_init(ctx) <= 0) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize public key context"); - - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to configure PKCS#1 padding"); - - if (EVP_PKEY_encrypt(ctx, NULL, &l, decrypted_key, decrypted_key_size) <= 0) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size"); - - b = malloc(l); - if (!b) - return log_oom(); - - if (EVP_PKEY_encrypt(ctx, b, &l, decrypted_key, decrypted_key_size) <= 0) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size"); - - *ret_encrypt_key = TAKE_PTR(b); - *ret_encrypt_key_size = l; - - return 0; -} - -static int add_pkcs11_pin(JsonVariant **v, const char *pin) { - _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; - _cleanup_(strv_free_erasep) char **pins = NULL; - int r; - - assert(v); - - if (isempty(pin)) - return 0; - - w = json_variant_ref(json_variant_by_key(*v, "secret")); - l = json_variant_ref(json_variant_by_key(w, "pkcs11Pin")); - - r = json_variant_strv(l, &pins); - if (r < 0) - return log_error_errno(r, "Failed to convert PIN array: %m"); - - if (strv_find(pins, pin)) - return 0; - - r = strv_extend(&pins, pin); - if (r < 0) - return log_oom(); - - strv_uniq(pins); - - l = json_variant_unref(l); - - r = json_variant_new_array_strv(&l, pins); - if (r < 0) - return log_error_errno(r, "Failed to allocate new PIN array JSON: %m"); - - json_variant_sensitive(l); - - r = json_variant_set_field(&w, "pkcs11Pin", l); - if (r < 0) - return log_error_errno(r, "Failed to update PIN field: %m"); - - r = json_variant_set_field(v, "secret", w); - if (r < 0) - return log_error_errno(r, "Failed to update secret object: %m"); - - return 1; -} - -static int add_pkcs11_encrypted_key( - JsonVariant **v, - const char *uri, - const void *encrypted_key, size_t encrypted_key_size, - const void *decrypted_key, size_t decrypted_key_size) { - - _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; - _cleanup_(erase_and_freep) char *base64_encoded = NULL; - _cleanup_free_ char *salt = NULL; - struct crypt_data cd = {}; - char *k; - int r; - - assert(v); - assert(uri); - assert(encrypted_key); - assert(encrypted_key_size > 0); - assert(decrypted_key); - assert(decrypted_key_size > 0); - - r = make_salt(&salt); - if (r < 0) - return log_error_errno(r, "Failed to generate salt: %m"); - - /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends - * expect a NUL terminated string, and we use a binary key */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); - - errno = 0; - k = crypt_r(base64_encoded, salt, &cd); - if (!k) - return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m"); - - r = json_build(&e, JSON_BUILD_OBJECT( - JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)), - JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)), - JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(k)))); - if (r < 0) - return log_error_errno(r, "Failed to build encrypted JSON key object: %m"); - - w = json_variant_ref(json_variant_by_key(*v, "privileged")); - l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey")); - - r = json_variant_append_array(&l, e); - if (r < 0) - return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m"); - - r = json_variant_set_field(&w, "pkcs11EncryptedKey", l); - if (r < 0) - return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m"); - - r = json_variant_set_field(v, "privileged", w); - if (r < 0) - return log_error_errno(r, "Failed to update privileged field: %m"); - - return 0; -} - -static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) { - _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; - _cleanup_strv_free_ char **l = NULL; - int r; - - assert(v); - assert(uri); - - w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri")); - if (w) { - r = json_variant_strv(w, &l); - if (r < 0) - return log_error_errno(r, "Failed to parse PKCS#11 token list: %m"); - - if (strv_contains(l, uri)) - return 0; - } - - r = strv_extend(&l, uri); - if (r < 0) - return log_oom(); - - w = json_variant_unref(w); - r = json_variant_new_array_strv(&w, l); - if (r < 0) - return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m"); - - r = json_variant_set_field(v, "pkcs11TokenUri", w); - if (r < 0) - return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m"); - - return 0; -} - -static int add_pkcs11_key_data(JsonVariant **v, const char *uri) { - _cleanup_(erase_and_freep) void *decrypted_key = NULL, *encrypted_key = NULL; - _cleanup_(erase_and_freep) char *pin = NULL; - size_t decrypted_key_size, encrypted_key_size; - _cleanup_(X509_freep) X509 *cert = NULL; - EVP_PKEY *pkey; - RSA *rsa; - int bits; - int r; - - assert(v); - - r = acquire_pkcs11_certificate(uri, &cert, &pin); - if (r < 0) - return r; - - pkey = X509_get0_pubkey(cert); - if (!pkey) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate."); - - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) - return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key."); - - rsa = EVP_PKEY_get0_RSA(pkey); - if (!rsa) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate."); - - bits = RSA_bits(rsa); - log_debug("Bits in RSA key: %i", bits); - - /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only - * generate a random key half the size of the RSA length */ - decrypted_key_size = bits / 8 / 2; - - if (decrypted_key_size < 1) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Uh, RSA key size too short?"); - - log_debug("Generating %zu bytes random key.", decrypted_key_size); - - decrypted_key = malloc(decrypted_key_size); - if (!decrypted_key) - return log_oom(); - - r = genuine_random_bytes(decrypted_key, decrypted_key_size, RANDOM_BLOCK); - if (r < 0) - return log_error_errno(r, "Failed to generate random key: %m"); - - r = encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size); - if (r < 0) - return log_error_errno(r, "Failed to encrypt key: %m"); - - /* Add the token URI to the public part of the record. */ - r = add_pkcs11_token_uri(v, uri); - if (r < 0) - return r; - - /* Include the encrypted version of the random key we just generated in the privileged part of the record */ - r = add_pkcs11_encrypted_key( - v, - uri, - encrypted_key, encrypted_key_size, - decrypted_key, decrypted_key_size); - if (r < 0) - return r; - - /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed - * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or - * fscrypt. */ - r = add_pkcs11_pin(v, pin); - if (r < 0) - return r; - - return 0; -} - static int acquire_new_home_record(UserRecord **ret) { _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; _cleanup_(user_record_unrefp) UserRecord *hr = NULL; @@ -1246,7 +926,13 @@ static int acquire_new_home_record(UserRecord **ret) { return r; STRV_FOREACH(i, arg_pkcs11_token_uri) { - r = add_pkcs11_key_data(&v, *i); + r = identity_add_pkcs11_key_data(&v, *i); + if (r < 0) + return r; + } + + STRV_FOREACH(i, arg_fido2_device) { + r = identity_add_fido2_parameters(&v, *i); if (r < 0) return r; } @@ -1423,7 +1109,7 @@ static int create_home(int argc, char *argv[], void *userdata) { r = json_variant_format(hr->json, 0, &formatted); if (r < 0) - return r; + return log_error_errno(r, "Failed to format user record: %m"); r = bus_message_new_method_call(bus, &m, bus_home_mgr, "CreateHome"); if (r < 0) @@ -1437,25 +1123,28 @@ static int create_home(int argc, char *argv[], void *userdata) { r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL); if (r < 0) { - if (!sd_bus_error_has_name(&error, BUS_ERROR_LOW_PASSWORD_QUALITY)) - return log_error_errno(r, "Failed to create user home: %s", bus_error_message(&error, r)); - - log_error_errno(r, "%s", bus_error_message(&error, r)); - log_info("(Use --enforce-password-policy=no to turn off password quality checks for this account.)"); - } else - break; /* done */ + if (sd_bus_error_has_name(&error, BUS_ERROR_LOW_PASSWORD_QUALITY)) { + log_error_errno(r, "%s", bus_error_message(&error, r)); + log_info("(Use --enforce-password-policy=no to turn off password quality checks for this account.)"); - r = user_record_set_hashed_password(hr, original_hashed_passwords); - if (r < 0) - return r; + r = user_record_set_hashed_password(hr, original_hashed_passwords); + if (r < 0) + return r; - r = acquire_new_password(hr->user_name, hr, /* suggest = */ false); - if (r < 0) - return r; + r = acquire_new_password(hr->user_name, hr, /* suggest = */ false); + if (r < 0) + return r; - r = user_record_make_hashed_password(hr, hr->password, /* extend = */ true); - if (r < 0) - return log_error_errno(r, "Failed to hash passwords: %m"); + r = user_record_make_hashed_password(hr, hr->password, /* extend = */ true); + if (r < 0) + return log_error_errno(r, "Failed to hash passwords: %m"); + } else { + r = handle_generic_user_record_error(hr->user_name, hr, &error, r, false); + if (r < 0) + return r; + } + } else + break; /* done */ } return 0; @@ -1566,14 +1255,20 @@ static int acquire_updated_home_record( return r; STRV_FOREACH(i, arg_pkcs11_token_uri) { - r = add_pkcs11_key_data(&json, *i); + r = identity_add_pkcs11_key_data(&json, *i); + if (r < 0) + return r; + } + + STRV_FOREACH(i, arg_fido2_device) { + r = identity_add_fido2_parameters(&json, *i); if (r < 0) return r; } /* If the user supplied a full record, then add in lastChange, but do not override. Otherwise always * override. */ - r = update_last_change(&json, !!arg_pkcs11_token_uri, !arg_identity); + r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device, !arg_identity); if (r < 0) return r; @@ -1592,6 +1287,26 @@ static int acquire_updated_home_record( return 0; } +static int home_record_reset_human_interaction_permission(UserRecord *hr) { + int r; + + assert(hr); + + /* When we execute multiple operations one after the other, let's reset the permission to ask the + * user each time, so that if interaction is necessary we will be told so again and thus can print a + * nice message to the user, telling the user so. */ + + r = user_record_set_pkcs11_protected_authentication_path_permitted(hr, -1); + if (r < 0) + return log_error_errno(r, "Failed to reset PKCS#11 protected authentication path permission flag: %m"); + + r = user_record_set_fido2_user_presence_permitted(hr, -1); + if (r < 0) + return log_error_errno(r, "Failed to reset FIDO2 user presence permission flag: %m"); + + return 0; +} + static int update_home(int argc, char *argv[], void *userdata) { _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; _cleanup_(user_record_unrefp) UserRecord *hr = NULL; @@ -1620,6 +1335,12 @@ static int update_home(int argc, char *argv[], void *userdata) { if (r < 0) return r; + /* If we do multiple operations, let's output things more verbosely, since otherwise the repeated + * authentication might be confusing. */ + + if (arg_and_resize || arg_and_change_password) + log_info("Updating home directory."); + for (;;) { _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; @@ -1631,7 +1352,7 @@ static int update_home(int argc, char *argv[], void *userdata) { r = json_variant_format(hr->json, 0, &formatted); if (r < 0) - return r; + return log_error_errno(r, "Failed to format user record: %m"); (void) sd_bus_message_sensitive(m); @@ -1655,13 +1376,16 @@ static int update_home(int argc, char *argv[], void *userdata) { break; } + if (arg_and_resize) + log_info("Resizing home."); + + (void) home_record_reset_human_interaction_permission(hr); + /* Also sync down disk size to underlying LUKS/fscrypt/quota */ while (arg_and_resize) { _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; - log_debug("Resizing"); - r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ResizeHome"); if (r < 0) return bus_log_create_error(r); @@ -1688,13 +1412,16 @@ static int update_home(int argc, char *argv[], void *userdata) { break; } + if (arg_and_change_password) + log_info("Synchronizing passwords and encryption keys."); + + (void) home_record_reset_human_interaction_permission(hr); + /* Also sync down passwords to underlying LUKS/fscrypt */ while (arg_and_change_password) { _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; - log_debug("Propagating password"); - r = bus_message_new_method_call(bus, &m, bus_home_mgr, "ChangePasswordHome"); if (r < 0) return bus_log_create_error(r); @@ -1732,6 +1459,8 @@ static int passwd_home(int argc, char *argv[], void *userdata) { if (arg_pkcs11_token_uri) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "To change the PKCS#11 security token use 'homectl update --pkcs11-token-uri=…'."); + if (arg_fido2_device) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "To change the FIDO2 security token use 'homectl update --fido2-device=…'."); if (identity_properties_specified()) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "The 'passwd' verb does not permit changing other record properties at the same time."); @@ -2182,6 +1911,8 @@ static int help(int argc, char *argv[], void *userdata) { " Specify SSH public keys\n" " --pkcs11-token-uri=URI URI to PKCS#11 security token containing\n" " private key and matching X.509 certificate\n" + " --fido2-device=PATH Path to FIDO2 hidraw device with hmac-secret\n" + " extension\n" "\n%4$sAccount Management User Record Properties:%5$s\n" " --locked=BOOL Set locked account state\n" " --not-before=TIMESTAMP Do not allow logins before\n" @@ -2328,6 +2059,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_EXPORT_FORMAT, ARG_AUTO_LOGIN, ARG_PKCS11_TOKEN_URI, + ARG_FIDO2_DEVICE, ARG_AND_RESIZE, ARG_AND_CHANGE_PASSWORD, }; @@ -2405,6 +2137,7 @@ static int parse_argv(int argc, char *argv[]) { { "json", required_argument, NULL, ARG_JSON }, { "export-format", required_argument, NULL, ARG_EXPORT_FORMAT }, { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI }, + { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, { "and-resize", required_argument, NULL, ARG_AND_RESIZE }, { "and-change-password", required_argument, NULL, ARG_AND_CHANGE_PASSWORD }, {} @@ -3365,6 +3098,9 @@ static int parse_argv(int argc, char *argv[]) { case ARG_PKCS11_TOKEN_URI: { const char *p; + if (streq(optarg, "list")) + return list_pkcs11_tokens(); + /* If --pkcs11-token-uri= is specified we always drop everything old */ FOREACH_STRING(p, "pkcs11TokenUri", "pkcs11EncryptedKey") { r = drop_from_identity(p); @@ -3377,10 +3113,19 @@ static int parse_argv(int argc, char *argv[]) { break; } - if (!pkcs11_uri_valid(optarg)) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg); + if (streq(optarg, "auto")) { + _cleanup_free_ char *found = NULL; + + r = find_pkcs11_token_auto(&found); + if (r < 0) + return r; + r = strv_consume(&arg_pkcs11_token_uri, TAKE_PTR(found)); + } else { + if (!pkcs11_uri_valid(optarg)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg); - r = strv_extend(&arg_pkcs11_token_uri, optarg); + r = strv_extend(&arg_pkcs11_token_uri, optarg); + } if (r < 0) return r; @@ -3388,6 +3133,41 @@ static int parse_argv(int argc, char *argv[]) { break; } + case ARG_FIDO2_DEVICE: { + const char *p; + + if (streq(optarg, "list")) + return list_fido2_devices(); + + FOREACH_STRING(p, "fido2HmacCredential", "fido2HmacSalt") { + r = drop_from_identity(p); + if (r < 0) + return r; + } + + if (isempty(optarg)) { + arg_fido2_device = strv_free(arg_fido2_device); + break; + } + + if (streq(optarg, "auto")) { + _cleanup_free_ char *found = NULL; + + r = find_fido2_auto(&found); + if (r < 0) + return r; + + r = strv_consume(&arg_fido2_device, TAKE_PTR(found)); + } else + r = strv_extend(&arg_fido2_device, optarg); + + if (r < 0) + return r; + + strv_uniq(arg_fido2_device); + break; + } + case 'j': arg_json = true; arg_json_format_flags = JSON_FORMAT_PRETTY_AUTO|JSON_FORMAT_COLOR_AUTO; @@ -3458,7 +3238,7 @@ static int parse_argv(int argc, char *argv[]) { } } - if (!strv_isempty(arg_pkcs11_token_uri)) + if (!strv_isempty(arg_pkcs11_token_uri) || !strv_isempty(arg_fido2_device)) arg_and_change_password = true; if (arg_disk_size != UINT64_MAX || arg_disk_size_relative != UINT64_MAX)