
I noticed that with the Linux pam-u2f module whether you are required to input your PIN can be changed by simply editing the ~/.config/Yubico/u2f_keys file and either adding +pin to your configuration line or removing it from there. This led me to wonder if it is also possible to bypass the PIN requirement of a LUKS device protected by a FIDO token (enrolled with systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/DEVICE) with some hex editor magic?

According to my rudimentary experimentation this is not possible, however what I would like to understand is why this (probably?) is not possible. What is really happening under the hood?

  • I don't have a Fido token nor the module, but I would assume the PIN option on the config file is to allow you to load the module unattended. If you don't put the PIN, it will probably ask you to enter the PIN. Without the PIN, the Fido token will not unlock. Commented 14 hours ago

1 Answer


You cannot bypass the PIN requirement, because it's baked into the volume key itself.

Under the hood, systemd-cryptenroll generates its FIDO2-based volume keys by obtaining a shared secret from the authenticator through the HMAC Secret Extension. The authenticator calculates the secret with HMAC-SHA-256(CredRandom, salt1), where salt1 is a platform-provided salt, and CredRandom is one of two possible values: If the authenticator has been asked to perform user verification (in your case with a PIN) and has done so successfully, then it chooses CredRandomWithUV, a random value known only to the authenticator. Otherwise, it chooses CredRandomWithoutUV, a different random value. So depending on whether the user has been verified, the authenticator produces two different HMAC Secrets. This in turn leads to different volume keys.

As the feature is implemented by the authenticator itself, it cannot be changed with a systemd configuration or modification. A PIN-protected key will always be different from a key without PIN protection.
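
To make the mechanism in the answer concrete, here is an added toy model written for this page; it is not systemd's, cryptsetup's or libfido2's code. The Authenticator class, the enroll/unlock functions and the volume_key derivation are illustrative, and the CTAP2 wire protocol is simplified as noted in the docstring (the PIN is passed directly rather than via pinUvAuthToken, and the salt is not encrypted under an ECDH shared secret). The relying-party ID is systemd's default for cryptenroll. The part that is faithful is the one the answer hinges on: each credential holds two independent CredRandom values, and the authenticator chooses between them based on whether it verified the user, not on anything the platform's stored metadata claims.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Toy model of a CTAP2 authenticator with the hmac-secret extension.

    Simplified (not the real wire format): the PIN is passed directly instead
    of via pinUvAuthToken/pinUvAuthParam, and the salt travels in the clear
    instead of encrypted under an ECDH shared secret.  Faithful part: two
    per-credential secrets, selected by the authenticator's own UV result.
    """

    def __init__(self, pin=None):
        self._pin = pin.encode() if pin is not None else None
        self._creds = {}

    def make_credential(self, rp_id):
        cred_id = secrets.token_bytes(16)
        self._creds[cred_id] = {
            "rp": rp_id,
            # CredRandomWithUV / CredRandomWithoutUV: generated at
            # makeCredential time and never exported from the authenticator.
            "cred_random_uv": secrets.token_bytes(32),
            "cred_random_no_uv": secrets.token_bytes(32),
        }
        return cred_id

    def get_assertion(self, rp_id, cred_id, salt, pin=None):
        """Return (uv_flag, hmac_secret) for this credential and salt."""
        cred = self._creds[cred_id]
        if cred["rp"] != rp_id:
            raise ValueError("credential was not created for this RP")
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be 32 bytes")
        uv = False
        if pin is not None:
            if self._pin is None or not hmac.compare_digest(pin.encode(), self._pin):
                raise PermissionError("PIN verification failed")
            uv = True
        cred_random = cred["cred_random_uv"] if uv else cred["cred_random_no_uv"]
        return uv, hmac.new(cred_random, salt, hashlib.sha256).digest()


RP_ID = "io.systemd.cryptsetup"  # systemd-cryptenroll's default relying-party ID


def volume_key(hmac_secret):
    # systemd feeds the hmac-secret output (base64-encoded) to LUKS as the
    # passphrase; hashing it here just gives a printable stand-in for the key.
    return hashlib.sha256(b"volume-key:" + hmac_secret).hexdigest()


def enroll(auth, pin=None):
    """Model of systemd-cryptenroll --fido2-device=auto [--fido2-with-client-pin=yes].

    Returns what ends up in the LUKS2 header token (credential ID, salt and the
    PIN-required flag) together with the key that the keyslot was bound to.
    """
    cred_id = auth.make_credential(RP_ID)
    salt = secrets.token_bytes(32)
    uv, secret = auth.get_assertion(RP_ID, cred_id, salt, pin)
    token = {"rp": RP_ID, "credential": cred_id, "salt": salt, "pin_required": uv}
    return token, volume_key(secret)


def unlock(auth, token, pin=None):
    """Model of the unlock path: the PIN is only sent if the header says so."""
    _, secret = auth.get_assertion(
        token["rp"], token["credential"], token["salt"],
        pin if token["pin_required"] else None,
    )
    return volume_key(secret)


def demonstrate():
    """Enrol with a PIN, then try to 'hex-edit' the PIN requirement away."""
    auth = Authenticator(pin="1234")
    token, enrolled_key = enroll(auth, pin="1234")

    honest_unlock = unlock(auth, token, pin="1234")
    tampered = dict(token, pin_required=False)  # the hex-editor change
    tampered_unlock = unlock(auth, tampered)    # no PIN sent, so no UV

    try:
        unlock(auth, token, pin="0000")
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True

    return {
        "honest_unlock_matches": honest_unlock == enrolled_key,
        "tampered_unlock_matches": tampered_unlock == enrolled_key,
        "wrong_pin_rejected": wrong_pin_rejected,
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Flipping pin_required in the stored metadata only changes what the platform asks for; the authenticator then answers from CredRandomWithoutUV and the derived key no longer matches the keyslot, which is exactly the "not possible" result reported in the question. The same holds for the real LUKS2 header: the salt and the PIN/UV flags that systemd writes there are inputs to the platform's request, not to the authenticator's choice of secret. The only way to obtain the UV-bound secret is to have the authenticator itself verify the PIN.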
