2 * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE)
4 * Copyright (C) 2016-2023 Milan Broz
5 * Copyright (C) 2021-2023 Vojtech Trefny
8 * - generate ssh example token
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 #include <json-c/json.h>
34 #include "libcryptsetup.h"
35 #include "ssh-utils.h"
36 #include "../src/cryptsetup.h"
38 #define TOKEN_NAME "ssh"
40 #define l_err(cd, x...) crypt_logf(cd, CRYPT_LOG_ERROR, x)
41 #define l_dbg(cd, x...) crypt_logf(cd, CRYPT_LOG_DEBUG, x)
43 #define OPT_SSH_SERVER 1
44 #define OPT_SSH_USER 2
45 #define OPT_SSH_PATH 3
46 #define OPT_KEY_PATH 4
48 #define OPT_DEBUG_JSON 6
49 #define OPT_KEY_SLOT 7
51 void tools_cleanup(void)
65 struct crypt_device *cd;
66 json_object *jobj = NULL;
67 json_object *jobj_keyslots = NULL;
68 const char *string_token;
71 r = crypt_init(&cd, device);
75 r = crypt_load(cd, CRYPT_LUKS2, NULL);
77 l_err(cd, _("Device %s is not a valid LUKS device."), device);
82 jobj = json_object_new_object();
86 /* type is mandatory field in all tokens and must match handler name member */
87 json_object_object_add(jobj, "type", json_object_new_string(TOKEN_NAME));
89 jobj_keyslots = json_object_new_array();
91 /* mandatory array field (may be empty and assigned later */
92 json_object_object_add(jobj, "keyslots", jobj_keyslots);
95 json_object_object_add(jobj, "ssh_server", json_object_new_string(server));
96 json_object_object_add(jobj, "ssh_user", json_object_new_string(user));
97 json_object_object_add(jobj, "ssh_path", json_object_new_string(path));
98 json_object_object_add(jobj, "ssh_keypath", json_object_new_string(keypath));
100 string_token = json_object_to_json_string_ext(jobj, JSON_C_TO_STRING_PLAIN);
106 l_dbg(cd, "Token JSON: %s", string_token);
108 r = crypt_token_json_set(cd, CRYPT_ANY_TOKEN, string_token);
110 l_err(cd, _("Failed to write ssh token json."));
115 r = crypt_token_assign_keyslot(cd, token, keyslot);
117 crypt_token_json_set(cd, token, NULL);
121 json_object_put(jobj);
126 const char *argp_program_version = "cryptsetup-ssh " PACKAGE_VERSION;
128 static char doc[] = N_("Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected " \
129 "to an SSH server\v" \
130 "This plugin currently allows only adding a token to an existing key slot.\n\n" \
131 "Specified SSH server must contain a key file on the specified path with " \
132 "a passphrase for an existing key slot on the device.\n" \
133 "Provided credentials will be used by cryptsetup to get the password when " \
134 "opening the device using the token.\n\n" \
135 "Note: The information provided when adding the token (SSH server address, user and paths) " \
136 "will be stored in the LUKS2 header in plaintext.");
138 static char args_doc[] = N_("<action> <device>");
140 static struct argp_option options[] = {
141 {0, 0, 0, 0, N_("Options for the 'add' action:")},
142 {"ssh-server", OPT_SSH_SERVER, "STRING", 0, N_("IP address/URL of the remote server for this token")},
143 {"ssh-user", OPT_SSH_USER, "STRING", 0, N_("Username used for the remote server")},
144 {"ssh-path", OPT_SSH_PATH, "STRING", 0, N_("Path to the key file on the remote server")},
145 {"ssh-keypath", OPT_KEY_PATH, "STRING", 0, N_("Path to the SSH key for connecting to the remote server")},
146 {"key-slot", OPT_KEY_SLOT, "NUM", 0, N_("Keyslot to assign the token to. If not specified, token will "\
147 "be assigned to the first keyslot matching provided passphrase.")},
148 {0, 0, 0, 0, N_("Generic options:")},
149 {"verbose", 'v', 0, 0, N_("Shows more detailed error messages")},
150 {"debug", OPT_DEBUG, 0, 0, N_("Show debug messages")},
151 {"debug-json", OPT_DEBUG_JSON, 0, 0, N_("Show debug messages including JSON metadata")},
152 { NULL, 0, 0, 0, NULL }
169 parse_opt (int key, char *arg, struct argp_state *state) {
170 struct arguments *arguments = state->input;
174 arguments->ssh_server = arg;
177 arguments->ssh_user = arg;
180 arguments->ssh_path = arg;
183 arguments->ssh_keypath = arg;
186 arguments->keyslot = atoi(arg);
189 arguments->verbose = 1;
192 arguments->debug = 1;
195 arguments->debug = 1;
196 arguments->debug_json = 1;
198 case ARGP_KEY_NO_ARGS:
202 arguments->action = arg;
203 arguments->device = state->argv[state->next];
204 state->next = state->argc;
207 return ARGP_ERR_UNKNOWN;
213 static struct argp argp = { options, parse_opt, args_doc, doc };
216 static void _log(int level, const char *msg, void *usrptr)
218 struct arguments *arguments = (struct arguments *)usrptr;
221 case CRYPT_LOG_NORMAL:
222 fprintf(stdout, "%s", msg);
224 case CRYPT_LOG_VERBOSE:
225 if (arguments && arguments->verbose)
226 fprintf(stdout, "%s", msg);
228 case CRYPT_LOG_ERROR:
229 fprintf(stderr, "%s", msg);
231 case CRYPT_LOG_DEBUG_JSON:
232 if (arguments && arguments->debug_json)
233 fprintf(stdout, "# %s", msg);
235 case CRYPT_LOG_DEBUG:
236 if (arguments && arguments->debug)
237 fprintf(stdout, "# %s", msg);
242 static int get_keyslot_for_passphrase(struct arguments *arguments, const char *pin)
247 char *password = NULL;
248 size_t password_len = 0;
249 struct crypt_device *cd = NULL;
250 char *ssh_pass = NULL;
254 r = crypt_init(&cd, arguments->device);
257 crypt_set_log_callback(cd, &_log, arguments);
259 r = ssh_pki_import_privkey_file(arguments->ssh_keypath, pin, NULL, NULL, &pkey);
262 crypt_log(cd, CRYPT_LOG_ERROR, _("Failed to open and import private key:\n"));
266 _log(CRYPT_LOG_ERROR, _("Failed to import private key (password protected?).\n"), NULL);
267 /* TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " */
268 r = asprintf(&prompt, _("%s@%s's password: "), arguments->ssh_user, arguments->ssh_server);
270 crypt_safe_free(ssh_pass);
275 r = tools_get_key(prompt, &ssh_pass, &key_size, 0, 0, NULL, 0, 0, 0, cd);
278 crypt_safe_free(ssh_pass);
283 /* now try again with the password */
284 r = get_keyslot_for_passphrase(arguments, ssh_pass);
286 crypt_safe_free(ssh_pass);
294 ssh = sshplugin_session_init(cd, arguments->ssh_server, arguments->ssh_user);
301 r = sshplugin_public_key_auth(cd, ssh, pkey);
304 if (r != SSH_AUTH_SUCCESS) {
309 r = sshplugin_download_password(cd, ssh, arguments->ssh_path, &password, &password_len);
320 r = crypt_load(cd, CRYPT_LUKS2, NULL);
322 crypt_safe_memzero(password, password_len);
328 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, password, password_len, 0);
330 crypt_safe_memzero(password, password_len);
336 arguments->keyslot = r;
338 crypt_safe_memzero(password, password_len);
345 int main(int argc, char *argv[])
348 struct arguments arguments = { 0 };
349 arguments.keyslot = CRYPT_ANY_SLOT;
351 setlocale(LC_ALL, "");
352 bindtextdomain(PACKAGE, LOCALEDIR);
355 ret = argp_parse (&argp, argc, argv, 0, 0, &arguments);
357 printf(_("Failed to parse arguments.\n"));
361 crypt_set_log_callback(NULL, _log, &arguments);
363 crypt_set_debug_level(CRYPT_DEBUG_ALL);
364 if (arguments.debug_json)
365 crypt_set_debug_level(CRYPT_DEBUG_JSON);
367 if (arguments.action == NULL) {
368 printf(_("An action must be specified\n"));
372 if (strcmp("add", arguments.action) == 0) {
373 if (!arguments.device) {
374 printf(_("Device must be specified for '%s' action.\n"), arguments.action);
378 if (!arguments.ssh_server) {
379 printf(_("SSH server must be specified for '%s' action.\n"), arguments.action);
383 if (!arguments.ssh_user) {
384 printf(_("SSH user must be specified for '%s' action.\n"), arguments.action);
388 if (!arguments.ssh_path) {
389 printf(_("SSH path must be specified for '%s' action.\n"), arguments.action);
393 if (!arguments.ssh_keypath) {
394 printf(_("SSH key path must be specified for '%s' action.\n"), arguments.action);
398 if (arguments.keyslot == CRYPT_ANY_SLOT) {
399 ret = get_keyslot_for_passphrase(&arguments, NULL);
401 printf(_("Failed open %s using provided credentials.\n"), arguments.device);
406 ret = token_add(arguments.device,
407 arguments.ssh_server,
410 arguments.ssh_keypath,
417 printf(_("Only 'add' action is currently supported by this plugin.\n"));