I recently got a new Yubikey NEO with firmware version 3.3, which supports U2F, OTP and CCID at the same time! I’m now using it as a hardware token for 2-factor authentication on websites. I also thought about what else I could use it for. Opening a LUKS device at boot time would be really nice. I searched the web a little, but there was not much I could use for my Fedora. At last I found the project from eworm on GitHub, who wrote a C program which is a systemd-ask-tty agent and answers the password via systemd. What was missing was a dracut module to make it run on Fedora.
I had never written a module for dracut, and this was a good challenge to get into it. Now, how it works:
The YubiKey is set up in challenge-response mode, normally in slot 2. After that, a script generates a challenge, sends it to the YubiKey and sets the response as the LUKS key. The challenge is saved in a non-encrypted place (like /boot) and included in the initramfs (through dracut). At boot time, the ask-password agent is started, gets the right challenge, sends it to the YubiKey and answers the password for the LUKS open.
The documentation for dracut was not easy to find and read, because there is not much of it. So I had to figure out a lot by myself and with the support of the #dracut channel on IRC.
Now, this is cool, but it is not 2FA. I haven’t figured out yet how to add a password and combine the two. I would also like to improve it so that the challenge is changed on every boot (without regenerating the initramfs).
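To make the flow concrete, here is an added example that walks through the enrolment and boot-time steps described above, plus the per-boot challenge rotation wished for at the end. It is not eworm's code and not the dracut module this post is about. It assumes slot 2 of the key is programmed for HMAC-SHA1 challenge-response; with a key attached, the `ykchalresp` tool from yubikey-personalization computes the response, and without one a small emulator with a constructed test secret stands in (a real key never exposes its secret, which is the whole point). The class and function names are mine, and cryptsetup is not executed; the commands that would consume the derived key are named in the docstrings.

```python
"""Challenge-response LUKS key flow (added example, not the project's code)."""
import hashlib
import hmac
import secrets
import subprocess
import tempfile
from pathlib import Path


class EmulatedYubiKey:
    """Stand-in for a YubiKey slot in HMAC-SHA1 challenge-response mode.

    The secret lives here only so the flow can run offline; a real key keeps
    it inside the hardware, so the stored challenge alone is worthless.
    """

    def __init__(self, secret: bytes):
        self.secret = secret  # constructed test secret, 20 bytes like the slot

    def response(self, challenge: bytes) -> bytes:
        # The key answers HMAC-SHA1(secret, challenge): 20 bytes.
        return hmac.new(self.secret, challenge, hashlib.sha1).digest()


class HardwareYubiKey:
    """Talks to an attached key via `ykchalresp -<slot> -x <hex challenge>`."""

    def __init__(self, slot: int = 2):
        self.slot = slot

    def response(self, challenge: bytes) -> bytes:
        out = subprocess.run(
            ["ykchalresp", f"-{self.slot}", "-x", challenge.hex()],
            check=True, capture_output=True, text=True,
        ).stdout
        return bytes.fromhex(out.strip())


def luks_key(response: bytes) -> bytes:
    """The LUKS passphrase is the hex-encoded response (40 ASCII chars),
    matching what ykchalresp prints."""
    return response.hex().encode("ascii")


def enroll(token, challenge_file: Path) -> bytes:
    """Generate a challenge, store it in plaintext (e.g. under /boot) and
    return the key to add with `cryptsetup luksAddKey <device> <newkeyfile>`."""
    challenge = secrets.token_bytes(32)  # 32 bytes is within the slot's 64-byte limit
    challenge_file.write_text(challenge.hex() + "\n")
    return luks_key(token.response(challenge))


def boot_unlock(token, challenge_file: Path) -> bytes:
    """What the ask-password agent does at boot: read the stored challenge,
    ask the key, and feed the result to `cryptsetup luksOpen --key-file=-`."""
    challenge = bytes.fromhex(challenge_file.read_text().strip())
    return luks_key(token.response(challenge))


def rotate(token, challenge_file: Path) -> tuple[bytes, bytes]:
    """Per-boot rotation: derive a fresh challenge/response pair and return
    (old_key, new_key). The caller would luksAddKey the new key, luksRemoveKey
    the old one and overwrite the stored challenge; this only avoids rebuilding
    the initramfs if the agent reads the challenge from a mounted /boot rather
    than from a copy inside the initramfs (an assumption of this example)."""
    old_key = boot_unlock(token, challenge_file)
    new_key = enroll(token, challenge_file)
    return old_key, new_key


def demo() -> dict:
    """Run enroll -> boot unlock -> rotate against the emulator in a temp dir."""
    token = EmulatedYubiKey(secrets.token_bytes(20))
    with tempfile.TemporaryDirectory() as d:
        cf = Path(d) / "yubikey-challenge"
        enrolled = enroll(token, cf)
        stored = cf.read_text().strip()
        unlocked = boot_unlock(token, cf)
        old, new = rotate(token, cf)
        after = boot_unlock(token, cf)
    return {"enrolled": enrolled, "stored_challenge": stored, "unlocked": unlocked,
            "old": old, "new": new, "after_rotation": after}


if __name__ == "__main__":
    r = demo()
    print("stored challenge:", r["stored_challenge"])
    print("key at enrol == key at boot:", r["enrolled"] == r["unlocked"])
    print("key changed by rotation:", r["new"] != r["old"])
```

Swap `EmulatedYubiKey` for `HardwareYubiKey()` to run the same enrolment against a real key. The security-relevant point the code makes visible: the challenge in /boot is public, so the scheme is exactly one factor (possession of the key), which is why the post rightly calls it "not 2FA".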