author | Lennart Poettering <lennart@poettering.net> | 2020-08-17 18:19:13 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-08-25 18:14:55 +0200 |
commit | 87d7893cfbdebc86f7d47d090231ca58d44a1e01 (patch) | |
tree | c5884a4482d5f97f1df05054e59128a25b0551fa /src/home/homed-home.c | |
parent | aecbc87df4b51e879cd8dfd753c0e55065b5b338 (diff) | |
download | systemd-87d7893cfbdebc86f7d47d090231ca58d44a1e01.tar.gz |
homed: support recovery keys

For discussion around this see: https://pagure.io/fedora-workstation/issue/82

Recovery keys for homed are very similar to regular passwords, except
that they are exclusively generated by the computer, and not chosen by
the user. The idea is that they are printed or otherwise stored
externally and not what users type in every day.

Taking inspiration from Windows and MacOS this uses 256bit keys. We
format them in 64 yubikey modhex characters, in groups of 8 chars
separated by dashes.

Why yubikey modhex? modhex only uses characters that are located at
the same place in western keyboard designs. This should reduce the
chance for incorrect inputs for a major chunk of our users, though
certainly not all. This is particularly relevant during early boot and
recovery situations, where there's a good chance the keyboard mapping is
not correctly set up.
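
The key format described in the commit message, as an added example that is not systemd's code: 32 key bytes rendered as 64 modhex characters in dash-separated groups of 8, and parsed back from typed input. The function names and the parser's tolerance for upper case and for missing dashes are assumptions of this example; the alphabet is the standard Yubikey modhex set.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 32                      /* 256-bit key, as in the commit message */
#define KEY_TEXT_LEN (KEY_BYTES * 2 + 7)  /* 64 modhex chars + 7 dashes */

/* Yubikey modhex alphabet: nibble value n is written as MODHEX[n]. */
static const char MODHEX[] = "cbdefghijklnrtuv";

/* Format 32 key bytes as 8 dash-separated groups of 8 modhex characters.
 * out must hold KEY_TEXT_LEN + 1 bytes. */
void recovery_key_format(const uint8_t key[KEY_BYTES], char out[KEY_TEXT_LEN + 1]) {
    size_t o = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) {
        if (i > 0 && i % 4 == 0)          /* 4 bytes = 8 characters per group */
            out[o++] = '-';
        out[o++] = MODHEX[key[i] >> 4];
        out[o++] = MODHEX[key[i] & 0x0f];
    }
    out[o] = '\0';
}

/* Parse typed input back into key bytes. Returns 0 on success, -1 on
 * malformed input (non-modhex character, too short, too long).
 * Assumption of this example: upper case and missing dashes are tolerated. */
int recovery_key_parse(const char *s, uint8_t key[KEY_BYTES]) {
    uint8_t tmp[KEY_BYTES] = {0};
    size_t nibbles = 0;
    for (; *s; s++) {
        if (*s == '-')
            continue;
        const char *p = strchr(MODHEX, tolower((unsigned char) *s));
        if (!p || nibbles >= KEY_BYTES * 2)
            return -1;
        uint8_t v = (uint8_t) (p - MODHEX);
        tmp[nibbles / 2] |= (nibbles % 2 == 0) ? (uint8_t) (v << 4) : v;
        nibbles++;
    }
    if (nibbles != KEY_BYTES * 2)
        return -1;
    memcpy(key, tmp, KEY_BYTES);          /* only touch the output on success */
    return 0;
}
```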
Diffstat (limited to 'src/home/homed-home.c')
-rw-r--r-- | src/home/homed-home.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/home/homed-home.c b/src/home/homed-home.c index 45c2152531..367ac21633 100644 --- a/src/home/homed-home.c +++ b/src/home/homed-home.c @@ -454,6 +454,8 @@ static int convert_worker_errno(Home *h, int e, sd_bus_error *error) { return sd_bus_error_setf(error, BUS_ERROR_BAD_PASSWORD, "Password for home %s is incorrect or not sufficient for authentication.", h->user_name); case -EBADSLT: return sd_bus_error_setf(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN, "Password for home %s is incorrect or not sufficient, and configured security token not found either.", h->user_name); + case -EREMOTEIO: + return sd_bus_error_setf(error, BUS_ERROR_BAD_RECOVERY_KEY, "Recovery key for home %s is incorrect or not sufficient for authentication.", h->user_name); case -ENOANO: return sd_bus_error_setf(error, BUS_ERROR_TOKEN_PIN_NEEDED, "PIN for security token required."); case -ERFKILL: |
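
Review bot: the new `case -EREMOTEIO:` in convert_worker_errno() reuses an errno whose conventional meaning (remote I/O error) is unrelated to recovery keys, and nothing in the hunk documents that convention. The neighbouring cases (`-EBADSLT`, `-ENOANO`, `-ERFKILL`) show that errnos are being repurposed as private signals here, so a genuine remote I/O failure surfacing through this path would be reported to the caller as "Recovery key for home %s is incorrect or not sufficient for authentication." A one-line comment above the case naming what emits `-EREMOTEIO`, or a pointer to where the mapping is documented, would make that assumption reviewable. Separately, this case returns the new `BUS_ERROR_BAD_RECOVERY_KEY` rather than `BUS_ERROR_BAD_PASSWORD`; the diff is limited to this file, so it is worth confirming that existing clients which re-prompt on the bad-password error also handle the new one, and that it is documented alongside the other bus errors.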