now share a single luks keyslot.
This is achieved by having multiple lines per storage file, one for each user (if the feature is enabled); each of these
lines has the same format as would be the case for the userless authentication, except that they are prepended with a
SHA-512 of the user's id.
update from the previous configuration, convert your crypt-storage file from raw binary to hex.
attributes.
design specification of
'YubiKey Integration for Full Disk Encryption Pre-Boot Authentication (Copyright) Yubico, 2011 Version: 1.1'.
Used binaries:
* uuidgen - for generation of random sequence numbers
* ykchalresp - for challenging a Yubikey
* ykinfo - to check if a Yubikey is plugged in at boot (fallback to passphrase authentication otherwise)
* openssl - for calculation of SHA-1, HMAC-SHA-1, as well as AES-256-CTR (de/en)cryption
Main differences from the specification mentioned above:
* No user management (yet), only one password+yubikey per LUKS device
* SHA-512 instead of CRC-16 for checksum
Main differences from the previous implementation:
* Instead of changing the key slot of the LUKS device each boot,
the actual key for the LUKS device will be encrypted itself
* Since the response for the new challenge is now calculated
locally with openssl, the MITM-USB-attack with which previously
an attacker could obtain the new response (that was used as the new
encryption key for the LUKS device) by listening to the
Yubikey has ideally become useless (as long as uuidgen can
successfully generate new random sequence numbers).
Remarks:
* This is not downwards compatible to the previous implementation
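The two messages above (the per-user storage lines keyed by SHA-512 of the user id, and the openssl-based challenge-response design that replaces re-keying the LUKS slot) describe a scheme that is easier to follow as running code. The script below is an added illustration, not the NixOS module's own code: the YubiKey is simulated by HMAC-SHA1 over a constructed 20-byte slot secret (which is how the token's challenge-response slot works), and the field layout, checksum target and key derivation are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not the NixOS module's own code): a toy model of the
# storage scheme the two commit messages above describe. The LUKS key is
# kept AES-256-CTR-encrypted under a key derived from the passphrase and
# the token's HMAC-SHA1 response to a random challenge, a SHA-512 checksum
# stands in for CRC-16, the challenge is rotated after every unlock, and
# the file holds one line per user, prefixed with SHA-512 of the user id.
# The YubiKey is simulated by HMAC-SHA1 with a constructed 20-byte slot
# secret. Field layout, checksum target and KDF are assumptions.
set -eu

STORAGE=${STORAGE:-${TMPDIR:-/tmp}/crypt-storage.hex}
# Constructed slot secret. A real token never reveals this to the host;
# here one function serves as both "ykchalresp" and the local openssl
# computation of the response for the next challenge.
YK_SECRET=000102030405060708090a0b0c0d0e0f10111213

hex()      { od -An -v -tx1 | tr -d ' \n'; }
unhex()    { # hex string in $1 -> raw bytes on stdout, via POSIX octal escapes
  h=$1
  while [ -n "$h" ]; do
    printf "\\$(printf '%03o' "$((0x$(printf '%.2s' "$h")))")"
    h=${h#??}
  done
}
sha512()   { openssl dgst -sha512 | awk '{print $NF}'; }
rand_hex() { od -An -v -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# HMAC-SHA1 over the ASCII challenge, as `ykchalresp -2 "$challenge"` would return.
yk_response() {
  printf '%s' "$1" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$YK_SECRET" |
    awk '{print $NF}'
}

# Assumed KDF: AES-256 key = first 32 bytes of SHA-512(response || passphrase).
kdf() { printf '%s%s' "$1" "$2" | sha512 | cut -c1-64; }

# Write or replace the line for user $1 (passphrase $2, LUKS key hex $3):
#   <sha512(user)>:<challenge>:<iv>:<aes-256-ctr ciphertext>:<sha512(k_luks)>
store_line() {
  uid=$(printf '%s' "$1" | sha512)
  challenge=$(uuidgen 2>/dev/null || rand_hex 16)   # fresh random challenge
  iv=$(rand_hex 16)
  key=$(kdf "$(yk_response "$challenge")" "$2")
  ct=$(printf '%s' "$3" | openssl enc -aes-256-ctr -K "$key" -iv "$iv" | hex)
  sum=$(printf '%s' "$3" | sha512)
  { [ -f "$STORAGE" ] && grep -v "^$uid:" "$STORAGE" || true
    echo "$uid:$challenge:$iv:$ct:$sum"; } > "$STORAGE.tmp"
  mv "$STORAGE.tmp" "$STORAGE"
}

# Unlock for user $1 with passphrase $2: prints the LUKS key (hex) and, on
# success, re-encrypts it under a new challenge so the old response is useless.
unlock() {
  uid=$(printf '%s' "$1" | sha512)
  line=$(grep "^$uid:" "$STORAGE") || { echo "no entry for $1" >&2; return 1; }
  challenge=$(printf '%s' "$line" | cut -d: -f2)
  iv=$(printf '%s' "$line" | cut -d: -f3)
  ct=$(printf '%s' "$line" | cut -d: -f4)
  sum=$(printf '%s' "$line" | cut -d: -f5)
  key=$(kdf "$(yk_response "$challenge")" "$2")
  pt=$(unhex "$ct" | openssl enc -d -aes-256-ctr -K "$key" -iv "$iv" | hex)
  # CTR "decrypts" anything; only the checksum tells a wrong passphrase apart.
  [ "$(unhex "$pt" | sha512)" = "$sum" ] || { echo "checksum mismatch" >&2; return 1; }
  k_luks=$(unhex "$pt")
  store_line "$1" "$2" "$k_luks"
  echo "$k_luks"
}

# Two users sharing one LUKS key; challenge rotation; wrong passphrase rejected.
demo() {
  rm -f "$STORAGE"
  k=$(rand_hex 32)
  store_line alice correct-horse "$k"
  store_line bob   battery-staple "$k"
  c1=$(grep "^$(printf alice | sha512):" "$STORAGE" | cut -d: -f2)
  [ "$(unlock alice correct-horse)" = "$k" ] || return 1
  c2=$(grep "^$(printf alice | sha512):" "$STORAGE" | cut -d: -f2)
  [ "$c1" != "$c2" ] || return 1                      # challenge was rotated
  [ "$(unlock bob battery-staple)" = "$k" ] || return 1
  if unlock alice wrong-pass >/dev/null 2>&1; then return 1; fi
  echo ok
}

demo
```

Run with `sh`; it prints `ok`. Two things the commit text argues are visible here: because the response for the fresh challenge is computed on the host from the secret, a response sniffed on the USB bus belongs to a challenge that is discarded as soon as the unlock succeeds; and because AES-CTR decrypts any ciphertext to something, the SHA-512 checksum is what turns a wrong passphrase into a clean failure instead of a garbage key.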
supports simple challenge-response and two-factor authentication
IIUC, <nixos> is going to be deprecated someday in the future, and as
most of those references are already replaced I guess it's safe to
replace it here as well, as it is only relevant on new/updated
installations.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
HTTPD: Check for SSL Cert value before building with SSL support.
There seems to be some race causing failures if an X command gets in before slim starts the session.
Signed-off-by: Shea Levy <shea@shealevy.com>
Signed-off-by: Shea Levy <shea@shealevy.com>
Ugh
Signed-off-by: Shea Levy <shea@shealevy.com>
Adds a service for haveged, the entropy daemon
Includes configuration option for the threshold beneath which to refill
the entropy pool - defaults to 1024 bits as this is the number used in
other distros' existing service files I looked at.
for vconsole setup
Signed-off-by: Shea Levy <shea@shealevy.com>
This will allow overriding package-provided units, or overriding only a
specific instance of a unit template.
Signed-off-by: Shea Levy <shea@shealevy.com>
Signed-off-by: Shea Levy <shea@shealevy.com>
Allow the user to execute commands at the beginning of the X session.
Signed-off-by: Shea Levy <shea@shealevy.com>
The difference between xsession and xprofile is that xsession is exec'd and xprofile is sourced.
So with xprofile all commands after sourcing will still be executed. This allows for instance
autostarting of applications while configuring the start of a window manager via configuration.nix.
Signed-off-by: Shea Levy <shea@shealevy.com>
Thanks to @bennofs for pointing it out
Signed-off-by: Shea Levy <shea@shealevy.com>
Signed-off-by: Shea Levy <shea@shealevy.com>
Signed-off-by: Shea Levy <shea@shealevy.com>
With kmscon, it is now possible to have a system without X that still
needs the mesa setup in /run/opengl-driver
Signed-off-by: Shea Levy <shea@shealevy.com>
This required some changes to systemd unit handling:
* Add an option to specify that a unit is just a symlink
* Allow specified units to overwrite systemd-provided ones
* Have gettys.target require autovt@1.service instead of getty@1.service
Signed-off-by: Shea Levy <shea@shealevy.com>
Now that Java is happy with our /etc/localtime, there is no reason to
set $TZ anymore. (See 945849b86fe33474da569b307d7e5880877491b6, 279248f6c562eb88227d22b824c9324683980b96, 1b5e860f65607b4cc7de4b6b5db95460cf144526.)
Fixes #1463.
Some programs (notably the Java Runtime Environment) expect to be able
to extract the name of the time zone from the target of the
/etc/localtime symlink. That doesn't work if /etc/localtime is a
symlink to /etc/static/localtime. So make it a direct symlink.
This fixes #1395
Signed-off-by: Shea Levy <shea@shealevy.com>
Signed-off-by: Shea Levy <shea@shealevy.com>
This is a second attempt at unifying the generic and manual-config
kernel builds (see #412 for the last time).
The set of working kernel packages is a superset of those that work on
master, and as the only objection last time was the size of the $dev
closure and now both $out and $dev combined are 20M smaller than $out on
master (see message for ac2035287fbec30d92165fd3839d1bf71b8edd47), this
should be unobjectionable.
Signed-off-by: Shea Levy <shea@shealevy.com>
In most cases, this just meant changing kernelDev (now removed from
linuxPackagesFor) to kernel.dev. Some packages needed more work (though
whether that was because of my changes or because they were already
broken, I'm not sure). Specifics:
* psmouse-alps builds on 3.4 but not 3.10, as noted in the comments that
were already there
* blcr builds on 3.4 but not 3.10, as noted in comments that were
already there
* open-iscsi, ati-drivers, wis-go7007, and openafsClient don't build on
3.4 or 3.10 on this branch or on master, so they're marked broken
* A version-specific kernelHeaders package was added
The following packages were removed:
* atheros/madwifi is superseded by official ath*k modules
* aufs is no longer used by any of our kernels
* broadcom-sta v6 (which was already packaged) replaces broadcom-sta
* exmap has not been updated since 2011 and doesn't build
* iscis-target has not been updated since 2010 and doesn't build
* iwlwifi is part of mainline now and doesn't build
* nivida-x11-legacy-96 hasn't been updated since 2008 and doesn't build
Everything not specifically mentioned above builds successfully on 3.10.
I haven't yet tested on 3.4, but will before opening a pull request.
Signed-off-by: Shea Levy <shea@shealevy.com>
This patch adds support for the creation of new bond devices, aggregate
pipes of physical devices for extra throughput or failover.
Additionally, add better correction at the startup of a bridge
or vlan interface (delete old, stale interfaces).
network-interfaces: Add mtu setting support
Adds a setting to the network interface configuration for changing the
mtu for each specified interface.