Date: Thu, 28 Feb 2019 20:43:52 +0000
From: Tom Jones <thj@freebsd.org>
To: "Farhan Khan (F8DA C0DE)" <farhan@farhan.codes>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Default Yubikey dev permissions
Message-ID: <20190228204352.GA14862@tom-desk.erg.abdn.ac.uk>
In-Reply-To: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes>
References: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes>

On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:
> Hi all,
>
> I am experimenting with a Yubikey, a consumer grade smart card that stores certificates and passwords. I found that running 'gpg --card-status' does not work without root access. By default /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without changing these permissions, the normal users would not be able to access the device.
>
> Of course making the permissions too broad leaves it open to a rogue user with any terminal access (ie, via SSH). However, it is still protected by a 6-digit pin that will lock out after a default of 3 failed attempts.
>
> Is it worth opening up the default permissions? Thoughts?

I use pcscd (pcsc-lite in ports) with ccid to use my yubikey for gpg operations.

- [tj]
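
A narrower alternative to opening the node to every local user, shown as an added example that is not part of either message: a devfs ruleset that keeps the device closed to others and grants access to a single group. The ruleset name `localrules`, its number 10 and the group `yubikey` are hypothetical; the device path is the one quoted in the question.

```conf
# /etc/devfs.rules
# Added example: ruleset name, number and group name are hypothetical.
[localrules=10]

# Too broad: any local account, including one reached over SSH, could open
# the token and spend its PIN retry counter.
# add path 'usb/0.2.0' mode 0666

# Narrower: owner root, read/write for members of "yubikey", nothing for others.
add path 'usb/0.2.0' mode 0660 group yubikey

# The numbers in usb/0.2.0 change when the key is plugged into another port.
# A glob such as 'usb/*' survives that, but it applies the same mode and
# group to every USB device node on the system.

# /etc/rc.conf
# Select the ruleset above as the system ruleset:
# devfs_system_ruleset="localrules"
```

The group has to exist and contain the intended user (pw(8)), and the rules take effect after `service devfs restart` and re-inserting the key.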