From owner-freebsd-hackers@freebsd.org Thu Feb 28 20:42:32 2019 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C647B1517A3C for ; Thu, 28 Feb 2019 20:42:32 +0000 (UTC) (envelope-from thj@freebsd.org) Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0C14786E5D for ; Thu, 28 Feb 2019 20:42:31 +0000 (UTC) (envelope-from thj@freebsd.org) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 46D0E2200E; Thu, 28 Feb 2019 15:42:25 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Thu, 28 Feb 2019 15:42:25 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=BHwjwV iLePbjNN1qxr98UAQXrPStpQEg5CSGJ2/s0Q0=; b=HNo+IQtWFV2+s1l00kC+nM VY8UE3JAmwDXTsLppM1J+Czd8NcFdlF0p5cqhIqpfC2n7pIHDQLhD88bHhlyjhyU Us8L0ZNjbXdypVywtVeNyp1V305b1pymREMMDITE2HnoSEApqcLR/8YE7MIB/OJf 41o+MlRd/MzmcDOLIC/A1jV7oVtuKL68X4qIKkF2KhF529/iM4ESFLvPIyfXi17A IZMuBnscus6VUtWRPi9BzCRzkawXbC/M6ivlip/tO7Q03ji22lniyL55NuTs3luh hOYD0EKIl/REYO0inLd7VhqTWARrTuoJih5oxzpAHDxhjLo1H5rXAGYyYE7mcniw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrvdefgddugeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomhepvfhomhcu lfhonhgvshcuoehthhhjsehfrhgvvggsshgurdhorhhgqeenucfkphepudefjedrhedtrd dujedruddvnecurfgrrhgrmhepmhgrihhlfhhrohhmpehthhhjsehfrhgvvggsshgurdho rhhgnecuvehluhhsthgvrhfuihiivgeptd X-ME-Proxy: Received: from tom-desk.erg.abdn.ac.uk (tom-desk.erg.abdn.ac.uk [137.50.17.12]) by mail.messagingengine.com (Postfix) with ESMTPA id 30E1A10331; Thu, 28 Feb 2019 15:42:24 -0500 (EST) Date: Thu, 28 Feb 2019 20:43:52 +0000 From: Tom Jones To: "Farhan Khan (F8DA C0DE)" Cc: freebsd-hackers@freebsd.org Subject: Re: Default Yubikey dev permissions Message-ID: <20190228204352.GA14862@tom-desk.erg.abdn.ac.uk> References: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes> User-Agent: Mutt/1.10.1 (2018-07-13) X-Rspamd-Queue-Id: 0C14786E5D X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.982,0]; ASN(0.00)[asn:11403, ipnet:66.111.4.0/24, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Feb 2019 20:42:32 -0000 On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote: > Hi all, > > I am experimenting with a Yubikey, a consumer grade smart card that stores certificates and passwords. I found that running 'gpg --card-status' > does not work without root access. By default /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without changing these permissions, the normal users would not be able to access the device. > > Of course making the permissions too broad leaves it open to a rogue user with any terminal access (ie, via SSH). However, it is still protected by a 6-digit pin that will lock out after a default of 3 failed attempts. > > Is it worth opening up the default permissions? Thoughts? I use pcscd (pcsc-lite in ports) with ccid to use my yubikey for gpg operations. - [tj]