Date: Mon, 8 Jan 2024 09:30:05 -0800 From: Xin LI <delphij@gmail.com> To: Warner Losh <imp@bsdimp.com> Cc: Christian Weisgerber <naddy@mips.inka.de>, FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: Move u2f-devd into base? Message-ID: <CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA@mail.gmail.com> In-Reply-To: <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> References: <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--0000000000001d9909060e728dfc Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Jan 8, 2024 at 7:19=E2=80=AFAM Warner Losh <imp@bsdimp.com> wrote: > > > On Mon, Jan 8, 2024, 7:55=E2=80=AFAM Christian Weisgerber <naddy@mips.ink= a.de> > wrote: > >> We have FIDO/U2F support for SSH in base. >> >> We also have a group "u2f", 116, in the default /etc/group file. >> >> Why do we keep the devd configuration (to chgrp the device nodes) >> in a port, security/u2f-devd? Can't we just add this to base, too? >> It's just another devd configuration file. >> > > This properly belongs to devfs.conf no? Otherwise it's a race... > That's a good point. But I think in practice the race (if I'm understanding correctly, there would be a window where the device node showed up, but with the standard permissions until devd kicks in and runs "action" steps to change it) would probably not matter because the consumers (Chromium?) would be polling for the device and when opening failed, they would retry, as the security key is not guaranteed to be present when a website asks for it, and it's perfectly natural for the browser to see the security key getting attached and detached while it is running. I would say it's a good idea to have something there in place to support these security keys (possibly also cameras, etc.), especially considering the base OpenSSH now supports U2F devices. It's probably a good idea to have adduser / installer to have a defined "interactive local user" groups (u2f, video, etc. come to mind) that users are added into by default to provide a reasonable out-of-box default too. Cheers, --0000000000001d9909060e728dfc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"fon= t-family:monospace,monospace"><br></div></div><br><div class=3D"gmail_quote= "><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jan 8, 2024 at 7:19=E2=80= =AFAM Warner Losh <<a href=3D"mailto:imp@bsdimp.com">imp@bsdimp.com</a>&= gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0= px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div = dir=3D"auto"><div><br><br><div class=3D"gmail_quote"><div dir=3D"ltr" class= =3D"gmail_attr">On Mon, Jan 8, 2024, 7:55=E2=80=AFAM Christian Weisgerber &= lt;<a href=3D"mailto:naddy@mips.inka.de" target=3D"_blank">naddy@mips.inka.= de</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margi= n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex= ">We have FIDO/U2F support for SSH in base.<br> <br> We also have a group "u2f", 116, in the default /etc/group file.<= br> <br> Why do we keep the devd configuration (to chgrp the device nodes)<br> in a port, security/u2f-devd?=C2=A0 Can't we just add this to base, too= ?<br> It's just another devd configuration file.<br></blockquote></div></div>= <div dir=3D"auto"><br></div><div dir=3D"auto">This properly belongs to devf= s.conf no? Otherwise it's a race...</div></div></blockquote><div><br></= div><div class=3D"gmail_default" style=3D"font-family:monospace,monospace">= That's a good point.=C2=A0 But I think in practice the race (if I'm= understanding correctly, there would be a window where the device node sho= wed up, but with the standard permissions until devd kicks in and runs &quo= t;action" steps to change it) would probably not matter because the co= nsumers (Chromium?) would be polling for the device and when opening failed= , they would retry, as the security key is not guaranteed to be present whe= n a website asks for it,=C2=A0and it's perfectly natural for the browse= r to see the security key getting attached and detached while it is running= .</div><div class=3D"gmail_default" style=3D"font-family:monospace,monospac= e"><br></div><div class=3D"gmail_default" style=3D"font-family:monospace,mo= nospace">I would say it's a good idea to have something there in place = to support these security keys (possibly also cameras, etc.), especially co= nsidering the base OpenSSH now supports U2F devices.=C2=A0 It's probabl= y a good idea to have adduser / installer to have a defined "interacti= ve local user" groups (u2f, video, etc. come to mind) that users are a= dded into by default to provide a reasonable out-of-box default too.</div><= div class=3D"gmail_default" style=3D"font-family:monospace,monospace"><br><= /div><div class=3D"gmail_default" style=3D"font-family:monospace,monospace"= >Cheers,</div></div></div> --0000000000001d9909060e728dfc--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA>