Date: Wed, 4 Sep 2024 17:44:13 +0200 (CEST)
From: henrichhartzer@tuta.io
To: Jan Behrens <jbe-mlist@magnetkern.de>
Cc: Freebsd Security <freebsd-security@freebsd.org>
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-ID: <O5xhHaq--B-9@tuta.io>
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>

Hi Jan,

I have never used Yubikeys on FreeBSD and can't offer a whole lot of insight.

I installed security/yubikey-manager-qt. ykman doesn't appear to be setuid, which was my first thought. Since it's not setuid, is there a /dev device for the Yubikey that has global read (and write?) access?

I'm not aware if/how policykit is involved here.

-Henrich

Sep 4, 2024, 08:42 by jbe-mlist@magnetkern.de:

> Hello,
>
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
>
> As far as I understand, polkit should prohibit this. pcsc-lite installs
> a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> with the following contents:
>
> ------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE policyconfig PUBLIC
>  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>  "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
> <policyconfig>
>   <vendor>The PCSC-lite Project</vendor>
>   <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
>   <!-- <icon_name>smart-card</icon_name> -->
>
>   <action id="org.debian.pcsc-lite.access_pcsc">
>     <description>Access to the PC/SC daemon</description>
>     <message>Authentication is required to access the PC/SC daemon</message>
>     <defaults>
>       <allow_any>no</allow_any>
>       <allow_inactive>no</allow_inactive>
>       <allow_active>yes</allow_active>
>     </defaults>
>   </action>
>
>   <action id="org.debian.pcsc-lite.access_card">
>     <description>Access to the smart card</description>
>     <message>Authentication is required to access the smart card</message>
>     <defaults>
>       <allow_any>no</allow_any>
>       <allow_inactive>no</allow_inactive>
>       <allow_active>yes</allow_active>
>     </defaults>
>   </action>
>
> </policyconfig>
> ------------
>
> Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> no impact either.
>
> I don't understand what is going on, but this behavior doesn't seem to
> be correct. A non-privileged user (that isn't even a member of group
> "u2f") should not gain access to a security token plugged into the
> machine.
>
> Is this behavior reproducible by others, or maybe just a configuration
> mistake by me?
>
> I previously mentioned this issue here:
> https://forums.FreeBSD.org/threads/94605/post-670209
>
> Kind Regards,
> Jan Behrens
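
Added example, not part of either message and not pcsc-lite or polkit code: a Python check that parses the policy quoted above and reports which session classes the file, as written, grants access without authentication, so the stated policy can be compared with the observed behavior. The function names are made up for this example, the embedded XML is an abridged copy of the quoted file, and treating a missing element as "no" is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Abridged copy of the quoted org.debian.pcsc-lite.policy (vendor/description dropped).
POLICY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Which clients each <defaults> element applies to, following polkit(8).
SESSION_CLASS = {
    "allow_any": "any client (covers clients outside a local console session)",
    "allow_inactive": "client in an inactive session on a local console",
    "allow_active": "client in an active session on a local console",
}

def implicit_authorizations(policy_xml):
    """Return {action_id: {element: value}}; a missing element is treated as 'no'
    (assumption of this example)."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        result[action.get("id")] = {
            key: (action.findtext(f"defaults/{key}") or "no").strip()
            for key in SESSION_CLASS}
    return result

def unauthenticated_grants(policy_xml):
    """List (action_id, element) pairs whose default is a plain 'yes'."""
    return [(aid, key) for aid, vals in implicit_authorizations(policy_xml).items()
            for key, val in vals.items() if val == "yes"]

if __name__ == "__main__":
    for aid, key in unauthenticated_grants(POLICY_XML):
        print(f"{aid}: {key}=yes -> {SESSION_CLASS[key]}")
```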
