Date: Wed, 4 Sep 2024 18:08:07 +0200
From: Tomek CEDRO <tomek@cedro.info>
To: Jan Behrens <jbe-mlist@magnetkern.de>
Cc: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-ID: <CAFYkXj=zSvCczRckLM%2BV0ZV_jhDhvFKDeo-_Uwf_9eutC1Driw@mail.gmail.com>
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
On Wed, Sep 4, 2024 at 10:42 AM Jan Behrens <jbe-mlist@magnetkern.de> wrote:
> Hello,
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).

If the YubiKey is plugged into the USB port on the host where you run ykman, then usb read/write permissions may be the problem?

If the YubiKey is plugged into your local machine, you use gpg-agent to ssh to a remote machine, and on that remote machine you can make ykman work on your local machine's YubiKey, that's magic.

By the way, there is a loud bug in various YubiKey tokens that allows cloning the physical tokens and/or private key access/recovery, caused by a bug in Infineon's library [1].

[1] https://www.yubico.com/support/security-advisories/ysa-2024-03/

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
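One way to close the gap the question describes, added here as an example and not something from the thread: a polkit rules file that confines pcscd access to users who are either on the local console or in a dedicated group, so an unprivileged ssh login is refused. It assumes pcsc-lite was built against polkit and uses the action ids from its shipped policy file; the group name "pcscusers" and the rules path are assumptions.

```javascript
// Added example (not from the thread). Intended location (assumed):
//   /usr/local/etc/polkit-1/rules.d/50-pcscd.rules
// Assumes pcsc-lite's polkit action ids org.debian.pcsc-lite.access_pcsc
// and org.debian.pcsc-lite.access_card; the group "pcscusers" is hypothetical.
// Written in ES5 so the same file loads in polkit's rules engine and in node.

var PCSC_ACTIONS = {
  "org.debian.pcsc-lite.access_pcsc": true, // connect to the daemon at all
  "org.debian.pcsc-lite.access_card": true  // access a reader / card
};
var CARD_GROUP = "pcscusers"; // hypothetical group allowed to use tokens remotely

// Decision function shaped like a polkit rule callback: returns "yes", "no",
// or undefined (fall through to other rules and the .policy defaults).
function pcscAccess(actionId, subject) {
  if (!PCSC_ACTIONS[actionId]) {
    return undefined; // not a pcscd action: let other rules decide
  }
  // Sessions opened by sshd are not "local"; only a seat on the machine
  // (console, graphical login) is. "active" excludes backgrounded VTs.
  var onConsole = subject.local === true && subject.active === true;
  if (onConsole || subject.isInGroup(CARD_GROUP)) {
    return "yes"; // polkit.Result.YES
  }
  return "no"; // polkit.Result.NO: remote unprivileged users are refused
}

// Register with polkit when loaded by the daemon; a no-op under node.
if (typeof polkit !== "undefined") {
  polkit.addRule(pcscAccess);
}
```

Sessions that are denied will see pcscd refuse the connection, so ykman on the remote login fails instead of reaching the token.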