From: Tomek CEDRO
Date: Wed, 4 Sep 2024 18:08:07 +0200
Subject: Re: Privileges using security tokens through PC/SC-daemon
To: Jan Behrens
Cc: freebsd-security@freebsd.org
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
On Wed, Sep 4, 2024 at 10:42 AM Jan Behrens wrote:
> Hello,
>
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).

If the YubiKey is plugged into the USB port on the host where you run
ykman, then USB read/write permissions may be the problem?

If the YubiKey is plugged into your local machine, you use gpg-agent to
ssh to a remote machine, and on that remote machine you can make ykman
work on your local machine's YubiKey, that's magic.

By the way, there is a loud bug in various YubiKey tokens that allows
cloning the physical tokens and/or private key access/recovery, caused
by a bug in Infineon's library [1].

[1] https://www.yubico.com/support/security-advisories/ysa-2024-03/

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
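One mitigation for the situation Jan describes, added here as an example and not part of the thread: a polkit rule that lets pcscd grant PC/SC access only to local, active sessions, so a user logged in over ssh is refused. It assumes pcsc-lite was built with polkit support and that polkit's session tracking reports local/active correctly; the two action ids are the ones pcsc-lite's polkit policy defines, while the rules.d path and the small shim that runs the rule offline are assumptions constructed for this example.

```javascript
// Added example (not from the thread): a polkit rule restricting PC/SC access
// to local, active sessions, plus a minimal shim so the rule can be exercised
// offline. Install only the polkit.addRule(...) part as (assumed path):
//   /usr/local/etc/polkit-1/rules.d/10-pcscd-local-only.rules

// --- Constructed stand-in for polkitd's rule engine (testing only) ---
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { console.log("polkit: " + msg); },
  // polkitd evaluates rules in order; the first non-undefined result decides,
  // otherwise the action's default policy applies.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined;
  },
};

// --- The rule itself: this is the content of the .rules file ---
polkit.addRule(function (action, subject) {
  if (action.id === "org.debian.pcsc-lite.access_pcsc" ||
      action.id === "org.debian.pcsc-lite.access_card") {
    // subject.local: session sits on a local seat; subject.active: it is the
    // foreground session. An ssh login is neither, so it is denied.
    if (subject.local && subject.active) {
      return polkit.Result.YES;
    }
    polkit.log("denied pcscd access for " + subject.user +
               " (remote or inactive session)");
    return polkit.Result.NO;
  }
  // Other actions: fall through to other rules and defaults.
});

// Decide for a given action id and session shape.
function pcscDecision(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}

// Constructed sample subjects: the ssh user from the report and a console user.
const sshUser = { user: "unpriv", local: false, active: false };
const consoleUser = { user: "jan", local: true, active: true };
```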