Date: Mon, 8 Jan 2024 11:39:32 -0700
From: Warner Losh <imp@bsdimp.com>
To: Xin LI <delphij@gmail.com>
Cc: Christian Weisgerber <naddy@mips.inka.de>, FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: Move u2f-devd into base?
Message-ID: <CANCZdfp=GXN%2BsYYSKGp6NUhHokCQC7-1NKPeV1ecJMae-ghySw@mail.gmail.com>
In-Reply-To: <CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA@mail.gmail.com>
References: <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA@mail.gmail.com>

On Mon, Jan 8, 2024 at 10:30 AM Xin LI <delphij@gmail.com> wrote:

> On Mon, Jan 8, 2024 at 7:19 AM Warner Losh <imp@bsdimp.com> wrote:
>
>> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
>> wrote:
>>
>>> We have FIDO/U2F support for SSH in base.
>>>
>>> We also have a group "u2f", 116, in the default /etc/group file.
>>>
>>> Why do we keep the devd configuration (to chgrp the device nodes)
>>> in a port, security/u2f-devd?  Can't we just add this to base, too?
>>> It's just another devd configuration file.
>>>
>>
>> This properly belongs to devfs.conf no? Otherwise it's a race...
>>
>
> That's a good point.  But I think in practice the race (if I'm
> understanding correctly, there would be a window where the device node
> showed up, but with the standard permissions until devd kicks in and runs
> "action" steps to change it) would probably not matter because the
> consumers (Chromium?) would be polling for the device and when opening
> failed, they would retry, as the security key is not guaranteed to be
> present when a website asks for it, and it's perfectly natural for the
> browser to see the security key getting attached and detached while it is
> running.
>

I just don't like this depending on devd not dropping the arrival bit (due
to too much congestion of events) and having a resulting broken system.
It's half-assed today, but it's half-assed enough that it works enough of
the time the issue hasn't been pressing (which is my way of agreeing with
you: it's imperfect, but it works almost all the time today). Working well
enough suggests we shouldn't 'gate' this change to a perfect solution....
Especially since we're a bit short-handed in the usb world after Hans'
tragic passing.

> I would say it's a good idea to have something there in place to support
> these security keys (possibly also cameras, etc.), especially considering
> the base OpenSSH now supports U2F devices.  It's probably a good idea to
> have adduser / installer to have a defined "interactive local user" groups
> (u2f, video, etc. come to mind) that users are added into by default to
> provide a reasonable out-of-box default too.
>

Totally agree here.

Warner