Date: Mon, 8 Jan 2024 11:39:32 -0700 From: Warner Losh <imp@bsdimp.com> To: Xin LI <delphij@gmail.com> Cc: Christian Weisgerber <naddy@mips.inka.de>, FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: Move u2f-devd into base? Message-ID: <CANCZdfp=GXN%2BsYYSKGp6NUhHokCQC7-1NKPeV1ecJMae-ghySw@mail.gmail.com> In-Reply-To: <CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA@mail.gmail.com> References: <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <CAGMYy3vsiy=TjDkB2ebCD6sDsUvruwXJOjOYf=3f4BhqzFySKA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Mon, Jan 8, 2024 at 10:30 AM Xin LI <delphij@gmail.com> wrote: > On Mon, Jan 8, 2024 at 7:19 AM Warner Losh <imp@bsdimp.com> wrote: > >> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de> >> wrote: >> >>> We have FIDO/U2F support for SSH in base. >>> >>> We also have a group "u2f", 116, in the default /etc/group file. >>> >>> Why do we keep the devd configuration (to chgrp the device nodes) >>> in a port, security/u2f-devd? Can't we just add this to base, too? >>> It's just another devd configuration file. >>> >> >> This properly belongs to devfs.conf no? Otherwise it's a race... >> > > That's a good point. But I think in practice the race (if I'm > understanding correctly, there would be a window where the device node > showed up, but with the standard permissions until devd kicks in and runs > "action" steps to change it) would probably not matter because the > consumers (Chromium?) would be polling for the device and when opening > failed, they would retry, as the security key is not guaranteed to be > present when a website asks for it, and it's perfectly natural for the > browser to see the security key getting attached and detached while it is > running. > I just don't like this depending on devd not dropping the arrival bit (due to too much congestion of events) and having a resulting broken system. It's half-assed today, but it's half-assed enough that it works enough of the time the issue hasn't been pressing (which is my way of agreeing with you: its imperfect, but it works almost all the time today). Working well enough suggests we shouldn't 'gate' this change to a perfect solution.... Especially since we're a bit short handed in the usb world after Hans' tragic passing. > I would say it's a good idea to have something there in place to support > these security keys (possibly also cameras, etc.), especially considering > the base OpenSSH now supports U2F devices. It's probably a good idea to > have adduser / installer to have a defined "interactive local user" groups > (u2f, video, etc. come to mind) that users are added into by default to > provide a reasonable out-of-box default too. > Totally agree here. Warner [-- Attachment #2 --] <div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 8, 2024 at 10:30 AM Xin LI <<a href="mailto:delphij@gmail.com">delphij@gmail.com</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 8, 2024 at 7:19 AM Warner Losh <<a href="mailto:imp@bsdimp.com" target="_blank">imp@bsdimp.com</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <<a href="mailto:naddy@mips.inka.de" target="_blank">naddy@mips.inka.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">We have FIDO/U2F support for SSH in base.<br> <br> We also have a group "u2f", 116, in the default /etc/group file.<br> <br> Why do we keep the devd configuration (to chgrp the device nodes)<br> in a port, security/u2f-devd? Can't we just add this to base, too?<br> It's just another devd configuration file.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">This properly belongs to devfs.conf no? Otherwise it's a race...</div></div></blockquote><div><br></div><div style="font-family:monospace,monospace">That's a good point. But I think in practice the race (if I'm understanding correctly, there would be a window where the device node showed up, but with the standard permissions until devd kicks in and runs "action" steps to change it) would probably not matter because the consumers (Chromium?) would be polling for the device and when opening failed, they would retry, as the security key is not guaranteed to be present when a website asks for it, and it's perfectly natural for the browser to see the security key getting attached and detached while it is running.</div></div></div></blockquote><div><br></div><div>I just don't like this depending on devd not dropping the arrival bit (due to too much congestion of events) and having a resulting broken system. It's half-assed today, but it's half-assed enough that it works enough of the time the issue hasn't been pressing (which is my way of agreeing with you: its imperfect, but it works almost all the time today). Working well enough suggests we shouldn't 'gate' this change to a perfect solution.... Especially since we're a bit short handed in the usb world after Hans' tragic passing.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div style="font-family:monospace,monospace">I would say it's a good idea to have something there in place to support these security keys (possibly also cameras, etc.), especially considering the base OpenSSH now supports U2F devices. It's probably a good idea to have adduser / installer to have a defined "interactive local user" groups (u2f, video, etc. come to mind) that users are added into by default to provide a reasonable out-of-box default too.</div></div></div></blockquote><div><br></div><div>Totally agree here. </div><div><br></div><div>Warner</div></div></div>help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfp=GXN%2BsYYSKGp6NUhHokCQC7-1NKPeV1ecJMae-ghySw>