Date:      Tue, 26 Feb 2019 12:41:10 -1000
From:      Romain Tartière <romain@freebsd.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Default Yubikey dev permissions
Message-ID:  <20190226224110.GA74842@blogreen.org>
In-Reply-To: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes>
References:  <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes>



On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:
> I am experimenting with a Yubikey, a consumer grade smart card that
> stores certificates and passwords. I found that running 'gpg
> --card-status' does not work without root access. By default
> /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without
> changing these permissions, the normal users would not be able to
> access the device.
>
> Of course making the permissions too broad leaves it open to a rogue
> user with any terminal access (ie, via SSH). However, it is still
> protected by a 6-digit pin that will lock out after a default of 3
> failed attempts.
>
> Is it worth opening up the default permissions? Thoughts?

Have a look at security/u2f-devd, it adds devd rules allowing access to
u2f (including Yubikey) devices to the u2f group.

You can also set your own rules if you want to tune them.

-- 
Romain Tartière <romain@FreeBSD.org>  http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)

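
A custom devd rule of the kind the reply mentions, as an added example that is not part of the original message and is not the rule set shipped by security/u2f-devd. The file name and the group name `yubikey` are hypothetical; the rule assumes Yubico's USB vendor ID 0x1050 and that the admin has created the group and added the intended users to it.

```conf
# /usr/local/etc/devd/yubikey.conf   (hypothetical file name)
# Assumption: a local group "yubikey" exists; the name is illustrative.

# Too broad (left commented out): world read/write lets any local account,
# including one reached over SSH, open the token and burn PIN retries.
# notify 100 {
#     match "system"    "USB";
#     match "subsystem" "DEVICE";
#     match "type"      "ATTACH";
#     match "vendor"    "0x1050";
#     action "chmod 0666 /dev/$cdev";
# };

# Scoped: on attach, hand the device node to one group and keep "other" at
# no access. Matching on the vendor ID limits the rule to Yubico devices;
# add a "product" match to narrow it to specific models.
notify 100 {
    match "system"    "USB";
    match "subsystem" "DEVICE";
    match "type"      "ATTACH";
    match "vendor"    "0x1050";
    action "chgrp yubikey /dev/$cdev; chmod 0660 /dev/$cdev";
};
```

After restarting devd and re-plugging the key, `ls -lL` on the device node should show mode 0660 with the chosen group, and `gpg --card-status` should work only for members of that group.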



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190226224110.GA74842>