From: Romain Tartière <romain@blogreen.org>
To: freebsd-hackers@freebsd.org
Subject: Re: Default Yubikey dev permissions
Date: Tue, 26 Feb 2019 12:41:10 -1000
Message-ID: <20190226224110.GA74842@blogreen.org>
In-Reply-To: <0DC6D5F3-6FCB-427C-AD73-FD561105AFC7@farhan.codes>
List: freebsd-hackers (Technical Discussions relating to FreeBSD)

On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:
> I am experimenting with a Yubikey, a consumer-grade smart card that
> stores certificates and passwords. I found that running 'gpg
> --card-status' does not work without root access. By default
> /dev/usb/0.2.0 (my Yubikey) permission is 0600, owned by root. Without
> changing these permissions, normal users would not be able to
> access the device.
>
> Of course making the permissions too broad leaves it open to a rogue
> user with any terminal access (i.e., via SSH). However, it is still
> protected by a 6-digit PIN that will lock out after a default of 3
> failed attempts.
>
> Is it worth opening up the default permissions? Thoughts?

Have a look at security/u2f-devd; it adds devd rules allowing access to U2F (including Yubikey) devices to the u2f group. You can also set your own rules if you want to tune them.

--
Romain Tartière
http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59 80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
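As an added illustration of the kind of devd(8) rule the reply refers to (this is not the rule set shipped by security/u2f-devd and not code from either poster), the fragment below matches USB attach events for Yubico's vendor ID 0x1050 and hands the device node to a u2f group instead of leaving it root-only 0600. The file path, the group name and the decision not to narrow on product ID are assumptions made here for illustration; check `usbconfig` for the IDs of the device actually plugged in.

```conf
# /usr/local/etc/devd/u2f.conf (assumed path; stock devd.conf scans this directory)
# Added example, not the rules from the security/u2f-devd port.
# On attach of any Yubico (vendor 0x1050) USB device, give the ugen node
# to group u2f with group read/write. devd runs the action as root.
notify 100 {
	match "system"		"USB";
	match "subsystem"	"DEVICE";
	match "type"		"ATTACH";
	match "vendor"		"0x1050";
	# $cdev is the node name devd supplies for the event, e.g. ugen0.2,
	# a symlink to /dev/usb/0.2.0 that chgrp and chmod follow.
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};
```

To use it: create the group and add the user (`pw groupadd u2f` then `pw groupmod u2f -m <user>`), run `service devd restart`, and unplug and re-insert the key, because devd only acts on attach events and will not retroactively fix a node that was already present. `ls -l /dev/usb/0.2.0` should then show group u2f with mode 0660. The caveat a practitioner should keep in mind is the one Farhan raises: group membership gives every process running as that user raw access to the token. The PIN retry counter limits guessing, but it does not stop a process running as the same user from driving a card that the user has already unlocked in that session.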