Default Yubikey dev permissions

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Default Yubikey dev permissions

freebsd-hackers mailing list
Hi all,

I am experimenting with a Yubikey, a consumer grade smart card that stores certificates and passwords. I found that running 'gpg --card-status'
does not work without root access. By default /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without changing these permissions, the normal users would not be able to access the device.

Of course making the permissions too broad leaves it open to a rogue user with any terminal access (ie, via SSH). However, it is still protected by a 6-digit pin that will lock out after a default of 3 failed attempts.

Is it worth opening up the default permissions? Thoughts?
---
Farhan Khan
PGP Fingerprint: 1312 89CE 663E 1EB2 179C  1C83 C41D 2281 F8DA C0DE
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Default Yubikey dev permissions

Romain Tartière-3
On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:

> I am experimenting with a Yubikey, a consumer grade smart card that
> stores certificates and passwords. I found that running 'gpg
> --card-status' does not work without root access. By default
> /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without
> changing these permissions, the normal users would not be able to
> access the device.
>
> Of course making the permissions too broad leaves it open to a rogue
> user with any terminal access (ie, via SSH). However, it is still
> protected by a 6-digit pin that will lock out after a default of 3
> failed attempts.
>
> Is it worth opening up the default permissions? Thoughts?
Have a look at security/u2f-devd, it adds devd rules allowing access to
u2f (including Yubikey) devices to the u2f group.

You can also set your own rules if you want to tune them.

--
Romain Tartière <[hidden email]>  http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)

signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Default Yubikey dev permissions

Tom Jones-3
In reply to this post by freebsd-hackers mailing list
On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:
> Hi all,
>
> I am experimenting with a Yubikey, a consumer grade smart card that stores certificates and passwords. I found that running 'gpg --card-status'
> does not work without root access. By default /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without changing these permissions, the normal users would not be able to access the device.
>
> Of course making the permissions too broad leaves it open to a rogue user with any terminal access (ie, via SSH). However, it is still protected by a 6-digit pin that will lock out after a default of 3 failed attempts.
>
> Is it worth opening up the default permissions? Thoughts?

I use pcscd (pcsc-lite in ports) with ccid to use my yubikey for gpg
operations.

- [tj]
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"