Default Yubikey dev permissions

Romain Tartière romain at freebsd.org
Tue Feb 26 22:41:19 UTC 2019


On Tue, Feb 26, 2019 at 05:25:56PM -0500, Farhan Khan (F8DA C0DE) via freebsd-hackers wrote:
> I am experimenting with a Yubikey, a consumer-grade smart card that
> stores certificates and passwords. I found that running 'gpg
> --card-status' does not work without root access. By default
> /dev/usb/0.2.0 (my yubikey) permission is 0600, owned by root. Without
> changing these permissions, the normal users would not be able to
> access the device.
> 
> Of course making the permissions too broad leaves it open to a rogue
> user with any terminal access (i.e., via SSH). However, it is still
> protected by a 6-digit PIN that will lock out after a default of 3
> failed attempts.
> 
> Is it worth opening up the default permissions? Thoughts?

Have a look at security/u2f-devd, it adds devd rules allowing access to
u2f (including Yubikey) devices to the u2f group.

You can also set your own rules if you want to tune them.

-- 
Romain Tartière <romain at FreeBSD.org>  http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59  80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
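
A custom devd rule of the kind the reply mentions, as an added example (not part of the original message and not the security/u2f-devd port's own file). It assumes a `u2f` group already exists, that the file is saved under a hypothetical name such as /usr/local/etc/devd/yubikey-local.conf, and that matching on Yubico's USB vendor ID 0x1050 alone is acceptable for your hardware:

```conf
# Added example: local devd rule, saved as e.g.
# /usr/local/etc/devd/yubikey-local.conf (file name is an assumption).
#
# On USB attach, hand the device node to group u2f with group read/write.
# The node stays owned by root and closed to "other", so a local or SSH
# user outside the u2f group still cannot open the token.
notify 100 {
	match "system"		"USB";
	match "subsystem"	"DEVICE";
	match "type"		"ATTACH";
	# 0x1050 is Yubico's USB vendor ID; add a "product" match to
	# narrow the rule to specific models if you want it tighter.
	match "vendor"		"0x1050";
	# $cdev expands to the ugenX.Y name; /dev/ugenX.Y is a symlink to
	# /dev/usb/X.Y.Z, and chgrp/chmod follow it to the real node.
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};
```

After `service devd restart` and re-plugging the token, `ls -lL /dev/ugen*` should show the Yubikey node as mode 0660 with group u2f; only accounts added to that group (for example with `pw groupmod u2f -m <user>`) gain access.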