Re: Move u2f-devd into base?

From: Xin LI <delphij_at_gmail.com>
Date: Mon, 08 Jan 2024 17:30:05 UTC

On Mon, Jan 8, 2024 at 7:19 AM Warner Losh <imp@bsdimp.com> wrote:

>
>
> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
> wrote:
>
>> We have FIDO/U2F support for SSH in base.
>>
>> We also have a group "u2f", 116, in the default /etc/group file.
>>
>> Why do we keep the devd configuration (to chgrp the device nodes)
>> in a port, security/u2f-devd?  Can't we just add this to base, too?
>> It's just another devd configuration file.
>>
>
> This properly belongs to devfs.conf, no? Otherwise it's a race...
>

That's a good point.  But I think in practice the race (if I'm
understanding correctly, there would be a window where the device node
showed up, but with the standard permissions until devd kicks in and runs
"action" steps to change it) would probably not matter because the
consumers (Chromium?) would be polling for the device and when opening
failed, they would retry, as the security key is not guaranteed to be
present when a website asks for it, and it's perfectly natural for the
browser to see the security key getting attached and detached while it is
running.

I would say it's a good idea to have something there in place to support
these security keys (possibly also cameras, etc.), especially considering
the base OpenSSH now supports U2F devices.  It's probably a good idea to
have adduser / installer have defined "interactive local user" groups
(u2f, video, etc. come to mind) that users are added into by default, to
provide a reasonable out-of-box default too.

Cheers,