From: Xin LI
Date: Mon, 8 Jan 2024 09:30:05 -0800
Subject: Re: Move u2f-devd into base?
To: Warner Losh
Cc: Christian Weisgerber, FreeBSD Current
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Mon, Jan 8, 2024 at 7:19 AM Warner Losh wrote:
>
>
> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber wrote:
>
>> We have FIDO/U2F support for SSH in base.
>>
>> We also have a group "u2f", 116, in the default /etc/group file.
>>
>> Why do we keep the devd configuration (to chgrp the device nodes)
>> in a port, security/u2f-devd?  Can't we just add this to base, too?
>> It's just another devd configuration file.
>>
>
> This properly belongs to devfs.conf no? Otherwise it's a race...
>

That's a good point.  But I think in practice the race (if I'm understanding correctly, there would be a window where the device node showed up, but with the standard permissions until devd kicks in and runs "action" steps to change it) would probably not matter, because the consumers (Chromium?) would be polling for the device and, when opening failed, they would retry, as the security key is not guaranteed to be present when a website asks for it, and it's perfectly natural for the browser to see the security key getting attached and detached while it is running.

I would say it's a good idea to have something there in place to support these security keys (possibly also cameras, etc.), especially considering the base OpenSSH now supports U2F devices.  It's probably a good idea to have adduser / the installer define a set of "interactive local user" groups (u2f, video, etc. come to mind) that users are added into by default, to provide a reasonable out-of-box default too.

Cheers,
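As an added illustration of the two mechanisms the thread compares (constructed for this page; it is neither the security/u2f-devd port's configuration nor anything posted in the thread): the first fragment is a devd.conf rule that reacts to node creation with a chgrp, so the node necessarily exists with its default ownership until the action has run; the second is a devfs.rules ruleset attached to the /dev mount, which the kernel applies as each node is created. The `uhid[0-9]+` / `uhid*` path patterns, the `localrules` ruleset name and the 0660 mode are assumptions made for the example; the `u2f` group is the one from the thread.

```conf
# --- /usr/local/etc/devd/u2f-example.conf (constructed example) ---
# devd(8) only learns of the DEVFS CDEV CREATE event after the node
# exists and then forks the action; between those two points the node
# carries the default owner and mode. That gap is the race the thread
# refers to, and a consumer that polls and retries simply absorbs it.
notify 100 {
        match "system"          "DEVFS";
        match "subsystem"       "CDEV";
        match "type"            "CREATE";
        match "cdev"            "uhid[0-9]+";   # assumed node name for the key
        action "chgrp u2f /dev/$cdev && chmod 0660 /dev/$cdev";
};

# --- /etc/devfs.rules (constructed example) ---
# A ruleset applied to the devfs mount is evaluated by the kernel at node
# creation time, so the node is never visible with the default ownership.
# Activate it with devfs_system_ruleset="localrules" in /etc/rc.conf and
# `service devfs restart`.
[localrules=10]
add path 'uhid*' mode 0660 group u2f
```

The trade-off a practitioner should weigh: devfs rules match on the node path only, so the ruleset above grants the u2f group access to every uhid node, not just security keys, whereas devd can match on finer USB attributes such as vendor and product, at the cost of the post-creation window described above.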