Re: Move u2f-devd into base?
- In reply to: Xin LI : "Re: Move u2f-devd into base?"
Date: Mon, 08 Jan 2024 18:39:32 UTC
On Mon, Jan 8, 2024 at 10:30 AM Xin LI <delphij@gmail.com> wrote:

> On Mon, Jan 8, 2024 at 7:19 AM Warner Losh <imp@bsdimp.com> wrote:
>
>> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
>> wrote:
>>
>>> We have FIDO/U2F support for SSH in base.
>>>
>>> We also have a group "u2f", 116, in the default /etc/group file.
>>>
>>> Why do we keep the devd configuration (to chgrp the device nodes)
>>> in a port, security/u2f-devd? Can't we just add this to base, too?
>>> It's just another devd configuration file.
>>>
>>
>> This properly belongs to devfs.conf no? Otherwise it's a race...
>>
>
> That's a good point. But I think in practice the race (if I'm
> understanding correctly, there would be a window where the device node
> showed up, but with the standard permissions until devd kicks in and runs
> "action" steps to change it) would probably not matter because the
> consumers (Chromium?) would be polling for the device and when opening
> failed, they would retry, as the security key is not guaranteed to be
> present when a website asks for it, and it's perfectly natural for the
> browser to see the security key getting attached and detached while it is
> running.
>

I just don't like this depending on devd not dropping the arrival bit (due
to too much congestion of events) and having a resulting broken system.
It's half-assed today, but it's half-assed enough that it works enough of
the time the issue hasn't been pressing (which is my way of agreeing with
you: it's imperfect, but it works almost all the time today). Working well
enough suggests we shouldn't 'gate' this change to a perfect solution....
Especially since we're a bit short-handed in the usb world after Hans'
tragic passing.

> I would say it's a good idea to have something there in place to support
> these security keys (possibly also cameras, etc.), especially considering
> the base OpenSSH now supports U2F devices. It's probably a good idea to
> have adduser / installer to have a defined "interactive local user" groups
> (u2f, video, etc. come to mind) that users are added into by default to
> provide a reasonable out-of-box default too.
>

Totally agree here.

Warner