Re: Privileges using security tokens through PC/SC-daemon

From: Jan Behrens <jbe-mlist_at_magnetkern.de>
Date: Wed, 04 Sep 2024 16:50:55 UTC
Answering two e-mails in one (hope that's okay).

On Wed, 4 Sep 2024 17:44:13 +0200 (CEST)
henrichhartzer@tuta.io wrote:

> Hi Jan,
> 
> I have never used Yubikeys on FreeBSD and can't offer a whole lot of insight.
> 
> I installed security/yubikey-manager-qt. ykman doesn't appear to be setuid, which was my first thought.

I forgot to mention which package I used for "ykman". I use package
"py311-yubikey-manager-5.2.0", but this issue should apply to any
software using the PC/SC-daemon.

> 
> Since it's not setuid, is there a /dev device for the Yubikey has global read (and write?) access?

It doesn't need setuid. As far as I understand, it accesses the pcscd
through "/var/run/pcscd.comm". I didn't find any configuration option
to restrict access to that socket.

> 
> I'm not aware if/how policykit is involved here.

Apparently polkit is supposed to manage under which circumstances pcscd
allows access to the device (but that doesn't seem to be working
properly). 

> 
> -Henrich

Regards
Jan

P.S.: Also answering CEDRO's e-mail below:

On Wed, 4 Sep 2024 18:08:07 +0200
Tomek CEDRO <tomek@cedro.info> wrote:

> If the YubiKey is plugged into the USB port on the host where you run
> ykman then usb read/write permissions may be the problem?

See above. This goes through /var/run/pcscd.comm (and then supposedly
through polkit).

> 
> If the YubiKey is plugged into your local machine, you use gpg-agent to
> ssh to a remote machine, and on that remote machine you can make ykman
> work on your local machine's YubiKey, that's magic.

Not my scenario though. I logged into the machine with the security key
from a separate machine (that has no security key inserted).

> 
> By the way there is a loud bug in various YubiKey tokens that allows
> cloning the physical tokens and/or private key access/recovery caused
> by bug in Infineon's library [1].
> 
> [1] https://www.yubico.com/support/security-advisories/ysa-2024-03/
> 
> -- 
> CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

Yep, also noted on the forum:
https://forums.FreeBSD.org/threads/94605/post-670262

It's a different class of attack though.

Kind regards,
Jan

> 
> Sep 4, 2024, 08:42 by jbe-mlist@magnetkern.de:
> 
> > Hello,
> >
> > I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> > "pcscd_enable" to "YES" in "/etc/rc.conf".
> >
> > My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> > to it. When I create an unprivileged user account and log in from a
> > remote machine (through ssh), then this unprivileged user account can
> > use "ykman" to access my security key and, for example, list stored
> > credentials, generate one-time tokens, erase or temporarily block the
> > device (by providing a wrong PIN), or even effectively brick it (if no
> > configuration password is set).
> >
> > As far as I understand, polkit should prohibit this. pcsc-lite installs
> > a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> > with the following contents:
> >
> > ------------
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!DOCTYPE policyconfig PUBLIC
> >  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> >  "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
> > <policyconfig>
> >  <vendor>The PCSC-lite Project</vendor>
> >  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
> > <!--  <icon_name>smart-card</icon_name> -->
> >
> >  <action id="org.debian.pcsc-lite.access_pcsc">
> >  <description>Access to the PC/SC daemon</description>
> >  <message>Authentication is required to access the PC/SC daemon</message>
> >  <defaults>
> >  <allow_any>no</allow_any>
> >  <allow_inactive>no</allow_inactive>
> >  <allow_active>yes</allow_active>
> >  </defaults>
> >  </action>
> >
> >  <action id="org.debian.pcsc-lite.access_card">
> >  <description>Access to the smart card</description>
> >  <message>Authentication is required to access the smart card</message>
> >  <defaults>
> >  <allow_any>no</allow_any>
> >  <allow_inactive>no</allow_inactive>
> >  <allow_active>yes</allow_active>
> >  </defaults>
> >  </action>
> >
> > </policyconfig>
> > ------------
> >
> > Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> > no impact either.
> >
> > I don't understand what is going on, but this behavior doesn't seem to
> > be correct. A non-privileged user (that isn't even member of group
> > "u2f") should not gain access to a security token plugged into the
> > machine.
> >
> > Is this behavior reproducible by others, or maybe just a configuration
> > mistake by me?
> >
> > I previously mentioned this issue here:
> > https://forums.FreeBSD.org/threads/94605/post-670209
> >
> > Kind Regards,
> > Jan Behrens
> >
>
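
The following is an added example, not code from this thread, from pcsc-lite or from polkit. It parses the org.debian.pcsc-lite.policy file quoted in the original post and applies the documented meaning of its three implicit authorizations: polkit consults allow_active for a subject in an active local (console) session, allow_inactive for a subject in an inactive local session, and allow_any for every other subject, which is the bucket an ssh login without a local seat session falls into. The Subject class, the uid values and the "always authorized for uid 0" shortcut are simplifications of what polkitd does; .rules files, which run before the defaults, are not modelled.

```python
"""Model how polkit evaluates the <defaults> of the pcsc-lite actions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Values polkit accepts in allow_any / allow_inactive / allow_active.
IMPLICIT_VALUES = {"no", "yes", "auth_self", "auth_admin",
                   "auth_self_keep", "auth_admin_keep"}

# The two actions from org.debian.pcsc-lite.policy as quoted in the thread
# (DOCTYPE omitted; the content is otherwise the same).
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
 <vendor>The PCSC-lite Project</vendor>
 <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
 <action id="org.debian.pcsc-lite.access_pcsc">
  <description>Access to the PC/SC daemon</description>
  <message>Authentication is required to access the PC/SC daemon</message>
  <defaults>
   <allow_any>no</allow_any>
   <allow_inactive>no</allow_inactive>
   <allow_active>yes</allow_active>
  </defaults>
 </action>
 <action id="org.debian.pcsc-lite.access_card">
  <description>Access to the smart card</description>
  <message>Authentication is required to access the smart card</message>
  <defaults>
   <allow_any>no</allow_any>
   <allow_inactive>no</allow_inactive>
   <allow_active>yes</allow_active>
  </defaults>
 </action>
</policyconfig>"""


@dataclass(frozen=True)
class Subject:
    """Hypothetical subject description. polkitd derives this from its
    session tracker; here it is supplied directly for the example."""
    uid: int
    local_session: bool  # has a session on a local seat/console
    active: bool         # that local session is the active one on its seat


def parse_policy(xml_text):
    """Return {action_id: {"allow_any": ..., "allow_inactive": ..., "allow_active": ...}}."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.findall("action"):
        defaults = {}
        node = action.find("defaults")
        for child in ([] if node is None else node):
            value = (child.text or "").strip()
            if value not in IMPLICIT_VALUES:
                raise ValueError(f"{action.get('id')}: bad {child.tag}={value!r}")
            defaults[child.tag] = value
        actions[action.get("id")] = defaults
    return actions


def implicit_authorization(defaults, subject):
    """Pick the <defaults> entry polkit consults for this subject.
    A missing entry counts as 'no', polkit's documented default."""
    if subject.local_session and subject.active:
        return defaults.get("allow_active", "no")
    if subject.local_session:
        return defaults.get("allow_inactive", "no")
    return defaults.get("allow_any", "no")


def check_authorization(actions, action_id, subject):
    """Return 'yes', 'no', or the auth_* challenge polkit would require."""
    if subject.uid == 0:
        return "yes"  # polkitd treats uid 0 as always authorized
    return implicit_authorization(actions[action_id], subject)


def expected_decisions(xml_text=POLICY_XML):
    """Decisions for two constructed subjects: a user at the local console
    and an unprivileged user logged in over ssh (no local seat session)."""
    actions = parse_policy(xml_text)
    console_user = Subject(uid=1001, local_session=True, active=True)
    ssh_user = Subject(uid=1002, local_session=False, active=False)
    card = "org.debian.pcsc-lite.access_card"
    return {
        "console": check_authorization(actions, card, console_user),
        "ssh": check_authorization(actions, card, ssh_user),
    }


if __name__ == "__main__":
    print(expected_decisions())
    # Jan's experiment: flip allow_active to "no" and re-check.
    print(expected_decisions(POLICY_XML.replace("<allow_active>yes",
                                                "<allow_active>no")))
```

With the quoted defaults the ssh subject maps to allow_any, which is "no", so changing allow_active has no effect on it either way; that matches the observation that flipping allow_active did not change anything, and it means the access seen over ssh cannot be explained by these defaults alone. What the model cannot tell you is whether pcscd is asking polkit at all: pcsc-lite only performs its polkit check when built with polkit support, so checking how the installed pcscd was built, and whether any .rules file overrides these actions, is the next thing to verify.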