Date: Wed, 4 Sep 2024 18:50:55 +0200
From: Jan Behrens
To: henrichhartzer@tuta.io, Tomek CEDRO, Freebsd Security
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-Id: <20240904185055.708f90e8d3478bd10f51242b@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Answering two e-mails in one (hope that's okay).

On Wed, 4 Sep 2024 17:44:13 +0200 (CEST)
henrichhartzer@tuta.io wrote:

> Hi Jan,
>
> I have never used Yubikeys on FreeBSD and can't offer a whole lot of insight.
>
> I installed security/yubikey-manager-qt. ykman doesn't appear to be setuid, which was my first thought.

I forgot to mention which package I used for "ykman". I use package
"py311-yubikey-manager-5.2.0", but this issue should apply to any
software using the PC/SC-daemon.

>
> Since it's not setuid, is there a /dev device for the Yubikey that has global read (and write?) access?

It doesn't need setuid. As far as I understand, it accesses the pcscd
through "/var/run/pcscd.comm". I didn't find any configuration option
to restrict access to that socket.

>
> I'm not aware if/how policykit is involved here.

Apparently polkit is supposed to manage under which circumstances pcscd
allows access to the device (but that doesn't seem to be working
properly).

>
> -Henrich

Regards
Jan

P.S.: Also answering CEDRO's e-mail below:

On Wed, 4 Sep 2024 18:08:07 +0200
Tomek CEDRO wrote:

> If the YubiKey is plugged to the USB port on the host where you run
> ykman then usb read/write permissions may be the problem?

See above. This goes through /var/run/pcscd.comm (and then supposedly
through polkit).

>
> If the YubiKey is plugged to your local machine, you use gpg-agent to
> ssh to a remote machine, and on that remote machine you can make ykman
> to work on your local machine's YubiKey that's magic.

Not my scenario though. I logged into the machine with the security key
from a separate machine (that has no security key inserted).

>
> By the way there is a loud bug in various YubiKey tokens that allows
> cloning the physical tokens and/or private key access/recovery caused
> by bug in Infineon's library [1].
>
> [1] https://www.yubico.com/support/security-advisories/ysa-2024-03/
>
> --
> CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

Yep, also noted on the forum:
https://forums.FreeBSD.org/threads/94605/post-670262

It's a different class of attack though.

Kind regards,
Jan

>
> Sep 4, 2024, 08:42 by jbe-mlist@magnetkern.de:
>
> > Hello,
> >
> > I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> > "pcscd_enable" to "YES" in "/etc/rc.conf".
> >
> > My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> > to it. When I create an unprivileged user account and log in from a
> > remote machine (through ssh), then this unprivileged user account can
> > use "ykman" to access my security key and, for example, list stored
> > credentials, generate one-time tokens, erase or temporarily block the
> > device (by providing a wrong PIN), or even effectively brick it (if no
> > configuration password is set).
> >
> > As far as I understand, polkit should prohibit this. pcsc-lite installs
> > a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> > with the following contents:
> >
> > ------------
> >
> > "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> > "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
> >
> > The PCSC-lite Project
> > https://pcsclite.apdu.fr/
> >
> > Access to the PC/SC daemon
> > Authentication is required to access the PC/SC daemon
> >
> > no
> > no
> > yes
> >
> > Access to the smart card
> > Authentication is required to access the smart card
> >
> > no
> > no
> > yes
> >
> > ------------
> >
> > Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> > no impact either.
> >
> > I don't understand what is going on, but this behavior doesn't seem to
> > be correct. A non-privileged user (that isn't even member of group
> > "u2f") should not gain access to a security token plugged into the
> > machine.
> >
> > Is this behavior reproducible by others, or maybe just a configuration
> > mistake by me?
> >
> > I previously mentioned this issue here:
> > https://forums.FreeBSD.org/threads/94605/post-670209
> >
> > Kind Regards,
> > Jan Behrens
> >
>
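
An added example, not part of the thread and not code from pcsc-lite or polkit: a small audit helper for the two things discussed above, namely which implicit default polkit's policy format assigns to a remote (ssh) session, and whether a socket such as /var/run/pcscd.comm is connectable by users outside its owner and group. The sample policy is constructed from the no / no / yes defaults quoted in the message; its element layout and action ids are assumptions, since the page shows only the values.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample in polkit's policy-file format, using the defaults quoted
# in the message (no / no / yes). Action ids are assumed, not taken from the page.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def load_defaults(policy_xml):
    """Map each action id to its implicit-authorization defaults."""
    root = ET.fromstring(policy_xml)
    result = {}
    for action in root.iter("action"):
        d = action.find("defaults")
        # A missing element is treated as "no" here (assumption of this example).
        result[action.get("id")] = {
            k: (d.findtext(k, "no").strip() if d is not None else "no")
            for k in ("allow_any", "allow_inactive", "allow_active")}
    return result

def expected_decision(defaults, local, active):
    """Pick the default that applies to the caller's session class."""
    if local and active:
        return defaults["allow_active"]    # active session on a local console
    if local:
        return defaults["allow_inactive"]  # inactive session on a local console
    return defaults["allow_any"]           # any other client, e.g. a login over ssh

def other_users_can_connect(mode):
    """True if users outside owner/group may connect (write bit on the socket)."""
    return stat.S_ISSOCK(mode) and bool(mode & stat.S_IWOTH)
```

On a live system, pass the contents of the installed policy file to `load_defaults` and `os.stat("/var/run/pcscd.comm").st_mode` to `other_users_can_connect`; a "no" from `expected_decision(..., local=False, active=False)` combined with working access from an ssh session is the mismatch reported in the message.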