Friday, April 01, 2022

yubikeyedup -- permissions for flashing keys

My questions are about the yubikeyedup (-0.20201226p0) package.

I'm running kern.version=OpenBSD 7.1-beta (GENERIC.MP) #445: Mon Mar 28 10:37:41 MDT 2022

Briefly, my first question is how to best change permissions in
/dev to avoid running tools/flash.py as root (and also flashing a
yubikey in general). My second question is about the permissions
set by the port for tools/dbconf.py.

1. Using root when flashing key:

/usr/local/lib/python3.9/site-packages/yubikeyedup/tools/flash.py

seems to require root or sudo, as shown below (the excerpt is
re-indented; `cmd` is the command list flash.py builds earlier):

    import os
    import sys
    import distutils.spawn

    # prefer sudo over running this script with root privileges
    if os.getuid() != 0:
        if not distutils.spawn.find_executable('sudo'):
            print('Root privileges required.')
            sys.exit(1)
        cmd = [ 'sudo' ] + cmd

(Although README.rst does show it being called as a regular
user.)

I commented those lines out and ran the script as a regular user.
But in order to do so, I first ran usbdevs to see where my Yubikey
was and then did

# /bin/chmod g+w /dev/usb0

(my user was already in the wheel group).

I also had to

# /bin/chmod g+rw /dev/ugen*

I have never been able to write to the Yubikey using either
flash.py or yubikey-personalization-gui without those changes to
/dev/ugen* and /dev/usbX (X in 0 or 1).

After writing to the Yubikey, I then do

# /bin/sh /dev/MAKEDEV all

to restore the permissions on /dev/ugen*, and then restore the write permissions on /dev/usbX with e.g.

# /bin/chmod g+w /dev/usb0

Is this (chmod'ing) the correct way to handle flashing to the
Yubikey? I've never been able to narrow it down to anything
less than chmod g+rw /dev/ugen* and chmod g+rw /dev/usbX.

This seems possibly more secure than running flash.py or
yubikey-personalization-gui as root, but is it? I very much
appreciate your patience and feedback.

2. After I install yubikeyedup,

/usr/local/lib/python3.9/site-packages/yubikeyedup/tools/dbconf.py

has permission 644. But when one calls flash.py, it assumes
dbconf.py is executable, so I just did chmod 755 on it and then
flash.py worked. I hope to soon learn more about ports and helping
directly, but I just wanted to see whether this permission change
would be something that would need to be set by the installation
process.

Thanks for all the work on this package and making using the
Yubikey more secure!!
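The procedure above (loosen /dev/ugen* and /dev/usbX, flash, then put the nodes back) leaves the device nodes group-writable for as long as one remembers to run MAKEDEV. As an added example that is not part of the post or of the yubikeyedup package, the following POSIX sh function grants group read/write only for the duration of one command and then removes exactly the bits it added, instead of resetting all of /dev with MAKEDEV all. The device directory is a parameter so it can be exercised against a scratch directory; on a real system it would be /dev and the command would be flash.py.

```shell
#!/bin/sh
# Added example, constructed for this post (not yubikeyedup code).
# Usage: with_group_rw /dev python3 .../tools/flash.py ...

# Nodes that lacked group read / group write before we touched them.
lacked_r=
lacked_w=

# Remove only the bits that with_group_rw added; never touch nodes that
# were already group-accessible (e.g. the ones MAKEDEV creates that way).
restore_group_bits() {
    for f in $lacked_r; do chmod g-r "$f"; done
    for f in $lacked_w; do chmod g-w "$f"; done
    lacked_r=
    lacked_w=
    return 0
}

# with_group_rw DEVDIR CMD [ARGS...]
# Temporarily give the group read+write on DEVDIR/ugen* and DEVDIR/usbN,
# run CMD, then restore the previous mode bits. Returns CMD's exit status.
with_group_rw() {
    devdir=$1; shift
    # find -perm -NNN is POSIX: true when all bits in NNN are set.
    lacked_r=$(find "$devdir" \( -name 'ugen*' -o -name 'usb[0-9]*' \) ! -perm -040)
    lacked_w=$(find "$devdir" \( -name 'ugen*' -o -name 'usb[0-9]*' \) ! -perm -020)

    # Restore even if the flashing command fails or the shell is interrupted,
    # so the permissive window is bounded by the command's lifetime.
    trap restore_group_bits EXIT INT TERM
    for f in $lacked_r; do chmod g+r "$f"; done
    for f in $lacked_w; do chmod g+w "$f"; done

    status=0
    "$@" || status=$?

    restore_group_bits
    trap - EXIT INT TERM
    return $status
}
```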
