Conversation

Notices

1. Embed this notice
   release_candidate (release_candidate@mastodon.bsd.cafe)'s status on Saturday, 19-Oct-2024 03:04:58 JST release_candidate

   After some pam configs, I can use the USB keys to authenticate `login` and `doas` instead of password.

   #u2f #pam #fido #fido2 #NetBSD

   • Embed this notice
     feld (feld@friedcheese.us)'s status on Saturday, 19-Oct-2024 03:04:55 JST feld

     in reply to
     @release_candidate it could be done with the smartcard part of a yubikey instead of u2f which then lets you require that the device be unlocked with a passphrase before the touches will work
     dilbert 1 likes this.
   • Embed this notice
     release_candidate (release_candidate@mastodon.bsd.cafe)'s status on Saturday, 19-Oct-2024 03:04:56 JST release_candidate

     in reply to

     Of course, anyone with the key in their hands is root if my laptop drive is already decrypted.

     Something that may not look too secure. I have to think a bit more if this is the setup I really want.

     It's just like "anyone can be the driver if they found the bike keys"

   • Embed this notice
     feld (feld@friedcheese.us)'s status on Saturday, 19-Oct-2024 05:49:15 JST feld

     in reply to

     • Norma3
     @Norma3 @release_candidate at least if I unplug it or lock my computer the touches won't work until the passphrase is entered again
   • Embed this notice
     Norma3 (norma3@mastodon.social)'s status on Saturday, 19-Oct-2024 05:49:17 JST Norma3

     in reply to

     • feld

     @feld @release_candidate That’s an interesting approach! Using the smartcard functionality of a YubiKey instead of U2F for authentication adds a layer of security by incorporating a passphrase. With the smartcard feature, you can require the device to be unlocked using the passphrase, ensuring that physical presence (touches) alone isn’t enough to access sensitive information or systems.