On Wed, Sep 4, 2024 at 10:42 AM Jan Behrens <jbe-ml...@magnetkern.de> wrote:
> Hello,
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
If the YubiKey is plugged into the USB port on the host where you run ykman, then USB read/write permissions may be the problem? If the YubiKey is plugged into your local machine, you use gpg-agent to ssh to a remote machine, and on that remote machine you can make ykman work on your local machine's YubiKey, that's magic.

By the way, there is a loud bug in various YubiKey tokens that allows cloning the physical tokens and/or private key access/recovery, caused by a bug in Infineon's library [1].

[1] https://www.yubico.com/support/security-advisories/ysa-2024-03/

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
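For the situation Jan describes above (pcscd plus polkit letting any unprivileged ssh login reach the token), the usual mitigation on the host is a polkit rules file that limits pcsc-lite's actions to local members of a chosen group. The example below is added here and is not code from either message in this thread. The two action IDs are the ones pcsc-lite declares in its org.debian.pcsc-lite.policy; the group name "yubikey", the rules file path and the small stand-in `polkit` object (created only when the file is run outside polkit, so the rule can be exercised under node) are assumptions.

```javascript
// Added example: polkit rule restricting pcsc-lite access to local members of
// an assumed "yubikey" group. Assumed install path (FreeBSD layout):
//   /usr/local/etc/polkit-1/rules.d/40-pcsc-yubikey.rules
// Written in ES5 style because polkit's embedded JS engine is not full ES6.

var CARD_GROUP = "yubikey";                            // assumed group name
var ACCESS_PCSC = "org.debian.pcsc-lite.access_pcsc";  // from pcsc-lite's .policy
var ACCESS_CARD = "org.debian.pcsc-lite.access_card";  // from pcsc-lite's .policy

if (typeof polkit === "undefined") {
  // Stand-in for the host object polkit normally provides. Only reached when
  // this file is run stand-alone (e.g. under node); polkit itself predefines
  // `polkit` and never executes this branch.
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    log: function (msg) { /* polkit writes to syslog; no-op in the shim */ }
  };
}

polkit.addRule(function (action, subject) {
  if (action.id !== ACCESS_PCSC && action.id !== ACCESS_CARD) {
    return polkit.Result.NOT_HANDLED;  // not ours; let other rules/defaults decide
  }
  // Require a local session (ssh logins are not local) AND group membership.
  if (subject.local && subject.isInGroup(CARD_GROUP)) {
    return polkit.Result.YES;
  }
  polkit.log("pcsc access denied for " + subject.user + " on " + action.id);
  return polkit.Result.NO;
});

// Helper for stand-alone evaluation (shim only): apply registered rules in
// order and return the first definite answer, mirroring how polkit walks them.
function decide(actionId, subject) {
  var action = { id: actionId };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== polkit.Result.NOT_HANDLED) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subjects modelling the fields polkit exposes (user, local,
// isInGroup); `local` is false for an ssh session.
function makeSubject(user, groups, local) {
  return {
    user: user,
    local: local,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}
```

Only the `polkit.addRule(...)` call matters to polkit; the shim and the two helpers exist so the decision logic can be checked offline before the file is dropped into rules.d. After installing it, a remote user is refused by pcscd even though the daemon itself is still running for local console users in the group.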