
Comment by wkat4242

10 days ago

I have because I use it for a ton of stuff. Password manager, sudo locally, SSH logins, sudo remotely, OpenPGP decrypt, etc.

It happens sometimes that I forget that's what it's waiting for. I'm no longer on Mac though. I have KDE. I don't always see the key flashing either because sometimes it's buried under the mess on my desk (I know...)

It's a bit annoying that YubiKeys don't just trigger a HID event or something; as far as I understand, the only way to tell is by looking for some obscure log entries.

YubiKey is an event-based token. You tap it with explicit intent. If you aren't expecting to tap it, then the fail-safe is you don't. It works that way by design.

You can't use a screwdriver handle as a hammer then complain it doesn't work to your expectations.

  • I just like to be notified when I need to tap something with explicit intent.

    • The concern is that if you don't know how many times you should be tapping the YubiKey when you clone a git repo, then an attacker could slip in its own signing requests and you would dutifully tap the YubiKey to authorize them. If you do know how many times to tap, do you still need the notification?

      (It's true that if an attacker slipped in a request right before I was expecting to tap my YubiKey, I would tap it a second time to get my operation to succeed under the assumption that it didn't detect my touch the first time. But I would become suspicious if that kept happening.)

  • It's a bad design for that anyway. It should show me info about what I'm signing on a little display. That would also make it easier to see it needs a touch.

    But yeah, like someone said below, many actions like GitHub pull would need it. I just want something that makes it easier to see it's waiting for me.