While firefox runs the authenticator as Rust code in the main process, OpenSSH at least uses an external ssh-sk-helper for accessing the device. While this helper provides a good separation, it still runs as the same user and requires raw access to uhid on any OS except OpenBSD.
Theo also just removed non-root read/write access to usb(4), uhid(4), and ugen(4). It was group-writable for the wheel group which was a dangerous misuse of the group. fido(4) is world-read-/writable.
And here’s the next iteration of the firefox path to support fido(4) on OpenBSD https://marc.info/?l=openbsd-ports&m=157666694220206&w=2 …
Alternative take: it's unbelievable that device-specific code running with kernel privs should be needed just because there isn't a better way to hand off access per-device to admin-specified userland software. Ok it's simple enough code for u2f but not for other USB devices.
FIDO/U2F is not admin-specific.
as would a keylogger, lol