Add option to set touch policy to "cache" #55

Closed

@smlx smlx commented Sep 9, 2020

This adds an optional setup flag that allows the touch policy to be set to "cache for 15 seconds" instead of "always".

I've tried to add this feature in the least obtrusive way possible, but the command line is getting a little complex for the plain old flag package. Would there be any interest in using a CLI library in yubikey-agent?

Closes: #52

joneskoo commented Sep 9, 2020

My 2 cents. I'd expose all 3 values for pin policy if an option is added.

https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#Policies874grl

smlx (Author) commented Sep 10, 2020

I was trying to avoid exposing the no-touch option for security reasons before I read through your other PR and saw that use-case. I'll update this to add the three touch policy options.

rys commented Sep 28, 2020

Is it possible to set the touch policy after initial setup?

@joneskoo

> Is it possible to set the touch policy after initial setup?

No.

Similar to the PIN policy, the touch policy must be set upon key generation or importation

https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual

eviscares commented Dec 7, 2020

Hey, is there any reason why this is not merged? I'm looking into the topic atm, and this is the only blocker for my use case (don't wanna touch all the time when using polysh to connect to 100 machines).

@theblazehen

Yep, waiting on this as well

@theblazehen

As an addition to this, might be useful to have a notification on each successful ssh authentication, as you don't have the "forced awareness" of it as tapping the button would provide

Base automatically changed from master to main February 11, 2021 12:14

@markstos markstos left a comment

Reviewed the diff. Looks sound to me, and welcome!

@markstos

Flagging some related issues and PRs:

With more flexible touch policy support, you can support lower-security cases with no-touch support, and high-security cases with always touch.

@FiloSottile (Owner)

Thank you for the PR. I don't want to add options to -setup, but I came around to adding a configurable -new-key for additional keys with more flexibility. See #95.

@smlx smlx deleted the touch-policy branch July 28, 2021 01:26

Successfully merging this pull request may close these issues.

Please allow specifying a touch policy