YubiKey + udev follow-ups

· security
This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.

In my previous post, I talked about the udev hack I had used with the YubiKey and how it was not the correct way to do things. I recieved a lot of feedback on this post, and here I’m hoping to summarise what the correct way to do it is.

The rule I was originally using was:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050",ATTRS{idProduct}=="0111", OWNER="irl"

The problem with this rule was that it always made my own username the owner of the YubiKey. For my use on my laptop, this was fine, as I’m the only user ever logged into my laptop, but this is not the right way to do this.

On a multi-user system you would want the user logged into the console, and so the one that has plugged in the USB device by implication, to be the owner of the device.

Sam Morris followed up to my last post by e-mail to suggest the following rule:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", TAG+="uaccess"

The difference here is that instead of explicitly setting an owner, the uaccess tag is added to the device. This tag has meaning to systemd-logind and will add the necessary ACLs to the device to allow the console user to access it. The ACL should also be removed by systemd-logind when you log out.

He also suggested using getfacl (from the acl package) to check the ACLs that have been assigned to devices.

irl@orbiter$ getfacl /dev/hidraw0    
# file: hidraw0
# owner: irl
# group: root

Here we can see that the device has been set to being owned by my username. (Note that on your system, the YubiKey may have a different path, check your dmesg output to see what device name it is assigned.)

If you don’t have systemd-logind available, fear not as there is an alternative approach you can take that was suggested by Simon Josefsson, who actually wrote a blog post in 2014 about using an offline GnuPG master key with subkeys on a YubiKey. If you install the pcscd package this will provide you with a daemon that runs as root and provides access to the smartcard for ordinary users. I haven’t looked at how pcscd handles limiting access to the device for other users as this isn’t an approach I’ve taken.

Thanks to everyone who gave feedback, I feel like I’ve learnt something and taken another step closer to doing things The Right Way™.

If you would like to contact me with comments, please send me an email.
If you would like to support my free software work, you can support me on Patreon or donate via PayPal.

This post was syndicated on: