Bug 2162909
| Summary: | I'm prompted to touch the Yubikey twice. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Björn Persson <bjorn> |
| Component: | ykocli | Assignee: | Gerald Cox <gbcox> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 37 | CC: | gbcox |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ykocli-1.2.0-1.fc38 ykocli-1.3.1-1.fc37 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-23 15:21:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Björn Persson
2023-01-21 23:30:17 UTC
I'll take a look at that. I have never configured my yubikeys to require a touch for a totp code. Curious, why you would configure your yubikey to require a touch for that....

*** Bug 2162898 has been marked as a duplicate of this bug. ***

(In reply to Gerald Cox from comment #1)
> Curious, why you would configure your yubikey to
> require a touch for that....

To prevent malware from generating codes at will, of course. If I wouldn't require touch, then there would be no practical difference from storing the secret on an ordinary disk, SSD, USB memory or whatever. Then I could just as well use Pass-OTP or some simple script around Oathtool, and not bother with the Yubikey.

FEDORA-2023-d27c76f394 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d27c76f394

FEDORA-2023-d27c76f394 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.

According to yubico, once your secret is on the key, it's safe. It can't be extracted. So that's a big difference. As far as the touch option itself, the default is "no touch". I suppose an attack is theoretically possible, but IMO for the vast majority of users, the convenience of no-touch outweighs the risk of not having it - and apparently yubico believes the same since that is the default. That said, I agree it's a good capability to add. Thanks for recommending.

FEDORA-2023-e2e6e622af has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e2e6e622af

FEDORA-2023-208b0260aa has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-208b0260aa

FEDORA-2023-208b0260aa has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-208b0260aa` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-208b0260aa See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-cdf5d80cbb has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-cdf5d80cbb` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-cdf5d80cbb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-cdf5d80cbb has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.