Change -setup to generate a key with "touch policy" of "cached" instead of "always" #146

gene1wood · 2023-12-03T03:13:45Z

Would it make sense to have the -setup argument default to using the cached touch policy instead of the always policy?

https://github.com/FiloSottile/yubikey-agent/blob/2e5376c5ec006250c12c1b6de65fa91de9afe687/setup.go#L143C20-L143C37

Cached: a touch is not needed if the YubiKey had been touched in the last 15 seconds, otherwise a touch is needed

Only suggesting as I ended up in this situation

Generated a key using yubikey-agent
Deployed it to a bunch of servers
Discovered that when doing a set of git actions that connect to GitHub 3 or 4 times, the always touch policy that the key was generated with requires touching the yubikey 4 times in a row to make 4 connections

It's very possible though that choosing the always touch policy is intentional and there's a good security story for this choice in which case feel free to disregard my suggestion.

The text was updated successfully, but these errors were encountered:

This will change the key that's generated when running `yubikey-agent -setup` to a key with a touch policy of "cached". This will mean that "a touch is not needed if the YubiKey had been touched in the last 15 seconds, otherwise a touch is needed" Fixes FiloSottile#146

gene1wood linked a pull request Dec 3, 2023 that will close this issue

Change touch policy from always to cached #147

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Change -setup to generate a key with "touch policy" of "cached" instead of "always" #146

Change -setup to generate a key with "touch policy" of "cached" instead of "always" #146

gene1wood commented Dec 3, 2023

Change -setup to generate a key with "touch policy" of "cached" instead of "always" #146

Change -setup to generate a key with "touch policy" of "cached" instead of "always" #146

Comments

gene1wood commented Dec 3, 2023