Avoid using udev for monitoring TKey presence, notifying tkey-ssh-agent
quite opened this issue · 7 comments
Instead we should detect and (re)connect to TKey when the agent service gets an actual command. We have time to do this. sshd does have a LoginGraceTime setting which could time out if signing takes too long, but the default is 120 seconds. In the code, the duration seems to span all sorts of authentication including keyboard interactive. Also, currently the user must already touch the TKey to confirm signing/authentication for log-in within this time.
Getting rid of the use of udev for this purpose will simplify porting to other OSes. Though we still need (at least on Linux) a udev rule to make TKey's serial port readable by the logged-in user.
Please see branch simplify-agent for a first stab at this. It works fine on Linux. What about macOS?
Nice! I noticed one thing. Re-plugging TKey while agent is running causes it to appear on the next /dev/ttyACMx. I guess it happens because we have the dev open, and when TKey is plugged in again, the next available has to be used. Would be nice to avoid this happening. But not sure if that's doable. We can't detect if a serial port is "alive", can we? Maybe if we had some flow control? If not, perhaps it would have to be done on a higher level. In this case USB, but that would lead us towards platform-specifics right?
Another workaround could be to have tkey-ssh-agent continuously talk ping/pong with TKey, to detect when it disappears. But that might introduce other complexities...
@mchack-work I've pushed to the simplify-agent branch. No more hogging of the serial port.
I did not add any "pinning" of the pubkey. I think it has to be thought through. What should it accomplish, how it can in reality help the user, UX etc. It is also tricky to do it consistently, because the signerapp might already be loaded when tkey-ssh-agent starts.
@mchack-work I pushed a WIP commit that tries to explore pinning/notification possibilities. It's now also a draft PR #48
I moved that WIP commit to simplify-agent-wip.
Would you try out how this simplify-agent branch works on macOS @johan-carlberg ? (same signer/app.bin as before)
@quite Works fine on my macOS from simplify-agent, both building and running.
We've merged this. The pubkey pinning is left out for now, saved in branch agent-pubkey-pinning
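The connect-on-request approach discussed in this thread, sketched as an added example that is not part of the issue or of the tkey-ssh-agent code. `Bus` and `SignOnDemand` are hypothetical names, and `Bus` is a constructed model of the re-plug behaviour described above (a node that is still held open stays reserved), not real device access.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNoDevice = errors.New("no device connected")

// Bus is a constructed model of serial-port enumeration (assumption, no real I/O).
type Bus struct {
	Path string          // current device node, "" when unplugged
	held map[string]bool // nodes that some process still holds open
}

func (b *Bus) Open() (string, error) {
	if b.Path == "" {
		return "", ErrNoDevice
	}
	b.held[b.Path] = true
	return b.Path, nil
}

func (b *Bus) Close(node string) { delete(b.held, node) }

// Replug models unplug then plug: the first node not held open is assigned.
func (b *Bus) Replug() {
	b.Path = "/dev/ttyACM0"
	for i := 1; b.held[b.Path]; i++ {
		b.Path = fmt.Sprintf("/dev/ttyACM%d", i)
	}
}

// SignOnDemand connects only when a request arrives and releases the port
// before returning, so no handle outlives the request.
func SignOnDemand(b *Bus, msg []byte) ([]byte, error) {
	node, err := b.Open()
	if err != nil {
		return nil, fmt.Errorf("connect on demand: %w", err)
	}
	defer b.Close(node)
	return append([]byte("sig:"), msg...), nil // stand-in for the device's signature
}

func main() {
	b := &Bus{held: map[string]bool{}}
	b.Replug()
	sig, err := SignOnDemand(b, []byte("login"))
	fmt.Printf("%s %v %s\n", sig, err, b.Path)
}
```

In this model a re-plug after `SignOnDemand` lands on the same node, while a handle left open pushes the device to the next one.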