Keychain caching on macOS should be opt-in #93

Closed
FiloSottile opened this issue Jul 23, 2021 · 1 comment

Comments

@FiloSottile (Owner)

#46 introduced opt-in external caching of the PIN by passing allow-external-password-cache to pinentry. pinentry-mac regrettably checks that box by default. We should find a way to disable that.

We should also document that this is supported, as it makes for a nice flow where a very complex PIN is used to tie a YubiKey Nano to the machine it's plugged into.
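What "opt-in" means on the wire is whether the agent ever sends pinentry the `OPTION allow-external-password-cache` line (and the `SETKEYINFO` cache key that goes with it). The block below is an added example, not yubikey-agent's code and not pinentry's: a minimal Assuan client whose default path never mentions caching to the pinentry peer, exercised against a constructed in-memory fake so it runs offline. The `PinentryOptions` struct, the `yubikey-agent/12345` cache-key value and the fake are assumptions made for the example; the Assuan command and reply names (`OPTION`, `SETKEYINFO`, `SETPROMPT`, `GETPIN`, `BYE`, `OK`/`ERR`/`D`) come from the pinentry protocol.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/url"
	"strings"
)

// PinentryOptions is illustrative, not yubikey-agent's API. Its zero value never enables
// the external cache: OPTION/SETKEYINFO go out only when AllowExternalCache is set.
type PinentryOptions struct {
	Prompt             string
	KeyInfo            string // opaque cache key sent via SETKEYINFO (value format assumed)
	AllowExternalCache bool
}

// escape applies Assuan percent-encoding to '%', CR and LF.
func escape(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A").Replace(s)
}

// readResponse consumes one Assuan reply: "D " data lines up to "OK" or "ERR ...".
func readResponse(br *bufio.Reader) (string, error) {
	var data strings.Builder
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return "", err
		}
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, "D ") {
			data.WriteString(line[2:])
		} else if strings.HasPrefix(line, "ERR ") {
			return "", fmt.Errorf("pinentry: %s", line[4:])
		} else if line == "OK" || strings.HasPrefix(line, "OK ") {
			return data.String(), nil
		} // "S " status and "#" comment lines are informational and skipped
	}
}

// RequestPIN drives a pinentry-compatible peer over rw and returns the PIN.
func RequestPIN(rw io.ReadWriter, opts PinentryOptions) (string, error) {
	br := bufio.NewReader(rw)
	if _, err := readResponse(br); err != nil { // greeting: "OK Pleased to meet you"
		return "", fmt.Errorf("greeting: %w", err)
	}
	var cmds []string
	if opts.AllowExternalCache { // the only path that mentions caching to pinentry
		cmds = append(cmds, "OPTION allow-external-password-cache", "SETKEYINFO "+escape(opts.KeyInfo))
	}
	cmds = append(cmds, "SETPROMPT "+escape(opts.Prompt), "GETPIN")
	var raw string
	for _, c := range cmds {
		fmt.Fprintln(rw, c) // a write failure surfaces in the readResponse below
		data, err := readResponse(br)
		if err != nil {
			return "", fmt.Errorf("%s: %w", strings.Fields(c)[0], err)
		}
		raw = data // only GETPIN, the last command, carries data
	}
	fmt.Fprintln(rw, "BYE")
	readResponse(br) // best effort; the PIN is already in hand
	return url.PathUnescape(raw)
}

// fakePinentry is a constructed in-memory stand-in for a pinentry process (so the
// example runs offline); it answers everything with OK and returns the commands seen.
func fakePinentry(conn io.ReadWriteCloser, pin string) []string {
	defer conn.Close()
	var seen []string
	r := bufio.NewReader(conn)
	fmt.Fprintln(conn, "OK Pleased to meet you")
	for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
		line = strings.TrimRight(line, "\r\n")
		seen = append(seen, line)
		if line == "GETPIN" {
			fmt.Fprintf(conn, "D %s\n", escape(pin))
		}
		fmt.Fprintln(conn, "OK")
		if line == "BYE" {
			break
		}
	}
	return seen
}

// runAgainstFake connects RequestPIN to the fake over net.Pipe.
func runAgainstFake(opts PinentryOptions, pin string) (string, []string, error) {
	client, server := net.Pipe()
	seen := make(chan []string, 1)
	go func() { seen <- fakePinentry(server, pin) }()
	got, err := RequestPIN(client, opts)
	client.Close()
	return got, <-seen, err
}

func main() {
	_, cmds, err := runAgainstFake(PinentryOptions{Prompt: "PIN:"}, "123456")
	fmt.Printf("default path sent %q (err=%v)\n", cmds, err)
}
```

The check worth keeping from this is the command list the peer saw: with the zero-value options it is `SETPROMPT`, `GETPIN`, `BYE` and nothing else, so no PIN can be handed to an external store unless the caller asked for it. The caveat is that this only works if the pinentry honours the absence of the option; a pinentry that stores the PIN in the Keychain on its own, as this thread says pinentry-mac does by default, defeats any client-side default, which is why the fix referenced in this thread replaces pinentry-mac rather than just dropping the option.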

wbonis pushed a commit to styliteag/yubikey-agent that referenced this issue Jul 26, 2021
pinentry-mac is a large GnuPG-derived dependency and it has the fairly
incorrect default of saving the PIN in the Keychain, against even the
pinentry docs. Instead, on macOS just use AppleScript.

Fixes FiloSottile#93
@jacobvosmaer

I accidentally upgraded my yubikey-agent installation and spent quite some time trying to understand why it no longer uses the macOS Keychain. It appears that the reason is c9e9f88, which closed this issue. I am now confused by the messaging.

  1. This issue says Keychain use should be possible as an opt-in
  2. c9e9f88 locks Darwin into using AppleScript without any apparent Keychain support, and the commit message suggests using the Keychain is bad
  3. c9e9f88 simultaneously adds opt-in Keychain support for !darwin builds

So is using a keychain good or bad?

@FiloSottile As a user, I'd like to have Keychain support back, and I could see if I can rig something up where yubikey-agent shells out to the macOS security command. Would you be open to that?
