3 Oct 2024 |
emily | they're the hot new thing in the form of passkeys, but they were very uncommon for a very long time | 18:13:42 |
emily | WebAuthn used as a second factor is non-resident | 18:13:48 |
emily | it's still an explicit opt-in to get resident keys | 18:13:58 |
emily | but yeah "passkeys" are resident | 18:14:02 |
ElvishJerricco | ah, I'm thinking of passkeys | 18:14:04 |
ElvishJerricco | I thought passkeys was just the marketing term for WebAuthn | 18:14:12 |
emily | they're the marketing term for WebAuthn resident keys, usually WebAuthn resident keys that are backed by multi-device-synced cloud storage | 18:14:40 |
ElvishJerricco | ah ok interesting | 18:15:15 |
ElvishJerricco | I know trying to use passkeys with a yubikey can be a problem because yubikeys can only store like 32 of them or something, so it basically sucks. Makes me wonder why browsers don't just store the resident stuff themselves and then use the yubikey for decryption. | 18:16:33 |
emily | (sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") | 18:16:47 |
ElvishJerricco | In reply to @emilazy:matrix.org "(sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to")": I'm sure that won't ever get cracked :P | 18:17:09 |
emily | (to maintain the "no private key exfiltration" properties of hardware FIDO2 keys) | 18:17:12 |
emily | In reply to @elvishjerricco:matrix.org "I'm sure that won't ever get cracked :P": if you have a Secure Enclave vulnerability Apple will pay you a lot of money for it | 18:17:31 |
emily | it's sure better than all the TPM-spec stuff you can buy | 18:17:45 |
ElvishJerricco | that's fair | 18:17:57 |
raitobezarius | In reply to @elvishjerricco:matrix.org "yes but nixos doesn't implement that right now because systemd wants you to be booting ukis for their tpm stuff to work": UKIs are not needed | 22:34:06 |
raitobezarius | I have a Lanzaboote PR for systemd credentials | 22:34:15 |
raitobezarius | It's just stuck alas | 22:34:38 |
ElvishJerricco | raitobezarius: I know it's not needed but the reason it's not as trivial as it could be is because of Condition=measured-uki on all the TPM related systemd units | 22:35:13 |
ElvishJerricco | though I think lanzaboote fills that condition | 22:35:26 |
raitobezarius | There's a PR that fixes the measurements which just need a rebase, yes | 22:36:26 |
raitobezarius | I may have spoons at some point | 22:36:37 |
5 Oct 2024 |
ElvishJerricco | Jan Tojnar: Hey, did you have anything worth sharing on the luks gnome keyring thing? I know you didn't get very far but I'm bored and want to take a look into it tonight :P | 01:16:22 |
emily | oh, I never reached out to Arch about that… :( | 01:16:43 |
ElvishJerricco | ok, so the pam_gdm auth module gets the key out of the keyring and sets the authtok. Then pam_gnome_keyring reads that, forks off the daemon, which switches to your user, and the authtok is piped in to the child from the parent. Or if the daemon was already running, it just sends the authtok over the control socket. | 03:16:40 |
ElvishJerricco | so there is definitely at least a moment where the password is being piped to a process owned by your user | 03:16:56 |
emily | did you find jtojnar's WIP NixOS test thing? | 03:17:00 |
emily | https://gist.github.com/jtojnar/d1c98d5d803cee3998f68e2e1761c8f8 | 03:17:25 |
ElvishJerricco | I didn't. Figured I'd rather get familiar with how it works before testing anything out | 03:17:28 |