Me and my new #yubikey5 part 2:

Now we get to the nitty-gritty parts. I'm using #mbsync to sync multiple #imap accounts to local #maildir and I am automating this via #systemd : a timer calls a service very 5 minutes, that will call mbsync on all mail accounts if connected to the internet.

Providing the passwords via #pass that is encrypted with #yubikey will need that yubikey to be unlocked (i.e. a pin needs to be provided). When providing this pin (e.g. by manually calling mbsync on one of my mail accounts), it will be stored for at least 12h, and up to 24h (on my home pc; mobile and remote devices will of course hav different settings).

However, if I never manually provide the PIN, the systemd automated scripts will fail. E.g. I just connected the key, but not used it.

First I thought, this was due to me using the `curses` version #pinentry . But that's not the whole truth. Even with `pinentry-gtk` the systemd script will not trigger a PIN entry. I didn't quite understand why, and therefore ran a different direction:

Could I just auto-unlock the yubikey if I connected it? I wrote a #udev rule that would recognize the yubikey. Learning that I need to put scripts for udev in certain dirs, and being unhappy with it, I then wrote a systemd service for the udev to call instead, and with that I maanged to finally get a PIN entry request using the gtk version.

And then it got me thinking. Why did that work, but my mailsync that basically has the same things involved (script instead of udev that triggers systemd that wants to decrypt something using yubikey triggering PIN entry). And then it hit me: My mailsync systemd service was missing the `DISPLAY=:0` environment variable, thus the script can't trigger the GUI. Half a days worth of work, all for nothing  

But hey, the weekend is young. Next up: If triggered via CLI i want gpg to trigger `pinentry-curses` instead of `pinentry-gtk`. Sounds easy: have a `pinentry-auto` script figuring out where it has been called from. Well... not really #wip

Things you do ‘cause cats can be jerks.

I used to have a #yubikey5 nano hooked with a little kitty pendant to my phone.

At least until my cats decided the pendant is a threat to their dominance of the house, broke the metal links and abducted the pendant. I got lucky because the yubikey was firmly plugged into my phone’s USB-C port.

Now I made a tiny USB-C (faux) leather pouch and attached it to one of my leather double-tour bracelets.

Because I can.

#leatherwork #yubikey #catsAreMean

Well.. things you do in Hospitals.
Just a little cutter knife here and super glue there and.. my phone now carries a YubiCat5c security dongle.

#yubikey5 #yubikey #mfa #diy #caseMod #cats

Yay! I finally got my Yubikeys. I've been putting it off for far too long.

#yubikey #yubikey5 #yubico #3d_print #fido2

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

#yubikey #yubikey5 #vulnerability

This whole #yubikey5 debacle gave me an excuse to finally purchase two Solokeys 2+ NFC with the Trussed Rust-based (!) open source firmware..

What will be a pain is discovering where exactly I need to switch out the keys and then actually removing and enrolling the replacements 🙈

Boosting this summary of the Yubi Key vulnerability to show how difficult it is to carry out in real life. #YubiKey #YubiKey5

From: @rysiek
https://mstdn.social/@rysiek/113075472648375180