Update README and CHANGELOG for PIN cache changes

Jack Grigg
2023-01-02 16:39:22 +00:00
parent 00ab2c756e
commit 04c0418c02
2 changed files with 27 additions and 6 deletions
+10
@@ -9,6 +9,16 @@ to 0.3.0 are beta releases.
## [Unreleased] ## [Unreleased]
### Changed ### Changed
- MSRV is now 1.60.0. - MSRV is now 1.60.0.
- The YubiKey PIV PIN and touch caches are now preserved across processes in
most cases. See [README.md](README.md#agent-support) for exceptions. This has
several usability effects:
- If a YubiKey's PIN is cached by an agent like `yubikey-agent`, and then
`age-plugin-yubikey` is run (either directly or as a plugin), the agent
won't request a PIN entry on its next use.
- If a YubiKey's PIN was requested by either a previous invocation of
`age-plugin-yubikey` or an agent like `yubikey-agent`, subsequent calls to
`age-plugin-yubikey` won't request a PIN entry to decrypt a file with an
identity that has a PIN policy of `once`.
## [0.3.2] - 2023-01-01 ## [0.3.2] - 2023-01-01
### Changed ### Changed
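Review bot: the new entry describes only the convenience side of the preserved PIN cache; since the cache now outlives the `age-plugin-yubikey` process, a later local process that opens the PIV applet can use identities with a PIN policy of `once` without a PIN prompt until the session ends, and that is a security-relevant behaviour change worth stating in the changelog rather than only linking to the README. Suggest adding a sub-bullet such as `- Until the session ends (see README), the cached PIN authorisation is also usable by other local software that uses the PIV applet.` so readers can decide whether `once` still suits them.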
+17 -6
@@ -115,13 +115,24 @@ age client as normal (e.g. `rage -d -i yubikey-identity.txt`).
### Agent support ### Agent support
`age-plugin-yubikey` does not provide or interact with an agent for decryption. `age-plugin-yubikey` does not provide or interact with an agent for decryption.
As age plugin binaries have short lifetimes (they only run while the age client It does however preserve the PIN cache by not soft-resetting the YubiKey after a
is running), this means that YubiKey identities configured with a PIN policy of decryption or read-only operation, which enables YubiKey identities configured
`once` will actually prompt for the PIN on every decryption. with a PIN policy of `once` to not prompt for the PIN on every decryption.
A decryption agent will most likely be implemented as a separate age plugin that The session that corresponds to the `once` policy can be ended in several ways,
interacts with [`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent), not all of which are necessarily intuitive:
enabling YubiKeys to be used simultaneously with age and SSH.
- Unplugging the YubiKey (the obvious way).
- Using a different applet (e.g. FIDO2). This causes the PIV applet to be closed
which clears its state.
- Generating a new age identity via `age-plugin-yubikey --generate` or the CLI
interface. This is to avoid leaving the YubiKey authenticated with the
management key.
If the current PIN UX proves to be insufficient, a decryption agent will most
likely be implemented as a separate age plugin that interacts with
[`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent), enabling
YubiKeys to be used simultaneously with age and SSH.
### Manual setup and technical details ### Manual setup and technical details
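Review bot: the rewritten paragraph explains how the `once` session is kept open and the three bullets explain when it ends, but nothing says who can use it while it is open; the cached authentication is shared with any other local process that talks to the PIV applet, not just `age-plugin-yubikey`. Suggest adding a sentence after `with a PIN policy of `once` to not prompt for the PIN on every decryption.` stating that, and pointing users who want a prompt per operation at a stricter PIN policy. Two style points: `enables YubiKey identities ... to not prompt` reads awkwardly and could be `means that YubiKey identities ... no longer prompt`; and the second bullet needs a comma, `This causes the PIV applet to be closed, which clears its state.`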