TUI: Warn YubiKey 4 users of issue with PIN policy "Once"
@@ -76,6 +76,14 @@ cli-setup-name-identity = 📛 Name this identity
|
|||||||
cli-setup-select-pin-policy = 🔤 Select a PIN policy
|
cli-setup-select-pin-policy = 🔤 Select a PIN policy
|
||||||
cli-setup-select-touch-policy = 👆 Select a touch policy
|
cli-setup-select-touch-policy = 👆 Select a touch policy
|
||||||
|
|
||||||
|
cli-setup-yk4-pin-policy =
|
||||||
|
⚠️ Your {-yubikey} is a {-yubikey} 4 series. With ephemeral applications like
|
||||||
|
{-age-plugin-yubikey}, a PIN policy of "Once" behaves like a PIN policy of
|
||||||
|
"Always", and your PIN will be requested for every decryption. However, you
|
||||||
|
might still benefit from a PIN policy of "Once" in long-running applications
|
||||||
|
like agents.
|
||||||
|
cli-setup-yk4-pin-policy-confirm = Use PIN policy of "Once" with {-yubikey} 4?
|
||||||
|
|
||||||
cli-setup-generate-new = Generate new identity in slot {$slot_index}?
|
cli-setup-generate-new = Generate new identity in slot {$slot_index}?
|
||||||
cli-setup-use-existing = Use existing identity in slot {$slot_index}?
|
cli-setup-use-existing = Use existing identity in slot {$slot_index}?
|
||||||
|
|
||||||
|
|||||||
+48
-23
@@ -487,29 +487,54 @@ fn main() -> Result<(), Error> {
|
|||||||
.report(true)
|
.report(true)
|
||||||
.interact_text()?;
|
.interact_text()?;
|
||||||
|
|
||||||
let pin_policy = match Select::new()
|
let mut displayed_yk4_warning = false;
|
||||||
.with_prompt(fl!("cli-setup-select-pin-policy"))
|
let pin_policy = loop {
|
||||||
.items(&[
|
let pin_policy = match Select::new()
|
||||||
fl!("pin-policy-always"),
|
.with_prompt(fl!("cli-setup-select-pin-policy"))
|
||||||
fl!("pin-policy-once"),
|
.items(&[
|
||||||
fl!("pin-policy-never"),
|
fl!("pin-policy-always"),
|
||||||
])
|
fl!("pin-policy-once"),
|
||||||
.default(
|
fl!("pin-policy-never"),
|
||||||
[PinPolicy::Always, PinPolicy::Once, PinPolicy::Never]
|
])
|
||||||
.iter()
|
.default(
|
||||||
.position(|p| {
|
[PinPolicy::Always, PinPolicy::Once, PinPolicy::Never]
|
||||||
p == &flags.pin_policy.unwrap_or(builder::DEFAULT_PIN_POLICY)
|
.iter()
|
||||||
})
|
.position(|p| {
|
||||||
.unwrap(),
|
p == &flags.pin_policy.unwrap_or(builder::DEFAULT_PIN_POLICY)
|
||||||
)
|
})
|
||||||
.report(true)
|
.unwrap(),
|
||||||
.interact_opt()?
|
)
|
||||||
{
|
.report(true)
|
||||||
Some(0) => PinPolicy::Always,
|
.interact_opt()?
|
||||||
Some(1) => PinPolicy::Once,
|
{
|
||||||
Some(2) => PinPolicy::Never,
|
Some(0) => PinPolicy::Always,
|
||||||
Some(_) => unreachable!(),
|
Some(1) => PinPolicy::Once,
|
||||||
None => return Ok(()),
|
Some(2) => PinPolicy::Never,
|
||||||
|
Some(_) => unreachable!(),
|
||||||
|
None => return Ok(()),
|
||||||
|
};
|
||||||
|
|
||||||
|
// We can't preserve the PIN cache for YubiKey 4 series, because to
|
||||||
|
// retrieve the serial we switch to the OTP applet.
|
||||||
|
match (pin_policy, yubikey.version().major) {
|
||||||
|
(PinPolicy::Once, 4) => {
|
||||||
|
if !displayed_yk4_warning {
|
||||||
|
eprintln!();
|
||||||
|
eprintln!("{}", fl!("cli-setup-yk4-pin-policy"));
|
||||||
|
eprintln!();
|
||||||
|
displayed_yk4_warning = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if Confirm::new()
|
||||||
|
.with_prompt(fl!("cli-setup-yk4-pin-policy-confirm"))
|
||||||
|
.report(true)
|
||||||
|
.interact()?
|
||||||
|
{
|
||||||
|
break pin_policy;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_ => break pin_policy,
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let touch_policy = match Select::new()
|
let touch_policy = match Select::new()
|
||||||
|
|||||||
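Review bot: The inner `let pin_policy = match Select::new()` added inside the new `loop` shadows the outer `let pin_policy = loop {` binding it feeds, so `break pin_policy;` reads as if the same variable were being re-bound; renaming the inner binding makes the flow clearer: `let selected = match Select::new()`, `match (selected, yubikey.version().major)`, `break selected`. The literal `4` in that tuple match is justified only by the comment above it; if the OTP-applet switch used to read the serial applies to every firmware below 5 and 3.x devices are accepted at all, the guard may need to be `major < 5` rather than a match on `4`, otherwise those users never see the warning — worth confirming against where the serial is read. A one-line comment above the `loop`, such as `// Re-prompt until the user picks a policy, or confirms "Once" on a YubiKey 4.`, would document why the selection is wrapped in a loop at all. The enclosing `fn main` starts and ends outside the hunk.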