TUI: Warn YubiKey 4 users of issue with PIN policy "Once"

This commit is contained in:
Jack Grigg
2023-02-11 22:04:14 +00:00
parent 762adfe098
commit 4e053b5efc
2 changed files with 56 additions and 23 deletions
+8
View File
@@ -76,6 +76,14 @@ cli-setup-name-identity = 📛 Name this identity
cli-setup-select-pin-policy = 🔤 Select a PIN policy
cli-setup-select-touch-policy = 👆 Select a touch policy
cli-setup-yk4-pin-policy =
⚠️ Your {-yubikey} is a {-yubikey} 4 series. With ephemeral applications like
{-age-plugin-yubikey}, a PIN policy of "Once" behaves like a PIN policy of
"Always", and your PIN will be requested for every decryption. However, you
might still benefit from a PIN policy of "Once" in long-running applications
like agents.
cli-setup-yk4-pin-policy-confirm = Use PIN policy of "Once" with {-yubikey} 4?
cli-setup-generate-new = Generate new identity in slot {$slot_index}?
cli-setup-use-existing = Use existing identity in slot {$slot_index}?
+25
View File
@@ -487,6 +487,8 @@ fn main() -> Result<(), Error> {
.report(true)
.interact_text()?;
let mut displayed_yk4_warning = false;
let pin_policy = loop {
let pin_policy = match Select::new()
.with_prompt(fl!("cli-setup-select-pin-policy"))
.items(&[
@@ -512,6 +514,29 @@ fn main() -> Result<(), Error> {
None => return Ok(()),
};
// We can't preserve the PIN cache for YubiKey 4 series, because to
// retrieve the serial we switch to the OTP applet.
match (pin_policy, yubikey.version().major) {
(PinPolicy::Once, 4) => {
if !displayed_yk4_warning {
eprintln!();
eprintln!("{}", fl!("cli-setup-yk4-pin-policy"));
eprintln!();
displayed_yk4_warning = true;
}
if Confirm::new()
.with_prompt(fl!("cli-setup-yk4-pin-policy-confirm"))
.report(true)
.interact()?
{
break pin_policy;
}
}
_ => break pin_policy,
}
};
let touch_policy = match Select::new()
.with_prompt(fl!("cli-setup-select-touch-policy"))
.items(&[