Document that PIN cache preservation doesn't work for YubiKey 4

Jack Grigg
2023-02-11 21:26:44 +00:00
parent 70c109aa1d
commit 762adfe098
2 changed files with 7 additions and 4 deletions
+1 -1
@@ -11,7 +11,7 @@ to 0.3.0 are beta releases.
- MSRV is now 1.60.0. - MSRV is now 1.60.0.
- The YubiKey PIV PIN and touch caches are now preserved across processes in - The YubiKey PIV PIN and touch caches are now preserved across processes in
most cases. See [README.md](README.md#agent-support) for exceptions. This has most cases. See [README.md](README.md#agent-support) for exceptions. This has
several usability effects: several usability effects (not applicable to YubiKey 4 series):
- If a YubiKey's PIN is cached by an agent like `yubikey-agent`, and then - If a YubiKey's PIN is cached by an agent like `yubikey-agent`, and then
`age-plugin-yubikey` is run (either directly or as a plugin), the agent `age-plugin-yubikey` is run (either directly or as a plugin), the agent
won't request a PIN entry on its next use. won't request a PIN entry on its next use.
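Review bot: the YubiKey 4 exclusion is only mentioned as a parenthetical on the "usability effects" sentence, so a reader skimming the changelog for the exception list will miss it; since the entry already says "See README.md for exceptions", consider stating it as its own sentence or bullet, e.g. "Not supported on the YubiKey 4 series; see README.md for why.", so the changelog and README agree on where the exceptions are documented.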
+6 -3
@@ -123,9 +123,10 @@ age client as normal (e.g. `rage -d -i yubikey-identity.txt`).
### Agent support ### Agent support
`age-plugin-yubikey` does not provide or interact with an agent for decryption. `age-plugin-yubikey` does not provide or interact with an agent for decryption.
It does however preserve the PIN cache by not soft-resetting the YubiKey after a It does however attempt to preserve the PIN cache by not soft-resetting the
decryption or read-only operation, which enables YubiKey identities configured YubiKey after a decryption or read-only operation, which enables YubiKey
with a PIN policy of `once` to not prompt for the PIN on every decryption. identities configured with a PIN policy of `once` to not prompt for the PIN on
every decryption. **This does not work for YubiKey 4 series.**
The session that corresponds to the `once` policy can be ended in several ways, The session that corresponds to the `once` policy can be ended in several ways,
not all of which are necessarily intuitive: not all of which are necessarily intuitive:
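Review bot: the bold sentence "**This does not work for YubiKey 4 series.**" gives the limitation without the reason, and the reason only appears further down as a sub-bullet under the applet-switching item, so a reader who stops at this paragraph does not learn that it is a consequence of the OTP applet switch; consider adding a short pointer here, e.g. "**This does not work for the YubiKey 4 series** (see below).", which also fixes the missing article before "YubiKey 4 series". The change from "preserve" to "attempt to preserve" is a good correction, since the following list shows the cache can be cleared by normal use.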
@@ -133,6 +134,8 @@ not all of which are necessarily intuitive:
- Unplugging the YubiKey (the obvious way). - Unplugging the YubiKey (the obvious way).
- Using a different applet (e.g. FIDO2). This causes the PIV applet to be closed - Using a different applet (e.g. FIDO2). This causes the PIV applet to be closed
which clears its state. which clears its state.
- This is why the YubiKey 4 series does not support PIN cache preservation:
their serial can only be obtained by switching to the OTP applet.
- Generating a new age identity via `age-plugin-yubikey --generate` or the CLI - Generating a new age identity via `age-plugin-yubikey --generate` or the CLI
interface. This is to avoid leaving the YubiKey authenticated with the interface. This is to avoid leaving the YubiKey authenticated with the
management key. management key.
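Review bot: the new sub-bullet states that the YubiKey 4 serial "can only be obtained by switching to the OTP applet" but never says why the plugin needs the serial, so the causal chain (plugin reads serial -> OTP applet selected -> PIV applet closed -> cached PIN lost) is left for the reader to infer; consider adding the missing clause, e.g. "the plugin reads the serial on every invocation, and on these devices that requires switching to the OTP applet, which closes the PIV applet". Also, "the YubiKey 4 series does not support ... their serial" mixes singular and plural; "its serial" or "those devices' serial" would be consistent.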