This repository has been archived by the owner on Jan 14, 2024. It is now read-only.
Support for Yubikey-like devices in containers/boxes #223
liljenstolpe
started this conversation in
Bluefin
Replies: 3 comments 3 replies
-
Thanks Chris for taking care of the hardware, @EyeCantCU and @KyleGospo will be dipping into this!
-
Some suggested use/test cases
-
This isn't necessarily an issue with ublue-os - but it is an issue with the model we are pursuing that I think we need to sort, either directly, or suggest solutions to other upstream projects.
-
One of the blockers in an immutable OS is the isolation between host and container when using a hardware-based cryptographic token, such as a Yubikey for various functions. The problem is that that token needs to be shared between both the host and various containers for various purposes, such as:
Some of these naturally sit in containers/boxes/flatpaks, others sit in the host. However, smartcard daemons usually try to grab an exclusive lock on these tokens, making shared access difficult if not impossible. It can be done, as some VM environments have this working - but it has been an open issue in ChromeOS for years now, and is a currently blocking issue in Silverblue and here.
I mentioned this to @castrojo, and based on that conversation, am sending 4 yubikeys to the devs to start playing with. Happy to discuss potential avenues.