FiloSottile / yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
https://filippo.io/yubikey-agent
BSD 3-Clause "New" or "Revised" License

'needs manual reloading every time the YubiKey is unplugged or the machine goes to sleep' is not accurate #131

Closed ThomasHabets closed 1 year ago

ThomasHabets commented 1 year ago

At least on Linux PKCS#11 with opensc works great through suspends. One pinentry per boot, using

I also don't know what this means:

> The UX of this solution is poor: it requires calling ssh-add to load the PKCS#11 module and to unlock it with the PIN (as the agent has no way of requesting input from the client during use

How could the UX possibly be better than that?

FiloSottile commented 1 year ago

That's not my experience on macOS. It's also weird it would cache across suspends, as that would mean the PIN lives in memory, which is not great.

> How could the UX possibly be better than that?

As the next words in the sentence you quoted explain, by being always running and using a graphical Pinentry.

ThomasHabets commented 1 year ago

Yeah, I didn't understand that either. I get graphical pinentry by default on Linux.

And what's not always running in that method?