Cached: a touch is not needed if the YubiKey had been touched in the last 15 seconds, otherwise a touch is needed
Only suggesting as I ended up in this situation
Generated a key using yubikey-agent
Deployed it to a bunch of servers
Discovered that when doing a set of git actions that connect to GitHub 3 or 4 times, the always touch policy that the key was generated with requires touching the yubikey 4 times in a row to make 4 connections
It's very possible though that choosing the always touch policy is intentional and there's a good security story for this choice in which case feel free to disregard my suggestion.
Would it make sense to have the -setup argument default to using the cached touch policy instead of the always policy? https://github.com/FiloSottile/yubikey-agent/blob/2e5376c5ec006250c12c1b6de65fa91de9afe687/setup.go#L143C20-L143C37
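An added example, not part of the original issue or of yubikey-agent's code: a small Go model of the two touch policies that counts how many signing operations need a touch and how many complete without one. The names `Simulate`, `TouchPolicy` and `Result`, the sample timings, and the choice to measure the 15-second window from the last real touch are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// TouchPolicy models the two PIV touch policies named in the issue.
type TouchPolicy int

const (
	Always TouchPolicy = iota // every private-key operation needs a touch
	Cached                    // a touch is remembered for cacheWindow
)

// cacheWindow is the 15-second figure quoted in the issue.
const cacheWindow = 15 * time.Second

// Result counts how a sequence of signing operations was authorised.
type Result struct {
	Touches   int // operations that needed a physical touch
	Untouched int // operations that completed with no touch
}

// Simulate replays signing requests at the given ascending offsets.
// Assumption: the window runs from the last real touch and is not
// extended by operations that were served from the cache.
func Simulate(p TouchPolicy, offsets []time.Duration) Result {
	var r Result
	touched := false
	var lastTouch time.Duration
	for _, t := range offsets {
		if p == Cached && touched && t-lastTouch < cacheWindow {
			r.Untouched++
			continue
		}
		r.Touches++
		touched, lastTouch = true, t
	}
	return r
}

func main() {
	// Constructed timings: four SSH connections two seconds apart.
	git := []time.Duration{0, 2 * time.Second, 4 * time.Second, 6 * time.Second}
	fmt.Printf("always: %+v\n", Simulate(Always, git))
	fmt.Printf("cached: %+v\n", Simulate(Cached, git))
}
```

Under the cached policy, the `Untouched` count is the number of signatures produced without a fresh confirmation, which is the side of the trade-off the issue's last paragraph leaves open.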