Cached: a touch is not needed if the YubiKey had been touched in the last 15 seconds, otherwise a touch is needed
Only suggesting as I ended up in this situation
Generated a key using yubikey-agent
Deployed it to a bunch of servers
Discovered that when doing a set of git actions that connect to GitHub 3 or 4 times, the always touch policy that the key was generated with requires touching the yubikey 4 times in a row to make 4 connections
It's very possible though that choosing the always touch policy is intentional and there's a good security story for this choice in which case feel free to disregard my suggestion.
Would it make sense to have the
-setupargument default to using thecachedtouch policy instead of thealwayspolicy?https://github.com/FiloSottile/yubikey-agent/blob/2e5376c5ec006250c12c1b6de65fa91de9afe687/setup.go#L143C20-L143C37
Only suggesting as I ended up in this situation
yubikey-agentgitactions that connect to GitHub 3 or 4 times, thealwaystouch policy that the key was generated with requires touching the yubikey 4 times in a row to make 4 connectionsIt's very possible though that choosing the
alwaystouch policy is intentional and there's a good security story for this choice in which case feel free to disregard my suggestion.