Frederick888 / git-credential-keepassxc

Helper that allows Git (and shell scripts) to use KeePassXC as credential store
GNU General Public License v3.0

What is the expected behavior when computer has multiple YubiKeys? #64

Closed dcopso closed 1 year ago

dcopso commented 1 year ago

I most often work from a laptop (with a YubiKey Nano USB-C) with an external monitor (with a standard YubiKey USB). This means there are two YubiKeys plugged in. I'm using the "One or multiple YubiKeys with the same secret (and same master key)" approach (https://github.com/Frederick888/git-credential-keepassxc/wiki/Encryption#one-or-multiple-yubikeys-with-the-same-secret-and-same-master-key).

What is the expected behavior when the challenge is presented? Should I be able to touch either key, or do I need to touch a specific key? How is that device determined?

Thanks.

Frederick888 commented 1 year ago

You have to have only one key plugged in to be certain.

git-credential-keepassxc relies on yubico-manager [1], and it simply grabs the first YubiKey it finds [2]. In terms of their order, this list comes from libusb_get_device_list() [3], which I think ultimately relies on the kernel. It might be in the same order as lsusb output.

I am aware that when using FIDO2/WebAuthn/U2F, all connected YubiKeys flash and you can tap on any of them. Not sure if this can be implemented for HMAC-SHA1 as I don't know if this request can be cancelled or not. (Even using ykchalresp you can't cancel a request. YubiKey keeps flashing after you kill the ykchalresp process. Of course it's possible that the only missing piece of the puzzle is signal handling in ykchalresp though.)

I'm not sure how your monitor played a role in this. Are you using the built-in USB hub in your monitor, or is this actually a multi-seat situation? If the latter, maybe you can play around with udev to make different YubiKeys available to different seats?

[1] https://github.com/wisespace-io/yubico-manager
[2] https://github.com/wisespace-io/yubico-manager/blob/287814ab5365e9bf1911058c88768f78b990517f/src/lib.rs#L55-L68
[3] https://libusb.sourceforge.io/api-1.0/group__libusb__dev.html#gac0fe4b65914c5ed036e6cbec61cb0b97


dcopso commented 1 year ago

Thanks, @Frederick888. I appreciate the detailed response and the links. It does look like there is no ordering guarantee promised by libusb_get_device_list, and the appropriate place to allow some deterministic behavior would be in the yubico-manager package.

I notice that git-credential-keepassxc is storing a serial number in the config file. When there are multiple YubiKeys with the same secret, is the serial # used for anything?

Thanks! This package is solving a real problem for me so I appreciate that you have written it.

Frederick888 commented 1 year ago

It's used at [1] by [2] when adding new encryption profiles.

On one hand it prevents more than one encryption profile from being created for the same key/slot; on the other hand it allows creating new profiles if you are using a different key (we don't know if your second key has the same HMAC-SHA1 secret or not, since there may not be anything to decrypt yet at this point, so we cannot check it).

[1] https://github.com/Frederick888/git-credential-keepassxc/blob/668a4e48c0b44117b3e8b4e5b6f74123edc16e1a/src/config.rs#L358-L361
[2] https://github.com/Frederick888/git-credential-keepassxc/blob/668a4e48c0b44117b3e8b4e5b6f74123edc16e1a/src/config.rs#L391-L392
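The two rules discussed in this thread (the first enumerated key is used, so the result depends on enumeration order; and a serial/slot pair may only have one profile) as an added Rust illustration, not code from git-credential-keepassxc or yubico-manager. A constructed device list stands in for libusb enumeration, and the struct, field and function names are assumptions.

```rust
/// A YubiKey as it would appear in the enumerated list (constructed, not from libusb).
#[derive(Debug, Clone, PartialEq)]
pub struct YubiKey {
    pub serial: u32,          // assumption: serial number as reported by the device
    pub description: String,  // constructed label, only for readability
}

/// An encryption profile entry: which key and which HMAC-SHA1 slot it was created for.
#[derive(Debug, Clone, PartialEq)]
pub struct Profile {
    pub serial: u32,
    pub slot: u8,
}

/// Selection rule. With no pinned serial this mirrors "grab the first key found":
/// whichever key the enumeration happens to list first wins, so two plugged-in keys
/// give no guarantee. With a pinned serial the choice is independent of order.
pub fn select_key(devices: &[YubiKey], pinned_serial: Option<u32>) -> Option<&YubiKey> {
    match pinned_serial {
        Some(serial) => devices.iter().find(|d| d.serial == serial),
        None => devices.first(),
    }
}

/// Profile rule from the last comment: refuse a second profile for the same key/slot,
/// but allow a profile for a different key, since at this point nothing can be decrypted
/// to tell whether that key shares the same secret.
pub fn add_profile(profiles: &mut Vec<Profile>, serial: u32, slot: u8) -> Result<(), String> {
    if profiles.iter().any(|p| p.serial == serial && p.slot == slot) {
        return Err(format!("profile for YubiKey {} slot {} already exists", serial, slot));
    }
    profiles.push(Profile { serial, slot });
    Ok(())
}

/// Constructed sample: the laptop's Nano and the monitor-hub key, in one enumeration order.
pub fn constructed_devices() -> Vec<YubiKey> {
    vec![
        YubiKey { serial: 1111, description: "Nano USB-C (laptop)".into() },
        YubiKey { serial: 2222, description: "standard USB (monitor hub)".into() },
    ]
}

fn main() {
    let devices = constructed_devices();
    println!("first found: {:?}", select_key(&devices, None));
    println!("pinned 2222: {:?}", select_key(&devices, Some(2222)));
}
```

Reversing the constructed list changes what `select_key(.., None)` returns but not what `select_key(.., Some(serial))` returns, which is the ordering problem the thread describes.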