I've seen other systems which use smartcards for authentication, where the computer automatically locks itself when the user removes their card from the reader (or accidentally unplugs a USB card reader from the comptuer).
I built a brand new Debian machine earlier today, and rather than using foks key new and foks key assist to add it as a new permanent device on my account (because I'm not sure if I'm going to stick with Debian or try some other Linux distro), I used foks key use-yubikey to sign it into my account. It spoke with the Yubikey for a bit, and then signed right into my account (I had to tell it the hostname but it already knew my username), and I was able to access my encrypted git repos right away.
When I removed the Yubikey, some things immediately stopped working (i.e. I wasn't able to git fetch from an encrypted repo that I hadn't been using while the Yubikey was plugged in, and foks kv ls / didn't work - both gave me this error:
$ foks kv ls /
Error: connecting to smart card: the specified reader name is not recognized
However, I was still able to access things that had been working while the Yubikey was plugged in. I'm assuming the background service caches things, and the data I was asking for, was being served from a cache.
So my question is ... is there a way for the background service to detect when the Yubikey it's currently using, has been removed? I'm sure the details would be different based on which OS it's running on, but it seems like there should be a way to receive asynchronous notifications from the OS when the Yubikey is removed ... and when that happens, if the signed-in session is using keys which came from that Yubikey, it should "log out" the current session and clear any cached data that was encrypted using a key from the Yubikey.
It just seems to me that, if the Yubikey is removed, then any data that depended on that Yubikey should also be removed. (Data that has already been encrypted but hasn't been uploaded yet should still be sent, obviously.)
I've seen other systems which use smartcards for authentication, where the computer automatically locks itself when the user removes their card from the reader (or accidentally unplugs a USB card reader from the comptuer).
I built a brand new Debian machine earlier today, and rather than using
foks key newandfoks key assistto add it as a new permanent device on my account (because I'm not sure if I'm going to stick with Debian or try some other Linux distro), I usedfoks key use-yubikeyto sign it into my account. It spoke with the Yubikey for a bit, and then signed right into my account (I had to tell it the hostname but it already knew my username), and I was able to access my encrypted git repos right away.When I removed the Yubikey, some things immediately stopped working (i.e. I wasn't able to
git fetchfrom an encrypted repo that I hadn't been using while the Yubikey was plugged in, andfoks kv ls /didn't work - both gave me this error:However, I was still able to access things that had been working while the Yubikey was plugged in. I'm assuming the background service caches things, and the data I was asking for, was being served from a cache.
So my question is ... is there a way for the background service to detect when the Yubikey it's currently using, has been removed? I'm sure the details would be different based on which OS it's running on, but it seems like there should be a way to receive asynchronous notifications from the OS when the Yubikey is removed ... and when that happens, if the signed-in session is using keys which came from that Yubikey, it should "log out" the current session and clear any cached data that was encrypted using a key from the Yubikey.
It just seems to me that, if the Yubikey is removed, then any data that depended on that Yubikey should also be removed. (Data that has already been encrypted but hasn't been uploaded yet should still be sent, obviously.)