<{^_^}>
#82471 (by danderson, 3 days ago, open): vorbis-tools: bump debian patchseries from -6 to -11.
<andi->
There will be an OpenSSL update today IIRC
<andi->
danderson: tested & merged
<gchristensen>
andi-: question for you .. :)
* andi-
hides
<gchristensen>
so my laptop-local vault
<gchristensen>
it needs 3 tokens to unlock, I'm thinking I'd encrypt one using my laptop's TPM, one using my yubikey as a TPM, and one just in `pass`. does this seem reasonable / overkill / silly?
<andi->
What is your threat model? What is your recovery situation if you are stuck somewhere (e.g. Asia) and the yubikey gave up?
<andi->
side note: my latest yubikey gave up after <1y of usage.. too many times of plugging in and out it seems..
<gchristensen>
threat model: mostly pretending, but aware that adding an API which is a token vending machine shouldn't be taken lightly. yubikey gives up: nothing in there is unreplaceable, but I'd have to use `pass` to log in to services and get API keys by hand
<andi->
more precisely to your question: I'd probably never require 3/3 factors for my computer to be unlocked. I would probably just require 1/3 or 2/3 depending on the "state" it is trying to protect
<gchristensen>
this isn't unlocking the computer itself
<andi->
Ah, I read it as "my laptop requires all 3 to be useful"
<gchristensen>
just the API token vending machine
<andi->
If you are just pretending that is probably fine. Keep in mind that the weakest link will probably limit the overall system. Is your pass using a plain old text file?
<gchristensen>
you mean, is it a .gpg file in ~/.password-store ?
<andi->
that + where does your gpg key come from?
<gchristensen>
right, that is not using my yubikey right now
<gchristensen>
so yes, file-on-disk
<andi->
So yeah, it is probably reasonable. I'd remove the file based auth and replace that with a 2nd hardware token (for resilience / while travelling /…)
<gchristensen>
sounds nice
<gchristensen>
or maybe a backup token I keep around
<andi->
Yeah, that is my current "hate" towards forced 2fa.. You can't properly back up your tokens in some reasonable way. You can most likely enroll multiple tokens but only if you carry all of them with you. Humans (or just me) are very bad at remembering to enroll the 2nd token once back at "safe location with backup tokens".
<andi->
And usually you don't want any additional tokens to be enrolled without proof of ownership.
<hexa->
> OpenSSL version 1.1.1e published
<{^_^}>
undefined variable 'OpenSSL' at (string):289:1