security/u2f-devd: Devd hotplug rules for Universal 2nd Factor (U2F) tokens

Automatic device permission handling for Universal 2nd Factor (U2F) USB
authentication tokens.

PR:		224199
Submitted by:	Greg V <greg@unrelenting.technology>

security/Makefile

@@ -1237,6 +1237,7 @@
     SUBDIR += truecrypt
     SUBDIR += tsshbatch
     SUBDIR += tthsum
+    SUBDIR += u2f-devd
     SUBDIR += umit
     SUBDIR += unhide
     SUBDIR += unicornscan

security/u2f-devd/Makefile

@@ -0,0 +1,25 @@
+# Created by: Greg V <greg@unrelenting.technology>
+# $FreeBSD$
+
+PORTNAME=	u2f-devd
+PORTVERSION=	1.0.0
+CATEGORIES=	security
+MASTER_SITES=	#
+DISTFILES=	#
+
+MAINTAINER=	greg@unrelenting.technology
+COMMENT=	Devd hotplug rules for Universal 2nd Factor (U2F) tokens
+
+LICENSE=	BSD2CLAUSE
+
+NO_BUILD=	yes
+SUB_FILES=	pkg-message
+
+GROUPS=		u2f
+
+PLIST_FILES=	etc/devd/u2f.conf
+
+do-install:
+	${INSTALL_DATA} ${FILESDIR}/u2f.conf ${STAGEDIR}${PREFIX}/etc/devd
+
+.include <bsd.port.mk>

security/u2f-devd/files/pkg-message.in

@@ -0,0 +1,14 @@
+======================================================================
+
+U2F authentication requires read/write access to USB devices. To
+facilitate such access it comes with a devd.conf(5) file, but you
+still need to restart devd(8), add the desired users to "u2f" group
+and log those out of the current session. For example:
+
+# service devd restart
+# pw group mod u2f -m <user>
+$ exit
+
+For details, see %%PREFIX%%/etc/devd/u2f.conf
+
+======================================================================

security/u2f-devd/files/u2f.conf

@@ -0,0 +1,163 @@
+# Allow members of group u2f to access U2F authentication tokens.
+# 'notify' rules work on /dev/usb/* (used by libu2f-host),
+# 'attach' rules work on /dev/uhid* (used by web browsers)
+
+# Yubico Yubikey
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x1050";
+	match "product"		"(0x0113|0x0114|0x0115|0x0116|0x0120|0x0200|0x0420|0x0403|0x0406|0x0407|0x0410)";
+	action	"chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x1050";
+	match "product"		"(0x0113|0x0114|0x0115|0x0116|0x0120|0x0200|0x0420|0x0403|0x0406|0x0407|0x0410)";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# Happlink (formerly Plug-Up) Security KEY
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x2581";
+	match "product"		"0xf1d0";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x2581";
+	match "product"		"0xf1d0";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# Neowave Keydo and Keydo AES
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x1e0d";
+	match "product"		"(0xf1d0|0xf1ae)";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x1e0d";
+	match "product"		"(0xf1d0|0xf1ae)";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# HyperSecu HyperFIDO
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"(0x096e|0x2ccf)";
+	match "product"		"0x0880";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"(0x096e|0x2ccf)";
+	match "product"		"0x0880";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# Feitian ePass FIDO
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x096e";
+	match "product"		"(0x0850|0x0852|0x0853|0x0854|0x0856|0x0858|0x085a|0x085b)";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x096e";
+	match "product"		"(0x0850|0x0852|0x0853|0x0854|0x0856|0x0858|0x085a|0x085b)";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# JaCarta U2F
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x24dc";
+	match "product"		"0x0101";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x24dc";
+	match "product"		"0x0101";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# U2F Zero
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x10c4";
+	match "product"		"0x8acf";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x10c4";
+	match "product"		"0x8acf";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# VASCO SeccureClick
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x1a44";
+	match "product"		"0x00bb";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x1a44";
+	match "product"		"0x00bb";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# Bluink Key
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x2abe";
+	match "product"		"0x1002";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x2abe";
+	match "product"		"0x1002";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+# Thetis Key
+notify 100 {
+	match "system"		"USB";
+	match "subsystem"	"DEVICE";
+	match "type"		"ATTACH";
+	match "vendor"		"0x1ea8";
+	match "product"		"0xf025";
+	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+	match "vendor"		"0x1ea8";
+	match "product"		"0xf025";
+	action	"chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};

security/u2f-devd/pkg-descr

@@ -0,0 +1,2 @@
+Automatic device permission handling for Universal 2nd Factor (U2F) USB
+authentication tokens.