Allow limited key validity window for authenticated keys #252
Conversation
|
This is awesome, but would you consider adding more options? The gap between "1 hour" and "1 day" is pretty extreme. I don't generally care about 1 minute vs 5 minutes -- for just 1-5 minutes it's not even worth the time to tell it to unlock -- but for my normal use case "1 hour" is too short and "1 day" is too long. Ideally I'd probably want 6-8 hours. It would also be nice to be able to configure this in the UI rather than on the notification -- that's an annoying workflow and I'd rather be able to just add a setting that says "for this key when I unlock it leave it unlocked for __ minutes" Let me know if this would be a separate issue request, but I'd also want it to lock itself again if the computer is locked -- maybe it already does that. |
|
@taxilian the 1 min case is mostly for like "I need to run this script that will call 1000x within 3 seconds" type cases. That being said, the 1 day case might be going away anyway due to technician issues, so I'll be playing with those durations. 4+ hours will probably be running into the same issues, but we'll see. With regards to unlocking from UI, this is actually a bit of a weird quirk I'm dealing with now: there's no way to know ahead of time (that I can see) unless I recorded it elsewhere before creating the key. It's in the notification because I observe how long the signing process took: if it's more than a second or so, I can assume an authentication occurred. |
|
Pretty sure the relock behavior is how it works now, but that's a good idea, I can double check that. |
|
#332 for that one. |
|
Interesting; it's hard to tell from the user perspective (not being familiar with the APIs you're using) how much control you have over what is going on =] |
|
I've updated to 2.2.0 and this does not seem to work for me. I am able to see the option on the notification but I'm still prompted to re-unlock. |
|
@zachberger When you select a duration, you'll be prompted once more to authorize the temporary unlock, but you should't any more after that point. Seeing something else? |
|
@zachberger also note that the unlock seems to be a "per-process" thing, or at least per-process-name. If you look at the window you'll see the name of the process requesting the unlock, if it doesn't match then you'll be prompted again. I just tested with 2.2.0 and it's working for me, FWIW |
|
I don't seem to get the second prompt. Here is a quick video secretive.mov |
|
@zachberger thats definitely Not what it's supposed to be doing (thanks for the video, that was helpful). Tracking this separately in #354 |
Fixes #251