Hi, in contrast to this post I like the Idea of requiring an elevated mode for making changes to the configuration in general and the current feature of setting the slot only in config mode is a good step in this direction.
However I found that I still could wipe the slot after I put the onlykey in sysadmin mode.
I have to switch to config mode to set the slot, but not to wipe it.
It would be great if you could fix this. should I open an issue in github for that?
The purpose of the config mode requirement is to prevent a situation where possibly malicious keystrokes could be written to device. Wiping data does not pose this risk so we intentionally allow that.
i understand your reasoning, but In my opinion it’s half baked.
I don’t think anyone would expect it to work like that from what’s given by the documentation.
Also based on the scenario you described the system admin would be very happy when he/she returns to the computer finding the login-phrase has been deleted.
I still consider it a somewhat bug!
@xokc Thanks for your opinion. If there is a hacker inside of your computer and all they decide to do is delete your password you should consider yourself lucky, now you know you’ve been hacked.