Unable to create key when age-yubikey-plug has created key on yubikey #139

Open
trexxeon opened this issue Feb 23, 2023 · 9 comments

@trexxeon

When I have created an age encryption key on a YubiKey with age-plugin-yubikey and then try to use yubikey-agent, it says that the card is already configured and that I'll need to use the wipe flag, which results in everything being wiped, so the age encryption key is gone.

@mutlusun

In my case, the error looks like that:

❯ yubikey-agent -setup
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
❌ The key will be lost if the PIN and PUK are locked after 3 incorrect tries.

Choose a new PIN/PUK: 
Repeat PIN/PUK: 

🧪 Reticulating splines...
‼️  The default Management Key did not work

If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.

If you want to wipe all PIV keys and start fresh,
use --really-delete-all-piv-keys ⚠️

Is it the same for you?

@mutlusun

mutlusun commented May 1, 2023

@FiloSottile / @str4d Is there any way to workaround this limitation? Or a way to manually generate a correct key?

Thanks for your help!

@bcvanmeurs

bcvanmeurs commented Jun 2, 2023

@mutlusun @trexxeon

> In my case, the error looks like that:
>
> Is it the same for you?

I tried this this morning, and I get exactly the same error; I also have some Age keys on the YubiKey. I think it would be a nice feature to bypass the creation of a new PIN and PUK and supply your own.

I think I found a workaround by manually (as suggested here) generating a key and certificate in slot 9a (which is what happens in setup.go) with ykman (but I am by no means an expert in this).

  • ykman piv info to see what slots are used. (in my case slot 82 and 83 for Age keys)
  • ykman piv -h shows the help page where I got the inspiration for commands from
  • ykman piv keys info 9a should show that there is no key, (I assume, I only found this command after generating the key.)
    • for example when I now do slot 84 I get this, I assume it would be the same for 9a
      ❯ ykman piv keys info 84
      ERROR: No key stored in slot 84 (RETIRED3).
      
  • ykman piv keys generate --algorithm ECCP256 9a pubkey.pem --pin-policy once --touch-policy always generates a key with the settings as supplied in setup.go. Enter your PIN. It generates pubkey.pem, which is the public key in PEM format.
  • ykman piv keys info 9a now shows:
    ❯ ykman piv keys info 9a
    Key slot:               9A (AUTHENTICATION)
    Algorithm:              ECCP256
    Origin:                 GENERATED
    PIN required for use:   ONCE
    Touch required for use: ALWAYS
    
  • ykman piv certificates generate --subject "O=yubikey-agent" 9a pubkey.pem to generate the certificate. I used this subject based on setup.go, but I don't know what the recommended setting is here.
  • ykman piv info now lists the certificate in slot 9a.
    Slot 9A (AUTHENTICATION):
     Algorithm:   ECCP256
     Subject DN:  O=yubikey-agent
     Issuer DN:   O=yubikey-agent
     Serial:      XXXX
     Fingerprint: XXXX
     Not before:  2023-06-02T07:38:43
     Not after:   2024-06-01T07:38:43
    
  • The last step is to convert the PEM formatted public key to an SSH formatted public key. After some searching I found this command: ssh-keygen -f pubkey.pem -i -m PKCS8, which prints the public key in the ecdsa-sha2-nistp256 format.
  • By the way, you can always re-export the public key by using: ykman piv keys export 9a -

I verified that this works with Github by setting the key there, and using the IdentityAgent /usr/local/var/run/yubikey-agent.sock in my ssh config.

I hope this helps! Let me know if you face any challenges.
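The last step in the guide above, turning pubkey.pem into an ecdsa-sha2-nistp256 line, is what ssh-keygen -i -m PKCS8 does internally. The following is an added example (not part of this thread, of yubikey-agent, or of ykman) that performs the same conversion in plain Python with only the standard library, and additionally refuses a key whose point is not on P-256. The sample input is constructed: it is the P-256 base point wrapped as PEM, not a key exported from any YubiKey. The function names and the "yubikey-agent" comment string are the example's own choices.

```python
"""Convert the P-256 public key that `ykman piv keys export 9a -` writes
(PEM SubjectPublicKeyInfo) into the OpenSSH `ecdsa-sha2-nistp256 AAAA...`
line that GitHub or authorized_keys expects. Standard library only."""
import base64
import struct
import textwrap

# Every P-256 SPKI carrying an uncompressed point starts with these 26 bytes:
# SEQUENCE { SEQUENCE { OID id-ecPublicKey, OID prime256v1 }, BIT STRING ... }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)
# Curve parameters (FIPS 186-4), used to reject points that are not on P-256.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p) on P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a 'PUBLIC KEY' block and return the raw DER."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def spki_to_point(der: bytes) -> tuple[int, int]:
    """Extract (x, y) from a P-256 SPKI, refusing any other key type."""
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX) or der[26] != 0x04:
        raise ValueError("not an uncompressed P-256 (prime256v1) public key")
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:91], "big")
    if not on_curve(x, y):
        raise ValueError("point is not on P-256; refusing to emit a key for it")
    return x, y


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def point_to_openssh(x: int, y: int, comment: str = "yubikey-agent") -> str:
    """Build the RFC 5656 ecdsa-sha2-nistp256 public key line."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = (_ssh_string(b"ecdsa-sha2-nistp256")
            + _ssh_string(b"nistp256")
            + _ssh_string(point))
    return f"ecdsa-sha2-nistp256 {base64.b64encode(blob).decode()} {comment}"


def pem_to_openssh(pem: str, comment: str = "yubikey-agent") -> str:
    """pubkey.pem contents in, one authorized_keys-style line out."""
    x, y = spki_to_point(pem_to_der(pem))
    return point_to_openssh(x, y, comment)


def openssh_to_point(line: str) -> tuple[int, int]:
    """Parse an ecdsa-sha2-nistp256 line back to (x, y), to cross-check output."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if len(fields) != 3 or fields[:2] != [b"ecdsa-sha2-nistp256", b"nistp256"]:
        raise ValueError("not an ecdsa-sha2-nistp256 key line")
    point = fields[2]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed 65-byte point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def point_to_pem(x: int, y: int) -> str:
    """Wrap a point as PEM, the shape ykman's pubkey.pem has (sample input only)."""
    der = P256_SPKI_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# Constructed sample input: the P-256 base point G (the public key for the
# private scalar 1). A valid curve point, but NOT a key from any YubiKey.
SAMPLE_PEM = point_to_pem(P256_GX, P256_GY)

if __name__ == "__main__":
    print(pem_to_openssh(SAMPLE_PEM))
```

Run it as a script to print the key line for the constructed sample, or call pem_to_openssh on the contents of the pubkey.pem that ykman wrote. The on-curve check costs nothing and is worth keeping: a malformed point from a corrupted export would otherwise end up in authorized_keys or on GitHub, where it can never authenticate anything and only causes confusing failures later.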

@mutlusun

mutlusun commented Jun 4, 2023

Dear @bcvanmeurs ,

Thanks for helping out! Your guide worked for me as well and I am able to log in to other hosts via ssh successfully.

One remark: In my version of ykman the command piv keys info 9a does not exist. It is also not listed in the official online documentation: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html However, the piv info command worked and was totally sufficient (even though the newly created key in 9a was not directly displayed. I needed to execute the command a second time / wait a bit).

I'm happy to provide a PR to extend the docs with the guide above, if @FiloSottile is interested in this.

@bcvanmeurs

Hi @mutlusun ,
Glad to hear it works!

Are you using a recent version of ykman? I used ykman version 5.1.0 and checked the ykman piv keys info command here, I can see that this command was added just 4 months ago (Yubico/yubikey-manager@14ae687), so maybe you are using an older version and I believe that the documentation is out of date.

@bcvanmeurs

bcvanmeurs commented Jun 5, 2023

Oh I see now that it is also mentioned in the release notes of version 5.1.0, released on April 17th.

  • "Add PIV key info command to CLI"

https://github.com/Yubico/yubikey-manager/releases/tag/5.1.0

@mutlusun

Dear @bcvanmeurs ,
Sorry for my late reply! I can confirm that my ykman is rather old (I'm on Debian). So in this version the command doesn't exist. Thanks again for your guide!

@squirmy

squirmy commented Aug 15, 2023

Just sharing another workaround for this issue. I reset my yubikey back to the default PIN/PUK & Management Key. As per the instructions in the error message.

If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.

Despite not knowing what I was doing I tried it anyway.

The defaults are here:
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

There are 3 commands, each will prompt you to enter the values.

# Change this to 123456
ykman piv access change-pin

# Change this to 12345678
ykman piv access change-puk

# Change this to 010203040506070801020304050607080102030405060708
ykman piv access change-management-key

After this you can run the setup in this project as per the documentation. Changing your PIN & PUK back to your previous non-default value. The management key is also updated to be protected by the PIN during setup.

@beep-beep-beep-boop

beep-beep-beep-boop commented Aug 10, 2024

@bcvanmeurs
Thank you, this helped a lot! One thing I might add: when you generate the certificate here:

> ykman piv certificates generate --subject "O=yubikey-agent" 9a pubkey.pem to generate the certificate. I used this subject based on setup.go, but I don't know what the recommended setting is here.

By default, it will only be valid for one year. I don't know if this really matters for SSH keys, but you can add the -d argument to set the number of days it will be valid for. age-plugin-yubikey seems to set them to be valid until the year 9999. To make it valid for the next 5000 years, you could use -d 1825000.

ykman piv certificates generate --subject "O=yubikey-agent" -d 1825000 9a pubkey.pem

Also, once you've generated it you should just be able to use ssh-add -L to get the public key. If it doesn't work, you could try restarting the yubikey agent and/or running ssh-add -D, which seemed to fix it for me. (The docs say it makes yubikey-agent release its "lock" on the YubiKey. Maybe it caches something and needs to be restarted to work with the new key?)

5 participants