Comments (8)
Dear @bcvanmeurs,
Thanks for helping out! Your guide worked for me as well and I am able to log in to other hosts via ssh successfully.
One remark: In my version of ykman the command piv keys info 9a does not exist. It is also not listed in the official online documentation: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html However, the piv info command worked and was totally sufficient (even though the newly created key in 9a was not directly displayed. I needed to execute the command a second time / wait a bit).
I'm happy to provide a PR to extend the docs with the guide above, if @FiloSottile is interested in this.
from yubikey-agent.
Dear @bcvanmeurs,
Sorry for my late reply! I can confirm that my ykman is rather old (I'm on Debian). So in this version the command doesn't exist. Thanks again for your guide!
In my case, the error looks like that:
❯ yubikey-agent -setup
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
❌ The key will be lost if the PIN and PUK are locked after 3 incorrect tries.
Choose a new PIN/PUK:
Repeat PIN/PUK:
🧪 Reticulating splines...
‼️ The default Management Key did not work
If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.
If you want to wipe all PIV keys and start fresh,
use --really-delete-all-piv-keys ⚠️
Is it the same for you?
@FiloSottile / @str4d Is there any way to work around this limitation? Or a way to manually generate a correct key?
Thanks for your help!
> In my case, the error looks like that:
> Is it the same for you?
I tried this this morning, and I get exactly the same error, I also have some Age keys on the YubiKey. I think it would be a nice feature to bypass the creation of new PIN and PUK and supply them with your own.
I think I found a workaround by manually (as suggested here) generating a key and certificate in slot 9a (which happens in setup.go) with ykman, (but I am by no means an expert in this).
- ykman piv info
  to see what slots are used. (in my case slot 82 and 83 for Age keys)
- ykman piv -h
  shows the help page where I got the inspiration for commands from
- ykman piv keys info 9a
  should show that there is no key, (I assume, I only found this command after generating the key.)
  - for example when I now do slot 84 I get this, I assume it would be the same for 9a
    ❯ ykman piv keys info 84
    ERROR: No key stored in slot 84 (RETIRED3).
- ykman piv keys generate --algorithm ECCP256 9a pubkey.pem --pin-policy once --touch-policy always
  generates a key with the settings as supplied in setup.go. Enter your PIN. It generates the pubkey.pem, which is the public key in PEM format.
- ykman piv keys info 9a
  now shows:
    ❯ ykman piv keys info 9a
    Key slot: 9A (AUTHENTICATION)
    Algorithm: ECCP256
    Origin: GENERATED
    PIN required for use: ONCE
    Touch required for use: ALWAYS
- ykman piv certificates generate --subject "O=yubikey-agent" 9a pubkey.pem
  to generate the certificate. I used this subject based on setup.go, but I don't know what the recommended setting is here.
- ykman piv info
  now lists the certificate in slot 9a.
    Slot 9A (AUTHENTICATION):
      Algorithm: ECCP256
      Subject DN: O=yubikey-agent
      Issuer DN: O=yubikey-agent
      Serial: XXXX
      Fingerprint: XXXX
      Not before: 2023-06-02T07:38:43
      Not after: 2024-06-01T07:38:43
- The last step is to convert the PEM formatted public key to an SSH formatted public key. After some searching I found this command:
  ssh-keygen -f pubkey.pem -i -m PKCS8
  it prints the public key in the ecdsa-sha2-nistp256 format.
- By the way, you can always re-export the public key by using:
  ykman piv keys export 9a -
I verified that this works with GitHub by setting the key there, and using the IdentityAgent /usr/local/var/run/yubikey-agent.sock in my ssh config.
I hope this helps! Let me know if you face any challenges.
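The last step of the workaround above converts the PEM public key that ykman writes into the OpenSSH line that GitHub and authorized_keys expect. The block below does that conversion by hand, so you can see what ssh-keygen -i -m PKCS8 actually emits and check it before trusting it. This is an added example, not code from yubikey-agent or from any commenter. The PEM it converts is constructed inside the block (the P-256 base point G standing in for a real slot 9a key); the function names and the on-curve check are my own additions, not anything ykman or ssh-keygen exposes.

```python
import base64
import hashlib
import re
import struct

# P-256 (secp256r1) domain parameters from SEC 2 / FIPS 186-4. They are used
# only to reject a point that does not lie on the curve before it becomes an
# SSH key line.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Fixed DER prefix of a SubjectPublicKeyInfo holding an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING { 0x04 X Y } }
# The whole structure is always 91 bytes: this 27-byte prefix plus X and Y.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03420004"
)


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def pem_to_der(pem):
    """Extract the DER bytes from a 'PUBLIC KEY' PEM block (what ykman writes)."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) block")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_p256_point(der):
    """Return (x, y) from a P-256 SubjectPublicKeyInfo, rejecting other curves
    and points that are not on P-256."""
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:91], "big")
    if (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on P-256")
    return x, y


def pem_to_openssh(pem, comment=""):
    """Same conversion as `ssh-keygen -f pubkey.pem -i -m PKCS8` for a P-256 key."""
    x, y = der_to_p256_point(pem_to_der(pem))
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    line = "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def openssh_to_point(line):
    """Parse an OpenSSH ecdsa-sha2-nistp256 line back into its 65-byte point."""
    blob = base64.b64decode(line.split()[1])
    fields = []
    while blob:
        n = struct.unpack(">I", blob[:4])[0]
        fields.append(blob[4:4 + n])
        blob = blob[4 + n:]
    if len(fields) != 3 or fields[:2] != [b"ecdsa-sha2-nistp256", b"nistp256"]:
        raise ValueError("not an ecdsa-sha2-nistp256 key line")
    return fields[2]


def openssh_fingerprint(line):
    """SHA256 fingerprint in the form GitHub and `ssh-keygen -lf` display."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- constructed sample input ------------------------------------------------
# The P-256 base point G (private scalar 1) wrapped as the PEM that
# `ykman piv keys generate ... pubkey.pem` writes. It is a stand-in for a real
# slot 9a public key; never use it as an actual key.
SAMPLE_X = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
SAMPLE_Y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def sample_pem():
    der = P256_SPKI_PREFIX + SAMPLE_X.to_bytes(32, "big") + SAMPLE_Y.to_bytes(32, "big")
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    key_line = pem_to_openssh(sample_pem(), "yubikey-agent slot 9a")
    print(key_line)
    print(openssh_fingerprint(key_line))
```

Every ecdsa-sha2-nistp256 key line starts with the same base64 prefix because the curve name and the 0x04 uncompressed-point marker are encoded first; the key-specific bytes only begin after it. The fingerprint function reproduces what GitHub shows under the key you paste in, so you can compare it with `ssh-keygen -lf` on the converted line and with the fingerprint yubikey-agent reports, which is the check worth doing before relying on the key.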
Hi @mutlusun,
Glad to hear it works!
Are you using a recent version of ykman? I used ykman version 5.1.0 and checked the ykman piv keys info command here, I can see that this command was added just 4 months ago (Yubico/yubikey-manager@14ae687), so maybe you are using an older version and I believe that the documentation is out of date.
Oh I see now that it is also mentioned in the release notes of version 5.1.0, released on April 17th.
- "Add PIV key info command to CLI"
https://github.com/Yubico/yubikey-manager/releases/tag/5.1.0
Just sharing another workaround for this issue. I reset my yubikey back to the default PIN/PUK & Management Key. As per the instructions in the error message.
If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.
Despite not knowing what I was doing I tried it anyway.
The defaults are here:
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
There are 3 commands; each will prompt you to enter the values.
# Change this to 123456
ykman piv access change-pin
# Change this to 12345678
ykman piv access change-puk
# Change this to 010203040506070801020304050607080102030405060708
ykman piv access change-management-key
After this you can run the setup in this project as per the documentation, changing your PIN & PUK back to your previous non-default value. The management key is also updated to be protected by the PIN during setup.