yubico-piv-tool: Pin-policy seems to be ignored for ssh keys

Roughly following the instructions here, I generate my key using --pin-policy=never:

yubico-piv-tool -a generate -s 9e -A RSA2048 --pin-policy=never --touch-policy=always -o public.pem

I also store it in slot 9e, which apparently has no pin policy by default.

And yet, when I try to use the key, I get asked for a PIN:

$ ssh -I /usr/lib/x86_64-linux-gnu/libykcs11.so private@localhost
Enter PIN for 'YubiKey PIV #15426330': 

Is there any way to use SSH login with only touch and no PIN requirement?

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 20 (12 by maintainers)

Most upvoted comments

I am having this exact issue. I don’t know if I misunderstood the documentation or what, but the ykcs11.so seems to be ignoring the pin-policy=never and pin-policy=once. It correctly evaluates the touch policy but ignores the pin policy.

I would love to know how this was tested in the documentation because I can’t find a way to make it work.

I apologize, I was wrong in saying all others have pin policy ‘once’. Slot 9c has ‘always’ by default, slot 9e has ‘never’ by default, and the others have ‘once’ by default. I’m talking about the PIN policy that actually gets set on new keys in PIV when generated or imported. Touch policy is always ‘never’ by default.

libykcs11 currently only supports the CKA_ALWAYS_AUTHENTICATE attribute in relation to this, driven by a static table that returns TRUE for slot 9c and false for all others, which is correct for the default policies, but potentially wrong for other cases.

There is however https://github.com/Yubico/yubico-piv-tool/pull/345 which will improve this by making CKA_ALWAYS_AUTHENTICATE base its return value on metadata from the YubiKey (if it supports it), and also add vendor-specific attributes that allow you to retrieve the pin- and touch policy directly. You will also be able to specify the policies when generating or importing keys.
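The following is an added example, not code from yubico-piv-tool, libykcs11 or OpenSSH. It models the two behaviours the maintainer describes (the static CKA_ALWAYS_AUTHENTICATE table that is TRUE only for slot 9c, and the metadata-driven answer from PR #345) next to the per-slot default PIN policies listed above, and then works out which PIN prompts a PKCS#11 client would issue for one signature. The client rule it uses is an assumption stated in the code, not something the issue confirms: a token whose C_GetTokenInfo flags include CKF_LOGIN_REQUIRED gets a CKU_USER login before signing, and a key reporting CKA_ALWAYS_AUTHENTICATE additionally gets a CKU_CONTEXT_SPECIFIC login per signature. The KeyState type and the slot/policy sample values are constructed for the example.

```python
"""Model why a PIV key with pin-policy=never can still trigger a PIN prompt.

Added example; not part of yubico-piv-tool, libykcs11 or OpenSSH.
"""
from dataclasses import dataclass

# PIN policy yubico-piv-tool applies by default when a key is generated or
# imported into each slot (taken from the maintainer's comment above).
DEFAULT_PIN_POLICY = {0x9A: "once", 0x9C: "always", 0x9D: "once", 0x9E: "never"}


def static_always_authenticate(slot: int) -> bool:
    """Current libykcs11 behaviour described above: TRUE only for slot 9c."""
    return slot == 0x9C


def metadata_always_authenticate(pin_policy: str) -> bool:
    """PR #345 behaviour: derive the attribute from the key's real PIN policy."""
    return pin_policy == "always"


@dataclass
class KeyState:
    """Constructed description of one PIV key as a PKCS#11 client would see it."""
    slot: int
    pin_policy: str             # policy actually set on the key: never/once/always
    token_login_required: bool  # CKF_LOGIN_REQUIRED bit from C_GetTokenInfo


def pin_prompts(key: KeyState, use_metadata: bool) -> list:
    """Return the PIN prompts a client would issue to make one signature.

    Assumption (not stated in the issue): the client logs in with CKU_USER
    once when the token reports CKF_LOGIN_REQUIRED, and performs an extra
    CKU_CONTEXT_SPECIFIC login before each signature when the key reports
    CKA_ALWAYS_AUTHENTICATE.
    """
    prompts = []
    if key.token_login_required:
        prompts.append("CKU_USER")
    if use_metadata:
        always = metadata_always_authenticate(key.pin_policy)
    else:
        always = static_always_authenticate(key.slot)
    if always:
        prompts.append("CKU_CONTEXT_SPECIFIC")
    return prompts


def attribute_mismatches(keys: list) -> list:
    """Slots where the static table disagrees with the key's real PIN policy.

    These are the keys for which a client trusting CKA_ALWAYS_AUTHENTICATE
    would either skip a required context-specific login or demand an
    unnecessary one.
    """
    return [
        k.slot
        for k in keys
        if static_always_authenticate(k.slot)
        != metadata_always_authenticate(k.pin_policy)
    ]


if __name__ == "__main__":
    # The reporter's case: slot 9e, generated with --pin-policy=never, on a
    # token that reports CKF_LOGIN_REQUIRED.
    reporter = KeyState(slot=0x9E, pin_policy="never", token_login_required=True)
    for mode in (False, True):
        print(f"slot 9e, pin-policy never, metadata={mode}: {pin_prompts(reporter, mode)}")

    # A non-default case: key in 9a generated with --pin-policy=always.
    custom = KeyState(slot=0x9A, pin_policy="always", token_login_required=True)
    print("static table:", pin_prompts(custom, use_metadata=False))
    print("metadata    :", pin_prompts(custom, use_metadata=True))
    print("mismatched slots:", [hex(s) for s in attribute_mismatches([reporter, custom])])
```

In the reporter's scenario both modes yield the same single CKU_USER prompt, because under the stated assumption the prompt is driven by the token-level CKF_LOGIN_REQUIRED flag rather than by the key's PIN policy, so fixing CKA_ALWAYS_AUTHENTICATE alone does not remove it. The mismatch only shows up for non-default policies such as a slot 9a key generated with --pin-policy=always, where the static table omits the context-specific login that the metadata-driven attribute reports.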