yubico-piv-tool: SSH keygen errors (unable to sign keys)
I can’t seem to be able to sign my SSH keys with my certs.
Exact steps to reproduce:
- Generated keys and certs using ykman (straight from documentation)
- To convert to a proper SSH format for ssh-keygen:
ssh-keygen -i -m PKCS8 -f ca.pem
- Started ssh-agent
ssh-agent -c -d -P "/*"
- Switched to separate window and set the ssh agent manually to sign using ssh-keygen
ssh-add
ssh-add -s /usr/local/lib/libykcs11.dylib
ssh-keygen -U -s ~/certs/ca.pub -n mbp.max.fan -vvv -V +1w -I mbp.max.fan ~/.ssh/id_rsa.pub
Using macOS.
Logs: From ssh-agent:
setenv SSH_AUTH_SOCK /var/folders/n6/3v_jtjs90rv4s2b9_l0cr4kw0000gn/T//ssh-Sv6CHEyKEjU2/agent.76140;
echo Agent pid 76140;
debug2: fd 3 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 17
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug1: process_add_smartcard_key: add /usr/local/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.1.dylib
debug1: pkcs11_start_helper: starting /usr/local/Cellar/openssh/8.0p1_1/libexec/ssh-pkcs11-helper -vvv
debug1: process_add
debug1: provider /usr/local/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.1.dylib: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.0
debug1: provider /usr/local/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.1.dylib slot 0: label <YubiKey PIV #10974650> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <10974650> flags 0x40d
debug1: have 1 keys
debug1: have 2 keys
debug1: have 3 keys
debug1: pkcs11_k11_free: parent 0x7fb9d9e09ad0 ptr 0x7fb9d9e099c0 idx 0
debug1: pkcs11_provider_unref: 0x7fb9d9c0bed0 refcount 4
debug1: pkcs11_k11_free: parent 0x7fb9d9e09da0 ptr 0x7fb9d9e091a0 idx 0
debug1: pkcs11_provider_unref: 0x7fb9d9c0bed0 refcount 4
debug1: pkcs11_k11_free: parent 0x7fb9d9e09e90 ptr 0x7fb9d9e0a070 idx 0
debug1: pkcs11_provider_unref: 0x7fb9d9c0bed0 refcount 4
debug1: pkcs11_k11_free: parent 0x7fb9d9e0a5e0 ptr 0x7fb9d9e09540 idx 0
debug1: pkcs11_provider_unref: 0x7fb9d9c0bed0 refcount 4
debug1: pkcs11_k11_free: parent 0x7fb9d9e0a7a0 ptr 0x7fb9d9e0a180 idx 0
debug1: pkcs11_provider_unref: 0x7fb9d9c0bed0 refcount 4
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign
debug1: check 0x7fb9d9e09e50 /usr/local/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.1.dylib
debug1: check 0x7fb9d9e09e70 /usr/local/Cellar/yubico-piv-tool/2.0.0/lib/libykcs11.1.dylib
debug1: pkcs11_check_obj_bool_attrib: provider 0x7fb9d9c0bed0 slot 0 object 87: attrib 514 = 1
debug1: pkcs11_get_key: always-auth key
need pin entry
login failed for always-auth key
pkcs11_get_key failed
debug1: pkcs11_k11_free: parent 0x7fb9d9e08170 ptr 0x0 idx 0
process_sign_request2: sshkey_sign: error in libcrypto
From ssh-keygen:
debug3: add_flag_option: permit-X11-forwarding
debug3: add_flag_option: permit-agent-forwarding
debug3: add_flag_option: permit-port-forwarding
debug3: add_flag_option: permit-pty
debug3: add_flag_option: permit-user-rc
Couldn't certify key /Users/max/.ssh/id_rsa.pub via agent: agent refused operation
I suspect this may be a problem with touch – not sure though. You guys certainly have more experience than me.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 19 (12 by maintainers)
FYI, I’ve done a few tests with
jarsignerjust now. To my surprise, now it works.This issue can stay closed.
Finally, if a key has a pin policy that means it requires PIN every time (always-auth in ykkcs11) this means the PIN must literally be verified just before performing a sign command, every time. Any command performed after that de-authenticates that PIN (including the sign operation). This behavior is per the PIV spec. According to the PKCS11 spec you are not allowed to call C_Login in the logged in state, unless you use the CONTEXT_SPECIFIC user type. With YKCS11 this user type is only allowed when you have an ongoing sign or decrypt operation (You have called C_SignInit or C_DecryptInit). Ykcs11 enforces these rules. To enable this with non-default PIN policy configured the implementation does not check that the key has the always_auth flag set. If the key doesn’t actually require always auth it will still succeed (providing the PIN is correct).
In regard to always-auth, the only thing that ykcs11 does in that regard is to return the flag from static information compiled-in into the ykcs11 library, based on the default PIN policy of the Yubikey. That means that slot 9c returns always-authenticate, the rest not, regardless of how you configure the YubiKey. You can only specify PIN policy when a key is created, and you can’t do it at all through ykcs11. If you want non-default policy you must create the key using yubico-piv-tool (or write your own application). Touch policy is not visible to the software, as it is handled by the YubiKey itself. If you don’t touch it within the timeout it will eventually time out, but otherwise it is transparent.