Open trexxeon opened 1 year ago
In my case, the error looks like that:
❯ yubikey-agent -setup
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
❌ The key will be lost if the PIN and PUK are locked after 3 incorrect tries.
Choose a new PIN/PUK:
Repeat PIN/PUK:
🧪 Reticulating splines...
‼️ The default Management Key did not work
If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.
If you want to wipe all PIV keys and start fresh,
use --really-delete-all-piv-keys ⚠️
Is it the same for you?
@FiloSottile / @str4d Is there any way to workaround this limitation? Or a way to manually generate a correct key?
Thanks for your help!
@mutlusun @trexxeon
In my case, the error looks like that:
Is it the same for you?
I tried this this morning, and I get exactly the same error. I also have some Age keys on the YubiKey. I think it would be a nice feature to bypass the creation of new PIN and PUK and supply them with your own.
I think I found a workaround by manually (as suggested here) generating a key and certificate in slot 9a (which happens in setup.go) with ykman (but I am by no means an expert in this).
ykman piv info
to see what slots are used (in my case slot 82 and 83 for Age keys).
ykman piv -h
shows the help page where I got the inspiration for commands from.
ykman piv keys info 9a
should show that there is no key (I assume; I only found this command after generating the key).
❯ ykman piv keys info 84
ERROR: No key stored in slot 84 (RETIRED3).
ykman piv keys generate --algorithm ECCP256 9a pubkey.pem --pin-policy once --touch-policy always
generates a key with the settings as supplied in setup.go. Enter your PIN. It generates pubkey.pem, which is the public key in PEM format.
ykman piv keys info 9a
now shows:
❯ ykman piv keys info 9a
Key slot: 9A (AUTHENTICATION)
Algorithm: ECCP256
Origin: GENERATED
PIN required for use: ONCE
Touch required for use: ALWAYS
ykman piv certificates generate --subject "O=yubikey-agent" 9a pubkey.pem
to generate the certificate. I used this subject based on setup.go, but I don't know what the recommended setting is here.
ykman piv info
now lists the certificate in slot 9a.
Slot 9A (AUTHENTICATION):
Algorithm: ECCP256
Subject DN: O=yubikey-agent
Issuer DN: O=yubikey-agent
Serial: XXXX
Fingerprint: XXXX
Not before: 2023-06-02T07:38:43
Not after: 2024-06-01T07:38:43
ssh-keygen -f pubkey.pem -i -m PKCS8
prints the public key in the ecdsa-sha2-nistp256 format.
ykman piv keys export 9a -
I verified that this works with GitHub by setting the key there, and using IdentityAgent /usr/local/var/run/yubikey-agent.sock in my ssh config.
I hope this helps! Let me know if you face any challenges.
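As an added illustration (not code from this thread or from yubikey-agent), here is what the `ssh-keygen -f pubkey.pem -i -m PKCS8` step above does, written in Python with only the standard library: it parses the PEM SubjectPublicKeyInfo that ykman writes, pulls out the P-256 point, and re-encodes it as an ecdsa-sha2-nistp256 public key line for authorized_keys or GitHub. The PEM below is a constructed sample with made-up coordinates, not a real YubiKey key.

```python
import base64
import struct

# DER AlgorithmIdentifier contents for id-ecPublicKey + prime256v1 (P-256).
_EC_P256_ALG = bytes.fromhex("06072a8648ce3d0201"    # OID 1.2.840.10045.2.1
                             "06082a8648ce3d030107")  # OID 1.2.840.10045.3.1.7

# Constructed sample input (not a real YubiKey key): a SubjectPublicKeyInfo
# built from made-up X/Y coordinates, wrapped as PEM like ykman's pubkey.pem.
_X = bytes(range(1, 33))
_Y = bytes(range(101, 133))
_SPKI = (b"\x30\x59" + b"\x30\x13" + _EC_P256_ALG
         + b"\x03\x42\x00" + b"\x04" + _X + _Y)
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(_SPKI).decode()
              + "-----END PUBLIC KEY-----\n")

def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def p256_point_from_pem(pem):
    """Return the uncompressed point 0x04||X||Y from a PKCS8/SPKI PEM."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, spki, _ = _der_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)
    if tag != 0x30 or alg != _EC_P256_ALG:
        raise ValueError("only id-ecPublicKey on prime256v1 is handled")
    tag, bits, _ = _der_tlv(spki, pos)
    point = bits[1:]                        # skip the unused-bits byte
    if tag != 0x03 or bits[0] != 0 or len(point) != 65 or point[0] != 4:
        raise ValueError("expected a 65-byte uncompressed EC point")
    return point

def _ssh_string(b):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

def ssh_public_key_line(pem):
    """Same output as `ssh-keygen -i -m PKCS8 -f pubkey.pem` for a P-256 key."""
    blob = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
            + _ssh_string(p256_point_from_pem(pem)))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()
```

Running `print(ssh_public_key_line(open("pubkey.pem").read()))` on the file ykman produced gives the same line as ssh-keygen; the fixed prefix AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY is the encoded algorithm and curve names, and only the tail carries the key.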
Dear @bcvanmeurs ,
Thanks for helping out! Your guide worked for me as well and I am able to log in to other hosts via ssh successfully.
One remark: In my version of ykman the command piv keys info 9a does not exist. It is also not listed in the official online documentation: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html However, the piv info command worked and was totally sufficient (even though the newly created key in 9a was not directly displayed; I needed to execute the command a second time / wait a bit).
I'm happy to provide a PR to extend the docs with the guide above, if @FiloSottile is interested in this.
Hi @mutlusun , Glad to hear it works!
Are you using a recent version of ykman? I used ykman version 5.1.0 and checked the ykman piv keys info command here. I can see that this command was added just 4 months ago (https://github.com/Yubico/yubikey-manager/commit/14ae687678f2e4d207ca05b357196e6f6de5a460), so maybe you are using an older version and I believe that the documentation is out of date.
Oh I see now that it is also mentioned in the release notes of version 5.1.0, released on April 17th.
https://github.com/Yubico/yubikey-manager/releases/tag/5.1.0
Dear @bcvanmeurs ,
Sorry for my late reply! I can confirm that my ykman is rather old (I'm on Debian). So in this version the command doesn't exist. Thanks again for your guide!
Just sharing another workaround for this issue. I reset my yubikey back to the default PIN/PUK & Management Key, as per the instructions in the error message:
If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.
Despite not knowing what I was doing I tried it anyway.
The defaults are here: https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
There are 3 commands, each will prompt you to enter the values.
# Change this to 123456
ykman piv access change-pin
# Change this to 12345678
ykman piv access change-puk
# Change this to 010203040506070801020304050607080102030405060708
ykman piv access change-management-key
After this you can run the setup in this project as per the documentation, changing your PIN & PUK back to your previous non-default value. The management key is also updated to be protected by the PIN during setup.
When I have created an age encryption key on the YubiKey with the age-yubikey-plugin and try to use yubikey-agent, it says that the card is already configured and that I'll need to use the wipe flag, which results in everything being wiped, so the age encryption key is gone.