NoMoreFood / putty-cac

Windows Secure Shell Client With Support For Smart Cards, Certificates, & FIDO Keys

Yubikey via CAPI stops working after a while, needs Windows reboot #137

Closed jezzaaa closed 1 month ago

jezzaaa commented 1 month ago

Using a Yubikey/PIV cert via CAPI fails after a while. Switching to PKCS to use the same key works OK.

Fails with both PuTTY-CAC (with or without Pageant-CAC) and plink-CAC (with Pageant-CAC).

Example using CAPI:

C:\> putty-cac -i CAPI:695366a8a72921c87016cebf998bcb6721b3313f username@host

...
End of banner message from server
Authenticating with public key "CAPI:695366a8a72921c87016cebf998bcb6721b3313f"
Server refused public-key signature despite accepting key!
username@host's password:

I get this pop-up:

(screenshot of the pop-up dialog)

Pressing OK or Cancel doesn't help. The pop-up repeats four more times.

Example using PKCS:

C:\> putty-cac -i  PKCS:695366a8a72921c87016cebf998bcb6721b3313f="C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" username@host

...
End of banner message from server
Authenticating with public key "PKCS:695366a8a72921c87016cebf998bcb6721b3313f=C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Last login: Mon Aug 26 11:38:43 2024 from 10.11.12.13

Initially everything works fine. After a day, a week, or a month, the key is no longer working. I have a second Yubikey, and I can switch over to that, and it typically works. But after a while, the second key stops working also, with the same symptoms.

Unloading and re-loading Pageant doesn't help. Removing and re-adding the key into Pageant doesn't help. Using PuTTY-CAC without Pageant fails in the same way as when using Pageant directly. Unplugging and re-plugging the Yubikey doesn't help.

If I run "certutil -sc" it doesn't prompt me for a PIN, like it normally would.

On the ssh server, the log shows "error: key_verify: invalid argument" instead of "Accepted publickey for ..."

A reboot of Windows seems to be the only fix.

I'm not sure what the problem is. I'd be grateful for any guidance for how to troubleshoot this.

NoMoreFood commented 1 month ago

If unloading and reloading Pageant doesn't work (and even certutil doesn't), this sounds like a bug with the Yubikey minidriver that must not exist in the PKCS library. Any chance you tried contacting them?

jezzaaa commented 1 month ago

I haven't installed the minidriver.

Interestingly, I get these errors at the end of "certutil -scinfo":

=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset
Microsoft Smart Card Key Storage Provider: Missing stored keyset

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

Googling this error doesn't shed any light. Although I'm not entirely sure what I'm searching for.

My guess is that it's a Microsoft CAPI fault. But I don't know how to dig any deeper. I'm much more comfortable troubleshooting under Linux.

NoMoreFood commented 1 month ago

@jezzaaa Where did you see that last message about the scam download? Looks like it may have been deleted (good), but just wanted to make sure.

NoMoreFood commented 1 month ago

@jezzaaa Can you provide a screenshot of this part of your registry (displaying the subkeys):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards

jezzaaa commented 1 month ago

@jezzaaa Where did you see that last message about the scam download? Looks like it may have been deleted (good), but just wanted to make sure.

The message is what I replied to. I submitted a spam report to Github, and they cleaned it up pretty quickly. There were about 2000 messages exactly the same all posted to newly opened issues.

jezzaaa commented 1 month ago

@jezzaaa Can you provide a screenshot of this part of your registry (displaying the subkeys):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards

(two screenshots of the Calais\SmartCards registry subkeys)

NoMoreFood commented 1 month ago

Gotcha. So it's using the default minidriver since it's probably passing the generic NIST PIV identifier. You may want to try the Yubikey minidriver just to see if it's reproducible in the event it is a bug with the Microsoft one -- I assume the Yubikey one will set itself up to override the default Microsoft one (even for PIV). The "NTE_BAD_KEYSET" is pretty much the CAPI subsystem saying that it can't find a way to access the private key or that the private key does not exist (despite CAPI thinking it should).
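An added PowerShell diagnostic (not part of putty-cac or this thread) that dumps the same Calais\SmartCards subkeys the maintainer asked about, showing which CSP, KSP and minidriver each registered card resolves to, and then checks whether certutil -scinfo reports the NTE_BAD_KEYSET symptom. It assumes the standard value names Windows uses under that key (ATR, ATRMask, Crypto Provider, Smart Card Key Storage Provider, 80000001); matching the Yubico minidriver by "yubi"/"ykmd" in the name or DLL path is an assumption.

```powershell
# Added diagnostic, not from the issue or the project. Run in an elevated
# PowerShell if the key is not readable as a normal user.
$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

function Format-Hex([byte[]] $bytes) {
    if (-not $bytes) { return '' }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# One row per registered card: the ATR/mask used to match the inserted card,
# and the CSP / KSP / minidriver DLL that CAPI and CNG will route to.
function Get-SmartCardRegistrations {
    Get-ChildItem -Path $base | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        $mini = $v.'80000001'
        [pscustomobject]@{
            Name       = $_.PSChildName
            ATR        = Format-Hex $v.ATR
            ATRMask    = Format-Hex $v.ATRMask
            CSP        = $v.'Crypto Provider'
            KSP        = $v.'Smart Card Key Storage Provider'
            Minidriver = $mini
            # Assumption: the Yubico minidriver shows up as ykmd/yubi in name or path.
            IsYubico   = [bool](("$($_.PSChildName) $mini") -match 'yubi|ykmd')
        }
    }
}

# Reproduce the check from the thread: NTE_BAD_KEYSET / "Missing stored keyset"
# in certutil -scinfo means CAPI sees the card but cannot reach the private key.
function Test-SmartCardKeyset {
    $out = (& certutil.exe -scinfo 2>&1) | Out-String
    [pscustomobject]@{
        MissingStoredKeyset = $out -match 'Missing stored keyset'
        BadKeyset           = $out -match 'NTE_BAD_KEYSET'
        RawOutput           = $out
    }
}

$regs = Get-SmartCardRegistrations
$regs | Format-Table Name, CSP, KSP, Minidriver, IsYubico -AutoSize
if (-not ($regs | Where-Object IsYubico)) {
    Write-Host 'No Yubico minidriver registered; PIV cards fall back to the Microsoft default.'
}
$ks = Test-SmartCardKeyset
if ($ks.BadKeyset) {
    Write-Host 'certutil reports NTE_BAD_KEYSET: same symptom as the issue; a reboot was the only known reset.'
}
```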

jezzaaa commented 1 month ago

Thanks so much for your insight. I'll try the Yubikey minidriver once I'm able to. Unfortunately, my computer is locked down by my work and I can't install software myself; I need an exemption to have extra software installed, which will take some time for review and approval.