keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

How do I use keybase with Yubikey? #2909

Open steinbitglis opened 7 years ago

steinbitglis commented 7 years ago

How do I log in when my private key isn't on my machine, but my signing key is on a yubikey?

- ERROR Sorry, your account is already established with a PGP public key, but this utility cannot find the corresponding private key on this machine. This is the fingerprint of the PGP key in your account:

maxtaco commented 7 years ago

Cc: @zapu

maxtaco commented 7 years ago

Do a keybase log send and we can take a look

steinbitglis commented 7 years ago

727d661977473e2df03f4b1c

zapu commented 7 years ago

Could you describe your YubiKey setup (which private keys are offline, which are on yubi etc.) and what you are trying to do, so I can try to reproduce the issue? Thank you

steinbitglis commented 7 years ago

I have subkeys on the yubikey, something like this: https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

steinbitglis commented 7 years ago

It's a while since I made it, but I remember that this was my inspiration: https://alexcabal.com/creating-the-perfect-gpg-keypair/

steinbitglis commented 7 years ago

For my setup:

Secret key is available.

pub  2048R/D3DA6FCB  created: 2015-11-18  expires: 2017-12-17  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/9113138F  created: 2015-11-18  expires: 2017-12-17  usage: E
sub  2048R/39812C75  created: 2015-11-18  expires: 2017-12-17  usage: A
sub  2048R/D9F2ECC8  created: 2015-11-18  expires: 2017-12-17  usage: S
[ultimate] (1). Fredrik Ludvigsen <post@fredrik.ludvigsen.name>
[ultimate] (2)  Fredrik Ludvigsen (offline master key) <post@fredrik.ludvigsen.name>
[ultimate] (3)  Fredrik Ludvigsen <fredrik@rain-games.com>

The subkeys are located on the yubikey.

zapu commented 7 years ago

This is what I see when I do gpg2 --list-secret-keys on my test setup (both primary signing key and encryption subkey have secret keys on yubikey):

sec>  rsa2048 2017-03-14 [SC]
      BDD071E86CD184E326E4528F7384033FA8BBB1F4
      Card serial no. = 0006 05297442
uid           [ultimate] Michał Yubi <yubiman@keybase.io>
ssb>  rsa2048 2017-03-14 [E]

Do you have something similar? IIRC > indicates that this key has a stub private key to know it's on device.

steinbitglis commented 7 years ago

--------------------------------------------------
sec#  2048R/D3DA6FCB 2015-11-18 [expires: 2016-11-17]
uid                  Fredrik Ludvigsen (offline master key) <post@fredrik.ludvigsen.name>
ssb>  2048R/9113138F 2015-11-18
ssb>  2048R/39812C75 2015-11-18
ssb>  2048R/D9F2ECC8 2015-11-18

zapu commented 7 years ago

OK, I'll try to recreate something like this and see what I can do. Thank you for helping me with that!

steinbitglis commented 7 years ago

Thank you for looking into it. I'm heading home soon, but I'll try to follow up as close as I can.

zapu commented 7 years ago

It looks like a bug in our openpgp library, so I will take it from there for a bit and get back to you once I have anything more. Thanks again!

zapu commented 7 years ago

Would you mind showing the output of gpg2 --no-tty --with-colons --fingerprint -K? For some reason Keybase thinks that your keys are expired. Thank you.

steinbitglis commented 7 years ago

I should do this on the same computer then, so it will have to be tomorrow morning.

I'll post to you then.

steinbitglis commented 7 years ago

C:\Users\Fredrik>"c:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --no-tty --with-colons --fingerprint -K
sec::2048:1:25CD263267D392E7:1336034903:1452596400:::::::::
fpr:::::::::4ECFF2B5616BAC8473AB693425CD263267D392E7:
uid:::::::2055D84321705AA23C7C0840CEABE75A2F3DE9AA::Fredrik Ludvigsen (bitcoin) <post@fredrik.ludvigsen.name>:
sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#:
fpr:::::::::BCCB574EBE1ECB5051963E4A623AE6A1D3DA6FCB:
uid:::::::65CE11F6F8070E21CDC5230BD32F0BF9B0BE2152::Fredrik Ludvigsen (offline master key) <post@fredrik.ludvigsen.name>:
ssb::2048:1:30ED71E79113138F:1447880481:::::::::D2760001240102000006038117700000:
ssb::2048:1:B575DF1939812C75:1447885988:::::::::D2760001240102000006038117700000:
ssb::2048:1:F63287CCD9F2ECC8:1447886178:::::::::D2760001240102000006038117700000:

zapu commented 7 years ago

Can we also run gpg2 --list-keys? It seems like gpg2 marks your keys as expired, so keybase client treats them as such. But when I downloaded your key from https://keybase.io/fludvigsen, it was fine.

For example:

sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#:

The 7th value is the expiration timestamp, in this case 1479417789, which is Thu Nov 17 22:23:09 CET 2016.

steinbitglis commented 7 years ago

C:\Users\Fredrik>"c:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --list-keys
C:/Users/Fredrik/AppData/Roaming/gnupg/pubring.gpg

pub   2048R/67D392E7 2012-05-03 [expired: 2016-01-12]
uid       [ expired] Fredrik Ludvigsen (bitcoin) <post@fredrik.ludvigsen.name>

pub   2048R/9FA3478C 2012-07-26
uid       [  full  ] Thomas Tyssøy <battlesheep5@gmail.com>

pub   2048R/827498B8 2012-11-20
uid       [ unknown] Peter Wingaard Meldahl <peter@rain-games.com>

pub   4096R/7BD0F730 2013-09-16
uid       [ unknown] Torbjørn Ludvigsen <post@xn--torbjrn-u1a.se>
uid       [ unknown] [jpeg image of size 14666]
sub   4096R/2C7116C9 2013-09-16
sub   4096R/50619F04 2013-09-16

pub   2048R/D9123532 2015-10-20
uid       [ unknown] Eduardo Garabito <eduardo@rain-games.com>
sub   2048R/3CD526C4 2015-10-20

pub   2048R/D3DA6FCB 2015-11-18 [expires: 2017-12-17]
uid       [ultimate] Fredrik Ludvigsen <post@fredrik.ludvigsen.name>
uid       [ultimate] Fredrik Ludvigsen (offline master key) <post@fredrik.ludvigsen.name>
uid       [ultimate] Fredrik Ludvigsen <fredrik@rain-games.com>
sub   2048R/9113138F 2015-11-18 [expires: 2017-12-17]
sub   2048R/39812C75 2015-11-18 [expires: 2017-12-17]
sub   2048R/D9F2ECC8 2015-11-18 [expires: 2017-12-17]

pub   1024D/FEB7C7BC 2007-08-27
uid       [  full  ] Dominik Reichl <dominik.reichl@gmx.de>
sub   4096g/F129EEB7 2007-08-27

pub   2048R/B43434E4 2015-08-31 [expires: 2018-08-30]
uid       [ unknown] PuTTY Releases <putty@projects.tartarus.org>

pub   4096R/58C6F98E 2016-06-08
uid       [  full  ] Dominik Reichl <dominik.reichl@gmx.de>
sub   4096R/1E43A881 2016-06-08

steinbitglis commented 7 years ago

Did that help?

zapu commented 7 years ago

Sorry! Got dragged away by other bugs :(

There is some issue where when you list your secret keys, it looks like D3DA6FCB is expired: sec# 2048R/D3DA6FCB 2015-11-18 [expires: 2016-11-17] (and that's also shown in the --with-colons output), but the public key is not expired (pub 2048R/D3DA6FCB 2015-11-18 [expires: 2017-12-17]). Is there some obvious PGP thing that I'm missing which would make them be "out of sync" like that?
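The two observations above (the field layout of `--with-colons` output explained earlier in the thread, and the secret ring reporting an expiry that the public ring no longer has) can be checked mechanically. The following is an added example, not code from the issue or from the keybase project: it parses `pub`/`sub`/`sec`/`ssb` lines, reads field 7 (expiry) and field 15 (`#` for an offline stub, a serial number for a smartcard key), and reports keys whose secret-ring expiry disagrees with the public ring. The secret listing is the one pasted in the thread (trimmed to key and fingerprint lines); the public listing with colons is constructed, and its expiry timestamp 1513545789 is an assumed value standing in for the "expires: 2017-12-17" shown in the human-readable listing.

```python
"""Added example: parse `gpg2 --with-colons` key listings, locate secret
material (local / smartcard / offline stub) and flag expiry problems,
including the public-vs-secret expiry mismatch discussed in the thread."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

KEY_RECORDS = ("pub", "sub", "sec", "ssb")


@dataclass
class KeyRecord:
    rectype: str            # pub / sub (public ring) or sec / ssb (secret ring)
    keyid: str              # field 5: long key ID
    created: int            # field 6: creation time (unix seconds)
    expires: Optional[int]  # field 7: expiry time, None when the key never expires
    token: str              # field 15: '#' = no secret key (offline stub),
                            #           smartcard serial = secret lives on the card,
                            #           '' = secret key in the local keyring

    def secret_location(self) -> str:
        """Human-readable statement of where the secret material is."""
        if self.rectype not in ("sec", "ssb"):
            return "public key record"
        if self.token == "#":
            return "offline stub (no secret key on this machine)"
        if self.token:
            return f"smartcard, serial {self.token}"
        return "local keyring"

    def is_expired(self, now: int) -> bool:
        return self.expires is not None and self.expires <= now


def parse_colons(listing: str) -> List[KeyRecord]:
    """Parse pub/sub/sec/ssb lines; fpr, uid and shell-prompt lines are skipped."""
    records = []
    for line in listing.splitlines():
        fields = line.rstrip("\r").split(":")
        if fields[0] not in KEY_RECORDS:
            continue
        fields += [""] * max(0, 16 - len(fields))   # tolerate short lines
        records.append(KeyRecord(
            rectype=fields[0],
            keyid=fields[4],
            created=int(fields[5]),
            expires=int(fields[6]) if fields[6] else None,
            token=fields[14],
        ))
    return records


def fmt_ts(ts: Optional[int]) -> str:
    if ts is None:
        return "never"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def find_expired(listing: str, now: int) -> List[str]:
    """Key IDs in the listing that are expired at `now`."""
    return [r.keyid for r in parse_colons(listing) if r.is_expired(now)]


def expiry_mismatches(pub_listing: str, sec_listing: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Key IDs whose secret-ring expiry differs from the public-ring expiry.
    A tool that reads the secret ring will treat such a key as expired even
    though the public key was extended."""
    public = {r.keyid: r for r in parse_colons(pub_listing)}
    mismatches = {}
    for r in parse_colons(sec_listing):
        p = public.get(r.keyid)
        if p is not None and p.expires != r.expires:
            mismatches[r.keyid] = (p.expires, r.expires)
    return mismatches


# Secret-ring listing pasted in the issue (prompt line kept, uid lines trimmed).
SEC_LISTING = """\
C:\\Users\\Fredrik>"c:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe" --no-tty --with-colons --fingerprint -K
sec::2048:1:25CD263267D392E7:1336034903:1452596400:::::::::
fpr:::::::::4ECFF2B5616BAC8473AB693425CD263267D392E7:
sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#:
fpr:::::::::BCCB574EBE1ECB5051963E4A623AE6A1D3DA6FCB:
ssb::2048:1:30ED71E79113138F:1447880481:::::::::D2760001240102000006038117700000:
ssb::2048:1:B575DF1939812C75:1447885988:::::::::D2760001240102000006038117700000:
ssb::2048:1:F63287CCD9F2ECC8:1447886178:::::::::D2760001240102000006038117700000:
"""

# Constructed public-ring listing (assumption): the issue only shows the
# human-readable "expires: 2017-12-17", so 1513545789 (2017-12-17 21:23:09 UTC)
# is an assumed timestamp for that date.
PUB_LISTING = """\
pub:u:2048:1:623AE6A1D3DA6FCB:1447880481:1513545789::u:::scESC:
sub:u:2048:1:30ED71E79113138F:1447880481:1513545789::u:::e:
sub:u:2048:1:B575DF1939812C75:1447885988:1513545789::u:::a:
sub:u:2048:1:F63287CCD9F2ECC8:1447886178:1513545789::u:::s:
"""

# Reference time: 2017-03-16 00:00 UTC, when the thread was active.
NOW = 1489622400

if __name__ == "__main__":
    for rec in parse_colons(SEC_LISTING):
        print(f"{rec.rectype} {rec.keyid} expires {fmt_ts(rec.expires)} "
              f"{'EXPIRED' if rec.is_expired(NOW) else 'ok'} -> {rec.secret_location()}")
    for keyid, (pub_exp, sec_exp) in expiry_mismatches(PUB_LISTING, SEC_LISTING).items():
        print(f"mismatch {keyid}: public {fmt_ts(pub_exp)} vs secret {fmt_ts(sec_exp)}")
```

Run against the thread's own secret listing, the master key 623AE6A1D3DA6FCB comes out as an offline stub that expired on 2016-11-17, while the three subkeys are reported on the smartcard with serial D2760001240102000006038117700000; the mismatch report then shows the public-ring expiry disagreeing with the secret ring, which is exactly the condition a secret-ring reader would misinterpret as "key expired".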

steinbitglis commented 7 years ago

I did update the expiry date some time ago. I don't know what I might have done wrong at that time.

steinbitglis commented 7 years ago

I'll look into that --with-colons expiry date

zapu commented 7 years ago

-K --with-colons is just different formatting for -K (or --list-secret-keys). There should be a way to get that expiry date of offline master key private "stub" (not really a stub) bumped up, but to be honest, I've yet to have one expire on me so I never tried that.

steinbitglis commented 7 years ago

It seems that I have updated my subkeys with new expiry dates, but not my offline master key. I don't really understand the difference in meaning between these expiry dates.

For now, I cannot continue until I've consulted my offline key, so until tomorrow, there's nothing I can do.

steinbitglis commented 7 years ago

I managed to make it work actually. To reproduce my situation, you need to:

steinbitglis commented 7 years ago

Not sure why this still doesn't work though:

C:\Users\Fredrik>AppData\Local\Keybase\keybase.exe pgp sign -m "test"

Signing with plain gpg2 works, and keybase login works, and my device is provisioned by gpg

zapu commented 7 years ago

In

Update the expiration date of the master key and the subkeys (offline machine)
Export a new public key, import it on the online machines

do you export updated keys with --export-secret-subkeys again? I will try to experiment again when I find time.

Glad to hear your problem is solved!

Signing through keybase will probably not work, since we use go-crypto to work with pgp keys and do signatures, and it is unlikely to ever support yubikey. For provisioning and importing keys, we shell out to gpg2 (or similar). @oconnor663 should know more and correct me here if I'm wrong.

steinbitglis commented 7 years ago

Doing a second --export-secret-subkeys does the more "proper" update of keys, which is necessary for the keybase login to work.

nethershaw commented 4 years ago

I'm doing the same thing as the OP, and this is going to get asked for a lot more often as these devices become more popular and available. The expectation that Keybase should select an appropriate signing or encryption subkey when available (whichever one has the longest validity) and prompt for pinentry if that subkey is a stub for a smartcard is the correct one.

Since seamless smartcard operation for the secure storage of private key material is absolutely essential to the goal of popularizing and simplifying the use of cryptography, updated guidance and a commitment from Keybase to support them would be appreciated.

lattice0 commented 3 years ago

Is it possible to make keybase only work with yubikey? like, git clone, sending messages, etc?

aolieman commented 2 years ago

Is it possible to make keybase only work with yubikey? like, git clone, sending messages, etc?

I came here to ask pretty much the same. I'd like to be able to better protect my keybase account from hypothetical attackers who gain physical access to my devices with Keybase installed on them. I've required password login on several devices, but I'd much rather use Yubikeys and/or biometrics.

dee-kryvenko commented 2 years ago

Is my understanding correct that --export-secret-subkeys is the only way to make keybase work with the yubikey? If that is so - keybase is missing the point. I don't want my private keys being stored anywhere but my yubikey and my encrypted usb drive in my safe box for backup. I am not exporting my private key anywhere but my offline raspberry pi for renewal.

aellwein commented 1 year ago

Is my understanding correct that --export-secret-subkeys is the only way to make keybase work with the yubikey? If that is so - keybase is missing the point. I don't want my private keys being stored anywhere but my yubikey and my encrypted usb drive in my safe box for backup. I am not exporting my private key anywhere but my offline raspberry pi for renewal.

This is also how I use Yubikey, I am not ever willing to export any of the private keys off the token...