Feature Request - PIV auth (Smart card) Hardware tokens (Yubikey) #95

Closed
arcreigh opened this issue Oct 30, 2023 · 17 comments
Labels
enhancement New feature or request

Comments

@arcreigh

Would love to have PIV functionality as in my homelab I have opted to utilize the PIV functionality of my Yubikey.
Hardware tokens are becoming more and more prevalent and would love the option to have that functionality within XPipe.

@crschnick
Contributor

Sure, something like this would be possible. If you don't mind, can you expand on your setup so I know exactly what we are talking about?

This would make it easier for me to try to set it up myself for testing and experimentation.

@crschnick crschnick added the enhancement New feature or request label Oct 30, 2023
@arcreigh
Author

So in my environment I tried to model off of a production environment: I have one Windows Domain Controller, a Windows Root Certificate Authority, and a Windows Intermediate Certificate Authority.

The link below is a good video guide to get it spun up.
https://www.youtube.com/watch?v=KsGcSCqs4Ps

This is specifically for use in a PIV style for authentication. I believe CAPI is what some other tools used as a smart card API but it's been a few years since I have had to use that functionality.

Yubikeys are growing more and more popular so having a way to interface with the minidriver would be great.

https://developers.yubico.com/ would be a good place to start I imagine for you.

I myself am just a network engineer, so some of my statements may be blatantly incorrect; do take me with a grain of salt.

@crschnick
Contributor

Ok, so I read the Yubico documentation a bit. If I read correctly, at least for SSH connections, authentication is handled via a special SSH agent, and XPipe should support these kinds of agents already. Did you get a specific error message when trying to connect with your YubiKey and agent? Or when you talk about having PIV functionality, does that include more than SSH connections?

Regardless of that, it will take me some time to order one and set everything up, so I can get back to you once this is done.

@arcreigh
Author

I wasn't aware there was a specific SSH agent needed. From a user perspective, I would hit a button which would prompt me for my Smart Card PIN, which would then allow me to select my certificate to use for auth, as in an enterprise environment your smart card / YubiKey might have multiple certs on it for different purposes. In some special circumstances some entities might have multiple smart cards to separate privileged access.

@crschnick
Contributor

Ok, I will just order a cheap YubiKey for this. I think it's good to own one for this.

@arcreigh
Author

arcreigh commented Oct 31, 2023

Be sure you get one that supports PIV! Check this link.
https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers
I would recommend one of the FIPS compatible keys.

@crschnick
Contributor

Alright, so I got the YubiKey and set everything up. So now I can use it for SSH authentication, for example.

I was able to implement support for using the YubiKey with SSH connections in XPipe via the gpg-agent.

So now you would have to elaborate a little bit more on your use case:

  • How do you use it for SSH authentication on Windows? I used Gpg4win.
  • Since your issue description is a little bit vague, what else do you want to use the key for? E.g. as a substitute for the master passphrase of the XPipe vault, or something else?
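The "special SSH agent" mentioned above is gpg-agent with SSH support enabled, and a client such as XPipe talks to it over the standard SSH agent protocol. The following is an added example, not XPipe's or GnuPG's code: it builds the request-identities message, parses the agent's answer, and picks out keys that gpg-agent reports as living on a smart card (it marks those with a `cardno:` comment). The Unix-socket path assumes Linux/macOS; the Windows/Gpg4win side (Pageant or named pipe) is not covered, and the sample answer is constructed inline rather than read from a real agent.

```python
import os
import socket
import struct

# SSH agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(b):
    """Encode bytes as an SSH length-prefixed string."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Read one length-prefixed string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def parse_identities_answer(msg):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body into [(key_type, blob, comment)]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        key_type, _ = _read_string(blob, 0)  # first field of any public key blob
        keys.append((key_type.decode(), blob, comment.decode(errors="replace")))
    return keys

def card_backed(keys):
    """gpg-agent labels keys that live on a smart card with a 'cardno:' comment."""
    return [k for k in keys if k[2].startswith("cardno:")]

def list_agent_keys(sock_path=None):
    """Ask the agent at SSH_AUTH_SOCK (or sock_path) for its identities (Unix socket)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return parse_identities_answer(s.recv(n, socket.MSG_WAITALL))

# Constructed sample answer: one card-backed ed25519 key and one file-backed key.
SAMPLE_BLOB = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2)
                 + _string(SAMPLE_BLOB) + _string(b"cardno:000000000000")
                 + _string(SAMPLE_BLOB) + _string(b"user@laptop"))
```

Against a live gpg-agent, `card_backed(list_agent_keys())` returns only the YubiKey-held identities, which is the check a client can use to confirm the agent, rather than a key file, is doing the signing.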

@arcreigh
Author

arcreigh commented Dec 7, 2023

GPG is a great first step for initial support of the YubiKey; however, I am looking for PIV support, which is backed by certificates. You can see the PIV application support in your YubiKey app. PuTTY-CAC uses CAPI in order to interface with PIV Smart Cards. That is the functionality I am after. You should absolutely support both! PIV/Smart Card based auth is a more advanced enterprise grade feature used in the government sector.

@crschnick
Contributor

crschnick commented Dec 9, 2023

GPG agent support has now been implemented in the latest PTB build at https://github.com/xpipe-io/xpipe-ptb, so you can try it out if you want.

The PIV support is next.

@crschnick
Contributor

Can you check whether the PIV support in https://github.com/xpipe-io/xpipe-ptb/releases/tag/1.7.11-2 works for you?

@arcreigh
Author

arcreigh commented Dec 10, 2023 via email

@crschnick
Contributor

I think something went wrong with your email reply, not sure whether you want to include your contact details in there.

@arcreigh
Author

Thanks for that lol, pre-coffee nonsense. Edited my details out.

@crschnick
Contributor

So I will probably add this feature to the professional version once it's released because most people will probably use this authentication in an enterprise context.

I can give you a free professional license though since you posted this feature request in the first place and helped a lot. So just let me know to which email I should send it to.

@arcreigh
Author

Your analysis on that is 100% correct. This would be an advanced secure auth implementation used heavily in government sectors (DoD/DHS/insert agency here). I definitely appreciate the offer on a free pro key and will take you up on that. My GitHub username @gmail.com.

@crschnick
Contributor

This feature is now released; you can try it out in the latest version. I will send you that license key eventually. I also introduced a new preview license that will give you access to these features as they are released, so you can try out whether that works for you first.

@crschnick
Contributor

So now, with the latest fixes implemented for smart card handling to prevent it from asking for verification twice, I think I can finally close this issue as fully completed.
