Unable to create key when age-yubikey-plug has created key on yubikey

[trexxeon]

When I have created an age encryption key on yubikey with the age-yubikey-plugin and try to use yubikey-agent it says that the card is already configured and that I’ll need to use wipe flag which results in that everything is wiped so the age encryption key is gone

[mutlusun]

In my case, the error looks like that:

❯ yubikey-agent -setup
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
❌ The key will be lost if the PIN and PUK are locked after 3 incorrect tries.

Choose a new PIN/PUK: 
Repeat PIN/PUK: 

🧪 Reticulating splines...
‼️  The default Management Key did not work

If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.

If you want to wipe all PIV keys and start fresh,
use --really-delete-all-piv-keys ⚠️

Is it the same for you?

[mutlusun]

@FiloSottile / @str4d Is there any way to workaround this limitation? Or a way to manually generate a correct key?

Thanks for your help!

[bcvanmeurs]

@mutlusun @trexxeon

In my case, the error looks like that:

Is it the same for you?

I tried this this morning, and I get exactly the same error, I also have some Age keys on the YubiKey. I think it would be a nice feature to bypass the creation of new PIN and PUK and supply them with your own.

I think I found a workaround by manually (as suggested here) generating a key and certificate in slot 9a (which happens in setup.go) with ykman, (but I am by no means an expert in this).

• ykman piv info to see what slots are used. (in my case slot 82 and 83 for Age keys)
• ykman piv -h shows the help page where I got the inspiration for commands from
• ykman piv keys info 9a should show that there is no key, (I assume, I only found this command after generating the key.)
  • for example when I now do slot 84 I get this, I assume it would be the same for 9a

    ❯ ykman piv keys info 84
    ERROR: No key stored in slot 84 (RETIRED3).
    

• ykman piv keys generate --algorithm ECCP256 9a pubkey.pem --pin-policy once --touch-policy always generates a key with the settings as supplied in setup.go. enter your PIN. It generates the pubkey.pem, which is the public key in pem format.
• ykman piv keys info 9a now shows:

  ❯ ykman piv keys info 9a
  Key slot:               9A (AUTHENTICATION)
  Algorithm:              ECCP256
  Origin:                 GENERATED
  PIN required for use:   ONCE
  Touch required for use: ALWAYS
  

• ykman piv certificates generate --subject "O=yubikey-agent" 9a pubkey.pem to generate the certificate. I used this subject based on setup.go, but I don't know what the recommended setting is here.
• ykman piv info now lists the certificate in slot 9a.

  Slot 9A (AUTHENTICATION):
   Algorithm:   ECCP256
   Subject DN:  O=yubikey-agent
   Issuer DN:   O=yubikey-agent
   Serial:      XXXX
   Fingerprint: XXXX
   Not before:  2023-06-02T07:38:43
   Not after:   2024-06-01T07:38:43
  

• The last step is to convert the PEM formatted public key to a SSH formatted public key. After some searching I found this command: ssh-keygen -f pubkey.pem -i -m PKCS8 it prints the public key in the ecdsa-sha2-nistp256 format.
• By the way, you can always re-export the public key by using: ykman piv keys export 9a -

I verified that this works with Github by setting the key there, and using the IdentityAgent /usr/local/var/run/yubikey-agent.sock in my ssh config.

I hope this helps! Let me know if you face any challenges.

[mutlusun]

Dear @bcvanmeurs ,

Thanks for helping out! Your guide worked for me as well and I am able to log in to other hosts via ssh successfully.

One remark: In my version of ykman the command piv keys info 9a does not exist. It is also not listed in the official online documentation: https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html However, the piv info command worked and was totally sufficient (even though the newly created key in 9a was not directly displayed. I needed to execute the command a second time / wait a bit).

I'm happy to provide a PR to extend the docs with the guide above, if @FiloSottile is interested in this.

[bcvanmeurs]

Hi @mutlusun ,
Glad to hear it works!

Are you using a recent version of ykman? I used ykman version 5.1.0 and checked the ykman piv keys info command here, I can see that this command was added just 4 months ago (Yubico/yubikey-manager@14ae687), so maybe you are using an older version and I believe that the documentation is out of date.

[bcvanmeurs]

Oh I see now that it is also mentioned in the release notes of version 5.1.0, released on April 17th.

• "Add PIV key info command to CLI"

https://github.com/Yubico/yubikey-manager/releases/tag/5.1.0

[mutlusun]

Dear @bcvanmeurs ,
Sorry for my late reply! I can confirm that my ykman is rather old (I'm on Debian). So in this version the command doesn't exist. Thanks again for your guide!

[squirmy]

Just sharing another workaround for this issue. I reset my yubikey back to the default PIN/PUK & Management Key. As per the instructions in the error message.

If you know what you're doing, reset PIN, PUK, and
Management Key to the defaults before retrying.

Despite not knowing what I was doing I tried it anyway.

The defaults are here:
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

There are 3 commands, each will prompt you to enter the values.

# Change this to 123456
ykman piv access change-pin

# Change this to 12345678
ykman piv access change-puk

# Change this to 010203040506070801020304050607080102030405060708
ykman piv access change-management-key

After this you can run the setup in this project as per the documentation. Changing your PIN & PUK back to your previous non-default value. The management key is also updated to be protected by the PIN during setup.