signers: allow all card slots and imported keys, sign confirmation and card select by serial #104

Open. Wants to merge 3 commits into base: main.

Conversation

@FStelzer FStelzer commented Oct 13, 2021

  • Creates a CLI configuration flag (--slot authentication) to be
    able to specify which slots should be enabled.
  • Also allows specifying a PIN policy (--slot signature,always) to allow
    for imported keys. Since these do not have a valid attestation, which
    would otherwise be used to determine the PIN policy, we have to set it.
  • Allows selecting a specific YubiKey by its serial number. Otherwise, try all cards to find a valid one (my laptop sometimes has its internal smartcard reader in the cards list, which will fail to "Open()" without a card, though).
  • Adds an "ssh-add -c" equivalent key-use confirmation. When a PIN cache is in use it is good practice to know when the card/key is actually used for signing.

to enable all slots with imported keys for a typical PIV config you could use:
yubikey-agent -l agent.sock --slot authentication,once --slot signature,always --slot keymanagement,once

The default without any parameters matches the current config (only Authentication and no configured PIN policy).

This change makes yubikey-agent immediately usable with previously generated / imported keys (which I think a lot of people, at least in the corporate world, have).

Similar to #57 but focused on usage of all imported keys.
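As an added illustration of how the repeated `--slot name[,policy]` flag described above can be validated before any card is opened (this is not code from yubikey-agent or from this PR): the slot names and PIN policies are the ones named in the description, the key reference bytes 0x9a/0x9c/0x9d are the standard PIV identifiers for those slots, and the function name `ParseSlots` plus the rejection of a slot listed twice are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// SlotConfig is one parsed "--slot name[,policy]" value. KeyRef is the PIV key reference;
// an empty Policy means "not configured", i.e. derive it from the attestation (which imported keys lack).
type SlotConfig struct {
	Name   string
	KeyRef byte
	Policy string
}

// Slot names accepted on the command line with their PIV key reference identifiers,
// and the PIN policies a slot may be given. (Constructed for this example.)
var slotRefs = map[string]byte{"authentication": 0x9a, "signature": 0x9c, "keymanagement": 0x9d}
var pinPolicies = map[string]bool{"never": true, "once": true, "always": true}

// ParseSlots turns the values of every repeated --slot flag into a slot list.
// With no values it keeps the pre-change default: authentication only, policy unset.
func ParseSlots(values []string) ([]SlotConfig, error) {
	if len(values) == 0 {
		return []SlotConfig{{Name: "authentication", KeyRef: 0x9a}}, nil
	}
	seen := map[string]bool{}
	var slots []SlotConfig
	for _, v := range values {
		parts := strings.SplitN(strings.ToLower(v), ",", 2)
		ref, ok := slotRefs[parts[0]]
		if !ok {
			return nil, fmt.Errorf("unknown slot %q", parts[0])
		}
		if seen[parts[0]] { // a slot listed twice is a configuration error, not a merge
			return nil, fmt.Errorf("slot %q given twice", parts[0])
		}
		seen[parts[0]] = true
		policy := ""
		if len(parts) == 2 {
			if !pinPolicies[parts[1]] {
				return nil, fmt.Errorf("unknown pin policy %q for slot %q", parts[1], parts[0])
			}
			policy = parts[1]
		}
		slots = append(slots, SlotConfig{Name: parts[0], KeyRef: ref, Policy: policy})
	}
	return slots, nil
}
```

Rejecting a malformed policy up front matters because an imported key with no attestation would otherwise end up usable without any PIN prompt at all.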

- creates a cli configuration flag (--slot authentication) to be
  able to specify which slots should be enabled
- allows specifying a pin policy (--slot signature,always) to allow
  for imported keys. These do not have a valid attestation which
  would be used to determine the pin policy, so we have to set it.

to enable all slots with imported keys for a typical PIV config you could use:
yubikey-agent -l agent.sock --slot authentication,once --slot signature,always --slot keymanagement,once

Try all available cards till we find the first usable one.
Also allow selecting a specific YubiKey by passing -serial 1234567890

Similar to ssh-add -c. Uses askpass to confirm every signing operation
by the user. Especially useful for cached PIN scenarios.
YubiKeys can cache PINs and askpass can be configured to autofill from
keychain. The user might still want to know about signing operations
happening.
@FStelzer FStelzer changed the title signers: allow all card slots and imported keys signers: allow all card slots and imported keys, sign confirmation and card select by serial Oct 18, 2021