
Comments (8)

FiloSottile commented on May 20, 2024

Yup, same with gpg-agent, seems to be a PCSC limitation. We'll definitely document this. There's also go-piv/piv-go#47 upstream to look into ways to make this better.

The interface is released on SIGHUP, so you can use killall -HUP yubikey-agent.

from yubikey-agent.

ryan-gerstenkorn-sp commented on May 20, 2024

FYI, this workaround seems to fix a similar issue when using ykman oath code --single ... as well.

Just so it's searchable, here's the error you get when trying this when yubikey-agent is running:

Error: Failed connecting to YubiKey 5 [FIDO+CCID]. Make sure the application have the required permissions.


FiloSottile commented on May 20, 2024

Interestingly, my YubiKey 5 seems to persist the PIN cache across sessions, and even yubikey-agent restarts (but not unplug-replug cycles, as expected). In this case it would be far more acceptable to just drop the session every time.

I bet using a different applet will still trash the PIN cache, but that's probably ok.


FiloSottile commented on May 20, 2024

Huh, it might be that PIN caching has always spanned sessions, but on older firmwares getting the serial number requires switching applets, so effectively we were dropping it at every session. Maybe there's an argument for not taking an exclusive lock, and just not reading the serial on older firmwares.


WhyNotHugo commented on May 20, 2024

Hi! I want to use yubikey-agent for a very few SSH keys. Mostly, the ones for sites that don't support ed25519-sk keys.

This issue is a big pain, especially because I use the yubikey as a FIDO device a lot too, as well as for GPG.

I wouldn't mind having to type the PIN each time I use yubikey-agent if that's the price for it to not lock my yubikey the rest of the time.

Is this approach somehow possible? I think it could be a useful solution for some until upstream unblocks this issue.


smlx commented on May 20, 2024

Wouldn't #44 essentially solve this? launchd also supports socket activation. Here's the launchd config and associated socket activation code I use in piv-agent. It's only lightly tested on macOS since I don't use that OS regularly, but it does work:
https://github.com/smlx/piv-agent/blob/main/deploy/launchd/com.github.smlx.piv-agent.plist
https://github.com/smlx/piv-agent/blob/main/internal/sockets/get_darwin.go


ezekiel commented on May 20, 2024

I may not fully understand the context here, but it might be more worthwhile overall to place some efforts on this PR on the upstream piv-go library: go-piv/piv-go#100

This will allow yubikey-agent and piv-agent to Open SHARED access to the key, and avoid blocking other applications which do the same (like ssh-agent, p11-kit, etc.).


cedws commented on May 20, 2024

go-piv/piv-go#47 (comment)

Looks like the PR for piv-go is stuck.

Would it make sense to build a broker that could be used by this project and others? Though it would be difficult to get projects to adopt it.

