Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
7 votes, 0 answers, 7249 views
How to setup passkey authentication in Linux?
I have [setup](https://gist.github.com/pavinjosdev/0d7ade586e4b4a33d03a19c7684e78ce) the PAM module `pam_u2f.so` for FIDO2 as the primary authentication method on my LMDE 5 (based on Debian 11) machine.
Is there a way to integrate passkey support with this PAM module or with another?
Specifically I'm looking for the ability to use Google [passkeys](https://passkeys.dev/device-support/) in addition to my hardware security key (Yubikey).
There are several advantages to using a passkey from Google/Apple with the potential privacy downside:
1. The credentials are tied to the Google account and synced across all Google devices, so any device can be used as an authenticator
2. Not tied to a physical object that can be lost/stolen
3. Main point for lazy me: no need to remove a lost/stolen/damaged key from every website and device it's configured on
The Chrome browser on Linux sends a push notification via Bluetooth to a nearby Android smartphone for FIDO2/WebAuthn registration/authentication.
Can the `pam_u2f.so` module (or another one) be configured to send a similar request and receive its response instead of relying on a locally connected USB security key?
Pavin Joseph
(276 rep)
Sep 10, 2023, 01:17 PM
• Last activity: Jun 8, 2025, 09:47 AM
1 vote, 0 answers, 105 views
No such device with Yubikey GnuPG
I have a yubikey 5 NFC with GPG keys configured that I use for encryption and signing. Usually, this works fine, but sometimes gpg will tell me that no card is connected; if I unplug and replug the key, it sometimes works again (although sometimes only after several tries). When it's not working, `gpg --card-status` will say `gpg: selecting card failed: No such device`, and the light on the key often (but not always) lights up permanently.
This seems to happen at random, but usually after it's been plugged in for a while. One consistent way to reproduce this I've found is immediately after I log in with pam_u2f with the key, but only for a new X session (if I log in via `su`, for example, the key still works after).
Restarting gpg does not fix the problem, only replugging (and that also only sometimes).
This occurs both via USB and via NFC (HID Omnikey reader). Other functionality on the key (e.g. U2F, WebAuthn) still works fine.
Versions:
- OS: OpenSuSE Leap 15.5
- GPG: 2.2.27 (from repo)
Lukor
(151 rep)
Apr 23, 2025, 11:29 AM
2 votes, 1 answer, 2172 views
Yubikey file encryption without using OpenPGP?
Is there a way to encrypt single files with a Yubikey that doesn't use OpenPGP?
I use my Yubikey for ssh logins and encrypting individual files (password stores.) The Yubikey is operating in CCID mode only (I don't currently use OTP or U2F.) All operations require the physical presence test.
Up until now I've been using my Yubikey as an OpenPGP smart card along with:
- `gpg-agent --enable-ssh-support` for ssh support; and
- gnupg.vim plugin for encrypting files.
GnuPG is clunky, unreliable, and hard to script. I'd like to stop using the Yubikey in this mode.
I have another Yubikey that is configured as a NIST PIV smart card. I use OpenSSH's PKCS11 support and a regular ssh-agent. This is much more reliable than the gpg tools, but it *doesn't provide the individual-file-encryption support*.
As I see it, there are a few possible options to using a PIV smart card for individual file encryption:
- some sort of `ssh-agent` + `vim` hack?
- maybe there's a seamless PKCS11 based file encryption tool?
- using one of the other slots on the yubikey for file encryption, maybe with OpenSC or some of libccid stuff?
- open source password manager that talks directly to the Yubikey?
batty_assembly
(21 rep)
May 25, 2017, 01:16 PM
• Last activity: Apr 22, 2025, 10:00 AM
0 votes, 1 answer, 69 views
Elexlinco NC004 card reader & FIDO2 problem with Yubikey 5C NFC
NFC Smart card reader & Yubikey works fine for OTP usage, for example with challenge-response auth for KeePassXC.
Problem with FIDO2, for example for Google login.
I've tried in Windows and all works well :(
Attached below are info and log.
Smartcard reader is an `Elexlinco NC004` but the system sees it as `GHI NC001`.
```
[mynbk ~ ] > lsusb
[...]
Bus 003 Device 015: ID ae68:8001 GHI NC001
[...]
```
Pcsclite version:
```
[mynbk ~ ] > pacman -Ss | grep pcsclite
extra/pcsclite 2.3.1-1 [installato]
multilib/lib32-pcsclite 2.3.1-1 [installato]
```
`/usr/sbin/pcscd --version` output:
```
[mynbk ~ ] > /usr/sbin/pcscd --version
pcsc-lite version 2.3.1
Copyright (C) 1999-2002 by David Corcoran .
Copyright (C) 2001-2024 by Ludovic Rousseau .
Copyright (C) 2003-2004 by Damien Sauveron .
Report bugs to .
Enabled features: USB serial filter_names libudev polkit systemd Linux x86_64 ipcdir=/run/pcscd usbdropdir=/usr/lib/pcsc/drivers serialconfdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16
```
Operating system or GNU/Linux distribution name and version:
```
[mynbk ~ ] > cat /etc/os-release
NAME="Manjaro Linux"
PRETTY_NAME="Manjaro Linux"
ID=manjaro
ID_LIKE=arch
```
Output of the command `sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee -i log.txt`:
https://pastebin.com/nGRX2pRd
ancoling67
(109 rep)
Mar 20, 2025, 02:09 PM
• Last activity: Mar 20, 2025, 03:58 PM
2 votes, 1 answer, 180 views
How to encrypt a file with Yubikey with openssl
I try to encrypt a file with my YubiKey and openssl on linux. My YubiKey is a
```
idProduct 0x0407 Yubikey 4/5 OTP+U2F+CCID
bcdDevice 5.24
```
First I extract my Public key from my yubikey:
```
pkcs15-tool --read-public-key 01 -o pubkey
```
I get a file which reads like this:
```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZ[...]WpqK
qezLU6KBlk9[...]eRDFZEkvptllFFkw==
-----END PUBLIC KEY-----
```
When I try to encrypt a file with this public key I get an error:
```
openssl pkeyutl -encrypt -pubin -inkey pubkey -in file -out file.enc
pkeyutl: Error initializing context
40A7F0A3DA720000:error:03000096:digital envelope routines:evp_pkey_asym_cipher_init:operation not supported for this keytype:../crypto/evp/asymcipher.c:189:
```
I recently switched to a yubikey. Before I had a epass2000 which worked this way. I can't find any proper docs for the yubikey online.
How do I encrypt a file with openssl and yubikey?
Janning
(123 rep)
Dec 31, 2024, 05:23 PM
• Last activity: Jan 6, 2025, 02:30 PM
1 vote, 1 answer, 50 views
why won't pass allow entries to be added or edited?
I have been using pass (cli pw manager) for a couple of years now, and I just started using yubikeys.
I have (2) YKs which I configured as duplicates of each other, transferring the same gpg subkeys (S, E, and A) to each one.
I added the YK gpg-key id to my ~/.password-store/.gpg-id file, and re-initialized the store to re-encrypt the entries using the new key.
I can now use pass with either of my YKs to open a password-store entry using pass, however, when I try either to edit an existing entry or to add a new one, I am met with:
```
$pass add test
Enter password for test:
Retype password for test:
gpg: B7C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1BB7: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
```
A check on the key returns:
```
$gpg -K YUBI
sec# rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid [ultimate] Fname Lname (YUBIKEY)
ssb> rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb> rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb> rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
```
and
```
gpg -k YUBI
pub rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid [ultimate] Fname Lname (YUBIKEY)
ssb> rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb> rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb> rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
```
Trying to re-import the **pub** made no changes, as expected.
Encrypting a file like:
```
$ gpg -r YUBIKEY -e file
```
then decrypting it with:
```
$ gpg -d file.gpg
```
works as expected. I am prompted for the passphrase and file contents are listed afterward.
Now I am confused and unsure what the issue is. If anyone has any suggs or advice I would sure appreciate it. Thks.
naphelge
(43 rep)
Nov 1, 2024, 11:40 PM
• Last activity: Nov 2, 2024, 03:33 PM
0 votes, 1 answer, 81 views
Why am I seeing output on `gpg --export-secret-key` when my secrets are on my smartcard?
I have a Yubikey with my GPG private keys on it, and public keys in my gpg keyring. I made sure that private keys are not present on my system by running `gpg --export-secret-key -a ` which returned nothing, but `gpg --export -a ` printed my public key.
Next, after setting up my `` for signing, I noticed that I still get a private key printed on `--export-secret-key` after unlocking my card and using it to sign something.
This baffled me because I wasn't expecting anything to be printed on `--export-secret-key`, so I am curious what this key is?
To be sure I have also tried deleting this private key with `--delete-secret-keys`, but using the smartcard again populates the private key for this ``.
Weezy
(679 rep)
Oct 17, 2024, 04:49 PM
• Last activity: Oct 18, 2024, 06:45 AM
2 votes, 1 answer, 924 views
Libvirt Yubikey passthrough
So I've been trying to get a yubikey passthrough to work for a few days now with no luck. Does anyone know what I'm doing wrong or what's wrong with my setup?
**Setup:**
I'm using ubuntu 18.04 as both host and guest.
Libvirt for virtualisation
**Procedure:**
I'm passing through the usb using the following hostdev section:
I boot the VM and verify that the usb was passed through properly with `lsusb`. (And it is)
Then I try `yubico-piv-tool -a status` to see if the key is working.
**Results:**
`yubico-piv-tool -a status` returns "Failed to read device".
**Observations:**
The yubikey functions on the host, `yubico-piv-tool -a status` prints as expected.
The yubikey still shows up on the host after the passthrough when I run `lsusb` on the host.
The yubikey does not function on the host while the passthrough is active.
I've tried to passthrough the yubikey on a laptop with a windows host on virtualbox and was successful with no extra settings.
I tried virtualbox on the linux host and was not successful, same results as with libvirt.
While the USB device is not passed through, `lsusb -t` shows that it's not assigned to any driver; when passed through, it's owned by the `usbfs` driver, and the libvirt-qemu user's `qemu-syst` process has the device open.
**My guess:**
There's missing parameters on the passthrough and the key isn't getting passed entirely (Something CCID/FIDO/OTP related?).
The virtualization software was not able to disconnect the device from the host.
Dave Baker
(21 rep)
Nov 15, 2022, 05:26 PM
• Last activity: Jul 16, 2024, 06:08 AM
0 votes, 1 answer, 282 views
Can a FIDO2 Security Token be removed after unlocking a LUKS volume at boot?
A FIDO2 security token should be used for decrypting all disks in a linux machine at boot. systemd allows this since version 248.
Can the FIDO2 Security Token be removed after boot when using LUKS for full disk encryption, or does it need to remain plugged in for the disk to be usable for read/write operations?
Simon Schürg
(241 rep)
Apr 7, 2024, 09:01 PM
• Last activity: Apr 7, 2024, 10:46 PM
1 vote, 2 answers, 3271 views
FIDO2 (YubiKey) to unlock LUKS from command line
Following the [example](https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html) of how to add a FIDO2 key from a YubiKey, but I can't figure out how to use the YubiKey to unlock it from the command line. The instructions talk about unlocking at boot--but that's not what I want.
# Setup
Make a 128 MiB file, make it a block device on `loop0` and setup LUKS.
```
$ dd if=/dev/urandom of=disk.bin bs=1M count=128
128+0 records in
128+0 records out
134217728 bytes (134 MB, 128 MiB) copied, 0.534038 s, 251 MB/s
$ losetup /dev/loop0 disk.bin
$ cryptsetup luksFormat -y /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for temp.bin:
Verify passphrase:
```
Add the Yubikey.
```
$ systemd-cryptenroll /dev/loop0 --fido2-device=auto --fido2-with-client-pin=yes
🔐 Please enter current passphrase for disk /dev/loop0: ****
Requested to lock with PIN, but FIDO2 device /dev/hidraw9 does not support it, disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
```
Remove the non-FIDO2 key.
```
$ cryptsetup -q -v luksKillSlot /dev/loop0 0
Keyslot 0 is selected for deletion.
Key slot 0 removed.
Command successful.
```
# Problem
Now what? This doesn't work:
```
$ cryptsetup open /dev/loop0 loop0_encrypted
Enter passphrase for disk.bin:
```
I now have a LUKS disk but I don't know how to unlock it. All tutorials I found say to make modifications to `/etc/crypttab` and give instructions for mounts at boot. I want to mount without rebooting and (preferably) without modifying `/etc/crypttab`. What am I missing?
A. Que
(663 rep)
Jul 11, 2023, 08:48 PM
• Last activity: Sep 1, 2023, 08:06 AM
0 votes, 1 answer, 211 views
Yubikey security key for file based container
Does anyone have a solution for using the Yubikey Security Key as a second factor for file-based crypto containers like VeraCrypt or something else? I know the Security Key doesn't allow PGP, but now I don't have another key.
Yan Anisimov
(3 rep)
Aug 14, 2023, 02:29 PM
• Last activity: Aug 14, 2023, 02:56 PM
2 votes, 2 answers, 1233 views
Is there a tool that can perform direct RSA decryption with a Yubikey?
The use case I'm looking for is that I walk up to a *headless* server and "unlock" it using a hardware key, where scripts on the server recognize that I've plugged it in and automatically use it without a pin or password or additional factors.
The most primitive way of implementing this would be to have a USB thumb drive with unencrypted raw AES keys on it which the scripts on the server find and use to decrypt things. The downside is that the USB stick could be copied and there is no way to revoke it if it were lost. It also runs into trouble with possible filesystem corruption of the USB stick itself if the drive were removed when the scripts were still using it.
It seems like a smartcard or Yubikey would be the obvious solution to these problems, but it also seems like most people describing Yubikey solutions pair it with gpg as a second factor of auth. I don't want "extra" auth factors, I want the key to be one of multiple possible decryption methods. I don't want to have to configure gpg on each host or have "identities" or expiration dates or trust chains or any of that. The other popular option is to integrate it with LUKS, but I was hoping for a more non-root userland option.
I just want to take an encrypted AES key and directly ask the Yubikey to decrypt it with an RSA private key that lives in hardware (without entering a pin or password, but a short touch or long touch on the device is ok).
Is there any existing tool that can accomplish this? Scripting language libraries are fine too.
M Conrad
(953 rep)
Jun 20, 2023, 10:09 PM
• Last activity: Jun 23, 2023, 11:10 AM
1 vote, 0 answers, 60 views
Yubikey PIV not working without OTP
I just started using a Yubikey to do SSH logins by following this guide.
It works fine - but only as long as the Yubikey is able to do OTP. After a few accidental touches on the key spewing a random string into places I don't want it I figured I could just disable OTP as I'm only using PIV.
Cert/key is there and working:
```
$ ykman --version
YubiKey Manager (ykman) version: 5.1.0
$ cat /etc/fedora-release
Fedora release 38 (Thirty Eight)
$ ykman piv info
PIV version: 5.4.3
PIN tries remaining: 3/3
Management key algorithm: TDES
CHUID: No data available
CCC: No data available
Slot 9A (AUTHENTICATION):
Algorithm: ECCP256
Subject DN: CN=SSH key
Issuer DN: CN=SSH key
Serial: 14009452700000000000
Fingerprint: 1fa375971a89c6f82f3b73218f717cb1d031fbd61c94965qqqqqqqqqqqqqqqqq
Not before: 2023-03-10T10:02:12
Not after: 2024-03-09T10:02:12
```
I can disable OTP:
```
$ ykman config usb --list
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
$ ykman config usb --disable OTP
USB configuration changes:
Disable OTP
The YubiKey will reboot
Proceed? [y/N]: y
$ ykman config usb --list
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
```
But after doing that, SSH no longer works, and I'm prompted for a password instead of the expected key-based login
I can enable OTP again:
```
$ ykman config usb --enable OTP
USB configuration changes:
Enable OTP
The YubiKey will reboot
Proceed? [y/N]: y
```
Which restores SSH functionality.
Why must OTP be enabled for PIV to work?
azzid
(1010 rep)
May 18, 2023, 12:29 PM
• Last activity: May 23, 2023, 07:48 AM
5 votes, 1 answer, 4730 views
gpg-agent mysteriously stopped working - agent on remote system no longer connecting to ssh socket
I am using a yubikey nano on my local system to do encrypt/decrypt/sign on remote systems, plus SSH agent forwarding. I recall this being a bear to setup, but it has worked flawlessly for several months now. Suddenly it broke. My searches all return the same links I read when I set it up, but I am stuck.
SSH agent forwarding inexplicably works. Remote system shows this:
```
REMOTE:$ ssh-add -L
ssh-rsa blahblah cardno:123
```
I can login to other servers using SSH from the remote system and it uses the nano for auth (I know this because it requires touch to enable agent signing). I can see logs about the SSH signing in the gpg-agent log on the local system.
However, I can't get GPG sign/encrypt to work at all. If I run the following on the remote system:
```
REMOTE:$ echo "$(uname -a)" | gpg2 --armor --clearsign --default-key 0x1234
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key
```
In the local gpg-agent log I see no logs about the attempt. If I run this command, I can see log entries in the local gpg-agent log:
```
REMOTE:$ $ netcat -U /home/user/.gnupg/S.gpg-agent
OK Pleased to meet you
RESET
OK
GETINFO PID
ERR 67109115 Forbidden
POOP
ERR 67109139 Unknown IPC command
```
Which results in these logs in the local agent:
```
2018-01-05 16:38:32 gpg-agent DBG: chan_10 -> OK Pleased to meet you
2018-01-05 16:38:35 gpg-agent DBG: chan_10 OK
2018-01-05 16:38:45 gpg-agent DBG: chan_10 ERR 67109115 Forbidden
2018-01-05 16:39:01 gpg-agent DBG: chan_10 ERR 67109139 Unknown IPC command
```
If I run `strace -f -F` on `gpg-connect-agent` on the remote system, it seems to be connecting to a socket in `/var/run`, but not the one forwarded from the local system in `~/.gnupg/`. I have tried removing both sockets, killing all gpg-agent processes and changing the SSH remote forward to go to either the `/var/run` location or the `~/.gnupg` location, to no avail. It is possible I screwed these steps up and I will try them again, but I want to know if someone knows the answer, and I would like to have an easy to find post for the next time this breaks.
LOCAL SYSTEM:
Mac OS X 10.11.6
gpg installed with brew
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
REMOTE SYSTEM:
ubuntu 17.10
gpg (GnuPG) 2.1.15
libgcrypt 1.7.8
EDIT:
Ok, no idea what changed, but I left it alone for a bit and came back and tried to switch the socket again and it now works:
```
REMOTE:$ $ echo "$(uname -a)" | strace -f -F gpg2 --armor --clearsign --default-key 0x1234
...
a bunch of garbage
...
stat("/run/user/1000/gnupg/S.gpg-agent", {st_mode=S_IFSOCK|0600, st_size=0, ...}) = 0
socket(AF_UNIX, SOCK_STREAM, 0) = 5
```
Changing my SSH remote forward to this new location worked. I swear I tried this earlier using the socket path provided by `gpgconf --list-dir agent-ssh-socket`, without any luck. Probably forgot to kill the existing agent. And by happenstance, I just chanced upon a blogpost reporting that this changed:
https://blog.kylemanna.com/linux/gpg-213-ssh-agent-socket-moved/
lopass
(79 rep)
Jan 5, 2018, 10:51 PM
• Last activity: May 21, 2023, 10:29 PM
1 vote, 0 answers, 375 views
GPG fails to decrypt file with Yubikey private key: No secret key
I'm trying to decrypt a file using GPG. The private key is stored on my Yubikey, but I get the following message from GPG:
```
shell> gpg --output test-temp --decrypt git-token.gpg
gpg: encrypted with 255-bit ECDH key, ID 38033A6C1F5941E8, created 2022-04-22
"User Name "
gpg: decryption failed: No secret key
```
However when checking the GPG card it can see the private key just fine:
```
General key info..:
pub ed25519/F5BA3C4BA7D63D15 2022-04-22 User Name
sec> ed25519/F5BA3C4BA7D63D15 created: 2022-04-22 expires: never
card-no: [REDACTED]
ssb# ed25519/A31508BC36769673 created: 2022-04-22 expires: never
ssb# cv25519/38033A6C1F5941E8 created: 2022-04-22 expires: never
```
As you see, the key IDs match.
The private/public keypair is also properly present in my keychain:
```
shell> gpg -k
pub ed25519 2022-04-22 [SC]
0D9E4996BF56ED20DC3162BEF5BA3C4BA7D63D15
uid [ultimate] User Name
sub ed25519 2022-04-22 [A]
sub cv25519 2022-04-22 [E]
shell> gpg -K
/home/user/.gnupg/pubring.kbx
-------------------------------
sec> ed25519 2022-04-22 [SC]
0D9E4996BF56ED20DC3162BEF5BA3C4BA7D63D15
Card serial no. = [REDACTED]
uid [ultimate] User Name
ssb# ed25519 2022-04-22 [A]
ssb# cv25519 2022-04-22 [E]
```
The file was encrypted using `--encrypt --armor --output git-token.gpg --recipient user@username.com git-token`
What gives? My setup works fine with signing (in Git for example).
Victor
(11 rep)
Apr 24, 2023, 08:04 PM
1 vote, 0 answers, 163 views
yubikey-agent not running on login
According to `man configuration.nix`, enabling `services.yubikey-agent` should start `yubikey-agent` on login:
```
services.yubikey-agent.enable
Whether to start yubikey-agent when you log in. Also sets SSH_AUTH_SOCK to point
at yubikey-agent.
Note that yubikey-agent will use whatever pinentry is specified in
programs.gnupg.agent.pinentryFlavor.
Type: boolean
Default: false
Declared by:
```
But this doesn't seem to be working any more for me, even after restart:
```
➤ grep yubikey-agent /etc/nixos/configuration.nix
services.yubikey-agent.enable = true; # used for SSH agent
➤ ssh-add -l
Error connecting to agent: Connection refused
➤ pgrep -f yubikey || echo "not found"
not found
```
Further confusing me is that `systemctl` can't even find the `yubikey-agent.service`:
```
➤ systemctl start yubikey-agent.service
Failed to start yubikey-agent.service: Unit yubikey-agent.service not found.
```
It looks like it's in the right place to me:
```
➤ ls -l /run/current-system/sw/lib/systemd/user/yubikey-agent.service
lrwxrwxrwx 1 root root 102 Dec 31 1969 /run/current-system/sw/lib/systemd/user/yubikey-agent.service -> /nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/lib/systemd/user/yubikey-agent.service
➤ cat /run/current-system/sw/lib/systemd/user/yubikey-agent.service
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent
[Service]
ExecStart=/nix/store/x7ln7dxjyfakn9cq8g1lwhlbmmyx0bzy-yubikey-agent-0.1.6/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent
[Install]
WantedBy=default.target
```
This is on NixOS 22.11:
```
➤ sudo nix-channel --list
nixos https://nixos.org/channels/nixos-22.11
```
rampion
(1709 rep)
Feb 14, 2023, 05:26 PM
0 votes, 1 answer, 1476 views
GPG is missing secret key that is expected to be on an OpenPGP card (YubiKey 5)
Hoping the answer https://unix.stackexchange.com/a/613772/320598 would help, I found out that it did not. After asking this question, I found a very similar question at https://stackoverflow.com/q/67001320/6607497 .
I have basically the same problem that the answer should fix, but it does not:
I created GPG keys locally, transferred them to the card, then deleted the local keys from the keyring and re-imported the public key (from an export made before).
I thought everything is fine (following OpenPGP Keys on a YubiKey , I thought), until I tried to sign a key:
> gpg: signing failed: No secret key
So I tried the `--card-status` thing before:
~~~lang-text
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006234727620000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 234XXXXX
Name of cardholder: UXXXXX WXXXX
Language prefs ...: de
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AC...
created ....: 2023-01-26 21:05:14
Encryption key....: 6E...
created ....: 2023-01-26 21:07:30
Authentication key: 61...
created ....: 2023-01-26 21:11:18
General key info..: sub rsa4096/B5XXXXXXXXXXXXXX 2023-01-26 UXXXXX WXXXX (XXX)
sec# rsa4096/A5XXXXXXXXXXXXXX created: 2023-01-26 expires: 2025-01-25
ssb> rsa4096/B5XXXXXXXXXXXXXX created: 2023-01-26 expires: 2025-01-25
card-no: 0006 234XXXXX
ssb> rsa4096/A1XXXXXXXXXXXXXX created: 2023-01-26 expires: 2025-01-25
card-no: 0006 234XXXXX
ssb> rsa4096/11XXXXXXXXXXXXXX created: 2023-01-26 expires: 2025-01-25
card-no: 0006 234XXXXX
~~~
When I use `--edit-key` to check my key, I get (some details redacted with `X`):
~~~lang-text
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret subkeys are available.
pub rsa4096/A5XXXXXXXXXXXXXX
created: 2023-01-26 expires: 2025-01-25 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B5XXXXXXXXXXXXXX
created: 2023-01-26 expires: 2025-01-25 usage: S
card-no: 0006 234XXXXX
ssb rsa4096/A1XXXXXXXXXXXXXX
created: 2023-01-26 expires: 2025-01-25 usage: E
card-no: 0006 234XXXXX
ssb rsa4096/11XXXXXXXXXXXXXX
created: 2023-01-26 expires: 2025-01-25 usage: A
card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)
~~~
So I thought this looks good.
However when trying to sign a key I get this:
~~~lang-text
sec rsa3072/1CXXXXXXXXXXXXXX
created: 2023-01-28 expires: 2025-01-27 usage: C
trust: ultimate validity: ultimate
ssb rsa3072/C1XXXXXXXXXXXXXX
created: 2023-01-28 expires: 2025-01-27 usage: S
ssb rsa3072/99XXXXXXXXXXXXXX
created: 2023-01-28 expires: 2025-01-27 usage: E
ssb rsa3072/DEXXXXXXXXXXXXXX
created: 2023-01-28 expires: 2025-01-27 usage: A
[ultimate] (1). UXXXXX WXXXX
[ultimate] (2) UXXXXX WXXXX (Work)
Really sign all user IDs? (y/N) y
sec rsa3072/1CXXXXXXXXXXXXXX
created: 2023-01-28 expires: 2025-01-27 usage: C
trust: ultimate validity: ultimate
Primary key fingerprint: E1...
UXXXXX WXXXX
UXXXXX WXXXX (Work)
This key is due to expire on 2025-01-27.
Are you sure that you want to sign this key with your
key "UXXXXX WXXXX (XXX)" (A5XXXXXXXXXXXXXX)
Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key
Key not changed so no update needed.
~~~
How can I recover from this, and what was my mistake setting up the keys on the card most likely?
It seems https://unix.stackexchange.com/a/393166/320598 gives the reason why it does not work, but what created that situation?
U. Windl
(1715 rep)
Jan 28, 2023, 06:57 PM
• Last activity: Jan 28, 2023, 09:06 PM
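An added example (not part of the question and not GnuPG's own code) that checks the same thing the `sec#` / `ssb>` markers in the listings above show, but from the machine-readable `gpg --list-secret-keys --with-colons` output; the sample records are constructed to mirror the redacted listing above, with its placeholder key IDs and card number.

```python
"""Locate secret-key material from `gpg --list-secret-keys --with-colons`.

Field 15 of a sec/ssb record is '#' for a stub without key material (shown
as sec#/ssb# by gpg) or the serial number of the card holding the key (shown
as sec>/ssb> with a card-no line).  gpg certifies other keys only with the
primary key, so a stub primary cannot sign keys even when the card works.
"""
from __future__ import annotations

# Constructed sample mirroring the listing in the question: primary key stub,
# three subkeys on card 0006 234XXXXX.  Key IDs are the redacted placeholders.
SAMPLE = """\
sec:u:4096:1:A5XXXXXXXXXXXXXX:1674767114:1737763200::u:::cC:::#:::23::0:
uid:u::::1674767114::0000000000000000000000000000000000000000::UXXXXX WXXXX (XXX)::::::::::0:
ssb:u:4096:1:B5XXXXXXXXXXXXXX:1674767114:1737763200:::::s:::0006234XXXXX:::23:
ssb:u:4096:1:A1XXXXXXXXXXXXXX:1674767250:1737763200:::::e:::0006234XXXXX:::23:
ssb:u:4096:1:11XXXXXXXXXXXXXX:1674767478:1737763200:::::a:::0006234XXXXX:::23:
"""


def secret_keys(colons: str) -> list[dict]:
    """One dict per sec/ssb record: type, keyid, own capabilities, location."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        token = f[14] if len(f) > 14 else ""
        if token == "#":
            where = "stub"            # no secret material in the keyring
        elif token and token != "+":
            where = "card:" + token   # material lives on this token
        else:
            where = "local"           # material present on disk
        keys.append({"type": f[0], "keyid": f[4],
                     "caps": {c for c in f[11] if c.islower()},
                     "where": where})
    return keys


def can_certify(colons: str) -> tuple[bool, str]:
    """Whether `gpg --sign-key` can work: the certifying primary must be usable."""
    for k in secret_keys(colons):
        if k["type"] == "sec" and "c" in k["caps"]:
            if k["where"] == "stub":
                return False, (f"primary {k['keyid']} is a stub (sec#); "
                               "certification needs the primary secret key")
            return True, f"primary {k['keyid']} available ({k['where']})"
    return False, "no certifying primary key in the secret keyring"
```

On a real machine, feed it the output of `gpg --list-secret-keys --with-colons` instead of `SAMPLE`.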
0
votes
0
answers
129
views
Using OpenBSD /usr/libexec/auth/login_* from command line or other program
This may be an x-y problem and please feel free to point me in other directions as well.
I'm trying to write a login mechanism to dovecot's passdb, using either a Lua plugin or a CheckPassword program. The end goal is to be able to use a yubikey OTP specifically for dovecot, rather than mandating yubikey for all login as a user.
I found that the facilities available in `/usr/libexec/auth` seem usable. Specifically, I can call `/usr/libexec/auth/login_yubikey -d username` and get a password prompt. The program will print `authorize` to the terminal and exit with a 0 status on successful authorization.
Now, using these facilities from another program seems difficult. The `login_*` facilities use `readpassphrase(3)`, which does not read from stdin but rather from `/dev/tty` (and the difference here eludes me, I must confess).
How can I call the `/usr/libexec/auth/login_*` facilities supplying a password, rather than prompting the user for one?
If this is not possible, how can I authorize a given password or key for a user from a program?
Bex
(768 rep)
Dec 13, 2022, 09:41 AM
2
votes
2
answers
2748
views
Setting up a passwordless login with a U2F token (Yubikey 5)
I am trying to set up a passwordless login for Linux Mint 19.3, in order to be able to log in either with a Yubikey token or a password. I followed the instructions from the Yubikey website and this thread, but I cannot make it work.
Briefly, this is what I did:
1. ``sudo pamu2fcfg -u `whoami` > /etc/Yubico/u2f_keys``
2. In **/etc/pam.d/** I created **common-u2f** with the following content:
   ~~~lang-text
   auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys debug debug_file=/var/log/pam_u2f.log authpending_file=/etc/Yubico/pam-u2f-authpending
   ~~~
3. I added `@include common-u2f` before `@include common-auth` in the following files: **lightdm**, **sudo**, **login**, **cinnamon-screensaver**
Now, I can use the command `sudo`, unlock the screen, and log in (only after logging out) with just my Yubikey. However, when I try to log in after a reboot, something strange happens. I get the blinking light on the Yubikey, and after pressing it, the screen goes black as if it is going to bring up my desktop, but instead it goes back to the log-in screen. So, basically, if I try to use the Yubikey, it gets stuck in a log-in loop. To get out of it, I just have to remove the token and use my password.
When I looked at the debug log, I saw that it tries to authenticate me twice. First time it succeeds, but second time it complains about u2f device not found. I don't know why it calls pam_u2f.so module twice after reboot, as for sudo, unlocking the screen, and logging in (after logging out), it only calls it once (as expected). Here is the content of the debug log:
~~~lang-text
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1] =debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2] =debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1:
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1:
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1:
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2:
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2:
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:277 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:311 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): ../util.c:335 (do_authentication): Challenge: { "keyHandle": "", "version": "U2F_V2", "challenge": "", "appId": "pam:\/\/host1" }
debug(pam_u2f): ../util.c:349 (do_authentication): Response: { "signatureData": "", "clientData": "" }
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Success]
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1] =debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2] =debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1:
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1:
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1:
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2:
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2:
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): ../pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Authentication failure]
~~~
As you can see from the log, it tries to authenticate me twice. I have no idea why. Any help would be appreciated!
Proto Ukr
(171 rep)
Feb 11, 2020, 01:23 AM
• Last activity: Dec 9, 2022, 06:18 PM
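An added example (not from the question or from pam-u2f itself) that turns a pam_u2f debug log like the one above into one record per module invocation, so a repeated call and the reason for its failure are visible at a glance; the sample lines are a constructed subset of the log above.

```python
"""Summarize a pam_u2f debug log as one record per PAM invocation.
Each call starts with `parse_cfg: called.` and ends with `done. [result]`;
the do_authentication lines in between say why a call failed."""
from __future__ import annotations
import re

# Constructed sample: the relevant lines of both invocations from the
# question's log, with the repeated config dump left out.
SAMPLE_LOG = """\
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Success]
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Authentication failure]
"""

LINE = re.compile(r"^debug\(pam_u2f\): \S+ \((?P<func>\w+)\): (?P<msg>.*)$")


def summarize(log: str) -> list[dict]:
    """Return [{user, devices, result, reason}] in invocation order."""
    calls, cur = [], None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "parse_cfg" and msg == "called.":
            cur = {"user": None, "devices": 0, "result": "incomplete", "reason": None}
            calls.append(cur)
        elif cur is None:
            continue                      # lines before the first invocation
        elif msg.startswith("Requesting authentication for user "):
            cur["user"] = msg.rsplit(" ", 1)[1]
        elif (d := re.match(r"Found (\d+) device\(s\)", msg)):
            cur["devices"] = int(d.group(1))   # registered keys in the authfile
        elif func == "do_authentication" and msg.startswith("Unable to"):
            cur["reason"] = msg                # why the token step failed
        elif (r := re.match(r"done\. \[(.*)\]", msg)):
            cur["result"] = r.group(1)

    return calls


def failed_after_success(calls: list[dict]) -> list[dict]:
    """Failing invocations for a user who already passed once in this log."""
    passed = {c["user"] for c in calls if c["result"] == "Success"}
    return [c for c in calls if c["result"] != "Success" and c["user"] in passed]
```

On a real machine, read `/var/log/pam_u2f.log` (the `debug_file` from the PAM line above) and pass its contents to `summarize`.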
1
votes
1
answers
298
views
Trying to automate yubikey deployment in my workplace
I am trying to write a basic script that will run the `gpg --card-edit` command on any connected yubikey and generate an RSA 4096 key pair on the card:
~~~lang-bash
#!/usr/bin/env bash
red=$(tput setaf 1)
green=$(tput setaf 2)
reset=$(tput sgr0)
set -euf
set -o pipefail
echo "${red}script started${reset}"
echo " ${red}run card edit ${reset}"
gpg --card-edit --command-fd - < ~/bin/yubikey/input2.txt
~~~
The input2.txt contains the commands I want to run:
~~~lang-text
admin
generate
~~~
I cannot figure out a way to handle the PIN prompt that I get from gpg, so I get this error:
~~~lang-text
gpg: error checking the PIN: Inappropriate ioctl for device
~~~
Frank Perrakis
(11 rep)
Oct 23, 2017, 04:20 PM
• Last activity: Oct 2, 2022, 08:28 PM