Description
Steps to Reproduce
Initialize a certificate authority with --ssh so it generates keys and .pub files. Import the keys into a YubiKey (you cannot import the public keys since they are not certificates). Change ca.json to pull from YubiKey.
Your Environment
- OS - Alpine Linux
- step-ca Version - 0.28.1
- YubiKey Firmware - 5.7.1
Expected Behavior
CA starts and can get a public key for SSH from the YubiKey
Actual Behavior
Running the CA immediately results in error retrieving public key: command failed: smart card error 6a82: data object or application not found
Additional Context
Beginning of the Discord discussion where Carl T. told me to create an issue:
https://discord.com/channels/837031272227930163/841249977699401759/1316182538162802720
My ca.json:
{
  "root": "/home/stepca/.local/share/step-ca/certs/root_ca.crt",
  "federatedRoots": null,
  "crt": "/home/stepca/.local/share/step-ca/certs/intermediate_ca.crt",
  "key": "yubikey:slot-id=83",
  "kms": {
    "type": "yubikey",
    "pin": <REDACTED>
  },
  "address": ":8443",
  "insecureAddress": "",
  "dnsNames": <REDACTED>,
  "ssh": {
    "hostKey": "yubikey:slot-id=84",
    "userKey": "yubikey:slot-id=85"
  },
  "logger": {
    "format": "text"
  },
  "db": {
    "type": "postgresql",
    "dataSource": "postgresql://<REDACTED>"
  },
  "authority": {
    "enableAdmin": true
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  },
  "templates": {
    "ssh": {
      "user": [
        {
          "name": "config.tpl",
          "type": "snippet",
          "template": "templates/ssh/config.tpl",
          "path": "~/.ssh/config",
          "comment": "#"
        },
        {
          "name": "step_includes.tpl",
          "type": "prepend-line",
          "template": "templates/ssh/step_includes.tpl",
          "path": "${STEPPATH}/ssh/includes",
          "comment": "#"
        },
        {
          "name": "step_config.tpl",
          "type": "file",
          "template": "templates/ssh/step_config.tpl",
          "path": "ssh/config",
          "comment": "#"
        },
        {
          "name": "known_hosts.tpl",
          "type": "file",
          "template": "templates/ssh/known_hosts.tpl",
          "path": "ssh/known_hosts",
          "comment": "#"
        }
      ],
      "host": [
        {
          "name": "sshd_config.tpl",
          "type": "snippet",
          "template": "templates/ssh/sshd_config.tpl",
          "path": "/etc/ssh/sshd_config",
          "comment": "#",
          "requires": ["Certificate", "Key"]
        },
        {
          "name": "ca.tpl",
          "type": "snippet",
          "template": "templates/ssh/ca.tpl",
          "path": "/etc/ssh/ca.pub",
          "comment": "#"
        }
      ]
    }
  }
}
Removing the ssh property makes the CA run properly.
Here are some YubiKey outputs with ykman showing the keys exist and you can get a public key from them:
> ykman piv keys info 84
Key slot: 84 (RETIRED3)
Algorithm: ECCP256
Origin: IMPORTED
PIN required for use: ONCE
Touch required for use: NEVER
> ykman piv keys info 85
Key slot: 85 (RETIRED4)
Algorithm: ECCP256
Origin: IMPORTED
PIN required for use: ONCE
Touch required for use: NEVER
> ykman piv keys export 84 PUBLIC-KEY
> ykman piv keys export 85 PUBLIC-KEY
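The `ykman piv keys export` calls above write each slot's public key as a PEM SubjectPublicKeyInfo, which is not yet the one-line form sshd expects in a file such as `/etc/ssh/ca.pub` (the target of the `ca.tpl` template in the config above). The script below is an added example, not code from this issue or from step-ca, that performs that conversion for the ECCP256 keys the `ykman piv keys info` output reports: it parses the SPKI DER by hand, checks that the key really is a P-256 EC key and rejects anything else, then emits the `ecdsa-sha2-nistp256` line. The embedded sample PEM is constructed (it encodes the P-256 generator point, a public key anyone can derive, standing in for the output of `ykman piv keys export 84 host_ca.pem`); the file name and the comment string are assumptions.

```python
"""Convert a P-256 public key exported with `ykman piv keys export` (PEM SPKI)
into the single-line OpenSSH public key form used in files like /etc/ssh/ca.pub."""
import base64
import struct
import sys

# DER-encoded OIDs: id-ecPublicKey (1.2.840.10045.2.1) and prime256v1 (1.2.840.10045.3.1.7)
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")
P256_OID = bytes.fromhex("2a8648ce3d030107")

# Constructed sample: the P-256 generator point G, i.e. the public key for scalar 1.
# It is NOT a key from the issue; it only stands in for the slot's exported key.
SAMPLE_GX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
SAMPLE_GY = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"


def build_sample_der() -> bytes:
    """Hand-assemble the 91-byte SubjectPublicKeyInfo DER for the sample point."""
    point = b"\x04" + bytes.fromhex(SAMPLE_GX) + bytes.fromhex(SAMPLE_GY)
    alg = b"\x30\x13" + b"\x06\x07" + EC_PUBLIC_KEY_OID + b"\x06\x08" + P256_OID
    bitstr = b"\x03\x42\x00" + point  # BIT STRING with zero unused bits
    return b"\x30\x59" + alg + bitstr


def build_sample_pem() -> str:
    """Wrap the sample DER in the PEM armour ykman emits for PUBLIC-KEY."""
    b64 = base64.b64encode(build_sample_der()).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo inside."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (not lines or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PEM 'PUBLIC KEY' block (SubjectPublicKeyInfo)")
    return base64.b64decode("".join(lines[1:-1]))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, value, next_pos); short and 1-2 byte long lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n not in (1, 2):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def spki_to_p256_point(der: bytes) -> bytes:
    """Extract the uncompressed EC point from a P-256 SPKI; reject any other key type."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, apos = _read_tlv(alg, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        raise ValueError("not an id-ecPublicKey key (RSA or another algorithm)")
    tag, curve, _ = _read_tlv(alg, apos)
    if tag != 0x06 or curve != P256_OID:
        raise ValueError("only prime256v1 (ECCP256) is handled here")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or not bitstr or bitstr[0] != 0x00:
        raise ValueError("malformed BIT STRING for the public point")
    point = bitstr[1:]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    return point


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def spki_pem_to_openssh(pem: str, comment: str = "") -> str:
    """Produce the single-line authorized_keys / ca.pub form of a P-256 public key."""
    point = spki_to_p256_point(pem_to_der(pem))
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    line = "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


if __name__ == "__main__":
    # Usage: python3 pem_to_openssh.py [host_ca.pem] [comment]; with no file, converts the sample.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem()
    print(spki_pem_to_openssh(pem, sys.argv[2] if len(sys.argv) > 2 else ""))
```

`ssh-keygen -i -m PKCS8 -f host_ca.pem` produces the same line from the exported PEM and is a quick way to confirm that the key held in slot 84 or 85 is usable by OpenSSH independently of whatever path the CA's KMS code takes to read it.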
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).