smart card error 6d00 with YubiKey 4.2.8 #14

Closed
phipla opened this issue May 10, 2020 · 5 comments
Labels
upstream This is an issue in piv-go

Comments

phipla commented May 10, 2020

I am getting errors trying to make this work with my YubiKey:

  • macOS Catalina 10.15.4
  • YubiKey 4.2.8
  • yubikey-agent: stable 0.1.1

yubikey-agent.log

Connecting to the YubiKey...
Reconnecting to the YubiKey...
agent 13: failed to prepare private key: get attestation cert: command failed: smart card error 6d00
agent 17: operation unsupported

SSH log

ssh -v -T [email protected]
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/philippe/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/philippe/.ssh/id_rsa type -1
debug1: identity file /Users/philippe/.ssh/id_rsa-cert type -1
debug1: identity file /Users/philippe/.ssh/id_dsa type -1
debug1: identity file /Users/philippe/.ssh/id_dsa-cert type -1
debug1: identity file /Users/philippe/.ssh/id_ecdsa type -1
debug1: identity file /Users/philippe/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/philippe/.ssh/id_ed25519 type -1
debug1: identity file /Users/philippe/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/philippe/.ssh/id_xmss type -1
debug1: identity file /Users/philippe/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version babeld-a950f115
debug1: no match: babeld-a950f115
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /Users/philippe/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: YubiKey #4250300 PIV Slot 9a ECDSA SHA256:d4oDsV8IJotbZPVnmCgWbKTkwv4cwVlf81CFaMWkU6w agent
debug1: Will attempt key: /Users/philippe/.ssh/id_rsa
debug1: Will attempt key: /Users/philippe/.ssh/id_dsa
debug1: Will attempt key: /Users/philippe/.ssh/id_ecdsa
debug1: Will attempt key: /Users/philippe/.ssh/id_ed25519
debug1: Will attempt key: /Users/philippe/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: YubiKey #4250300 PIV Slot 9a ECDSA SHA256:d4oDsV8IJotbZPVnmCgWbKTkwv4cwVlf81CFaMWkU6w agent
debug1: Server accepts key: YubiKey #4250300 PIV Slot 9a ECDSA SHA256:d4oDsV8IJotbZPVnmCgWbKTkwv4cwVlf81CFaMWkU6w agent
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Trying private key: /Users/philippe/.ssh/id_rsa
debug1: Trying private key: /Users/philippe/.ssh/id_dsa
debug1: Trying private key: /Users/philippe/.ssh/id_ecdsa
debug1: Trying private key: /Users/philippe/.ssh/id_ed25519
debug1: Trying private key: /Users/philippe/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
@russelldavies

I have the same issue.

  • macOS Mojave 10.14.6
  • Yubikey NEO; Firmware: 3.4.3
  • yubikey-agent: v0.1.1

yubikey-agent.log:

Connecting to the YubiKey...
Reconnecting to the YubiKey...
agent 13: failed to prepare private key: get attestation cert: command failed: smart card error 6d00

The error I get from SSH is: sign_and_send_pubkey: signing failed for ECDSA "YubiKey #XXXXXX PIV Slot 9a" from agent: agent refused operation.

robbiev commented May 10, 2020

I've got the same setup as @russelldavies, except I'm on Catalina. I'm also seeing this.

joneskoo commented May 10, 2020

I wonder if the older YubiKeys don't support attestation for PIV? In order to support different PIN policy configurations, piv-go added a check that parses the attestation certificate, as that seems to be the only thing that indicates whether the PIN will actually be required. go-piv/piv-go#50

EDIT: https://developers.yubico.com/PIV/Introduction/PIV_attestation.html Attestation is supported starting 4.3. The current piv-go requires attestation support.

Maybe someone can modify that code via a local replace to ignore the attestation error and instead silently default to the default PIN policy, and see if that solves this? My guess in any case is that this belongs upstream. EDIT: See my next comment.

https://github.com/go-piv/piv-go/blob/6bdd3b348cd787716fccaf6b0671a22959c84e38/piv/key.go#L587-L603
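
The fallback sketched in the comment above (treat a 6d00 from the attestation command as "no attestation applet" and fall through to the PIV default PIN policy), written out as an added Go example. This is not yubikey-agent's or piv-go's code. It assumes the Yubico attestation extension layout (OID 1.3.6.1.4.1.41482.3.8, two bytes: PIN policy then touch policy, with 1=never, 2=once, 3=always for the PIN byte), uses a hypothetical attestFunc in place of the card round trip, and builds a constructed self-signed certificate instead of talking to a real YubiKey. Only the "instruction not supported" status word is swallowed; any other card error is still returned, so a real fault is not masked as a policy guess.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// StatusError is an ISO 7816-4 status word the card returned instead of 0x9000, printed as piv-go logs it.
type StatusError uint16

func (e StatusError) Error() string { return fmt.Sprintf("smart card error %04x", uint16(e)) }

// 0x6D00 = "INS not supported": a pre-4.3 YubiKey has no attestation command.
const swInsNotSupported StatusError = 0x6D00
// PINPolicy as Yubico encodes it in the attestation extension (assumed layout).
type PINPolicy byte
const (
	PINPolicyNever  PINPolicy = 1
	PINPolicyOnce   PINPolicy = 2 // PIV default: verify the PIN once per session
	PINPolicyAlways PINPolicy = 3
)
// Yubico key policy extension: two bytes, PIN policy then touch policy (assumed).
var oidKeyPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 8}

// parsePINPolicy extracts the PIN policy from a slot attestation certificate.
func parsePINPolicy(cert *x509.Certificate) (PINPolicy, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidKeyPolicy) {
			continue
		}
		if len(ext.Value) != 2 {
			return 0, fmt.Errorf("policy extension is %d bytes, want 2", len(ext.Value))
		}
		if p := PINPolicy(ext.Value[0]); p >= PINPolicyNever && p <= PINPolicyAlways {
			return p, nil
		}
		return 0, fmt.Errorf("unknown pin policy 0x%02x", ext.Value[0])
	}
	return 0, errors.New("attestation cert carries no key policy extension")
}

// attestFunc stands in for the card round trip (hypothetical, not piv-go's API).
type attestFunc func() (*x509.Certificate, error)

// resolvePINPolicy reads the policy from the attestation cert. Only "INS not supported"
// falls back to the PIV default (assumed=true so the agent can log it); other errors propagate.
func resolvePINPolicy(attest attestFunc) (policy PINPolicy, assumed bool, err error) {
	cert, err := attest()
	var sw StatusError
	if errors.As(err, &sw) && sw == swInsNotSupported {
		return PINPolicyOnce, true, nil
	}
	if err != nil {
		return 0, false, fmt.Errorf("get attestation cert: %w", err)
	}
	policy, err = parsePINPolicy(cert)
	return policy, false, err
}

// Fake cards: one answering with a status word, one returning a certificate.
func attestWithStatus(sw StatusError) attestFunc {
	return func() (*x509.Certificate, error) { return nil, sw }
}
func attestWithCert(c *x509.Certificate) attestFunc {
	return func() (*x509.Certificate, error) { return c, nil }
}

// fakeAttestationCert builds a self-signed cert carrying the policy extension,
// standing in for what a 4.3+ YubiKey returns. Constructed test data.
func fakeAttestationCert(pin PINPolicy) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		ExtraExtensions: []pkix.Extension{{Id: oidKeyPolicy, Value: []byte{byte(pin), 1}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := fakeAttestationCert(PINPolicyAlways)
	if err != nil {
		panic(err)
	}
	for _, a := range []attestFunc{attestWithCert(cert), attestWithStatus(swInsNotSupported), attestWithStatus(0x6982)} {
		fmt.Println(resolvePINPolicy(a))
	}
}
```

The three cases in main model a 4.3+ key (policy read from the cert), a 3.x/4.2 key (6d00, default policy assumed), and an unrelated card error (surfaced rather than hidden). The assumed flag matters because, as the later comment in this thread notes, the default-policy guess is not the same as the card actually caching the PIN.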

joneskoo commented May 10, 2020

This seems to be the same as go-piv/piv-go#55?

@ericchiang

I fixed this issue upstream go-piv/piv-go#59

However, I found a bug in older YubiKeys that prevents PIN caching for PINPolicyOnce (what this tool uses). So yubikey-agent still won't work with those keys. If you have an older YubiKey and can help test, that'd be appreciated. I only have v4.3.7 and v3.4.9, and I know it works on v4.3.7 but doesn't on v3.4.9.

See: go-piv/piv-go#60

@FiloSottile FiloSottile added the upstream This is an issue in piv-go label May 13, 2020