
Add -new-key command #95

Open
FiloSottile opened this issue Jul 27, 2021 · 5 comments
Labels
enhancement New feature or request
Comments

@FiloSottile
Owner

The -new-key command generates a new key in one of the numbered "retired" slots with a certificate with CN="SSH key".

The -touch-policy, -pin-policy, and -key-type flags control the respective aspects of this additional key.

There is no way to delete a key with yubikey-agent, instead the README will explain how to use YubiKey Manager for that.

yubikey-agent will support all ECDSA, Ed25519, and RSA keys in the Authorization and retired slots of all connected PIV tokens, as long as they were generated on device and the Common Name of the certificate is SSH key. (This allows ignoring age keys, which otherwise would leak to remote SSH servers.)

(This will break some current keys generated by other tools, but those were never and won't be officially supported.)
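The slot filter and certificate subject described in the comment above, written out as an added Go example. This is not yubikey-agent's or piv-go's code: it uses only the standard library, and software P-256 keys stand in for on-device keys (on a YubiKey the signer would be the slot's private-key handle, and the "generated on device" condition would come from slot attestation, which a certificate alone cannot show). The names NewSSHKeyCert, SelectSSHKey and Demo, and the "age identity" Common Name used for the rejected certificate, are assumptions for illustration only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sshKeyCN is the Common Name the issue proposes for agent-managed keys.
const sshKeyCN = "SSH key"

// selfSigned signs a certificate for pub with signer. On a YubiKey, signer
// would be the slot's private-key handle; here any crypto.Signer works.
func selfSigned(subject pkix.Name, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1)) // serial numbers must be positive
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(30, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSSHKeyCert builds the certificate a -new-key command would store next to
// a fresh key: CN="SSH key", O="yubikey-agent", OU=<agent version> (hypothetical
// helper; the subject layout follows the one described in the issue).
func NewSSHKeyCert(pub crypto.PublicKey, signer crypto.Signer, version string) (*x509.Certificate, error) {
	return selfSigned(pkix.Name{
		CommonName:         sshKeyCN,
		Organization:       []string{"yubikey-agent"},
		OrganizationalUnit: []string{version},
	}, pub, signer)
}

// SelectSSHKey is the slot filter the issue describes: expose a key only if
// the certificate CN is "SSH key" and the key is ECDSA, Ed25519 or RSA.
// Anything else (an age identity, a key from another tool) is skipped, so it
// is never offered to remote SSH servers. "Generated on device" is not
// decidable from the certificate; the agent would check slot attestation.
func SelectSSHKey(cert *x509.Certificate) bool {
	if cert.Subject.CommonName != sshKeyCN {
		return false
	}
	switch cert.PublicKey.(type) {
	case *ecdsa.PublicKey, ed25519.PublicKey, *rsa.PublicKey:
		return true
	}
	return false
}

// Demo fakes two occupied slots with software P-256 keys (constructed
// stand-ins for on-device keys): one carrying the agent's subject, one an
// age-style identity with a made-up CN, and returns both certificates.
func Demo() (agentCert, ageCert *x509.Certificate, err error) {
	k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if agentCert, err = NewSSHKeyCert(k1.Public(), k1, "0.1.5"); err != nil {
		return nil, nil, err
	}
	k2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if ageCert, err = selfSigned(pkix.Name{CommonName: "age identity"}, k2.Public(), k2); err != nil {
		return nil, nil, err
	}
	return agentCert, ageCert, nil
}

func main() {
	agentCert, ageCert, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{agentCert, ageCert} {
		fmt.Printf("CN=%q exposed=%v\n", c.Subject.CommonName, SelectSSHKey(c))
	}
}
```

The CN check is the whole point of the filter: a PIV token shared with age or other tools has keys in the same retired slots, and without a subject convention the agent would enumerate all of them and present them to every server it authenticates to.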

@FiloSottile
Owner Author

Actually, I looked again at #57 and I like the approach of having a separate command better, so let's call this yubikey-agent-keygen, with the same semantics.

@markomitranic

Hey @FiloSottile, is there any update on this matter (or a workaround, like locally creating and importing a key)? I have a usage pattern where 20+ auth requests are being made in a row (vscode remote connection) and it is getting a bit burdensome to touch my key 20 times every couple of minutes. :/

@markomitranic

markomitranic commented Aug 23, 2021

Hey @FiloSottile, I needed this pretty badly today, so I opened up setup.go and just tried to replicate the same thing manually via ykman, as a temporary solution until you allow some level of configuration. Leaving a comment here for future reference for anyone who needs help with this :) Also, if you notice that I did something wrong here, please tell me :D

brew services start yubikey-agent

# Reset PIV module (wipes every PIV slot and restores the factory PIN/PUK/management key)
ykman piv reset -f

# Using PIN 0000000 just for the sake of example, ofc.
# 123456 is the factory default PIN after a reset.
ykman piv access change-pin -P 123456 -n 0000000
# Set the same PUK (12345678 is the factory default PUK after a reset)
ykman piv access change-puk -p 12345678 -n 0000000
# Store management key on the device, protected by PIN (-p), so later
# commands only need --pin instead of the 24-byte management key
ykman piv access change-management-key -P 0000000 -p

# Generate a key in slot 9a: PIN asked once per session, no touch required
ykman piv keys generate --pin=0000000 -a ECCP256 --pin-policy=ONCE --touch-policy=NEVER 9a /var/tmp/pkey.pub
# Generate a self-signed cert for that key (10950 days = 30 years)
ykman piv certificates generate --subject="CN=SSH Name+O=yubikey-agent+OU=0.1.5" --valid-days=10950 9a /var/tmp/pkey.pub

# Read the public key and use it as you normally would
ssh-add -L

@drod3763

drod3763 commented Jan 7, 2022

Any updates on this? Would really like to be able to have some no-touch functionality and it seems like its tied to this.

@nolith

nolith commented Feb 16, 2023

I was looking at the ability to generate a key with cached touch policy, but then I got hit by this bug in piv-go.

If you generate a key with PinPolicyOnce and TouchPolicyCached it will cache the touch for 15 seconds, but when the cache expires, it will ask for the PIN again.

At least for me, this is a big no for the cached touch policy.
