yubikey-manager
`ykman fido credentials list` omits details about account name
- YubiKey Manager (ykman) version: 4.0.5
- How was it installed?: yubikey-manager in Fedora repository
- Operating system and version: Fedora 34
- YubiKey model and version: YubiKey 5 NFC firmware 5.2.7
- Bug description summary:
I expect that `ykman fido credentials list` would list all relevant information about FIDO residential credentials, yet it seems to omit at least one important one: the account name. There might also be more data, but I'm not an expert so I'm not sure. The example I will use is my Microsoft account. The ykman output looks like this:

```
$ ykman fido credentials list
Enter your PIN:
ssh:resident1 0000000000000000000000000000000000000000000000000000000000000000 openssh
login.microsoft.com 4d463a92afdxxxxxxxxxxxxxxxxxxxxxxxxx68449b775371 [email protected]
```

while in Chrome, the Manage security keys -> Sign-in data menu is able to display:

```
login.microsoft.com First Last ([email protected])
ssh:resident1 openssh (openssh)
```
It seems reasonable to me that the ykman CLI utility should display all this relevant information by default, or at least as an option. In addition, I wouldn't mind seeing descriptions of the data ykman outputs, or at least in a help screen.
Thanks!
It would be good if ykman could also (optionally) show the public key corresponding to each residential key.
I have created two residential ssh keys (`ssh-keygen -t ed25519-sk -O resident -O user=foo`; `ssh-keygen -t ed25519-sk -O resident -O user=bar`) and unless one uses the `-O application` option when generating the keys, there seems to be no simple way to tell which key in the `.ssh` directory corresponds to which key from the `ykman fido credentials list` output after downloading the keys to a new host (with `ssh-keygen -K`).
Just for clarification:
PublicKeyCredentialUserEntity contains both name and displayName. We currently show name, but could potentially also show displayName in the CLI output.
We also have the public key information available in COSE format, though I'm not sure how one would best use that to map between ssh keys, so we would need to figure out what format to display those in.
ykman 5 has now been released, which changes the output of the command:

```
ykman fido credentials list
Enter your PIN:
Credential ID RP ID Username Display name
4c52fc86... demo.yubico.com dain dain
```

It also adds a `--csv` flag which includes additional fields, doesn't truncate the credential ID, and outputs in CSV format:

```
ykman fido credentials list --csv
Enter your PIN:
credential_id,rp_id,user_name,user_display_name,user_id
4c52fc8662d0151f88f3139a7f33d98c4a51100f829b325141d061f92997d412b671b849105f8da9baad78b918b45a7d,demo.yubico.com,dain,dain,635ff8d0a885e09e1a14895284ac64ee38e529006474a5dd43553f96ea87387e
```
Hi! I was trying to set up also the user when generating the SSH resident key, and then with `ykman fido credentials list` I can see it, but the Username and Display name are always openssh, it does not matter which `-O user=...` is defined. Is this normal? Should maybe ykman display in one of those 2 columns actually the name passed in that parameter? 🤔
I have a similar experience; the value of the username doesn't seem to be the name parameter.
I'm glad I'm not the only one.
I've attempted to use -O user:username and it doesn't do a thing with ykman or Yubikey Manager. The Resident key still says openssh. Makes for quite a pain.
This appears to be an issue in OpenSSH; the credential manager in Chrome (chrome://settings/securityKeys) shows the same default value openssh for the username:

```
$ ssh -V
OpenSSH_9.5p1, OpenSSL 3.1.4 24 Oct 2023
$ ykman --version
YubiKey Manager (ykman) version: 5.2.1
$ ssh-keygen -t ecdsa-sk -O resident -O user=asdf
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
[additional output omitted for brevity]
$ ykman fido credentials list
Enter your PIN:
Credential ID RP ID Username Display name
f8d96e4c... ssh: openssh openssh
```
A colleague of mine pointed out that the current ssh-keygen man page description of `-O user` is inaccurate - what it actually does is set the user handle (AKA user ID) instead of the username:

```
$ ssh -V
OpenSSH_9.5p1, OpenSSL 3.1.4 24 Oct 2023
$ ykman --version
YubiKey Manager (ykman) version: 5.2.1
$ ssh-keygen -t ecdsa-sk -O resident -O user=asdf
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
[additional output omitted for brevity]
$ ykman fido credentials list
Credential ID RP ID Username Display name
0fe6c822... ssh: openssh openssh
$ ykman fido credentials list --csv
Enter your PIN:
credential_id,rp_id,user_name,user_display_name,user_id
0fe6c8228fa36018f9e41eb313df4f0b1f538c1a23f6cdf0621908736e8362ecd9624cbcd65f4ead5f96e290833ea0f1,ssh:,openssh,openssh,6173646600000000000000000000000000000000000000000000000000000000
$ ykman fido credentials list --csv | grep openssh | tail -n 1 | cut -d ',' -f 5 | xxd -r -p | xxd
Enter your PIN:
00000000: 6173 4666 0000 0000 0000 0000 0000 0000 asdf............
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
```
Interesting.
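The `--csv` output announced earlier in the thread and the user-handle decoding shown just above can be combined into one small tool: parse ykman's CSV, and for each credential show the `user_name` column (what the table view prints) next to a decoded view of `user_id`. This is an added example, not ykman's own code; it assumes only the ykman 5 `--csv` column layout quoted in this thread, and the sample input is constructed from the two CSV rows posted here. Since OpenSSH writes the `-O user` string into the user handle NUL-padded to 32 bytes, trailing NULs are stripped and the remainder is shown as text when it is printable ASCII; anything else stays hex, because user handles are opaque bytes and need not be text.

```python
import csv

# Constructed sample: the two `ykman fido credentials list --csv` rows quoted in
# this thread, preceded by the "Enter your PIN:" prompt ykman prints first.
SSH_USER_ID = "61736466" + "00" * 28  # "asdf" NUL-padded to 32 bytes, as in the xxd dump
SAMPLE_CSV = (
    "Enter your PIN:\n"
    "credential_id,rp_id,user_name,user_display_name,user_id\n"
    "4c52fc8662d0151f88f3139a7f33d98c4a51100f829b325141d061f92997d412b671b849105f8da9baad78b918b45a7d"
    ",demo.yubico.com,dain,dain,"
    "635ff8d0a885e09e1a14895284ac64ee38e529006474a5dd43553f96ea87387e\n"
    "0fe6c8228fa36018f9e41eb313df4f0b1f538c1a23f6cdf0621908736e8362ecd9624cbcd65f4ead5f96e290833ea0f1"
    f",ssh:,openssh,openssh,{SSH_USER_ID}\n"
)


def parse_ykman_csv(text):
    """Parse `ykman fido credentials list --csv` output into dicts.

    Any prompt lines before the header row are skipped; credential_id and
    user_id are converted from hex to bytes. Raises ValueError if no header row
    is present, since a PIN failure produces no CSV at all.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    starts = [i for i, line in enumerate(lines) if line.startswith("credential_id,")]
    if not starts:
        raise ValueError("no CSV header found in ykman output")
    rows = []
    for row in csv.DictReader(lines[starts[0]:]):
        row["credential_id"] = bytes.fromhex(row["credential_id"])
        row["user_id"] = bytes.fromhex(row["user_id"])
        rows.append(row)
    return rows


def user_handle_label(user_id):
    """Best-effort human label for a user handle.

    OpenSSH's -O user stores the given string NUL-padded to 32 bytes, so strip
    trailing NULs and show the rest if it is printable ASCII. Handles that other
    relying parties create are typically random bytes and are shown as hex.
    """
    stripped = user_id.rstrip(b"\x00")
    if stripped and all(0x20 <= b < 0x7F for b in stripped):
        return stripped.decode("ascii")
    return user_id.hex()


def summarize(text):
    """One tuple per credential: rp_id, user_name, user_display_name,
    decoded user handle, and the first 8 hex digits of the credential ID
    (the same truncation ykman's table view uses)."""
    return [
        (
            r["rp_id"],
            r["user_name"],
            r["user_display_name"],
            user_handle_label(r["user_id"]),
            r["credential_id"].hex()[:8],
        )
        for r in parse_ykman_csv(text)
    ]


if __name__ == "__main__":
    # Realistic use: pipe the live output in, e.g.
    #   ykman fido credentials list --csv | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    for rp_id, name, display, handle, cred in summarize(text):
        print(f"{cred}...  {rp_id:20} {name:10} {display:10} handle={handle}")
```

Run against the sample, the `ssh:` row reports `handle=asdf` while its `user_name` stays `openssh`, which is the discrepancy this thread is about; the demo.yubico.com row keeps a hex handle because its 32 bytes are not text.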
I just submitted a ticket on the Git repo for PuTTY-CAC to add a "Display Name" textbox which will allow for FIDO keys to be generated similar to the OpenSSH method, however, with the option to pick our own username that will display in programs such as the Yubikey Authenticator / ykman. (He said he'd look at it this weekend).
He's generating FIDO keys for security devices without the need for OpenSSH. Tried my code edits today and it worked great.
Guess we need to see if OpenSSH will address this for their program too.
Edit: PuTTY-CAC now supports defining a display name in Yubico Authenticator for your FIDO keys. Sadly it's Windows only, but it's a start.