
Feature Request - PIV auth (Smart card) Hardware tokens (Yubikey)

Open arcreigh opened this issue 1 year ago • 16 comments

Would love to have PIV functionality, as in my homelab I have opted to utilize the PIV functionality of my YubiKey. Hardware tokens are becoming more and more prevalent, and I would love the option to have that functionality within XPipe.

arcreigh avatar Oct 30 '23 17:10 arcreigh

Sure, something like this would be possible. If you don't mind, can you expand on your setup so I know exactly what we are talking about?

This would make it easier for me to try to set it up myself for testing and experimentation.

crschnick avatar Oct 30 '23 22:10 crschnick

So, in my environment, I tried to model off of a production environment: I have one Windows Domain Controller, a Windows Root Certificate Authority and a Windows Intermediate Certificate Authority.

The link below is a good video guide to get it spun up. https://www.youtube.com/watch?v=KsGcSCqs4Ps

This is specifically for use in a PIV style for authentication. I believe CAPI is what some other tools used as a smart card API, but it's been a few years since I have had to use that functionality.

YubiKeys are growing more and more popular, so having a way to interface with the minidriver would be great.

https://developers.yubico.com/ would be a good place to start I imagine for you.

I myself am just a network engineer, so some of my statements may be blatantly incorrect; do take me with a grain of salt.

arcreigh avatar Oct 30 '23 22:10 arcreigh

OK, so I read the Yubico documentation a bit. If I read correctly, at least for SSH connections, authentication is handled via a special SSH agent, and xpipe should support these kinds of agents already. Did you get a specific error message when trying to connect with your YubiKey and agent? Or, when you talk about having PIV functionality, does that include more than SSH connections?

Regardless of that, it will take me some time to order one and set everything up, so I can get back to you once this is done.

crschnick avatar Oct 30 '23 23:10 crschnick

I wasn't aware there was a specific SSH agent needed. From a user perspective, I would hit a button which would prompt me for my smart card PIN; that would then allow me to select my certificate to use for auth, as in an enterprise environment your smart card / YubiKey might have multiple certs on it for different purposes. In some special circumstances, some entities might have multiple smart cards to separate privileged access.

arcreigh avatar Oct 31 '23 00:10 arcreigh

OK, I will just order a cheap YubiKey for this. I think it's good to own one for this.

crschnick avatar Oct 31 '23 00:10 crschnick

Be sure you get one that supports PIV! Check this link: https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers I would recommend one of the FIPS-compatible keys.

arcreigh avatar Oct 31 '23 00:10 arcreigh

Alright, so I got the YubiKey and set everything up. So now I can use it for SSH authentication, for example.

I was able to implement support for using the YubiKey with SSH connections in xpipe via the gpg-agent.

So now you would have to elaborate a little bit more on your use case:

  • How do you use it for SSH authentication on Windows? I used gpg4win.
  • Since your issue description is a little bit vague: what else do you want to use the key for? E.g. as a substitution for the master passphrase of the xpipe vault, or something else?

crschnick avatar Dec 07 '23 05:12 crschnick
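The agent route described in the two comments above (the private key stays on the token; the SSH client only ever talks to an agent, whether that is OpenSSH's ssh-agent with a PKCS#11 provider or gpg-agent's ssh-agent emulation) looks identical from the client side: the client sends SSH_AGENTC_REQUEST_IDENTITIES over the agent socket and gets back a list of public key blobs with comments. The following is an added example, not XPipe's code and not anything posted in this thread: a stdlib-only Python client for that one exchange, with an encoder for the reply so the parser can be exercised offline. The two identities are constructed sample data, not real keys, and the idea that gpg-agent labels card keys `cardno:<serial>` while OpenSSH's ssh-agent uses the PKCS#11 provider path as the comment is an assumption about those agents' conventions, not part of the protocol.

```python
"""Enumerate SSH agent identities the way an SSH client would (added example)."""
import base64
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_identities_answer(keys) -> bytes:
    """Encode an SSH_AGENT_IDENTITIES_ANSWER (inner message, no outer length prefix).
    keys is a list of (key_blob, comment) pairs, as an agent would return them."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _put_string(blob) + _put_string(comment.encode())
    return body


def parse_identities_answer(payload: bytes):
    """Parse the answer into [{'type', 'blob', 'comment'}], rejecting malformed input."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack_from(">I", payload, 1)
    off = 5
    entries = []
    for _ in range(count):
        blob, off = _get_string(payload, off)
        comment, off = _get_string(payload, off)
        key_type, _ = _get_string(blob, 0)  # every wire-format key starts with its type name
        entries.append({"type": key_type.decode(), "blob": blob,
                        "comment": comment.decode(errors="replace")})
    if off != len(payload):
        raise ValueError("trailing bytes after last identity")
    return entries


def authorized_keys_line(entry) -> str:
    """Render one identity the way `ssh-add -L` prints it (authorized_keys format)."""
    return f"{entry['type']} {base64.b64encode(entry['blob']).decode()} {entry['comment']}"


def looks_hardware_backed(entry) -> bool:
    """Heuristic, an assumption about agent conventions rather than protocol: gpg-agent
    comments card keys 'cardno:<serial>'; ssh-agent uses the PKCS#11 provider path."""
    c = entry["comment"]
    return c.startswith("cardno:") or c.endswith((".so", ".dylib", ".dll"))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        buf += chunk
    return buf


def query_live_agent():
    """Ask the agent at $SSH_AUTH_SOCK for its identities (needs a running agent)."""
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(_put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, n))


# Constructed sample identities (all-zero key material, NOT real keys): an Ed25519 key
# with a gpg-agent style comment and a P-256 key with a PKCS#11 provider path comment.
_ED25519_BLOB = _put_string(b"ssh-ed25519") + _put_string(b"\x00" * 32)
_ECDSA_BLOB = (_put_string(b"ecdsa-sha2-nistp256") + _put_string(b"nistp256")
               + _put_string(b"\x04" + b"\x00" * 64))
SAMPLE_KEYS = [(_ED25519_BLOB, "cardno:000612345678"),
               (_ECDSA_BLOB, "/usr/local/lib/libykcs11.so")]


def demo():
    """Round-trip the constructed answer through the parser; return (line, hw_backed) pairs."""
    entries = parse_identities_answer(build_identities_answer(SAMPLE_KEYS))
    return [(authorized_keys_line(e), looks_hardware_backed(e)) for e in entries]


if __name__ == "__main__":
    for line, hw in demo():
        print(("[token] " if hw else "[file]  ") + line)
```

Run it as-is to see the constructed identities rendered like `ssh-add -L`; call `query_live_agent()` with `SSH_AUTH_SOCK` pointing at a real agent to list the keys a client would actually be offered. The length checks in `_get_string` and the trailing-bytes check matter because the agent socket is a trust boundary: a client should not index past a short reply.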

GPG is a great first step for initial support of the YubiKey; however, I am looking for PIV support, which is backed by certificates. You can see the PIV application support in your YubiKey app. PuTTY-CAC uses CAPI in order to interface with PIV smart cards. That is the functionality I am after. You should absolutely support both! PIV/smart-card-based auth is a more advanced, enterprise-grade feature used in the government sector.

arcreigh avatar Dec 07 '23 13:12 arcreigh

GPG agent support has now been implemented in the latest PTB build at https://github.com/xpipe-io/xpipe-ptb, so you can try it out if you want.

The PIV support is next.

crschnick avatar Dec 09 '23 02:12 crschnick

Can you check whether the PIV support in https://github.com/xpipe-io/xpipe-ptb/releases/tag/1.7.11-2 works for you?

crschnick avatar Dec 10 '23 16:12 crschnick

Sure, give me a few to check it out.

arcreigh avatar Dec 10 '23 17:12 arcreigh

I think something went wrong with your email reply, not sure whether you want to include your contact details in there.

crschnick avatar Dec 10 '23 17:12 crschnick

Thanks for that, lol; pre-coffee nonsense. Edited my details out.

arcreigh avatar Dec 10 '23 17:12 arcreigh

So I will probably add this feature to the professional version once it's released, because most people will probably use this authentication in an enterprise context.

I can give you a free professional license though, since you posted this feature request in the first place and helped a lot. So just let me know to which email I should send it.

crschnick avatar Dec 12 '23 00:12 crschnick

Your analysis on that is 100% correct. This would be an advanced secure auth implementation used heavily in government sectors: DoD/DHS/insert agency here. I definitely appreciate the offer of a free pro key and will take you up on that. My GitHub username @gmail.com.

arcreigh avatar Dec 12 '23 03:12 arcreigh

This feature is now released; you can try it out in the latest version. I will send you that license key eventually. I also introduced a new preview license that will give you access to these features as they are released, so you can try out whether that works for you first.

crschnick avatar Dec 16 '23 04:12 crschnick

So now, with the latest fixes implemented for smart card handling to prevent it from asking for verification twice, I think I can finally close this issue as fully completed.

crschnick avatar May 18 '24 15:05 crschnick