
Yubikey support #558

Merged
merged 4 commits into from
Apr 21, 2020

Conversation

mtibben
Member

@mtibben mtibben commented Apr 20, 2020

Support for Yubikey OATH-TOTP via ykman.

Thanks to @j0hnsmith for the initial PRs at #316, #514, #533

Could someone with a Yubikey please test this? @j0hnsmith @jtopper or anyone else?
Docs and binaries

@RiccardoBoettcher

No Linux build yet available for testing ...

@mtibben
Member Author

mtibben commented Apr 20, 2020

No Linux build yet available for testing ...

uploading now

@asiragusa
Contributor

Hi @mtibben, thanks for this great PR!

I have a small issue getting the OATH code with my Yubikey that already contains multiple secrets with the current naming format:

 ./aws-vault exec --prompt ykman staging -- aws s3 ls
aws-vault: error: Failed to get credentials for staging: ykman: exit status 1:
Error: Multiple matches, please make the query more specific.

aws:arn:aws:iam::ID:mfa/alessandro
aws:arn:aws:iam::ID:mfa/alessandro-2

This is really strange, as if I run ykman oath code -s aws:arn:aws:iam::ID:mfa/alessandro manually (like in https://github.com/99designs/aws-vault/pull/558/files#diff-1d1bf1de34ef664900cccdefd19fe78fR12) I can correctly get an OATH code.

For the record, my OS is Darwin 19.3.0 and I have 2 users because I use this Yubikey on 2 different computers.

As a side note, #316 also introduced a very handy add-yubikey command. Are you planning to add it back? If not, I can help with a PR if needed!

@RiccardoBoettcher

Tested the Linux build on Fedora 31: worked for me as described. Just validated that my existing profile, which was previously used with a manually entered TOTP, can now be used with Yubikey touch.
Tested command: aws-vault exec

@christophgysin
Contributor

Works for me on Arch. Two things I noted:

  • There is no prompt. The current implementation hides the ykman prompt on stderr, and doesn't provide a prompt of its own.
  • It would be nice if one could specify the prompt per profile.

@mtibben
Member Author

mtibben commented Apr 21, 2020

This is really strange, as if I run manually ... I can correctly get an OATH code.

Thanks @asiragusa, that is very strange. I've expanded the flag to --single. Does that help? ykman oath code does specify QUERY as the argument, but I can't find any documentation on the actual query syntax in the docs. Looking at the code it seems direct matches should hit. Any guidance here? What version of ykman are you using?

As a side note, #316 also introduced a very handy add-yubikey command. Are you planning to add it back?

As noted in #514 (comment), I'm not convinced a very specific command for managing Yubikeys belongs in aws-vault. As I assume this should be just a couple of lines of shell script, perhaps you could create a contrib shell script using the aws cli to achieve the same thing?

@mtibben
Member Author

mtibben commented Apr 21, 2020

There is no prompt. The current implementation hides the ykman prompt on stderr, and doesn't provide a prompt of its own.

Good point @christophgysin. I've addressed this in 34e4756.

It would be nice if one could specify the prompt per profile.

Great idea. Perhaps an aws_vault_prompt param for the aws config file? I'll leave this as an exercise for whoever may be motivated.

@mtibben
Member Author

mtibben commented Apr 21, 2020

New binaries uploaded

asiragusa added a commit to asiragusa/aws-vault that referenced this pull request Apr 21, 2020
This script helps to add a yubikey using ykman. See 99designs#558
@asiragusa
Contributor

This is really strange, as if I run manually ... I can correctly get an OATH code.

Thanks @asiragusa, that is very strange. I've expanded the flag to --single. Does that help? ykman oath code does specify QUERY as the argument, but I can't find any documentation on the actual query syntax in the docs. Looking at the code it seems direct matches should hit. Any guidance here? What version of ykman are you using?

Got it! The issue comes from the entries stored in my Yubikey: they are prefixed by aws:, so I can confirm that your PR is working correctly.

As a side note, #316 also introduced a very handy add-yubikey command. Are you planning to add it back?

As noted in #514 (comment), I'm not convinced a very specific command for managing Yubikeys belongs in aws-vault. As I assume this should be just a couple of lines of shell script, perhaps you could create a contrib shell script using the aws cli to achieve the same thing?

Sure, here it is #559
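The "Multiple matches" failure above comes down to how a query is matched against the credential names stored on the key. The following is an added illustration, not code from aws-vault or ykman: it assumes (as the thread implies) that aws-vault queries by the bare MFA serial ARN, that ykman treats the query as a substring of the stored name, and it models a resolver that prefers an exact match and otherwise insists on a unique substring match before handing the name to ykman oath code --single.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMultipleMatches mirrors the ambiguity ykman reported in the thread
// (a constructed error value, not ykman's own).
var ErrMultipleMatches = errors.New("multiple matches, please make the query more specific")

// ResolveCredential picks one OATH credential name for a query. An exact
// name match wins; otherwise a unique substring match is accepted; anything
// else is an error. This is an assumed policy, not ykman's documented one.
func ResolveCredential(names []string, query string) (string, error) {
	var partial []string
	for _, n := range names {
		if n == query {
			return n, nil
		}
		if strings.Contains(n, query) {
			partial = append(partial, n)
		}
	}
	switch len(partial) {
	case 0:
		return "", fmt.Errorf("no credential matches %q", query)
	case 1:
		return partial[0], nil
	default:
		return "", fmt.Errorf("%w: %s", ErrMultipleMatches, strings.Join(partial, ", "))
	}
}

// YkmanArgs builds the argument list for ykman once the name is unambiguous;
// --single is the flag the PR switched to, so ykman itself also refuses ambiguity.
func YkmanArgs(name string) []string {
	return []string{"oath", "code", "--single", name}
}

func main() {
	// Constructed sample: two entries stored with an "aws:" prefix, as in the thread.
	onKey := []string{
		"aws:arn:aws:iam::123456789012:mfa/alessandro",
		"aws:arn:aws:iam::123456789012:mfa/alessandro-2",
	}
	// The bare serial is a substring of both entries, hence the error.
	_, err := ResolveCredential(onKey, "arn:aws:iam::123456789012:mfa/alessandro")
	fmt.Println("bare serial:", err)
	// The prefixed name matches exactly, so the ambiguity disappears.
	name, _ := ResolveCredential(onKey, "aws:arn:aws:iam::123456789012:mfa/alessandro")
	fmt.Println(strings.Join(YkmanArgs(name), " "))
}
```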

@mtibben
Member Author

mtibben commented Apr 21, 2020

Amazing! Thanks @asiragusa

@mtibben mtibben merged commit 09889cc into master Apr 21, 2020
mtibben pushed a commit that referenced this pull request Apr 21, 2020
This script helps to add a yubikey using ykman. See #558
@mtibben mtibben added this to the v6 milestone Apr 30, 2020
@ismailyenigul

Thanks for this feature. I have written a basic article about configuring Yubikey on macOS at https://medium.com/@ismailyenigul/configuring-aws-vault-6-x-with-yubikey-on-macos-792c3ce8b6b5
I just made the ~/aws/config part clearer for my own needs :) I hope it will help someone else.
