Package agent (v0.1.6)

Published: Nov 29, 2025 License: BSD-3-Clause Imports: 29 Imported by: 0

Documentation
Overview

Package agent implements an SSH agent that uses YubiKey PIV tokens for key operations.

Index

Constants

const (
	// TouchNotificationTimeout is how long to wait before showing a touch notification
	TouchNotificationTimeout = 5 * time.Second

	// TemporaryErrorRetryDelay is how long to wait before retrying after a temporary error
	TemporaryErrorRetryDelay = time.Second

	// SocketDirPermissions is the permission mode for the socket directory
	SocketDirPermissions = 0700

	// SignOperationTimeout is the maximum time allowed for a sign operation
	// This prevents indefinite blocking waiting for YubiKey touch
	SignOperationTimeout = 2 * time.Minute
)
const (
	// RequiredPINLength is the required length for YubiKey PINs
	RequiredPINLength = 8

	// CertificateValidityYears is how many years certificates are valid for
	CertificateValidityYears = 42
)

Variables

var ErrOperationUnsupported = errors.New("operation unsupported")

ErrOperationUnsupported is returned for agent operations not supported by yubikey-agent. Since keys are hardware-bound, operations like Add/Remove don't apply.

var ErrPINMismatch = errors.New("PINs don't match")

ErrPINMismatch is returned when the PIN confirmation doesn't match.

var Version string

Version contains the build version of yubikey-agent, set at build time.

Functions

func Run

func Run()

Run executes the agent using the specified socket path.

func RunSetup

func RunSetup(yk *piv.YubiKey) error

RunSetup sets up all four main PIV slots on a single YubiKey, generating SSH-usable certificates in each. This function expects you've already selected your one YubiKey, e.g. via RunSetupSelected().

func SetupSlot

func SetupSlot(yk *piv.YubiKey, slot piv.Slot, pinPolicy piv.PINPolicy, touchPolicy piv.TouchPolicy) error

SetupSlot configures (or re-configures) a single PIV slot with the specified PIN policy and touch policy. It demonstrates a more "incremental" approach than setting up all slots at once.

If a management key is not yet stored in metadata, it will prompt for a PIN (resetting from defaults). Otherwise, it reuses the existing management key.

func UnblockPIN

func UnblockPIN(yk *piv.YubiKey) error

UnblockPIN uses the PUK to unblock a locked PIN.

Types

type Agent

type Agent struct {
	// contains filtered or unexported fields
}

Agent holds the status of the current agent in use and all YubiKeys associated with it.

func (*Agent) Add

func (a *Agent) Add(key agent.AddedKey) error

Add is not supported as keys cannot be added to hardware tokens remotely.

func (*Agent) Close

func (a *Agent) Close() error

Close finishes the connection to the YubiKey devices.

func (*Agent) Extension

func (a *Agent) Extension(extensionType string, contents []byte) ([]byte, error)

Extension implements the agent.ExtendedAgent interface but no extensions are supported.

func (*Agent) List

func (a *Agent) List() ([]*agent.Key, error)

List returns a list of all available keys from all YubiKeys.

func (*Agent) Lock

func (a *Agent) Lock(passphrase []byte) error

Lock is not supported as the YubiKey itself handles PIN-based locking.

func (*Agent) Remove

func (a *Agent) Remove(key ssh.PublicKey) error

Remove is not supported as keys cannot be removed from hardware tokens remotely.

func (*Agent) RemoveAll

func (a *Agent) RemoveAll() error

RemoveAll is not supported as keys cannot be removed from hardware tokens remotely.

func (*Agent) Sign

func (a *Agent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error)

Sign implements the agent.Agent interface for signing data with a key. This method delegates to SignWithFlags with no flags set.

func (*Agent) SignWithFlags

func (a *Agent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent.SignatureFlags) (*ssh.Signature, error)

SignWithFlags implements the agent.ExtendedAgent interface for signing with algorithm selection. This operation has a 2-minute timeout to prevent indefinite blocking on YubiKey touch.
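Added example (not the package's own code) of the timeout pattern this documents: the blocking hardware sign runs in its own goroutine and the caller gives up at the deadline instead of waiting indefinitely for a touch. `TimedSigner`, `SignFunc` and `ErrSignTimeout` are assumed names, and the `SignFunc` you pass in stands in for the real PIV signing call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrSignTimeout is a hypothetical error (not from the package) returned when
// the signature did not complete before the deadline, e.g. no touch arrived.
var ErrSignTimeout = errors.New("sign operation timed out waiting for YubiKey touch")

// SignFunc stands in for the blocking hardware call (the PIV key's Sign).
type SignFunc func(data []byte) ([]byte, error)

type signResult struct {
	sig []byte
	err error
}

// TimedSigner serialises access to one token and bounds each signature by a timeout.
type TimedSigner struct {
	mu      sync.Mutex
	timeout time.Duration
	sign    SignFunc
}

// Sign runs the hardware call in a goroutine and gives up once the deadline
// passes. The channel is buffered so the goroutine can still deliver a late
// result (which is discarded) instead of blocking forever and leaking.
func (s *TimedSigner) Sign(data []byte) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()

	ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
	defer cancel()

	ch := make(chan signResult, 1)
	go func() {
		sig, err := s.sign(data)
		ch <- signResult{sig: sig, err: err}
	}()

	select {
	case r := <-ch:
		return r.sig, r.err
	case <-ctx.Done():
		// Caveat: the token itself may still be waiting for touch; only the
		// caller is released, so a following request can still queue behind it.
		return nil, fmt.Errorf("%w after %s", ErrSignTimeout, s.timeout)
	}
}
```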

func (*Agent) Signers

func (a *Agent) Signers() ([]ssh.Signer, error)

Signers implements the agent.ExtendedAgent interface, returning signers for all keys. This method locks the agent and ensures YubiKey connections are healthy.

func (*Agent) Unlock

func (a *Agent) Unlock(passphrase []byte) error

Unlock is not supported as the YubiKey itself handles PIN-based unlocking.

type ErrInvalidPINLength added in v0.1.6

type ErrInvalidPINLength struct {
	Required int
	Got      int
}

ErrInvalidPINLength is returned when the PIN length is incorrect.

func (ErrInvalidPINLength) Error added in v0.1.6

func (e ErrInvalidPINLength) Error() string

type Yubi

type Yubi struct {
	Name   string
	Device *piv.YubiKey
	Serial uint32
}

Yubi contains all the information about a YubiKey.

func GetSingleYubiKey

func GetSingleYubiKey() (*Yubi, error)

GetSingleYubiKey loads YubiKeys (respecting --serial) and ensures exactly one is found. It returns the YubiKey and nil on success, or nil and an error on failure.

func GetSingleYubiKeyContext added in v0.1.6

func GetSingleYubiKeyContext(ctx context.Context) (*Yubi, error)

GetSingleYubiKeyContext loads YubiKeys with context support and ensures exactly one is found.

func LoadYubiKeys

func LoadYubiKeys() ([]*Yubi, error)

LoadYubiKeys loads all connected YubiKeys, but if a `--serial` is provided, only the matching YubiKey will be returned. This ensures we never "touch" any other YubiKeys if `serial` is set.

func LoadYubiKeysContext added in v0.1.6

func LoadYubiKeysContext(ctx context.Context) ([]*Yubi, error)

LoadYubiKeysContext loads all connected YubiKeys with context support. If ctx is cancelled during loading, it returns ctx.Err().
