diff --git a/api/utils/keys/yubikey.go b/api/utils/keys/yubikey.go index 1bc5e5f745bea..e8297a6d3e619 100644 --- a/api/utils/keys/yubikey.go +++ b/api/utils/keys/yubikey.go @@ -142,12 +142,12 @@ func GetDefaultKeySlot(policy PrivateKeyPolicy) (piv.Slot, error) { case PrivateKeyPolicyHardwareKeyTouch: // private_key_policy: hardware_key_touch -> 9c return piv.SlotSignature, nil - case PrivateKeyPolicyHardwareKeyPIN: - // private_key_policy: hardware_key_pin -> 9d - return piv.SlotCardAuthentication, nil case PrivateKeyPolicyHardwareKeyTouchAndPIN: - // private_key_policy: hardware_key_touch_and_pin -> 9e + // private_key_policy: hardware_key_touch_and_pin -> 9d return piv.SlotKeyManagement, nil + case PrivateKeyPolicyHardwareKeyPIN: + // private_key_policy: hardware_key_pin -> 9e + return piv.SlotCardAuthentication, nil default: return piv.Slot{}, trace.BadParameter("unexpected private key policy %v", policy) } @@ -715,10 +715,10 @@ func parsePIVSlot(slotKey uint32) (piv.Slot, error) { return piv.SlotAuthentication, nil case piv.SlotSignature.Key: return piv.SlotSignature, nil - case piv.SlotCardAuthentication.Key: - return piv.SlotCardAuthentication, nil case piv.SlotKeyManagement.Key: return piv.SlotKeyManagement, nil + case piv.SlotCardAuthentication.Key: + return piv.SlotCardAuthentication, nil default: retiredSlot, ok := piv.RetiredKeyManagementSlot(slotKey) if !ok { diff --git a/docs/pages/access-controls/guides/hardware-key-support.mdx b/docs/pages/access-controls/guides/hardware-key-support.mdx index 19b77f4d4616b..55f06d176ee20 100644 --- a/docs/pages/access-controls/guides/hardware-key-support.mdx +++ b/docs/pages/access-controls/guides/hardware-key-support.mdx @@ -210,8 +210,8 @@ $ tsh clusters By default, Teleport clients use the following PIV slots for each option: - `hardware_key`: slot `9a` - `hardware_key_touch`: slot `9c` - - `hardware_key_pin`: slot `9d` - - `hardware_key_and_pin`: slot `9e` + - `hardware_key_touch_and_pin`: slot `9d` + - `hardware_key_pin`: slot `9e` If you are using any other PIV applications, you might need to specify a different slot. For example, `yubikey-agent` uses slot `9a`. To avoid overwriting the `yubikey-agent` key and certificate, diff --git a/rfd/0080-hardware-key-support.md b/rfd/0080-hardware-key-support.md index 3cd5dc84d7642..fde005893a2db 100644 --- a/rfd/0080-hardware-key-support.md +++ b/rfd/0080-hardware-key-support.md @@ -342,7 +342,7 @@ If a hardware key policy is required, then a private key will be generated direc #### PIV slot logic -PIV provides us with up to 24 different slots. Each slot has a different intended purpose, but functionally they are the same. We will use the first four slots (`9a`, `9c`, `9d`, `9e`) to support each of the 4 hardware key policy requirements (`hardware_key`, `hardware_key_touch`, `hardware_key_pin`, `hardware_key_touch_and_pin` respectively). +PIV provides us with up to 24 different slots. Each slot has a different intended purpose, but functionally they are the same. We will use the first four slots (`9a`, `9c`, `9d`, `9e`) to support each of the 4 hardware key policy requirements (`hardware_key`, `hardware_key_touch`, `hardware_key_touch_and_pin`, `hardware_key_pin` respectively). Each of these keys will be generated for the first time when a Teleport client is required to meet its respective private key policy. Once a key is generated, it will be reused by any other Teleport client required to meet the same private key policy.