feat: Hardware Key Agent validates known keys#54691
Merged
rosstimothy reviewed, May 13, 2025
rosstimothy approved these changes, May 16, 2025
greedy52 approved these changes, May 16, 2025
Joerger (Contributor) added a commit that referenced this pull request, May 16, 2025:
* Have hardware key agent validate known keys instead of always validating by the PIV slot cert.
* Refactor cert check logic with a custom error.
* Add test.
* Update rfd.
* Fix lint.
* Address comments.
* Require knownKeyFn to be provided.
* Require fallbackService to be provided to agent service.
* Address comments.
github-merge-queue Bot pushed a commit that referenced this pull request, May 19, 2025 (same commit message as above).
Changelog: Hardware Key Agent validates known keys by checking active or expired login session.
Changes:
Hardware Key Agent now makes a best effort to validate that a PIV slot is for Teleport by checking an active or expired Teleport login key matching the hardware key in the agent signature request.
If the key is unknown to the agent, e.g. because the agent request is from a Teleport client with a different Teleport Home directory, the agent will instead validate the key by checking the PIV slot certificate.
Context:
As a security constraint, the Hardware Key Agent does not allow signatures for PIV slots that do not correspond to a known Teleport PIV key. This is currently done by checking the PIV slot certificate, which should have "teleport" as the subject organization name. This implies that either a Teleport client generated the key and cert, or the YubiKey's administrator manually generated the key and cert for Teleport. This allows the Hardware Key Agent to discern whether a PIV slot is intended for Teleport use without any cluster login information, meaning that the Hardware Key Agent can operate with Teleport Connect without any active logins. However, in some administrative environments, the certificate subject name validation is impossible or difficult to comply with, in which case the Hardware Key Agent does need to check for active or expired login sessions.
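The validation order the description lays out (a known login key first, the PIV slot certificate's "teleport" subject organization only as the fallback, and a custom error when neither check passes), as an added Go example that is not the PR's or Teleport's own code. `ValidateSlotKey`, `UnknownKeyError`, the `knownKey` callback and the self-signed `MintSlotCert` helper are illustrative names and assumptions, not Teleport's API; the certificates are constructed test data, not real YubiKey slot contents.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// UnknownKeyError is the custom error for a PIV slot that neither check can tie to Teleport (assumed name).
type UnknownKeyError struct{ Reason string }
func (e *UnknownKeyError) Error() string { return "PIV slot is not a known Teleport key: " + e.Reason }

// ValidateSlotKey checks in the PR's order: known login keys (active or expired) first, then the slot cert's subject organization ("teleport") only as a fallback for unknown keys.
func ValidateSlotKey(pub crypto.PublicKey, slotCert *x509.Certificate, knownKey func(crypto.PublicKey) bool) error {
	if knownKey == nil {
		return fmt.Errorf("knownKeyFn must be provided") // the PR makes this mandatory
	}
	if knownKey(pub) {
		return nil // key belongs to a Teleport login session, active or expired
	}
	if slotCert == nil {
		return &UnknownKeyError{Reason: "no matching login session and no slot certificate"}
	}
	for _, org := range slotCert.Subject.Organization {
		if org == "teleport" {
			return nil // fallback: the slot cert was issued for Teleport
		}
	}
	return &UnknownKeyError{Reason: fmt.Sprintf("subject organization %q is not teleport", slotCert.Subject.Organization)}
}

// MintSlotCert builds a self-signed cert standing in for a PIV slot's contents (constructed test data, hypothetical helper).
func MintSlotCert(org string) (*ecdsa.PublicKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{org}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &priv.PublicKey, cert, err
}
```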