I recently had to rebuild my laptop. In the process, I switched from Fedora 31 to Kubuntu 20.04 LTS. Everything in the switch went without a hitch, except for one thing. Where I work we use 2FA for all logins, and utilize a YubiKey for this purpose. I thought I had everything set up correctly, but whenever I try to ssh to a server now (and use PIV) I get this error...
Enter passphrase for PKCS#11: Could not add card
"/usr/lib/x86_64-linux-gnu/libykcs11.so": agent refused operation
Now, every time I reboot the system, etc., I have to re-add the card as normal. This shows that it was properly added already.
ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/libykcs11.so
Despite this, it's still throwing that annoying error at me. Now I CAN just manually enter my PW and hit the Yubi and log in. So it's not a show-stopper. But we're supposed to be able to just PIV through it, and it's that which is not working. Annoying.
Thought I had everything set up correctly, but I guess not. On the old build (prior to rebuild) I did a complete export of all private and public keys, and trusts. On the new system I imported those private & public keys, and the trusts file. I also copied over my ssh configs, etc.
After a TON of Googling, I tried all the remedies I could find, including verifying ownership and permissions on the cert file itself. To my knowledge, this is all correct.
-r-------- 1 REDACTED_USER REDACTED_USER 1537 Jan 20 2020 id_rsa-cert.pub
If I do a "ssh-add -l" I do see the proper signature there.
ssh-add -l
2048 SHA256:<<REDACTED>> Public key for Digital Signature (RSA)
2048 SHA256:<<REDACTED>> Public key for PIV Attestation (RSA)
While I redacted it here, I did verify that the sha256 value for the key does match with the servers in question.
So obviously, the problem is a user-induced config issue on my laptop.
Anyone have any thoughts on what the issue could be?
Make sure your key has restricted permissions: