An SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).
`piv-agent` is an SSH and GPG agent providing simple integration of PIV hardware (e.g. a Yubikey) with `ssh`, and `gpg` workflows such as `git` signing, `pass` encryption, or keybase chat.

`piv-agent` originated as a reimplementation of yubikey-agent because I needed some extra features, and also to gain a better understanding of the PIV applet on security key hardware.

`piv-agent` makes heavy use of the Go standard library and supplementary crypto packages, as well as piv-go and pcsclite. Thanks for the great software!

## DISCLAIMER

I make no assertion about the security or otherwise of this software and I am not a cryptographer. If you are, please take a look at the code and send PRs or issues. :green_heart:
## ssh-agent and gpg-agent functionality

This agent should require no interaction and in general do the right thing when security keys are plugged/unplugged, laptop is power cycled, etc.
It is highly opinionated:

(`~/.ssh/id_ed25519`)

It makes some concession to practicality with OpenPGP:

It tries to strike a balance between security and usability:

(`~/.ssh/id_ed25519`) in memory, so these only need to be provided once after the agent starts.

Tested with:
Will be tested with (once PIV support is available):

Any device implementing the SCard API (PC/SC), and supported by piv-go / pcsclite, may work. If you have tested another device with `piv-agent` successfully, please send a PR adding it to this list.

Currently tested on Linux with systemd and macOS with launchd.
| Supported | Not Supported | Support Blocked (Curve25519) |
|---|---|---|
| ✅ | ❌ | ⏳ |
Curve25519 algorithms are blocked on hardware support. Currently I'm only aware of Solo V2 which intends to implement this non-standard curve. Support is not yet available (see the link above).
| SSH key type | Security Key | Keyfile |
|---|---|---|
| ecdsa-sha2-nistp256 | ✅ | ❌ |
| ssh-ed25519 | ⏳ | ✅ |
| OpenPGP operation | Security Key | Keyfile |
|---|---|---|
| ECDSA Sign (NIST Curve P-256) | ✅ | ✅ |
| EdDSA Sign (Curve25519) | ⏳ | ⏳ |
| ECDH Decrypt | ✅ | ✅ |
| RSA Sign | ❌ | ✅ |
| RSA Decrypt | ❌ | ✅ |
Please see the documentation.
Install build dependencies:

```bash
# debian/ubuntu
sudo apt install libpcsclite-dev
```

Then build:

```bash
make
```
This D-Bus variable is required for pinentry to use a graphical prompt:

```bash
go build ./cmd/piv-agent && systemd-socket-activate -l /tmp/piv-agent.sock -E DBUS_SESSION_BUS_ADDRESS ./piv-agent serve --debug
```
Then in another terminal:

```bash
export SSH_AUTH_SOCK=/tmp/piv-agent.sock
ssh ...
```
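As an added example (not part of piv-agent's own code), here is a small Python client that speaks the SSH agent protocol directly over the socket started above: it sends SSH_AGENTC_REQUEST_IDENTITIES, parses the SSH_AGENT_IDENTITIES_ANSWER, and labels each key type with the source column from the SSH support table. `SAMPLE_ANSWER` is a constructed reply for offline checking, and the key comments and the `PIV_AGENT_SSH_SOURCES` mapping are my own naming, not something the agent emits.

```python
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
# SSH key types from the table above and the source piv-agent serves each from.
PIV_AGENT_SSH_SOURCES = {"ecdsa-sha2-nistp256": "security key", "ssh-ed25519": "keyfile"}

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH string at offset off; return (value, offset after it)."""
    n = struct.unpack_from(">I", buf, off)[0] if off + 4 <= len(buf) else None
    if n is None or off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4 : off + 4 + n], off + 4 + n

def parse_identities_answer(msg: bytes) -> list[tuple[str, str, str]]:
    """Return (key type, source per the table above, comment) for each identity in an
    SSH_AGENT_IDENTITIES_ANSWER: type byte, uint32 count, then (blob, comment) pairs."""
    if len(msg) < 5 or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)  # every public key blob starts with its type name
        source = PIV_AGENT_SSH_SOURCES.get(key_type.decode(), "not served by piv-agent")
        identities.append((key_type.decode(), source, comment.decode(errors="replace")))
    return identities

def list_agent_identities(sock_path: str) -> list[tuple[str, str, str]]:
    """Send SSH_AGENTC_REQUEST_IDENTITIES to the agent at sock_path (your $SSH_AUTH_SOCK)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))  # length 1, type 11
        with s.makefile("rb") as f:  # buffered read(n) blocks until n bytes arrive (or EOF)
            (length,) = struct.unpack(">I", f.read(4))
            return parse_identities_answer(f.read(length))

# Constructed sample reply: one key of each type in the table (blob bodies are dummy bytes).
SAMPLE_ANSWER = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2) + b"".join(
    ssh_string(ssh_string(kt) + ssh_string(b"\x00" * 32)) + ssh_string(comment)
    for kt, comment in ((b"ecdsa-sha2-nistp256", b"hardware key"), (b"ssh-ed25519", b"~/.ssh/id_ed25519"))
)
```

Against the agent started above, `list_agent_identities("/tmp/piv-agent.sock")` shows exactly which identities it is serving and from where; anything outside the table comes back labelled "not served by piv-agent".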
To serve the documentation locally:

```bash
cd docs && make serve
```