
Feature/add yubikey #316

Merged
merged 23 commits into from Jun 25, 2019

Conversation

j0hnsmith
Contributor

Adds Yubikey integration, #230.

@j0hnsmith
Contributor Author

The build is failing because libpcsclite is now required, I'm not sure if/how I can modify the build env (happy to try if someone can guide me). Pretty sure that's not the only new package needed.

@ismailyenigul

Great job!
I look forward to this feature. I can be first beta tester :)

@Isaacpm

Isaacpm commented Jan 16, 2019

Hi, is there any update on this PR? It would be very useful to have.

@j0hnsmith
Contributor Author

If you don't want to wait for this PR to be merged you can build it yourself, see https://github.com/99designs/aws-vault#development (that's what I've done, works well for me, I use it most days). If you do please report here with your experience of the functionality as it will add impetus to this PR.

@Isaacpm

Isaacpm commented Jan 16, 2019

I will give that a try, and report here, thanks!

@p0bailey

p0bailey commented Jan 30, 2019

Hello there,

Great work! Any updates on when this PR would be merged into master?

I'm having problems building the code from https://github.com/j0hnsmith/aws-vault

  1. I clone this repo https://github.com/j0hnsmith/aws-vault

  2. I switch to feature/add_yubikey

  3. I run go build and I get:

./main.go:27:22: cannot use app (type *"gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureGlobals
./main.go:28:25: cannot use app (type *"gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureAddCommand
./main.go:29:26: cannot use app (type *"gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureListCommand
./main.go:30:28: cannot use app (type *"gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureRotateCommand

phillip

@j0hnsmith
Contributor Author

j0hnsmith commented Jan 31, 2019

@p0bailey Something like this should work

cd ${GOPATH}/src/github.com
git clone git@github.com:99designs/aws-vault.git
cd aws-vault
# the remote needs a name so the fetch/checkout below can refer to it
git remote add j0hnsmith git@github.com:j0hnsmith/aws-vault.git
git fetch j0hnsmith feature/add_yubikey
git checkout j0hnsmith/feature/add_yubikey

make build
# now you need to sign and install, see https://github.com/99designs/aws-vault#self-signing-your-binary

@StevenACoffman
Contributor

I found the code signing directions lacking.

Deal with signing aws-vault

  1. Start Keychain Access
  2. Keychain Access -> Certificate Assistant -> Create a Certificate
  3. Name it whatever you like (I chose AWSVAULTSIGNER)
  4. Check "Let me override defaults"
  5. Just click continue until you reach "Extended Key Usage Extension", select "Code Signing"
  6. Just click continue until you reach the point to select Keychain, select the System keychain
  7. type codesign --force --sign name-of-certificate ${HOME}/go/src/github.com/99designs/aws-vault/aws-vault in your console
  8. You can then sign your binary like this:
go get -u -v github.com/99designs/aws-vault
cd $GOPATH/src/github.com/99designs/aws-vault
make build
codesign --force --sign name-of-certificate ${GOPATH}/src/github.com/99designs/aws-vault/aws-vault
# put the freshly built binary first on PATH ($PWD is the checkout directory)
export PATH="${PWD}:$PATH"
# verify signature
codesign -dvv $(which aws-vault) 2>&1 | grep Authority

Verify signature

$ codesign -dvv $(which aws-vault) 2>&1 | grep Authority

Check out Apple's guide on it here, or find it in Keychain Access > Certificate Assistant > Create Certificate > Code Signing Certificate.

@viraptor

viraptor commented Mar 7, 2019

@j0hnsmith I'm getting the same issue. After switching to your branch:

➜  aws-vault git:(270eaf0) make build
go build -o aws-vault -ldflags="-X main.Version=v4.4.1-23-g270eaf0 -s -w" .
main.go:6:2: cannot find package "github.com/99designs/aws-vault/cli" in any of:
	/Users/viraptor/go/src/github.com/aws-vault/vendor/github.com/99designs/aws-vault/cli (vendor tree)
	/usr/local/Cellar/go/1.12/libexec/src/github.com/99designs/aws-vault/cli (from $GOROOT)
	/Users/viraptor/go/src/github.com/99designs/aws-vault/cli (from $GOPATH)
make: *** [build] Error 1

➜  aws-vault git:(270eaf0) go get
# github.com/aws-vault
./main.go:27:22: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureGlobals
./main.go:28:25: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureAddCommand
./main.go:29:26: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureListCommand
./main.go:30:28: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureRotateCommand
./main.go:31:26: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureExecCommand
./main.go:32:28: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureRemoveCommand
./main.go:33:27: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureLoginCommand
./main.go:34:28: cannot use app (type *"github.com/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application) as type *"github.com/99designs/aws-vault/vendor/gopkg.in/alecthomas/kingpin.v2".Application in argument to cli.ConfigureServerCommand
./main.go:35:2: undefined: cli.ConfigureAddYubikeyCommand
./main.go:36:2: undefined: cli.ConfigureRemoveYubikeyCommand
./main.go:36:2: too many errors

That's using go1.12 on a Mac.

@j0hnsmith
Contributor Author

@viraptor if you follow the instructions in #316 (comment) all should be good.

@j0hnsmith
Contributor Author

@mtibben are you happy with the general premise of this PR? If so, what needs to happen to get the build to pass?

@viraptor

viraptor commented Mar 7, 2019

@j0hnsmith That's what I did, with some fixes:

cd ${GOPATH}/src/github.com
git clone git@github.com:99designs/aws-vault.git
cd aws-vault
git remote add j0hnsmith git@github.com:j0hnsmith/aws-vault.git
git fetch j0hnsmith feature/add_yubikey
git checkout j0hnsmith/feature/add_yubikey
make build

But there is some reproducible issue it seems.

@mtibben
Member

mtibben commented Mar 8, 2019

@j0hnsmith FYI I've just rebased this

@mtibben mtibben requested a review from lox March 8, 2019 04:04
@j0hnsmith
Contributor Author

@viraptor I've just built and installed the rebased version using 1.11.5, worked ok for me, you could try that.

@viraptor

viraptor commented Mar 8, 2019

Found the problem - missing directory in the structure - fixed here:

mkdir -p ${GOPATH}/src/github.com/99designs
cd ${GOPATH}/src/github.com/99designs
git clone git@github.com:99designs/aws-vault.git
cd aws-vault
git remote add j0hnsmith git@github.com:j0hnsmith/aws-vault.git
git fetch j0hnsmith feature/add_yubikey
git checkout j0hnsmith/feature/add_yubikey
make build

@davxiao

davxiao commented Mar 21, 2019

Is this already merged into the latest release, or will it be included?

@jottr

jottr commented Mar 28, 2019

libpcsclite seems to be missing. Could someone please update the dependencies and merge this?
Lots of people are waiting for this. :)

@jottr

jottr commented Mar 28, 2019

@j0hnsmith I've built and tried using the yubikey with aws-vault, but couldn't get it to work:

I've added the ARN of the yubikey to ~/.aws/config with mfa_serial as the key.
I am prompted for a token for the correct mfa ARN when I run aws-vault exec yubiawsaccount -- aws, but pressing the button on the key does nothing.
Not sure what I'm missing.

Also, it is quite unclear what aws-vault add-yubikey actually adds the key to. Would this be to the AWS account itself?

@jottr

jottr commented Apr 5, 2019

@lox @j0hnsmith can this PR please be expedited?
Having U2F support in aws-vault should be considered to be one of the most important features of a tool that facilitates authentication against sensitive server infrastructure.

@lox
Collaborator

lox commented May 20, 2019

What's the status of this @j0hnsmith? I'm reviewing PRs presently, is this ready for review?

@j0hnsmith
Contributor Author

@lox I've just rebased against master so yes, absolutely.

The build is failing because libpcsclite needs to be available in the Travis environment to build; I'm pretty sure that's not the only missing package. I don't know how to add it. If you can guide me I'm happy to do it; alternatively, if you know what needs to be done I'm happy for you to do it.

@lox
Collaborator

lox commented May 22, 2019

Ok cool. I'll see if I can figure out how to get libpcsclite installed and I'll leave some notes throughout the PR.

@asiragusa
Contributor

@j0hnsmith great job! I have tested your PR and I found a flaw in ykoath (yawn/ykoath#8): if you stored tokens that require --touch and tokens that don't, in some cases this PR won't work.

I did not have a reply for 10 days, but it would be nice if this PR would work properly. Can you update the commit ID in go.mod?

Also, I found a small quirk with the MFA device being added even if the tokens used are wrong, in this case you might try to do some cleanup. It's not a major issue, as manually doing aws-vault remove-yubikey fixes the problem.

@asiragusa
Contributor

@j0hnsmith it would be nice also if we could have more feedback once the Yubikey button has been pressed. Today it shows:

waiting for yubikey touch...

And nothing more once you've pressed it. For tasks that don't output anything for seconds it's impossible to know if you have correctly pressed the button or not. If you touch the button multiple times, the console is filled with random chars; otherwise it times out and asks for a token.

A simple OK\n aligned with the waiting for yubikey touch... would make it

@j0hnsmith
Contributor Author

@asiragusa Thanks for testing and giving feedback. I've added OK\n once touch has happened.

I found a small quirk with the MFA device being added even if the tokens used are wrong

In what situation would the token be wrong?

Can you update the commit ID in go.mod?

What do you want it updated to, surely your PR has to be merged first?

@asiragusa
Contributor

asiragusa commented Jun 3, 2019

@asiragusa Thanks for testing and giving feedback. I've added OK\n once touch has happened.

Great, thanks!

I found a small quirk with the MFA device being added even if the tokens used are wrong

In what situation would the token be wrong?
It happens if you already have both tokens with and without touch requirement in your Yubikey, so it's mainly an edge case.

Can you update the commit ID in go.mod?

What do you want it updated to, surely your PR has to be merged first?

Given that it's an edge case we can merge this PR and wait for yawn/ykoath#8 to be merged. An issue as a reminder to update the go.mod will do the trick ;)

@asiragusa
Contributor

@j0hnsmith I have found a small issue using the remove-yubikey command.

In my environment I have forbidden removing MFA devices without using an MFA token, and probably the remove-yubikey command doesn't generate one for the operation.

The output I have is the following:

$ aws-vault remove-yubikey xxx yyy
Removing yubikey for user xxx using profile yyy)
aws-vault: error: error removing yubikey
%!(EXTRA *errors.withStack=failed to delete virtual AWS MFA device with serial "arn:aws:iam::zzz:mfa/xxx": AccessDenied: User: arn:aws:iam::zzz:user/xxx is not authorized to perform: iam:DeleteVirtualMFADevice on resource: arn:aws:iam::zzz:mfa/xxx
	status code: 403, request id: req-id)

@j0hnsmith
Contributor Author

j0hnsmith commented Jun 24, 2019

@asiragusa I've found and fixed the problem with removing a yubikey, the creds used are obtained with a TOTP. This is the policy I tested with (deny is better than allow as an explicit deny will deny regardless of other policies)

      {
         "Effect":"Deny",
         "Action":[
            "iam:DeactivateMFADevice",
            "iam:DeleteVirtualMFADevice"
         ],
         "Resource":"arn:aws:iam::${account_id}:mfa/$${aws:username}",
         "Condition":{
            "NumericGreaterThan":{
               "aws:MultiFactorAuthAge":"900"
            }
         }
      },

I commented out the Condition and was unable to remove the yubikey, got the expected error, then after uncommenting and applying the change I was able to remove the yubikey.

@j0hnsmith
Contributor Author

@mtibben rebased

@mtibben
Member

mtibben commented Jun 25, 2019

Awesome, thank you so much @j0hnsmith for this feature!

@mtibben mtibben merged commit 39f7a6b into 99designs:master Jun 25, 2019
@mtibben mtibben mentioned this pull request Jun 25, 2019
@arnuschky

arnuschky commented Jun 28, 2019

I am struggling with using Yubikey-based auth too. I built aws-vault just fine, following the instructions above (thanks!)

However, when I add the Yubikey to my account through the AWS console and set the MFA's arn in my ~/.aws/config, I end up with the following:

Enter token for arn:aws:iam::xxxx:u2f/user/myuser/default-zzzz: cccckkahgsdfhasdlkfhaskdjf
aws-vault: error: Failed to get credentials for xxx (source profile for xxx-yyy): ValidationError: 2 validation errors detected: Value 'cccckkahgsdfhasdlkfhaskdjf' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*; Value 'cccckkahgsdfhasdlkfhaskdjf' at 'tokenCode' failed to satisfy constraint: Member must have length less than or equal to 6

However, if I remove the yubikey from my account via the AWS UI and try to add it through aws-vault, I get the following:

aws-vault add-yubikey myuser xxx-yyy
Adding yubikey to user myuser using profile xxx-yyy
aws-vault: error: error registering yubikey
%!(EXTRA *errors.withStack=error creating virtual device: EntityAlreadyExists: MFADevice entity at the same path and name already exists.

I am a bit lost here. What is add-yubikey for actually? How can I use the yubikey? Why doesn't aws-vault accept my token?

@j0hnsmith
Contributor Author

j0hnsmith commented Jun 28, 2019

@arnuschky aws-vault add-yubikey registers your yubikey as a TOTP device (not U2F) for the given username with AWS. Then when you aws-vault exec ... or similar, it gets a 6 digit TOTP from the yubikey and uses it to create your AWS session. A token that looks like cccckkahgsdf.... is a U2F token, not TOTP, which is 6 numbers (as you'd get from Google Authenticator or similar).

As long as you can see an entry in Yubikey Authenticator (don't ever manually remove that), I think you need to

  • if you've added a u2f mfa device via the interface, remove it via the interface
  • ensure you have something like this in your ~/.aws/config
[profile name-used-in-aws-vault]
mfa_serial=arn:aws:iam::{your account number}:mfa/{your username}
  • run aws-vault remove-yubikey --debug profilename username (you can run more than once if necessary, aws seems to keep mfa devices for deleted users)
  • now you should have a clean state, so can run aws-vault add-yubikey --debug myuser xxx-yyy (the debug should provide a little extra info)
  • aws-vault exec profilename -- aws iam list-mfa-devices --user-name your_username or other command that requires mfa auth
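How the 6 digit TOTP described above is produced, and why STS rejected the longer token earlier in the thread, as an added Go example that is not part of aws-vault, ykoath or this PR. The seed is the RFC 6238 test secret used as a constructed value (the real seed lives on the Yubikey and is never exported), and the TokenCode check only mirrors the constraint quoted in arnuschky's ValidationError.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// hotp computes an RFC 4226 HOTP value with the given number of digits
// (HMAC-SHA1 over the big-endian counter, then dynamic truncation).
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp computes an RFC 6238 TOTP for a base32 seed at the given Unix time,
// using the 30-second step and 6 digits that AWS virtual MFA devices expect.
func totp(base32Seed string, unix int64) (string, error) {
	dec := base32.StdEncoding.WithPadding(base32.NoPadding)
	seed, err := dec.DecodeString(strings.ToUpper(base32Seed))
	if err != nil {
		return "", err
	}
	return hotp(seed, uint64(unix/30), 6), nil
}

// stsTokenCodeOK mirrors the TokenCode constraint from the STS ValidationError:
// digits only ([\d]*) and length at most 6. A Yubico OTP string fails it.
var stsTokenCodeRe = regexp.MustCompile(`^[0-9]{1,6}$`)

func stsTokenCodeOK(token string) bool {
	return stsTokenCodeRe.MatchString(token)
}

func main() {
	const seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" // constructed: RFC 6238 test secret
	code, _ := totp(seed, time.Now().Unix())
	fmt.Println("TOTP:", code, "acceptable to STS:", stsTokenCodeOK(code))
	fmt.Println("OTP string acceptable to STS:", stsTokenCodeOK("cccckkahgsdfhasdlkfhaskdjf"))
}
```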

@tlwr

tlwr commented Jul 3, 2019

This is a super neat feature, thanks very much @j0hnsmith, and @mtibben for merging!

Sorry if I'm being impatient. Is there an ETA for a GH release of this? There are a number of aws-vault users in our org who would benefit from this feature.

Thanks again

@mtibben
Member

mtibben commented Jul 4, 2019

@j0hnsmith I've just run into some problems trying to create a new release of aws-vault due to the introduction of CGO and cross-compilation. I'm going to revert this from master and look to address in a new PR

mtibben added a commit that referenced this pull request Jul 4, 2019
@mtibben mtibben mentioned this pull request Jul 5, 2019
@mtibben mtibben mentioned this pull request Apr 20, 2020