YK Neo signing fails #32

Closed
felixhammerl opened this issue May 31, 2020 · 2 comments
Labels
upstream This is an issue in piv-go


@felixhammerl

First of all, thanks so much for creating this!

I own three identically configured YKs (4c, 5, neo), where the neo is the backup. All three keys have PIV enabled for macOS login; I just reuse slot 9a here.

Testing with GitHub, I've noticed that SSH auth with the Neo does not seem to work.

YK 4C (works as expected):

```
> ssh -T git@github.com
Hi felixhammerl! You've successfully authenticated, but GitHub does not provide shell access.
```

YK 5 (works as expected):

```
> ssh -T git@github.com
Hi felixhammerl! You've successfully authenticated, but GitHub does not provide shell access.
```

YK Neo:

```
> ssh -T git@github.com
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
> killall -HUP yubikey-agent
> ssh -T git@github.com
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
```

PGP is not in use on the YKs. Not sure what the issue might be.

```
> cat ~/.ssh/config
Host *
    IdentityAgent /usr/local/var/run/yubikey-agent.sock
```

@felixhammerl changed the title from "YK Neo" to "YK Neo signing fails" on May 31, 2020

@joneskoo

@felixhammerl Possibly a variant of go-piv/piv-go#55 that affects older YubiKeys before 4.2.8 firmware? Can you report your firmware and try running yubikey-agent in the foreground? (You need to set SSH_AUTH_SOCK to the socket file that you use when running it.) Without the output from yubikey-agent it's hard to say what might be going wrong.
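
Added example, not part of the thread and not yubikey-agent's own code: a standalone probe that speaks the SSH agent protocol directly to the socket named in SSH_AUTH_SOCK and requests a signature with the first listed key. ssh reports "agent refused operation" when the agent answers a sign request with SSH_AGENT_FAILURE, so this reproduces the failure without involving GitHub; the test data and the result labels are constructed for illustration.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER = 5, 11, 12
SIGN_REQUEST, SIGN_RESPONSE = 13, 14

def ssh_string(data):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_exact(sock, n):
    """Read exactly n bytes or raise if the agent hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def call(sock, msg_type, payload=b""):
    """Send one framed request; return (reply type, reply payload)."""
    sock.sendall(ssh_string(bytes([msg_type]) + payload))
    (length,) = struct.unpack(">I", read_exact(sock, 4))
    if not 1 <= length <= 256 * 1024:
        raise ValueError("implausible reply length %d" % length)
    reply = read_exact(sock, length)
    return reply[0], reply[1:]

def probe_sign(sock):
    """Request a signature over test data with the first key; classify the reply."""
    rtype, body = call(sock, REQUEST_IDENTITIES)
    if rtype != IDENTITIES_ANSWER or len(body) < 4:
        return "list-failed"
    if struct.unpack(">I", body[:4])[0] == 0:
        return "no-keys"  # agent is reachable but offers no key from the token
    if len(body) < 8:
        return "list-failed"
    (klen,) = struct.unpack(">I", body[4:8])
    request = ssh_string(body[8:8 + klen]) + ssh_string(b"constructed test data")
    rtype, _ = call(sock, SIGN_REQUEST, request + struct.pack(">I", 0))  # flags = 0
    return {SIGN_RESPONSE: "signed", FAILURE: "refused"}.get(rtype, "unexpected-%d" % rtype)

if __name__ == "__main__":
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        print(probe_sign(s))
```

Against a real hardware-backed agent the sign request may block until a PIN prompt or touch is answered. A "refused" result with the key listed points at the agent or token side rather than at the SSH server.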

@FiloSottile added the upstream (This is an issue in piv-go) label on Jun 20, 2020

@FiloSottile
Owner

This should be fixed in v0.1.2 thanks to the upstream fixes.

If not, please open a new issue with the contents of /usr/local/var/log/yubikey-agent.log. Thank you!
