PIN policy "ALWAYS" not working #6

Closed
joneskoo opened this issue Apr 26, 2020 · 3 comments
Labels: upstream (This is an issue in piv-go)

Comments

@joneskoo

Reproduction

Reset and configure key policy

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
	PIN:	123456
	PUK:	12345678
	Management Key:	010203040506070801020304050607080102030405060708
$ ykman piv import-key --pin-policy ALWAYS --touch-policy ALWAYS 9a key.pem
Enter a management key [blank to use default key]: 
$ ykman piv generate-certificate -s $USER 9a public.pem              
Enter PIN: 
Enter a management key [blank to use default key]: 
Touch your YubiKey...

Start agent and set up authorized_keys

$ yubikey-agent &
$ export SSH_AUTH_SOCK="/Users/joneskoo/Library/Caches/yubikey-agent.sock"
$ ssh-add -L  | set-up-authorized-keys server

First login works

PIN is prompted and touch is required as expected.

$ ssh server
Login OK.

Second login

Touch is required but PIN is not prompted.

$ ssh server
sign_and_send_pubkey: signing failed: agent refused operation

Agent refuses and yubikey-agent logs:

2020/04/27 00:18:35 agent 13: command failed: smart card error 6982: security status not satisfied

@joneskoo (Author)

And just to confirm, ykman piv import-key --pin-policy ONCE --touch-policy ALWAYS 9a key.pem works as expected; it requires touch for every use, but PIN only once per session.

joneskoo changed the title from "PIN policy always not working" to "PIN policy "ALWAYS" not working" on Apr 26, 2020

@FiloSottile (Owner)

Looks like an upstream issue, reported as go-piv/piv-go#49. Closing here because I plan to only officially support setup-generated configurations, but thanks for the detailed report, it will definitely help upstream, and probably the fix will find its way back downstream.

FiloSottile added the upstream (This is an issue in piv-go) label on May 13, 2020

@esselius

Note to future self, agent 13: command failed: smart card error 6982: security status not satisfied also shows up in logs when forgetting to poke the yubikey :)
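
An added example, not part of the thread and not code from yubikey-agent or piv-go: a constructed model of one PIV slot showing why the ONCE and ALWAYS PIN policies diverge on the second signature, and why a missed touch produces the same status word. The card type, its methods and the assumption that the client sends the PIN only once per session are hypothetical.

```go
package main

import "fmt"

// ISO 7816-4 status words; 0x6982 is the "security status not satisfied" in the agent log.
const swOK, swSecurityStatus = 0x9000, 0x6982

type pinPolicy int
const pinOnce, pinAlways pinPolicy = 0, 1

// card is a constructed model of one PIV slot, not YubiKey firmware or piv-go code.
type card struct {
	policy      pinPolicy
	pinVerified bool
}

func (c *card) verifyPIN() { c.pinVerified = true }

// sign models one private-key operation on a slot with touch policy ALWAYS.
func (c *card) sign(touched bool) uint16 {
	if !c.pinVerified || !touched {
		return swSecurityStatus
	}
	if c.policy == pinAlways {
		c.pinVerified = false // ALWAYS: each signature consumes the verification
	}
	return swOK
}

// session signs n times; reverify=false models a client that sends the PIN once per session (assumption).
func session(p pinPolicy, n int, reverify, touched bool) []uint16 {
	c := &card{policy: p}
	c.verifyPIN()
	out := make([]uint16, 0, n)
	for i := 0; i < n; i++ {
		if reverify && i > 0 {
			c.verifyPIN()
		}
		out = append(out, c.sign(touched))
	}
	return out
}

func main() {
	fmt.Printf("ALWAYS, PIN once per session: %04x\n", session(pinAlways, 2, false, true))
	fmt.Printf("ALWAYS, PIN before each sign: %04x\n", session(pinAlways, 2, true, true))
	fmt.Printf("ONCE,   PIN once per session: %04x\n", session(pinOnce, 2, false, true))
	fmt.Printf("ONCE,   touch missed:         %04x\n", session(pinOnce, 1, false, false))
}
```

Because both conditions return the same status word in this model, the log line alone does not tell a missing PIN verification from a missed touch.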
