YubiKey ignores cancellation of PIV PIN/touch requests #47810
Labels: bug; teleport-connect (Issues related to Teleport Connect.); tsh (tsh - Teleport's command line tool for logging into nodes running Teleport.)
When a YubiKey is used as a hardware key and prompts the user for a PIN or touch, attempting to cancel the request in either tsh or Teleport Connect does not stop the YubiKey from blinking.
This issue comes from two main problems:
1. signer.Sign interface does not accept a Context, so it's not possible to cancel the call easily. abandonableSign when the context is canceled. This however does not cancel the request itself and the YubiKey is still blinking.
2. go-piv library (used for YubiKey communication) does not expose any API that would allow us to break the pending request. Attempting to close the YubiKey connection with YubiKey.Close() did not cause the device to stop blinking.
There is also a chance that this mechanism is intentional on the YubiKey side, so it's not possible to cancel the request programmatically.
The key will eventually reach a timeout (after a few seconds) and unlock itself, but until it does, the user may need to tap it twice, as observed in #47652 (comment).
If possible, we should attempt to cancel the request; otherwise, we can add to the error message something like "the key itself may wait for PIN/touch for a few more seconds".
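Added example, not Teleport's code and not part of the original issue: a minimal Go sketch of abandoning a context-less Sign call, showing that the caller returns on cancellation while the underlying call keeps running. The names slowSigner and signWithContext are hypothetical, and slowSigner is a constructed stand-in for the YubiKey prompt.

```go
package main

import (
	"context"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
	"time"
)

// slowSigner is a constructed stand-in for a hardware key: Sign blocks for
// wait (the pending PIN/touch prompt) and has no way to be interrupted.
type slowSigner struct {
	crypto.Signer
	wait time.Duration
}

func (s slowSigner) Sign(r io.Reader, msg []byte, o crypto.SignerOpts) ([]byte, error) {
	time.Sleep(s.wait)
	return s.Signer.Sign(r, msg, o)
}

// signWithContext (hypothetical helper) stops waiting once ctx is done, but the
// goroutine, and so the device prompt, keeps running until Sign itself returns.
func signWithContext(ctx context.Context, s crypto.Signer, msg []byte) ([]byte, <-chan struct{}, error) {
	sig, err := []byte(nil), error(nil)
	done := make(chan struct{}) // closed only when the device call really ends
	go func() {
		defer close(done)
		sig, err = s.Sign(rand.Reader, msg, crypto.Hash(0))
	}()
	select {
	case <-done: // sig and err are safe to read: close(done) happens after the write
		return sig, done, err
	case <-ctx.Done():
		return nil, done, fmt.Errorf("%w; the key itself may wait for PIN/touch for a few more seconds", ctx.Err())
	}
}

func main() {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	_, done, err := signWithContext(ctx, slowSigner{key, 300 * time.Millisecond}, []byte("constructed sample"))
	fmt.Println("caller returned:", err)
	<-done // the abandoned call finishes only here, well after the caller gave up
}
```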