[ Gam ] [ Configuration of yubikey Failed ]


Zo-Hasina RASATAVOHARY

unread,
Aug 28, 2023, 7:51:25 PM8/28/23
to GAM for Google Workspace
Hello,
I'm trying to configure a YubiKey which includes a PIV for GAM authentication.
The first two steps are OK:
- generating a private key on the YubiKey and a public key that is stored locally
- generating a certificate
Then when I'm trying to run the following command:

 gam rotate sakey yubikey 123456 9c AUTHENTICATION

I'm getting the following error :

ERROR: YubiKey - Invalid PIN/PUK. Remaining attempts: 1

It seems that for some reason it does not recognize the PIN provided (here the default PIN).

If you may have any suggestion or solution, it would be great ! 


BR 

Zo

Jay Lee

unread,
Aug 28, 2023, 7:54:30 PM8/28/23
to google-ap...@googlegroups.com
What version of GAM are you using? Did you follow the steps at:


Jay


Zo-Hasina RASATAVOHARY

unread,
Aug 28, 2023, 7:59:36 PM8/28/23
to google-ap...@googlegroups.com
I'm using the following version of GAM : 

GAMADV-XTD3 6.57.08 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller

Ross Scroggs <ross.s...@gmail.com>

Python 3.11.3 64-bit final


I've followed the steps you mentioned in your message.

I'm not sure if the syntax I used is correct, because the initial syntax example was:
Now that you have a private key on your YubiKey, tell GAM to use that instead of the private_key stored in oauth2service.json. We can do that by rotating the key:
gam rotate sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION
gam rotate sakey yubikey 123456 9c AUTHENTICATION

I have tried a lot of different syntaxes without any success :-(





Zo-Hasina RASATAVOHARY

unread,
Aug 28, 2023, 8:39:49 PM8/28/23
to google-ap...@googlegroups.com
After having a look at the BNF syntax of GAM, I think that this feature of adding YubiKey auth to GAM contains a bug.

I have seen that we also have a gam create sakey, which I tested with the same results:
gam create sakey
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
        (localkeysize 1024|2048|4096)|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
         yubikey_serialnumber <Number>
         [localkeysize 1024|2048|4096])
gam rotate sakey|sakeys retain_existing
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
         yubikey_serialnumber <Number>
         [localkeysize 1024|2048|4096])

So at this stage I was wondering if anyone knows about this issue?
Or maybe has a quick way to start debugging GAM?

Thank you all for your help!

Ross Scroggs

unread,
Aug 28, 2023, 10:50:13 PM8/28/23
to google-ap...@googlegroups.com
You should be typing a command like this:
gam rotate sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION
Do not replace yubikey_pin with the actual pin, you will be prompted
Do not replace yubikey_slot with the actual slot, 
  use yubikey_slot AUTHENTICATION for slot 9a
  use yubikey_slot SIGNATURE for slot 9c

Ross
----
Ross Scroggs
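
The two points in Ross's reply (type the placeholders literally, let GAM prompt for the PIN and pick the slot from the role keyword) are worth enforcing in a small pre-flight before touching the token, because every wrong PIN GAM submits burns one of the PIV retry counter's attempts, and the thread's error already shows only one left. The script below is an added example, not GAM's or ykman's own code. It parses `ykman piv info` output (line formats such as "PIN tries remaining: 1/3" and "Slot 9A (AUTHENTICATION):" are assumed from ykman 4.x/5.x and the sample output is constructed, not captured), refuses to continue when the PIN is about to lock or the target slot is empty, and otherwise returns the exact command to run.

```python
"""Pre-flight for `gam create|rotate sakey yubikey ...`.

Added example; this is not GAM's or ykman's own code. It encodes the two
points from the thread: the placeholders `yubikey_pin` and `yubikey_slot`
are typed literally (GAM prompts for the PIN and maps AUTHENTICATION -> 9a,
SIGNATURE -> 9c itself), and every failed attempt burns a PIV PIN retry,
so we refuse to proceed when `ykman piv info` says the PIN is about to lock.
"""
import re
import shlex
from typing import List, Optional, Tuple

# Role keyword accepted by GAM -> PIV slot it selects (from Ross's reply).
ROLE_TO_SLOT = {"AUTHENTICATION": "9a", "SIGNATURE": "9c"}

# Assumed line formats from `ykman piv info`: "PIN tries remaining: 1/3"
# (ykman 5.x) or "PIN tries remaining: 1" (ykman 4.x); slot headers such as
# "Slot 9A (AUTHENTICATION):" (5.x) or "Slot 9a:" (4.x).
_PIN_TRIES_RE = re.compile(r"PIN tries remaining:\s*(\d+)")

# Constructed sample output (not captured from a real key); note the single
# remaining attempt, matching the "Remaining attempts: 1" error in the thread.
SAMPLE_PIV_INFO = """\
PIV version:              5.4.3
PIN tries remaining:      1/3
Management key algorithm: TDES
Slot 9A (AUTHENTICATION):
  Private key type: RSA2048
  Public key type:  RSA2048
  Subject DN:       CN=GAM Service Account
"""


def pin_tries_remaining(piv_info: str) -> Optional[int]:
    """Remaining PIN attempts reported by `ykman piv info`, or None if absent."""
    m = _PIN_TRIES_RE.search(piv_info)
    return int(m.group(1)) if m else None


def slot_populated(piv_info: str, slot: str) -> bool:
    """True when `ykman piv info` lists a key/certificate in `slot` (e.g. "9a")."""
    pattern = rf"^Slot {re.escape(slot)}\b"
    return re.search(pattern, piv_info, re.MULTILINE | re.IGNORECASE) is not None


def build_gam_sakey_argv(action: str, role: str) -> List[str]:
    """argv for GAM; the placeholders are deliberately NOT replaced by values."""
    if action not in ("create", "rotate"):
        raise ValueError("action must be 'create' or 'rotate'")
    if role not in ROLE_TO_SLOT:
        raise ValueError(f"role must be one of {sorted(ROLE_TO_SLOT)}")
    return ["gam", action, "sakey", "yubikey", "yubikey_pin", "yubikey_slot", role]


def preflight(piv_info: str, action: str, role: str, min_tries: int = 2) -> Tuple[bool, str]:
    """Return (ok, message-or-command). Refuse when a wrong PIN would lock the
    token or the target slot has no key yet; otherwise return the command to type."""
    if role not in ROLE_TO_SLOT:
        raise ValueError(f"role must be one of {sorted(ROLE_TO_SLOT)}")
    tries = pin_tries_remaining(piv_info)
    if tries is None:
        return False, "could not find the PIN retry counter in ykman output"
    if tries < min_tries:
        # Recovery is `ykman piv access unblock-pin` (needs the PUK), not more guesses.
        return False, f"only {tries} PIN attempt(s) left; unblock with the PUK before retrying"
    slot = ROLE_TO_SLOT[role]
    if not slot_populated(piv_info, slot):
        return False, (f"slot {slot} is empty; run `ykman piv keys generate` and "
                       "`ykman piv certificates generate` first")
    return True, shlex.join(build_gam_sakey_argv(action, role))


if __name__ == "__main__":
    # First run stops (1 attempt left); second run, with a healthy counter, prints the command.
    for info in (SAMPLE_PIV_INFO, SAMPLE_PIV_INFO.replace("1/3", "3/3")):
        ok, msg = preflight(info, "rotate", "AUTHENTICATION")
        print("OK  " if ok else "STOP", msg)
```

In practice you would feed `subprocess.run(["ykman", "piv", "info"], capture_output=True, text=True).stdout` into `preflight` instead of the constructed sample; the `min_tries` default of 2 leaves one attempt in reserve so a typo never reaches the PUK.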



Zo-Hasina RASATAVOHARY

unread,
Aug 29, 2023, 2:18:02 AM8/29/23
to google-ap...@googlegroups.com
Hi Scott, 
  Invitation Sent :-) Thank you for your help ! 
Zo


Zo-Hasina RASATAVOHARY

unread,
Aug 29, 2023, 2:59:06 AM8/29/23
to google-ap...@googlegroups.com
Thank you for the answer, 
I'm still having the same problem
I'm sending a meet link

On Tue, Aug 29, 2023 at 04:50, Ross Scroggs <ross.s...@gmail.com> wrote:

Zo-Hasina RASATAVOHARY

unread,
Aug 29, 2023, 3:20:54 PM8/29/23
to google-ap...@googlegroups.com, ross.s...@gmail.com
Thank you Ross for taking the time and for your patience in handling my local configuration issues!

So I'm posting back in the hope this may help other chaps looking to solve their issue. @Ross.S...@gmail.com updated the documentation and made it very accurate: https://github.com/GAM-team/GAM/wiki/Use-a-Yubikey#setup-steps
📖 First thing, and very important: before you use and create your private key with the YubiKey for authentication, you may back up your oauth2service.json.
📖 Second important thing about the Google configuration: you need to enable the following operations: 📖
- ServiceAccountKeyCreation
- ServiceAccountKeyUpload
This is available on the https://console.cloud.google.com/ interface under the following path:
=> IAM & Administration >> Rules Administrations, and then select your project to see how it is set up.
If it is inherited from the Organization, you may have a look at the organization to see how the rules have been configured.

Google documentation is quite clear about that : https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts?hl=fr#console


The good practice that says it is good to disable the ability for a service account to upload new keys is good, but it brings some constraints and may prevent you from setting up your YubiKey to authenticate with GAM. This was my main issue here, and it prevented the process from completing!

So here are the steps we followed with @Ross.S...@gmail.com

📖 I also updated my local GAM version to the latest one by running the following command,
which will update your local version of GAM:

After that, I also updated my local project by running the following command 

gam update project 


📖 Then we ran the following commands with the following values for the parameters:
param1 = PIN code (e.g. 123456)
param2 = slot number, should be either 9a (authentication) or 9c (signature) (e.g. 9a here)
param3 = name of the public key file (pub_key for instance)

- 1/ Create the private key on the YubiKey and the associated public key, which will be uploaded to console.cloud.google.com
ykman piv keys generate -P $param1 --pin-policy ALWAYS --touch-policy NEVER --algorithm RSA2048 $param2 $param3

- 2/ Create the associated certificate based on the public & private keys 

ykman piv certificates generate -P $param1 --subject "GAM Service Account" -d 36500 $param2 $param3


- 3/ Create the private key on the Google service account

gam create sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION

This will ask for your PIN (param1, which you may enter).
==> This is the part where your service account needs to have the following rights:
  • iam.DisableServiceAccountCreation
  • iam.DisableServiceAccountKeyCreation
  • iam.DisableServiceAccountKeyUpload
The updated documentation by @Ross.S...@gmail.com is great about that: https://github.com/GAM-team/GAM/wiki/Use-a-Yubikey#setup-steps

And at last you should have everything running.

Thank you again @Ross.S...@gmail.com for your time and your help!

Zo
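
The blocker in the post above is an organization policy, and the useful check is to read the effective policy on the project before running step 3, since an inherited constraint does not show up on the project's own policy page. The script below is an added example, not GAM's or Google's own code. It assumes the JSON shape produced by `gcloud org-policies describe <constraint> --project=<id> --effective --format=json` (a `spec.rules[]` list with `enforce` booleans; the sample is constructed, not captured from a real project) and the mapping of constraints to GAM key variants (the `yubikey` and `localkeysize` forms upload a public key, so `iam.disableServiceAccountKeyUpload` is the one that bites; `iam.disableServiceAccountKeyCreation` governs the Google-generated `algorithm` form). It reports which of the three constraints named above are enforced, whether set on the project or inherited from the organization.

```python
"""Check whether organization policy will block `gam create sakey yubikey ...`.

Added example, not GAM's or Google's own code. Feed it the *effective* policy
for each constraint as returned by
`gcloud org-policies describe <constraint> --project=<id> --effective --format=json`
(JSON shape assumed here, not captured) and it names the constraints that
are enforced on the project, whether set there or inherited from the org.
"""
import json
from typing import Dict, List

# Constraint -> the GAM variant it gates. Assumption: a key generated on the
# YubiKey never leaves the token, so GAM must *upload* its public key, which is
# exactly what iam.disableServiceAccountKeyUpload forbids; the `algorithm`
# variant asks Google to mint the key, which KeyCreation forbids.
CONSTRAINTS = {
    "iam.disableServiceAccountKeyUpload": "uploading a public key (yubikey / localkeysize variants of create/rotate sakey)",
    "iam.disableServiceAccountKeyCreation": "letting Google generate a key (algorithm KEY_ALG_RSA_* variant)",
    "iam.disableServiceAccountCreation": "creating the service account itself",
}


def describe_cmd(constraint: str, project: str) -> List[str]:
    """gcloud invocation whose JSON output is what is_enforced() expects."""
    return ["gcloud", "org-policies", "describe", constraint,
            f"--project={project}", "--effective", "--format=json"]


def is_enforced(policy: dict) -> bool:
    """A boolean constraint blocks the call when an unconditional rule has enforce: true.

    Tag-conditional rules are skipped on purpose: they may or may not apply to
    this project, so they are flagged for manual review rather than counted."""
    rules = policy.get("spec", {}).get("rules", [])
    return any(r.get("enforce") is True and "condition" not in r for r in rules)


def blocking_constraints(effective: Dict[str, dict]) -> List[str]:
    """Names of constraints (from CONSTRAINTS) that are enforced in `effective`."""
    return [c for c in CONSTRAINTS if c in effective and is_enforced(effective[c])]


def report(effective: Dict[str, dict]) -> List[str]:
    """Human-readable lines: which GAM step each enforced constraint will break."""
    blocked = blocking_constraints(effective)
    lines = [f"{c}: blocks {CONSTRAINTS[c]}" for c in blocked]
    return lines or ["no blocking constraint found for the YubiKey flow"]


# Constructed sample: key upload enforced (the situation in the thread), key
# creation explicitly not enforced, account creation absent (no policy set).
SAMPLE_EFFECTIVE = {
    "iam.disableServiceAccountKeyUpload": json.loads("""
      {"name": "projects/123456789/policies/iam.disableServiceAccountKeyUpload",
       "spec": {"rules": [{"enforce": true}]}}"""),
    "iam.disableServiceAccountKeyCreation": json.loads("""
      {"name": "projects/123456789/policies/iam.disableServiceAccountKeyCreation",
       "spec": {"rules": [{"enforce": false}]}}"""),
}


if __name__ == "__main__":
    for constraint in CONSTRAINTS:
        print(" ".join(describe_cmd(constraint, "my-gam-project")))  # commands to run for real
    for line in report(SAMPLE_EFFECTIVE):
        print(line)
```

To use it against a real project, run each `describe_cmd` with `subprocess.run(..., capture_output=True, text=True)`, `json.loads` the stdout into the dictionary keyed by constraint name, and pass that to `report`; an empty or absent policy means nothing is enforced at any level and step 3 can proceed.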

Zo-Hasina RASATAVOHARY

unread,
Aug 29, 2023, 3:41:35 PM8/29/23
to google-ap...@googlegroups.com, ross.s...@gmail.com

Not the previous one 😑, my bad 
