When using a YubiKey-backed private key, Teleport should support an existing RSA-4096 key on the device.
What would you like Teleport to do?
When using a YubiKey-backed private key, Teleport should support an existing RSA-4096 key on the device.
What problem does this solve?
A user that has a YubiKey managed by a third-party enterprise software solution that only supports RSA 4096 is currently unable to use that device with Teleport's hardware-backed key support.
This third-party software doesn't allow the use of legacy RSA-2048 keys, and it doesn't allow support for the new elliptic curve keys that were added in Teleport 17.x as described in RFD 136: https://github.com/gravitational/teleport/blob/branch/v17/rfd/0136-modern-signature-algorithms.md
Our Teleport docs indicate that a user can manually add a key that uses an external management key by manually inputting that management key when running:

```
ykman piv keys generate -a ECCP256 [slot] --touch-policy=[never|cached|always] --pin-policy=[never|once|always] -
```

Reference: https://goteleport.com/docs/admin-guides/access-controls/guides/hardware-key-support/#custom-key
The third-party YubiKey management software does not allow access to the management key, so users cannot manually add a key of a different type.
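As an added example (not part of this issue and not Teleport's or ykman's code), a stdlib-only check that reads the PEM public key exported from a PIV slot (e.g. with `ykman piv keys export`) and reports its ykman-style algorithm name, so an admin can see whether a managed device holds the unsupported RSA-4096 type before pointing Teleport at it. The `sample_pem` inputs are constructed DER with placeholder key material, not keys from a real device, and `teleport_accepts` encodes only what this issue states.

```python
import base64
# DER-encoded algorithm OIDs (well-known constants, not taken from the issue)
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption
EC_OID = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
P256_OID = bytes.fromhex("06082a8648ce3d030107")    # prime256v1, ykman "ECCP256"

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_enc(tag, value):
    """Encode one DER TLV (only needed to build the constructed samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def classify_spki(pem):
    """Map a PEM SubjectPublicKeyInfo (what `ykman piv keys export` prints) to a ykman algorithm name."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, spki, _ = der_tlv(der)
    _, algid, p = der_tlv(spki)                         # AlgorithmIdentifier
    _, bits, _ = der_tlv(spki, p)                       # BIT STRING subjectPublicKey
    _, oid, q = der_tlv(algid)
    if der_enc(0x06, oid) == RSA_OID:
        _, rsa, _ = der_tlv(bits[1:])                   # skip unused-bits byte -> RSAPublicKey
        _, modulus, _ = der_tlv(rsa)
        return "RSA%d" % int.from_bytes(modulus, "big").bit_length()
    if der_enc(0x06, oid) == EC_OID:
        _, curve, _ = der_tlv(algid, q)
        return "ECCP256" if der_enc(0x06, curve) == P256_OID else "EC-other"
    return "unknown"

def teleport_accepts(alg):
    # Per the issue text: legacy RSA2048 and ECCP256 work, RSA4096 does not.
    return alg in ("RSA2048", "ECCP256")

def sample_pem(alg):
    """Constructed, structurally valid (not real) SPKI for 'RSA2048', 'RSA4096' or 'ECCP256'."""
    if alg == "ECCP256":
        algid, key = EC_OID + P256_OID, b"\x04" + b"\x11" * 64   # placeholder point
    else:
        bits = int(alg[3:])
        n = (1 << (bits - 1)) | 1                                 # top bit set, odd
        key = der_enc(0x30, der_enc(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))
                      + der_enc(0x02, b"\x01\x00\x01"))           # e = 65537
        algid = RSA_OID + b"\x05\x00"                             # NULL parameters
    spki = der_enc(0x30, der_enc(0x30, algid) + der_enc(0x03, b"\x00" + key))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % base64.b64encode(spki).decode()
```

Feed `classify_spki` the real export from the managed slot to confirm the device reports `RSA4096`, which is the case this issue asks Teleport to support.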
If a workaround exists, please include it.
No current workaround.