Yubikey
setup
buy it
plug it in
dmesg says:
[176545.484426] usb 3-1.1: new full-speed USB device number 9 using xhci_hcd
[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[176545.506844] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[176545.506847] usb 3-1.1: Product: Yubikey NEO OTP
[176545.506848] usb 3-1.1: Manufacturer: Yubico
[176545.506954] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[176545.511076] input: Yubico Yubikey NEO OTP as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input16
[176545.511167] hid-generic 0003:1050:0110.0005: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP] on usb-0000:02:00.0-1.1/input0
install yubikey utilities and libraries
The first thing it tells you is to install and run ykpersonalize:
- download, unpack
./configure
Fails with this error:
checking for libyubikey... no
configure: error: libyubikey v1.5+ not found, see http://code.google.com/p/yubico-c/
- apt-get install libyubikey-dev
- apt-get install pkg-config (already present)
- apt-get install libusb-1.0-0-dev
- apt-get install libjson0-dev (optional)
./configure
success.
make
sudo make install
Now ykinfo should work but fails like this:
# ykinfo
ykinfo: error while loading shared libraries: libykpers-1.so.1: cannot open shared object file: No such file or directory
Need to run ldconfig so the dynamic linker picks up the newly installed library:
ldconfig
# ykinfo -v
version: 3.1.2
install yubico-c
https://github.com/Yubico/yubico-c
- download the zip from github
- unpack
- make -f simple.mk check
OK, the command line tools now work and tests pass for modhex, ykparse, ykgenerate.
setup as pgp key
# ykpersonalize -m82
Firmware version 3.1.2 Touch level 1285 Program sequence 1
The USB mode will be set to: 0x82
Commit? (y/n) [n]: y
- remove and re-insert the yubikey
look for CCID in the dmesg output:
[181879.686402] usb 3-1.1: new full-speed USB device number 10 using xhci_hcd
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111
[181879.709154] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[181879.709156] usb 3-1.1: Product: Yubikey NEO OTP+CCID
[181879.709158] usb 3-1.1: Manufacturer: Yubico
[181879.709258] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[181879.713385] input: Yubico Yubikey NEO OTP+CCID as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input19
[181879.713482] hid-generic 0003:1050:0111.0008: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+CCID] on usb-0000:02:00.0-1.1/input0
# gpg --card-edit
gpg: WARNING: unsafe ownership on configuration file `/home/rday/.gnupg/gpg.conf'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed
gpg/card> generate
Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin
gpg: 2 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN [remaining attempts: 2]
Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 07 Dec 2023 03:40:08 PM PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ryan Finnin Day
Email address: rday@linuxfoundation.org
Comment:
You selected this USER-ID:
    "Ryan Finnin Day <rday@linuxfoundation.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (31 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key 63653EEA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-08-30
pub   2048R/63653EEA 2013-12-09 [expires: 2023-12-07]
      Key fingerprint = 7EE4 87A9 B882 430B AB64 B084 1EFA B084 6365 3EEA
uid                  Ryan Finnin Day <rday@linuxfoundation.org>
sub   2048R/E9B34A77 2013-12-09 [expires: 2023-12-07]
sub   2048R/47FE850E 2013-12-09 [expires: 2023-12-07]

gpg/card>
create udev rule for yubikey
root@ferret:/etc/udev/rules.d# cat 69-yubikey.rules
ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
    ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"

# On unplug, kill scdaemon so it does not keep a stale handle to the card.
# Note the match operator (==) on the vendor id and subsystem: a single = would assign, not match.
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{SUBSYSTEM}=="usb", RUN+="/usr/bin/pkill scdaemon"
modify Xsession.options
- comment out "use-ssh-agent"
# $Id: Xsession.options 189 2005-06-11 00:04:27Z branden $
#
# configuration options for /etc/X11/Xsession
# See Xsession.options(5) for an explanation of the available options.
allow-failsafe
allow-user-resources
allow-user-xsession
#use-ssh-agent
use-session-dbus
configure gnome
Install dependencies
# apt-get install gnupg-agent
# apt-get install pcscd
# apt-get install gpgsm
troubleshooting
is smartcard visible?
rday@ferret:~$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': Permission denied
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
<snip>
- when scdaemon starts as root, it creates S.gpg-agent* owned
- fix permissions to not be owned by root
rday@ferret:~/.gnupg$ gpg --card-status
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
<snip>
check ~/.gnupg/gpg-agent.log
- try to log in using the smartcard key
rday@ferret:~/.gnupg$ ssh muno
Agent admitted failure to sign using the key.
- watch log
2013-12-10 11:19:01 gpg-agent[2646] DBG: detected card with S/N D2760001240102000000000000010000
2013-12-10 11:19:06 gpg-agent[2646] smartcard signing failed: Bad PIN
is scdaemon getting started?
- Not started properly
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': No such file or directory
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$
- started from root's bash session startup (it should be started by the normal user)
root@ferret:~# ps -eaf | grep scdaemon
root      3028  1203  0 12:12 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
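The three troubleshooting checks above (is the key in CCID mode, who owns the agent sockets, which user the agent runs as) as one set of shell helpers, added here as an example and not part of the original notes; each reads captured text or a directory so it can be run on the constructed sample input below or on a live machine.

```shell
#!/bin/sh
# Diagnostic helpers for the Yubikey/gpg-agent checks (added example, not from the notes).

# Map a Yubico device's idProduct from dmesg-style lines on stdin to its USB mode.
# The notes show idProduct=0110 before and 0111 after `ykpersonalize -m82`.
yubikey_mode() {
    pid=$(sed -n 's/.*idVendor=1050, idProduct=\([0-9a-f]*\).*/\1/p' | tail -n 1)
    case "$pid" in
        "")   echo "no Yubico device found"; return 1 ;;
        0110) echo "OTP" ;;
        0111) echo "OTP+CCID" ;;
        *)    echo "unknown mode: $pid"; return 1 ;;
    esac
}

# Succeed only if every S.gpg-agent* socket in directory $1 belongs to uid $2.
# A socket created by an agent started as root gives the "Permission denied" above.
agent_sockets_owned_by() {
    dir=$1; uid=$2; bad=0
    for s in "$dir"/S.gpg-agent*; do
        [ -e "$s" ] || continue
        owner=$(stat -c %u "$s" 2>/dev/null || stat -f %u "$s")   # GNU, then BSD stat
        if [ "$owner" != "$uid" ]; then
            echo "$s is owned by uid $owner, not $uid"; bad=1
        fi
    done
    return "$bad"
}

# Read `ps -eaf` output on stdin and flag gpg-agent/scdaemon processes running as
# someone other than $1 (the notes' case: started from root's shell, not the user's).
agent_processes_as() {
    awk -v want="$1" '
        /gpg-agent|scdaemon/ && $1 != want { print "running as " $1 ": " $0; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Live usage on the local machine (uncomment to run):
# dmesg | yubikey_mode
# agent_sockets_owned_by "$HOME/.gnupg" "$(id -u)"
# ps -eaf | agent_processes_as "$(id -un)"
```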