Difference between revisions of "Yubikey"

From Finninday
Revision as of 20:25, 10 December 2013

setup

buy it

plug it in

dmesg says:

[176545.484426] usb 3-1.1: new full-speed USB device number 9 using xhci_hcd
[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[176545.506844] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[176545.506847] usb 3-1.1: Product: Yubikey NEO OTP
[176545.506848] usb 3-1.1: Manufacturer: Yubico
[176545.506954] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[176545.511076] input: Yubico Yubikey NEO OTP as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input16
[176545.511167] hid-generic 0003:1050:0110.0005: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP] on usb-0000:02:00.0-1.1/input0

install yubikey utilities and libraries

The first thing it tells you is to install and run ykpersonalize:

  • download, unpack
./configure

Fails with this error:

checking for libyubikey... no
configure: error: libyubikey v1.5+ not found, see http://code.google.com/p/yubico-c/
  • apt-get install libyubikey-dev
  • apt-get install pkg-config (already present)
  • apt-get install libusb-1.0-0-dev
  • apt-get install libjson0-dev (optional)
./configure

success.

make
sudo make install

Now ykinfo should work but fails like this:

# ykinfo
ykinfo: error while loading shared libraries: libykpers-1.so.1: cannot open shared object file: No such file or directory

Need to run ldconfig to pick up changes

ldconfig
# ykinfo -v
version: 3.1.2

install yubico-c

https://github.com/Yubico/yubico-c

  • download the zip from github
  • unpack
  • make -f simple.mk check

OK, the command line tools now work and tests pass for modhex, ykparse, ykgenerate.

setup as pgp key

# ykpersonalize -m82
Firmware version 3.1.2 Touch level 1285 Program sequence 1

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y
  • remove and re-insert the yubikey

look for CCID in the dmesg output:

[181879.686402] usb 3-1.1: new full-speed USB device number 10 using xhci_hcd
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111
[181879.709154] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[181879.709156] usb 3-1.1: Product: Yubikey NEO OTP+CCID
[181879.709158] usb 3-1.1: Manufacturer: Yubico
[181879.709258] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[181879.713385] input: Yubico Yubikey NEO OTP+CCID as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input19
[181879.713482] hid-generic 0003:1050:0111.0008: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+CCID] on usb-0000:02:00.0-1.1/input0
# gpg --card-edit
gpg: WARNING: unsafe ownership on configuration file `/home/rday/.gnupg/gpg.conf'

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
gpg/card> admin
Admin commands are allowed

gpg/card> generate

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

gpg: 2 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
[remaining attempts: 2]
                 
Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 07 Dec 2023 03:40:08 PM PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ryan Finnin Day
Email address: rday@linuxfoundation.org
Comment: 
You selected this USER-ID:
    "Ryan Finnin Day <rday@linuxfoundation.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (31 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key 63653EEA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-08-30
pub   2048R/63653EEA 2013-12-09 [expires: 2023-12-07]
      Key fingerprint = 7EE4 87A9 B882 430B AB64  B084 1EFA B084 6365 3EEA
uid                  Ryan Finnin Day <rday@linuxfoundation.org>
sub   2048R/E9B34A77 2013-12-09 [expires: 2023-12-07]
sub   2048R/47FE850E 2013-12-09 [expires: 2023-12-07]


gpg/card> 

create udev rule for yubikey

root@ferret:/etc/udev/rules.d# cat 69-yubikey.rules
ACTION!="add|change", GOTO="yubico_end"
 
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
 
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
    ENV{ID_SECURITY_TOKEN}="1"
 
LABEL="yubico_end"
 
# On unplug, kill scdaemon so it does not hold a stale reader handle.
# Note the "==" on ENV{ID_VENDOR_ID}: a single "=" would assign the value instead of matching it.
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{SUBSYSTEM}=="usb", RUN+="/usr/bin/pkill scdaemon"
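The dmesg output earlier on this page shows the NEO reporting idProduct 0110 in OTP mode and 0111 after ykpersonalize -m82 switched it to OTP+CCID, and the rule above lists both. The following script is an added check, not part of the wiki page: it pulls vendor/product ids out of dmesg lines and verifies that the idProduct alternation in a rules file covers each one, using sample lines and rule text copied from this page.

```shell
#!/bin/sh
# Added check, not part of the wiki page: confirm the udev rule covers the
# idVendor/idProduct pairs the NEO reports before (0110, OTP) and after
# (0111, OTP+CCID) "ykpersonalize -m82".

# Constructed sample input: the two "New USB device found" lines from this page.
SAMPLE_DMESG='[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111'

# The rules text from 69-yubikey.rules above, embedded so the check runs offline.
SAMPLE_RULES='ACTION!="add|change", GOTO="yubico_end"
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
    ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"'

# Print "vendor product" for every "New USB device found" line read on stdin.
usb_ids_from_dmesg() {
    sed -n 's/.*idVendor=\([0-9a-f]*\), idProduct=\([0-9a-f]*\).*/\1 \2/p'
}

# Exit 0 if the rules read on stdin contain a non-comment ATTRS line whose
# idVendor equals $1 and whose idProduct alternation (a|b|c) contains $2.
rule_covers() {
    vendor=$1; product=$2
    grep -v '^[[:space:]]*#' |
    sed -n 's/.*ATTRS{idVendor}=="\([^"]*\)".*ATTRS{idProduct}=="\([^"]*\)".*/\1 \2/p' |
    while read -r rv rp; do
        [ "$rv" = "$vendor" ] || continue
        case "|$rp|" in *"|$product|"*) echo match ;; esac
    done | grep -q match
}

# Read dmesg on stdin and print every id pair the rules file $1 would not match;
# prints nothing when the rule covers every device seen.
uncovered_ids() {
    usb_ids_from_dmesg | while read -r v p; do
        rule_covers "$v" "$p" < "$1" || printf '%s %s\n' "$v" "$p"
    done
}

# Usage against the live system (assumes the rule file path used on this page):
#   dmesg | uncovered_ids /etc/udev/rules.d/69-yubikey.rules
```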

modify Xsession.options

  • comment out "use-ssh-agent"
# $Id: Xsession.options 189 2005-06-11 00:04:27Z branden $
#
# configuration options for /etc/X11/Xsession
# See Xsession.options(5) for an explanation of the available options.
allow-failsafe
allow-user-resources
allow-user-xsession
#use-ssh-agent
use-session-dbus

configure gnome

Install dependencies

# apt-get install gnupg-agent
# apt-get install pcscd
# apt-get install gpgsm

troubleshooting

is smartcard visible?

rday@ferret:~$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': Permission denied
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
<snip>

  • fix permissions to not be owned by root
rday@ferret:~/.gnupg$ gpg --card-status
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
<snip>

check ~/.gnupg/gpg-agent.log

  • try to log in using the smartcard key
rday@ferret:~/.gnupg$ ssh muno
Agent admitted failure to sign using the key.
  • watch log
2013-12-10 11:19:01 gpg-agent[2646] DBG: detected card with S/N D2760001240102000000000000010000
2013-12-10 11:19:06 gpg-agent[2646] smartcard signing failed: Bad PIN

is scdaemon getting started?

  • Not started properly
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': No such file or directory
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$ 
  • started on bash session startup for root (should be normal user)
root@ferret:~# ps -eaf | grep scdaemon
root      3028  1203  0 12:12 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
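The three agent failures worked through above (socket "Permission denied" because ~/.gnupg is owned by root, "No such file or directory" because nothing started scdaemon, and a gpg-agent launched from root's shell but pointed at the user's ~/.gnupg) as an added diagnostic script that is not part of the wiki page. It runs on constructed ps and log samples adapted from the output shown; the usage comments show how to point it at a live system.

```shell
#!/bin/sh
# Added diagnostics, not from the wiki page, for the three agent failures
# shown in this troubleshooting section:
#   "Permission denied" on S.gpg-agent -> ~/.gnupg or its socket owned by root
#   "No such file or directory"        -> no gpg-agent/scdaemon running at all
#   agent running as root but logging  -> started from root's shell instead of
#   to /home/<user>/.gnupg                the user's own session

# Print any file under $1 not owned by user $2; return 1 if there is one.
gnupg_owner_problems() {
    bad=$(find "$1" ! -user "$2" 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Read "ps -eaf" output on stdin and print gpg-agent processes that use
# /home/$1/.gnupg yet run as some other user; return 1 if any were found.
agent_user_mismatch() {
    awk -v u="$1" '
        /gpg-agent/ && $1 != u && index($0, "/home/" u "/.gnupg") { print; n++ }
        END { exit (n > 0) }'
}

# Read "ps -eaf" output on stdin; return 0 only if an scdaemon or gpg-agent
# process belongs to user $1 (the "not started properly" case returns 1).
agent_running_as() {
    awk -v u="$1" '$1 == u && /(gpg-agent|scdaemon)/ { n++ } END { exit !(n > 0) }'
}

# Read gpg-agent.log on stdin and print the number of failed smartcard signatures.
bad_pin_count() {
    grep -c 'smartcard signing failed: Bad PIN' || true
}

# Constructed sample input, adapted from the ps and log output on this page.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      3028  1203  0 12:12 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --log-file /home/rday/.gnupg/gpg-agent.log
rday      3101  3099  0 12:13 pts/0    00:00:00 bash'
SAMPLE_LOG='2013-12-10 11:19:01 gpg-agent[2646] DBG: detected card with S/N D2760001240102000000000000010000
2013-12-10 11:19:06 gpg-agent[2646] smartcard signing failed: Bad PIN'

# Usage on the live system:
#   gnupg_owner_problems "$HOME/.gnupg" "$(id -un)"
#   ps -eaf | agent_user_mismatch "$(id -un)"; ps -eaf | agent_running_as "$(id -un)"
#   bad_pin_count < "$HOME/.gnupg/gpg-agent.log"
```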