Yubikey

From Finninday
Revision as of 18:51, 10 December 2013 by Rday (Talk | contribs)

setup

buy it

plug it in

dmesg says:

[176545.484426] usb 3-1.1: new full-speed USB device number 9 using xhci_hcd
[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[176545.506844] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[176545.506847] usb 3-1.1: Product: Yubikey NEO OTP
[176545.506848] usb 3-1.1: Manufacturer: Yubico
[176545.506954] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[176545.511076] input: Yubico Yubikey NEO OTP as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input16
[176545.511167] hid-generic 0003:1050:0110.0005: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP] on usb-0000:02:00.0-1.1/input0

install yubikey utilities and libraries

The first thing it tells you is to install and run ykpersonalize:

    • download, unpack
./configure

Fails with this error:

checking for libyubikey... no
configure: error: libyubikey v1.5+ not found, see http://code.google.com/p/yubico-c/

Install the missing build dependencies:

  • apt-get install libyubikey-dev
  • apt-get install pkg-config (already present)
  • apt-get install libusb-1.0-0-dev
  • apt-get install libjson0-dev (optional)

Then run configure again:

./configure

success.

make
sudo make install

Now ykinfo should work but fails like this:

# ykinfo
ykinfo: error while loading shared libraries: libykpers-1.so.1: cannot open shared object file: No such file or directory

Need to run ldconfig so the dynamic linker picks up the newly installed libraries:

# ldconfig
# ykinfo -v
version: 3.1.2

install yubico-c

https://github.com/Yubico/yubico-c

  • download the zip from github
  • unpack
  • make -f simple.mk check

OK, the command line tools now work and tests pass for modhex, ykparse, ykgenerate.

setup as pgp key

# ykpersonalize -m82
Firmware version 3.1.2 Touch level 1285 Program sequence 1

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y

  • remove and re-insert the yubikey

look for CCID in the dmesg output:

[181879.686402] usb 3-1.1: new full-speed USB device number 10 using xhci_hcd
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111
[181879.709154] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[181879.709156] usb 3-1.1: Product: Yubikey NEO OTP+CCID
[181879.709158] usb 3-1.1: Manufacturer: Yubico
[181879.709258] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[181879.713385] input: Yubico Yubikey NEO OTP+CCID as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input19
[181879.713482] hid-generic 0003:1050:0111.0008: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+CCID] on usb-0000:02:00.0-1.1/input0
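
To check the mode change without reading the log by eye, this added example (not part of the original page) picks the most recent Yubico device announcement out of kernel log text and reports whether CCID is exposed. The function names and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). SAMPLE_LOG is constructed from
# the dmesg lines shown above: OTP-only first, OTP+CCID after ykpersonalize -m82.
SAMPLE_LOG='[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[176545.506847] usb 3-1.1: Product: Yubikey NEO OTP
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111
[181879.709156] usb 3-1.1: Product: Yubikey NEO OTP+CCID'

# Print "<idProduct> <product string>" for the last Yubico device
# (idVendor=1050) announced in kernel log text on stdin; exit 1 if none.
yk_mode_from_log() {
    awk '
        # The bus/port tag (usb 3-1.1:) ties a Product line to its announcement.
        function port(s) {
            return match(s, /usb [0-9]+-[0-9.]+:/) ? substr(s, RSTART, RLENGTH) : ""
        }
        /New USB device found/ {
            p = port($0)
            if ($0 ~ /idVendor=1050/) {
                id = $0
                sub(/.*idProduct=/, "", id)
                sub(/[^0-9a-fA-F].*/, "", id)
                pid[p] = id
            } else {
                delete pid[p]      # port now holds a non-Yubico device
            }
            next
        }
        /Product: / {
            p = port($0)
            if (p in pid) {
                name = $0
                sub(/.*Product: /, "", name)
                last = pid[p] " " name
            }
        }
        END { if (last == "") exit 1; print last }
    '
}

# Exit 0 if the last Yubico device exposes CCID, 1 if not, 2 if none was seen.
yk_has_ccid() {
    mode=$(yk_mode_from_log) || return 2
    case "$mode" in
        *CCID*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Live use: dmesg | yk_mode_from_log
printf '%s\n' "$SAMPLE_LOG" | yk_mode_from_log
```
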

# gpg --card-edit
gpg: WARNING: unsafe ownership on configuration file `/home/rday/.gnupg/gpg.conf'

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
gpg/card> admin
Admin commands are allowed

gpg/card> generate

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

gpg: 2 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
[remaining attempts: 2]
                 
Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 07 Dec 2023 03:40:08 PM PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ryan Finnin Day
Email address: rday@linuxfoundation.org
Comment: 
You selected this USER-ID:
    "Ryan Finnin Day <rday@linuxfoundation.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (31 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key 63653EEA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-08-30
pub   2048R/63653EEA 2013-12-09 [expires: 2023-12-07]
      Key fingerprint = 7EE4 87A9 B882 430B AB64  B084 1EFA B084 6365 3EEA
uid                  Ryan Finnin Day <rday@linuxfoundation.org>
sub   2048R/E9B34A77 2013-12-09 [expires: 2023-12-07]
sub   2048R/47FE850E 2013-12-09 [expires: 2023-12-07]


gpg/card> 
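
Once generate has finished, the card state can be checked mechanically. This added example (not part of the original page) parses `gpg --card-status` text for used-up PIN retries, a signature PIN that is not forced, and key slots that are still empty. The function name, finding labels and sample input are constructed, and 3 is assumed to be the full retry count, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the original page). SAMPLE_STATUS is constructed from
# the card listing above; the admin counter is set to 2 to match the
# "2 Admin PIN attempts remaining" message in the transcript.
SAMPLE_STATUS='Signature PIN ....: forced
PIN retry counter : 3 3 2
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Read gpg --card-status text on stdin and print one finding per line.
# Exit status: 0 = clean, 1 = findings, 2 = no retry counter line (no card?).
card_audit() {
    awk -F': *' '
        function note(s) { print s; found++ }
        /^PIN retry counter/ {
            seen = 1
            n = split($2, c, " ")
            # Counter order: user PIN, reset code, admin PIN.
            # Assumption: 3 is the full count, as in the listing on this page.
            if (n >= 1 && c[1] < 3) note("user-pin-retries=" c[1])
            if (n >= 3 && c[3] < 3)
                note(c[3] == 0 ? "admin-pin-locked" : ("admin-pin-retries=" c[3]))
        }
        # gpg prints "forced" or "not forced" on this line.
        /^Signature PIN/ && $2 !~ /^forced/ { note("signature-pin-not-forced") }
        # After "generate", no slot should still read [none].
        /^(Signature|Encryption|Authentication) key/ && $2 ~ /\[none\]/ {
            slot = tolower($1)
            sub(/ key.*/, "", slot)
            note("empty-slot=" slot)
        }
        END { if (!seen) exit 2; exit (found > 0) }
    '
}

# Live use: gpg --card-status | card_audit
printf '%s\n' "$SAMPLE_STATUS" | card_audit || true
```

The retry counters only show failed attempts; they cannot show whether the factory PINs printed in the transcript are still in place, so the PIN change remains a separate step.
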

configure gnome

Install dependencies

# apt-get install gnupg-agent
# apt-get install pcscd
# apt-get install gpgsm