Yubikey

From Finninday
Revision as of 17:08, 22 January 2014 by Rday (Talk | contribs)

Jump to: navigation, search

setup

buy it

plug it in

dmesg says:

[176545.484426] usb 3-1.1: new full-speed USB device number 9 using xhci_hcd
[176545.506841] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0110
[176545.506844] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[176545.506847] usb 3-1.1: Product: Yubikey NEO OTP
[176545.506848] usb 3-1.1: Manufacturer: Yubico
[176545.506954] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[176545.511076] input: Yubico Yubikey NEO OTP as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input16
[176545.511167] hid-generic 0003:1050:0110.0005: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP] on usb-0000:02:00.0-1.1/input0

install yubikey utilities and libraries

The first thing it tells you is to install and run ykpersonalize:

    • download, unpack
./configure

Fails with this error:

checking for libyubikey... no
configure: error: libyubikey v1.5+ not found, see http://code.google.com/p/yubico-c/
  • apt-get install libyubikey-dev
  • apt-get install pkg-config (already present)
  • apt-get install libusb-1.0-0-dev
  • apt-get install libjson0-dev (optional)
./configure 

success.

make
sudo make install

Now ykinfo should work but fails like this:

# ykinfo
ykinfo: error while loading shared libraries: libykpers-1.so.1: cannot open shared object file: No such file or directory

Need to run ldconfig to pick up changes

ldconfig
# ykinfo -v
version: 3.1.2

install yubico-c

https://github.com/Yubico/yubico-c

  • download the zip from github
  • unpack
  • make -f simple.mk check

OK, the command line tools now work and tests pass for modhex, ykparse, ykgenerate.

setup as pgp key

# ykpersonalize -m82
Firmware version 3.1.2 Touch level 1285 Program sequence 1

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y
  • remove and re-insert the yubikey

look for CCID in the dmesg output:

[181879.686402] usb 3-1.1: new full-speed USB device number 10 using xhci_hcd
[181879.709151] usb 3-1.1: New USB device found, idVendor=1050, idProduct=0111
[181879.709154] usb 3-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[181879.709156] usb 3-1.1: Product: Yubikey NEO OTP+CCID
[181879.709158] usb 3-1.1: Manufacturer: Yubico
[181879.709258] usb 3-1.1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[181879.713385] input: Yubico Yubikey NEO OTP+CCID as /devices/pci0000:00/0000:00:04.0/0000:02:00.0/usb3/3-1/3-1.1/3-1.1:1.0/input/input19
[181879.713482] hid-generic 0003:1050:0111.0008: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+CCID] on usb-0000:02:00.0-1.1/input0

I should not have run this as root.

# gpg --card-edit
gpg: WARNING: unsafe ownership on configuration file `/home/rday/.gnupg/gpg.conf'

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
gpg/card> admin
Admin commands are allowed

gpg/card> generate

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

gpg: 2 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
[remaining attempts: 2]
                 
Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Thu 07 Dec 2023 03:40:08 PM PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ryan Finnin Day
Email address: rday@linuxfoundation.org
Comment: 
You selected this USER-ID:
    "Ryan Finnin Day <rday@linuxfoundation.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (19 seconds)
gpg: signatures created so far: 0
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: generating new key
gpg: please wait while key is being generated ...
gpg: key generation completed (31 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key 63653EEA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-08-30
pub   2048R/63653EEA 2013-12-09 [expires: 2023-12-07]
      Key fingerprint = 7EE4 87A9 B882 430B AB64  B084 1EFA B084 6365 3EEA
uid                  Ryan Finnin Day <rday@linuxfoundation.org>
sub   2048R/E9B34A77 2013-12-09 [expires: 2023-12-07]
sub   2048R/47FE850E 2013-12-09 [expires: 2023-12-07]


gpg/card> 

create udev rule for yubikey

root@ferret:/etc/udev/rules.d# cat 69-yubikey.rules 
ACTION!="add|change", GOTO="yubico_end"
 
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
 
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
    ENV{ID_SECURITY_TOKEN}="1"
 
LABEL="yubico_end"
 
ACTION==”remove”, ENV{ID_VENDOR_ID}=”1050″, ENV{SUBSYSTEM}==”usb”, RUN+=”/usr/bin/pkill scdaemon”

modify Xsession.options

  • comment out "use-ssh-agent"
# $Id: Xsession.options 189 2005-06-11 00:04:27Z branden $
#
# configuration options for /etc/X11/Xsession
# See Xsession.options(5) for an explanation of the available options.
allow-failsafe
allow-user-resources
allow-user-xsession
#use-ssh-agent
use-session-dbus

configure gnome

Install dependencies

# apt-get install gnupg-agent
# apt-get install pcscd
# apt-get install pgpsm

troubleshooting

is smartcard visible?

rday@ferret:~$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': Permission denied
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
<snip>

  • when scdaemon starts as root, it creates S.gpg-agent* owned by root
  • fix permissions to not be owned by root
rday@ferret:~/.gnupg$ gpg --card-status
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
<snip>

check ~/.gnupg/gpg-agent.log

  • try to log in using the smartcard key
rday@ferret:~/.gnupg$ ssh muno
Agent admitted failure to sign using the key.
  • watch log
2013-12-10 11:19:01 gpg-agent[2646] DBG: detected card with S/N D2760001240102000000000000010000
2013-12-10 11:19:06 gpg-agent[2646] smartcard signing failed: Bad PIN

is scdaemon getting started?

  • Not started properly
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': No such file or directory
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
rday@ferret:~/.gnupg$ ps -eaf | grep [s]cdaemon
rday@ferret:~/.gnupg$ 
  • started on bash session startup for root (should be normal user)
root@ferret:~# ps -eaf | grep scdaemon
root      3028  1203  0 12:12 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
  • why doesn't scdaemon start for normal user?

start scdaemon manually for debug

rday@ferret:~$ /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --server -v
scdaemon[6743]: handler for fd -1 started
scdaemon[6743]: PC/SC OPEN failed: sharing violation (0x8010000b)
OK GNU Privacy Guard's Smartcard server ready

But this isn't really what I want. With just scdaemon running (no gpg-agent) gpg --card-status fails like this:

rday@ferret:~$ gpg --card-status
can't connect to `/home/rday/.gnupg/S.gpg-agent': No such file or directory
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel: c
gpg: selecting openpgp failed: general error
gpg: OpenPGP card not available: general error

So what I want is to have gpg-agent running.

start gpg-agent manually for debug

rday@ferret:~$ gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
GPG_AGENT_INFO=/home/rday/.gnupg/S.gpg-agent:6977:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/rday/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=6977; export SSH_AGENT_PID;
rday@ferret:~$ ps -eaf | grep scdaemon
rday      6641  5413  0 15:18 ?        00:00:00 scdaemon --multi-server
rday      6977  5351  0 15:33 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
rday      6980  6755  0 15:33 pts/0    00:00:00 grep --color=auto scdaemon
rday@ferret:~$ gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error

There was only one gpg-agent before I performed this test, but after it, I had two. When I killed the one with fewer parameters, it worked.

rday@ferret:/etc/udev/rules.d$ ps -eaf | grep gpg-agent
rday      5413  5351  0 15:00 ?        00:00:00 gpg-agent --daemon --sh
rday      6977  5351  0 15:33 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
rday      7010  6755  0 15:35 pts/0    00:00:00 tail -f gpg-agent.log
rday      7194  6030  0 15:45 pts/1    00:00:00 grep --color=auto gpg-agent
rday@ferret:/etc/udev/rules.d$ kill 5413
rday@ferret:/etc/udev/rules.d$ kill 5413
bash: kill: (5413) - No such process
rday@ferret:/etc/udev/rules.d$ ps -eaf | grep gpg-agent
rday      6977  5351  0 15:33 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
rday      7010  6755  0 15:35 pts/0    00:00:00 tail -f gpg-agent.log
rday      7196  6030  0 15:45 pts/1    00:00:00 grep --color=auto gpg-agent
rday@ferret:/etc/udev/rules.d$ gpg --card-status
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
<snip>

rday@ferret:~/.gnupg$ ps -eaf | grep scdaemon
rday      6977  5351  0 15:33 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
rday      6990  6977  0 15:34 ?        00:00:00 scdaemon --multi-server
rday      7216  6755  0 15:47 pts/0    00:00:00 grep --color=auto scdaemon
rday@ferret:~/.gnupg$ ps -eaf | grep gpg-agent
rday      6977  5351  0 15:33 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --scdaemon-program /usr/lib/x86_64-linux-gnu/gnupg2/scdaemon --use-standard-socket --log-file /home/rday/.gnupg/gpg-agent.log --write-env-file
rday      7263  6755  0 15:47 pts/0    00:00:00 grep --color=auto gpg-agent
  • but ssh-add -L doesn't have any identities
rday@ferret:/etc/udev/rules.d$ ssh-add -L
The agent has no identities.

permissions on yubikey device

OK, now we're back to the question of allowing regular users to see the yubikey.

rday@ferret:~$ lsusb | grep Yubi
Bus 003 Device 003: ID 1050:0111 Yubico.com 

rday@ferret:/dev/bus/usb/003$ ls -l
total 0
crw-rw-r--  1 root root 189, 256 Dec 10 14:38 001
crw-rw-r--  1 root root 189, 257 Dec 10 14:38 002
crw-rw-r--+ 1 root root 189, 258 Dec 10 15:30 003

rday@ferret:/dev/bus/usb/003$ getfacl 003
# file: 003
# owner: root
# group: root
user::rw-
user:rday:rw-
group::rw-
mask::rw-
other::r--

  • the udev rule mentioned above (/etc/udev/rules.d/69-yubikey.rules) was helpful.


Michael's recipe http://paste.fedoraproject.org/60662/86721201/

gpg import override bug workaround https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1257706

setup on Fedora 20

  1. set up yubikey on fedora 20, Dell Latitude E6440
  1. this yubikey has been previously configured on an Ubuntu system so on

first insertion, it already has the CCID mode set:

Jan 02 15:40:03 servo.finninday.net mtp-probe[8277]: checking bus 3, device
5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-4/3-4.2"
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: new full-speed USB
device number 6 using xhci_hcd
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: New USB device
found, idVendor=1050, idProduct=0111
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: New USB device
strings: Mfr=1, Product=2, SerialNumber=0
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: Product: Yubikey
NEO OTP+CCID
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: Manufacturer:
Yubico
Jan 03 08:25:15 servo.finninday.net kernel: usb 3-13.2: ep 0x81 - rounding
interval to 64 microframes, ep desc says 80 microframes
Jan 03 08:25:15 servo.finninday.net kernel: input: Yubico Yubikey NEO
OTP+CCID as
/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13.2/3-13.2:1.0/input/input18
Jan 03 08:25:15 servo.finninday.net kernel: hid-generic
0003:1050:0111.0002: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey
NEO OTP+CCID] on usb-0000:00:14.0-13.2/input0

install dependencies

yum install yubikey-personalization-gui libyubikey ykpers ykclient gpg

optional gui

Gui user guide here:

http://static.yubico.com/var/uploads/pdfs/Cross_Platform_YubiKey_Personalization_Tool_3.0.1_User_guide_v5.pdf

[root@servo X11]# ykinfo -v
version: 3.1.2

As noted above, it is already configured as a pgp key because it announces itself as a Yubikey NEO OTP+CCID, so no need to run ykpersonalize -m82.

gpg --card-edit can't see the card

[rday@servo Downloads]$ gpg --card-edit

gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

This means that scdaemon is not running:

[rday@servo Downloads]$ ps -eaf | grep scdaemon
rday     22195  7407  0 09:46 pts/0    00:00:00 grep --color=auto scdaemon

It should be started automatically by gpg.

  1. yum install gnupg2-smime pcsc-lite

$ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false

$ echo "use-agent" >> ~/.gnupg/gpg.conf

$ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

  • install gpg-agent-wrapper script
  • set up triggers for gpg-agent-wrapper
    • /etc/X11/xinit/xinitrc.d/01-xsession
    • ~/.xsession
    • ~/.bashrc

Restart gnome (reboot)

gpg --card-status works

[rday@servo ~]$ gpg --card-status
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: Ryan Finnin Day
<snip>

[rday@servo ~]$ lsusb | grep Yubi
Bus 003 Device 005: ID 1050:0111 Yubico.com Yubikey NEO OTP+CCID
[rday@servo ~]$ ls -l /dev/bus/usb/003/005
crw-rw-r--+ 1 root root 189, 260 Jan  3 10:11 /dev/bus/usb/003/005
[rday@servo ~]$ getfacl !$
getfacl /dev/bus/usb/003/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/003/005
# owner: root
# group: root
user::rw-
user:rday:rw-
group::rw-
mask::rw-
other::r--

[rday@servo ~]$ 

can I ssh now?

  • installed lastpass plugin for firefox
  • already had authy set up on phone
  • set up openvpn, kerberos plugin for firefox
  • established vpn
  • connect to ipa to get hostname
  • ssh to that hostname works

can I update my pins?

[rday@servo ~]$ gpg --card-edit

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0

<snip>

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000000000000010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
gpg: sending command `SCD PASSWD' to agent failed: ec=6.131
Error changing the PIN: general error

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> quit

Huh, so I could change the pin, but not the admin pin.

From this document: http://www.gnupg.org/howtos/card-howto/en/ch03.html

PIN retry counter

    This field saves how many tries still are left to enter the right PIN. 
They are decremented whenever a wrong PIN is entered. They are reset whenever 
a correct AdminPIN is entered. The first and second PIN are for the standard 
PIN. gpg makes sure that the two numbers are synchronized. The second PIN is 
only required due to peculiarities of the ISO-7816 standard; gpg tries to keep 
this PIN in sync with the first PIN. The third PIN represents the retry 
counter for the AdminPIN.

My retry counters look like this:

PIN retry counter : 3 3 0

Does that mean that I'm permanently locked out of the admin pin?

I posted that question on the yubikey forums and the answer is yes, the pin is locked until the app is re-installed, wiping the data on the yubikey.

I'm using a yubikey neo on Fedora 20 with OpenGPG. It works well except I've been 
unable to change the admin PIN from the default.
My retry counter looks like this:

Code:
PIN retry counter : 3 3 0


Does the zero in the above line indicate that my admin pin is now locked forever? 
Is it possible to reset the counter so I can try again to reset the admin PIN?

For reference, here is what happened on my last attempt to change the PIN and admin PIN:

Code:
$ gpg --card-edit

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0

<snip>

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000000000000010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
gpg: sending command `SCD PASSWD' to agent failed: ec=6.131
Error changing the PIN: general error



 

Share On:
Share on Facebook 	Facebook	Share on Twitter 	
Twitter	Share on Tumblr 	Tumblr	Share on Google+ 	Google+

Tom 	
 Post subject: Re: [QUESTION] how do I reset the admin pin retry counter?
PostPosted: Fri Jan 10, 2014 12:09 pm 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 364 	
Hi, yeah the 0 means that it is blocked.

I would recommend you to install the latest version of the openpgp applet 
(which will overwrite everything and destroy everything you currently have in you openpgp applet)

get the applet from opensource.yubico.com

_________________
-Tom

The openpgp applet that is referenced above is here: http://opensource.yubico.com/ykneo-openpgp/

Which just points to this github repo: https://github.com/Yubico/ykneo-openpgp

How did I manage to not install this applet in the first place?

Relatedly, tykeal just got a yubikey and had trouble setting his PINs. I couldn't get the admin PIN to be changed until _after_ I set a reset PIN