Yubico Forum

[Community] - Forum going read only. New KDB on its way.

2018-01-30T09:26:55+01:00

For the security and experience of our user community, we have decided to set the forum as read-only and wipe all user account information. All historical posts and announcements will be archived and remain publicly searchable.

In 2018, we will be publishing a searchable knowledge-base system that allows the community to provide direct feedback on articles and make suggestions that will be reviewed by Yubico staff. We sincerely appreciate the participation of our user forum over the years and hope to continue serving your for years to come.

Statistics: Posted by Tom2 — Tue Jan 30, 2018 9:26 am

Yubikey NEO • Re: Yubikey Resetting code

2018-01-30T09:10:29+01:00

viewtopic.php?f=26&t=2147

Statistics: Posted by ChrisHalos — Tue Jan 30, 2018 9:10 am

Yubikey NEO • Yubikey Resetting code

2018-01-29T13:13:21+01:00

So I have read that you can configure a Resetting Code for the OpenPGP applet which can be used to reset the pin.
The command to be used is supposed to be: RESET RETRY COUNTER but I've not found any information on how to send the command.
Are there any utilities to use the Resetting Code for the yubikey, or how is it supposed to work?

Statistics: Posted by jfjallid — Mon Jan 29, 2018 1:13 pm

Computer Logon - Windows | Linux | MacOS | freeBSD • [QUESTION] Keep Win10 system from crashing -- network share

2018-01-25T17:25:41+01:00

I have Yubikey 4 set up for several different users on non-domain Windows 10 systems using the Windows Logon Tool. I have a network share set up on each system for users to transfer files. They have a random, but persistent problem of the system crashing and rebooting when accessing the file share. From the logs, there is a fatal error in the lsass.exe process, requiring the system to reboot. Upon reboot, the Windows Logon Tool no longer authenticates the user with the configured Yubikey and requires reconfiguration to log in. Note that the crash does not occur when the Windows Logon Tool is disabled.

[*]Users authenticate with the Yubikey inserted into the server hosting the share (or identically configured Yubikeys inserted into both the client and server).
[*]When crashes occur, it is usually at or near the end of a file transfer.
[*]Crashes appear more likely if systems connect to each other in serial.
[*]Once crashes occur, it appears to be more likely that crashes will continue to occur.

Do you have any information on what can be done to prevent these crashes?

As an afterthought, are there group policy security settings that could be interfering with Windows Logon Tool authentication over the network and making it unstable (but mostly functional)?

Statistics: Posted by jkl — Thu Jan 25, 2018 5:25 pm

YubiKey 4 • YubiKey 4 on MAC - ABORT has been sent to the transform

2018-01-24T11:30:14+01:00

Hi,

I am trying to sign some data with the certificate PrivateKey ( Certificate was loaded into slot 9c(Digital signature) on My YubiKey4 using Yubikey PIV Manager v1.4.2) on Mac High Sierra.

Below OSX APIs were used to sign the data using the certificate,

Code:

    SecTransformRef signingTransform = NULL;
    signingTransform = SecSignTransformCreate(privateKeyRef, NULL);
    NSString *stingSign = @"Some string";
    CFDataRef sourceData = CFDataCreate(
                                        kCFAllocatorDefault,
                                        (const unsigned char *)[stingSign UTF8String],
                                        stingSign.length
                                        );
    CFErrorRef error = NULL;
    SecTransformSetAttribute(
                             signingTransform,
                             kSecTransformInputAttributeName,
                             sourceData,
                             &error);
    if (error)
      {
        NSLog(@"Error : %@",[((__bridge NSError*)error) description]);
      }
   ..... Remaining execution code goes here

but i am getting

Quote:

Error : Error Domain=com.apple.security.transforms.error Code=20 "ABORT has been sent to the transform (Error Domain=Internal CSSM error Code=-25304 "Internal error #ffff9d28 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.31.2/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411" UserInfo={NSDescription=Internal error #ffff9d28 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.31.2/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411, Originating Transform=CoreFoundationObject})" UserInfo={NSDescription=ABORT has been sent to the transform (Error Domain=Internal CSSM error Code=-25304 "Internal error #ffff9d28 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.31.2/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411" UserInfo={NSDescription=Internal error #ffff9d28 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.31.2/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411, Originating Transform=CoreFoundationObject})}

Do I need to do any extra configuration to execute this code? or am I missing something while setup? same code is working fine if I sign with the same certificate on eToken smartcard.

Please help us.

Statistics: Posted by Murali — Wed Jan 24, 2018 11:30 am

Computer Logon - Windows | Linux | MacOS | freeBSD • Re: YubiKey 4 for PIV stopped working

2018-01-23T22:02:43+01:00

JamesA wrote:

For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide.

Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/

The Enrollment Agent template was also published. I was able to pull the cert and get almost all the way through enrollment before it failed due to policy.

Today I extinguished all doubt by troubleshooting the entire PKI stack with this guide:
https://blogs.technet.microsoft.com/ask ... e-snap-in/

I ran RSOP.msc to see if there were any conflicts with GPOs but everything was configured the way I expected.
I was still getting the 'blocked by computer policy' error so I disabled all of my computer GPOs and self enrollment worked. By turning things back on one at a time I determined that my Yubikey GPO was to blame. I believe it's one or both of my registry edits:

BlockPUKOnMGMUpgrade
or
NewKeyTouchPolicy

What I'm working backwards to understand is how the YubiKeys were getting the certificate installed in 9a -only with the PIV Manager- but weren't able to authenticate.

Statistics: Posted by RadiatorMints — Tue Jan 23, 2018 10:02 pm

Computer Logon - Windows | Linux | MacOS | freeBSD • Re: YubiKey 4 for PIV stopped working

2018-01-23T21:47:21+01:00

Statistics: Posted by JamesA — Tue Jan 23, 2018 9:47 pm

Yubikey NEO • Re: [QUESTION] Neo & ssh ... works on Linux, not on Mac

2018-01-23T21:03:14+01:00

tinkster wrote:

Hi,

I have installed the yubi_u2f PAM module on my linux workstation. Connecting via ssh to localhost works - I type ssh andrej@host, get
a password prompt, and get connected when I push the button on the neo after that; plugging the neo into my macbook air and trying
to connect to my linux box via ssh fails; ought to say that I could happily connect to it from the mac yesterday (w/o the yubi_u2f), using
either password or public-key access. Now it's no-show. What am I doing wrong? :)

Cheers,
Andrej

So ... for shits & giggles I tried to connect from the Mac to Linux box while the Neo was on the linux box. Doing the password
typy-typy thing on the mac and then pushing the button attached to the Linux box established a session. Huh? :D

What *did* I do wrong?

Cheers,
Andrej

Statistics: Posted by tinkster — Tue Jan 23, 2018 9:03 pm

Yubikey NEO • [QUESTION] Neo & ssh ... works on Linux, not on Mac

2018-01-23T20:45:36+01:00

Statistics: Posted by tinkster — Tue Jan 23, 2018 8:45 pm

Computer Logon - Windows | Linux | MacOS | freeBSD • Re: YubiKey 4 for PIV stopped working

2018-01-22T20:20:54+01:00

Found rev B which has auto-enrollment stuff in it.
https://www.yubico.com/wp-content/uploa ... 7_RevB.pdf
Actions taken today (1/22/2018):
Revoked all previous user certs except the one that works.
Reissued the root domain cert and verified through cert chains that it is being used.
Pushed all the auto-enrollment config via GPO and found it in the system tray. (Fails with a message about "Prohibited by Computer Policy" weather it's launched from the tray or certmgr)
Added a brand new PC to the domain and logged in via the one working YubiKey 4 on the first boot with no configuration other than previously configured GPOs.

EDIT: per the documentation under the Cryptography tab:
Provider Category is now Key Storage Provider
Algo is RSA, length is default: 2048
Provider is Microsoft Smart Card Key Storage Provider

What am I missing?

Statistics: Posted by RadiatorMints — Mon Jan 22, 2018 8:20 pm

YubiKey 4 • Occurred while decrypting a message the hand is invalid

2018-01-22T13:17:17+01:00

Hi,

When trying open a keepass database protected with a certificate on the yubikey into a 2008R2 (inside a ICA session citrix XenApp 6.5), i run across the following message :

An error occurred while decrypting a message: The handle is invalid.

First i have the PIN prompt and after PIN validation, i have the error as you can see on the image.

It work very well inside a RDP session on the same server !
And it works also in a ICA session citrix XenApp version 7.9 !

When i use putty and pageant wincrypt, i have the following error :
__________________________________________________________________________________________
login as: root
Authenticating with public key "cert://cn=adminrescue,thumbprint=6786370c2e56f50 6679a116758951a1e0cd7686d" from agent
Server refused public-key signature despite accepting key!
Using keyboard-interactive authentication.
Password:
__________________________________________________________________________________________

it tells me incorrect signature ???

Can you help me to track what's going wrong ?

Thanks

Statistics: Posted by gg94700 — Mon Jan 22, 2018 1:17 pm

Yubikey NEO • Re: gpg --card-status and Card error message

2018-01-21T21:56:56+01:00

having tried again,
I get this message:

C:\Users\myaccount>gpg --card-status

gpg: OpenPGP card not available: Not supported

Statistics: Posted by jbenfeld — Sun Jan 21, 2018 9:56 pm

Yubikey NEO • gpg --card-status and Card error message

2018-01-21T21:32:31+01:00

Microsoft Windows [Version 10.0.16299.192]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\myaccount>gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

Does anyone know how to solve this error?

regards
JB

Statistics: Posted by jbenfeld — Sun Jan 21, 2018 9:32 pm

Computer Logon - Windows | Linux | MacOS | freeBSD • YubiKey 4 for PIV stopped working

2018-01-22T20:55:53+01:00

Earlier this month I purchased one YubiKey 4 for a proof of concept for OTP login using a 3rd party solution. In the interest of compatibility and simplicity we chose to back down to PIV. I followed the deployment instructions and in a matter of nearly no time my YubiKey 4 was doing PIV smartcard login on domain computers.

So I purchased the rest of the YubiKeys I needed for my users, implemented the Enroll on behalf of CA Template and that's when everything went completely sideways. Enroll on behalf of didn't seem to work at all, the template couldn't find the signature > no certificate on the YubiKey > cert enrollment failure on the CA. So I'm back to user self enrollment and I can get a certificate on a YubiKey. The PIV manager recognizes it, it's published in the Certificate Authority but any time I try to use it for login the endpoint says that "No valid certificates were found on this smart card."

My original YubiKey and cert still works flawlessly. Changing out YubiKeys yields the same results (failure). I changed the name of the original template and recreated a new one from scratch with the following settings:

General
Validity period is 2 years
Cert is published in AD
Compatibility
CA is Server 2016
Recipient is Windows 7
Request handling
Signature and encryption
Include symmetric algorithms allowed by the subject
Prompt user during enrollment
Cryptography
Note: italicized text refers to a configuration that has since been changed
Key Storage Provider
RSA
Key Size 2048
Requests must use Microsoft Smart Card Key Storage Provider

Legacy Cryptographic Service Provider
Algo determined by CSP
Requests must use Microsoft Enhanced Cryptographic Provider v1.0

Security
Authenticated users may read and enroll
Admins can read, write, and enroll

I'm happy to answer any questions (within the realm of reason).

Update: I replicated those template settings with a new, longer, unique name, made sure it was published to the CA and waited the 20 minutes. It still isn't working.

Statistics: Posted by RadiatorMints — Fri Jan 19, 2018 4:51 pm

YubiKey 4 • S/MIME basics

2018-01-19T13:06:51+01:00

Hi, first post here

I am using SMIME certificate on Yubikey for a year now. Now i need to exchange it for a renewed one. Two questions I have:

1. Why in all docs it says that "certificate" is on the yubikey, nothing about "private key", even though it also is there? Is the term "certificate" used for a package of public+private key, not only public one?
2. How do I save new smime cert while retaining the old one for stored mail decryption?

Cheers!

Statistics: Posted by woocash — Fri Jan 19, 2018 1:06 pm