Yubico Forum ...visit our web-store at 2016-06-14T16:35:30+01:00 https://forum.yubico.com/feed.php?f=26&t=2342 2016-06-14T16:35:30+01:00 2016-06-14T16:35:30+01:00 https://forum.yubico.com/viewtopic.php?t=2342&p=8717#p8717 <![CDATA[Re: [QUESTION] NEO + PIV; Can I disable the PIN?]]> Tom2 wrote:

9a is for PIV Authentication (once)
9c is for Digital Signature (PIN always checked)
9d is for Key Management (once)
9e is for Card Authentication (PIN never checked)

http://nvlpubs.nist.gov/nistpubs/Specia ... 0-73-4.pdf


Yes, known.

However, even under 9e, because of the Access Control Matrix listed here - https://developers.yubico.com/PIV/Intro ... ccess.html

Any sign operations still require a PIN, is there a way to change this behavior (even custom config) of the Yubikey for this use case?

Statistics: Posted by offset — Tue Jun 14, 2016 4:35 pm

]]> 2016-06-14T13:14:47+01:00 2016-06-14T13:14:47+01:00 https://forum.yubico.com/viewtopic.php?t=2342&p=8715#p8715 <![CDATA[Re: [QUESTION] NEO + PIV; Can I disable the PIN?]]> 9c is for Digital Signature (PIN always checked)
9d is for Key Management (once)
9e is for Card Authentication (PIN never checked)

http://nvlpubs.nist.gov/nistpubs/Specia ... 0-73-4.pdf

Statistics: Posted by Tom2 — Tue Jun 14, 2016 1:14 pm

]]> 2016-06-14T05:56:11+01:00 2016-06-14T05:56:11+01:00 https://forum.yubico.com/viewtopic.php?t=2342&p=8712#p8712 <![CDATA[Re: [QUESTION] NEO + PIV; Can I disable the PIN?]]> Statistics: Posted by offset — Tue Jun 14, 2016 5:56 am

]]> 2016-06-13T12:06:22+01:00 2016-06-13T12:06:22+01:00 https://forum.yubico.com/viewtopic.php?t=2342&p=8709#p8709 <![CDATA[[QUESTION] NEO + PIV; Can I disable the PIN?]]> I have successfully imported the certificate+key onto my YubiKey and have configured openvpn client on CentOS to use pkcs11 to load in the cert/key. This seems to be working great :)

As I want to deploy this to a remote server, is it possible for the PIV applet NOT to prompt for the pin when accessing a cert/key, or is it possible somehow hardcode the pin into the PIV applet/OS?

I wish to protect against the ssl-key being cloned or extracted (rather than used), essentially tying the vpn connection to a specific dongle (yubikey).
I have no wish to protect against it being used (as the pin currently does), just to protect against the key being copied/extracted (which if I understand correctly is impossible anyway).

Any advice would be greatly appreciated.

Edited to add [question] to the subject.

Statistics: Posted by BuildTheRobots — Mon Jun 13, 2016 12:06 pm

]]>