Yubico Forum

Re: Config Protection of EXISTING "Challange-Response"

2017-11-01T02:33:08+01:00

ChrisHalos wrote:

... I think I figured out what's going on here ...

Chris:

A sincere "Thank You" for the extra clarifications re: potentially differing behaviors based on firmware versions.

Cheers,

Statistics: Posted by LD2gIlShWrA2J9qFcwS5 — Wed Nov 01, 2017 2:33 am

Re: Config Protection of EXISTING "Challange-Response"

2017-11-01T02:27:23+01:00

My1 wrote:

... you go into settings press update settings and there you can set the protection ...

My1:

Thank you so much!

I'd never investigated that innocuous little button down there at the bottom of the page w/ the grayed-out text.

It was EXACTLY what I was looking for.

Thanks again,

Cheers,

Statistics: Posted by LD2gIlShWrA2J9qFcwS5 — Wed Nov 01, 2017 2:27 am

Re: Config Protection of EXISTING "Challange-Response"

2017-10-31T20:06:36+01:00

ChrisHalos wrote:

Just remember... forgetting an access code after setting one means there's no way to make changes to that slot anymore (or enable/disable modes - OTP/CCID/U2F).

how does that last part even make sense? the config protection applies to slot 1 or 2, but the modes the Yubi acts in are neither related to the slots to nor the personalization tool in the first place.

Statistics: Posted by My1 — Tue Oct 31, 2017 8:06 pm

Re: Config Protection of EXISTING "Challange-Response"

2017-10-31T00:21:10+01:00

I think I figured out what's going on here. Firmware 4.3.4 and 4.3.5 there was a bug that didn't allow updating configuration protection on the slot credentials. 4.2.6-4.3.3 work, as do 4.3.6 and newer. When I responded on the other thread I'm speaking from experience (works). When my colleague responded on the support case that was referred to on the other post, he was testing on 4.3.4 because he wasn't sure (hence the two different answers).

So on a 4.3.4 or 4.3.5 firmware YK4, you need to reprogram the credential in order to set an access code. If you have the configuration log (csv file), you can simply choose the same settings in the Personalization Tool and set the access code during programming. Just remember... forgetting an access code after setting one means there's no way to make changes to that slot anymore (or enable/disable modes - OTP/CCID/U2F).

Statistics: Posted by ChrisHalos — Tue Oct 31, 2017 12:21 am

Re: Config Protection of EXISTING "Challange-Response"

2017-10-29T16:49:48+01:00

you go into settings press update settings and there you can set the protection.

Statistics: Posted by My1 — Sun Oct 29, 2017 4:49 pm

[SOLVED] Config Protection of EXISTING "Challange-Response"

2017-11-01T02:34:40+01:00

I had previously posed this question in another thread -- viewtopic.php?f=35&t=2722 -- but never received a definitive answer.

So I'm trying again here w/ a more "descriptive" Subj line

Question: Is it possible to config-protect a "Challenge-Reply" configuration in Slot 2 WITHOUT changing / over-writing the previously-entered "Secret Key" ?

I've tried several times but have been unsuccessful on each attempt.

Statistics: Posted by LD2gIlShWrA2J9qFcwS5 — Sat Oct 28, 2017 8:52 pm