Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:00 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 54 posts ]  Go to page 1, 2, 3, 4, 5, 6  Next
Author Message
PostPosted: Thu Sep 05, 2013 8:33 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
WARNING:
since 1st July 2014 the Yubico applets: OpenPGP, YubiOATH(AKA Yubico Authenticator), Yubico PIV - come PRE-INSTALLED. 99% of the users will not need to touch GPShell nor Yubikey NEO Manager. Don't execute commands which you do not understand you may disable your device




STEP 0

Understand what you are doing. If you have multiple smartcard reader disable them! plugin just the NEO. And be sure its in mode -m82


STEP 1

In this example i will show how to install the applet Yubico OATH available here:
https://github.com/Yubico/ykneo-oath

This applies to other applet as well. You may, for example, want to install your own applet (e.g. a PIV applet)


STEP 2

Install GPShell. Go here: http://sourceforge.net/projects/globalplatform/files/
Download GPShell and the Library. You have to make sure that this is installed correctly. This software is not released by Yubico and we cannot help it if messy, hard to understand or whatever you feel about. There are some PPA for Ubuntu/Debian where you can download and install this simply by using "apt-get install". Add this PPA https://launchpad.net/~klali/+archive/stuff for example.
For Windows there are binary files available on the GlobalPlatform website (yes, this means you don't need to type incomprehensible strange commands to make it work.)


STEP 3

You need the .CAP file for your applet and the GPinstall.txt file. To get the pre-compiled .CAP of the Yubico OATH applet go here:
http://opensource.yubico.com/ykneo-oath/releases.html

On http://opensource.yubico.com/ you will find other software as well, and if you want the pre-compiled just click the RELEASE link which is present in every subpage.

Now it is time to find the GPinstall.txt file. These are always in the Yubico GitHub page. Visit http://github.com/yubico. For the Yubikey NEO Yubico OATH applet, the install file will be found here:
https://github.com/Yubico/ykneo-oath/bl ... nstall.txt


NOTICE: the name of the projects on opensource.yubico.com and on the GitHub.com/Yubico page always match! In this case is "ykneo-oath"

STEP 4

Now, edit the gpinstall.txt to match the right location of your .cap file. Default location is:
Code:
install -file ./applet/bin/pkgYkneoOath/javacard/pkgYkneoOath.cap


Change it to /home/tom/Desktop/pkgYkneoOath.cap if your .cap file is located there ( THIS IS JUST AN EXAMPLE! )


STEP 5

On Linux run GPShell:

Code:
/usr/bin/gpshell /home/tom/Desktop/gpinstall.txt


On Windows the command would look like something like this:

Code:
C:\GPshelll-1.4.4\gpshell C:\User\Tom\Desktop\gpinstall.txt


STEP 6

The terminal will output a lot of stuff. If you get something like this at the end, then probably everything has gone well!

Code:
Command --> 80E88013D7C000C400BE00C700CA00CA00B400BE00CE00D200D500D700B000DB00C700DF00BEFFFF00BE00E400AC00AE00AE00DB00E700A
A00EA00ED00ED00ED00BE00EF00F100F400F100F700FA00FF00BE00F700AA01010103010700CA00C400B400AA00F700B400AA00B600C7010C
010C00AA0140012001B0056810B0013005600000056810E0011006B4B44304B44404B44106B44B4405B443400343B002410636810E06B4B44
407326810B004B43103441003334002B102B404B3B403BB4003B440076820A4100221024405B4341008B44600000231066820A100
Wrapped command --> 84E88013DFC000C400BE00C700CA00CA00B400BE00CE00D200D500D700B000DB00C700DF00BEFFFF00BE00E400AC00AE00AE00DB00E700A
A00EA00ED00ED00ED00BE00EF00F100F400F100F700FA00FF00BE00F700AA01010103010700CA00C400B400AA00F700B400AA00B600C7010C
010C00AA0140012001B0056810B0013005600000056810E0011006B4B44304B44404B44106B44B4405B443400343B002410636810E06B4B44
407326810B004B43103441003334002B102B404B3B403BB4003B440076820A4100221024405B4341008B44600000231066820A15D848CB77
27D0EDA00
Response <-- 009000
Command --> 80E60C002107A000000527210108A00000052721010108A000000527210101010003C901000000
Wrapped command --> 84E60C002907A000000527210108A00000052721010108A000000527210101010003C9010000B4648127914A4C7C00
Response <-- 009000
card_disconnect
release_context




STEP 7

Unplug your Yubikey NEO and go test it with a NEXUS device.

_________________
-Tom


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Sep 05, 2013 8:15 pm 
Offline

Joined: Tue Sep 03, 2013 8:27 pm
Posts: 4
Thank you. http://opensource.yubico.com/ykneo-oath/ says you need to set the YubiKey Neo in mode 82 (ykpersonalize -m82). I presume that is needed before installing this applet?

Also if you happen to use Windows, be sure to do it as local user and not remote to a machine. Otherwise you will get the following error:

establish_context failed with error 0x8010001D (The smart card resource manager is not running.)


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 13, 2013 3:58 pm 
Offline

Joined: Mon Aug 13, 2012 9:58 pm
Posts: 23
can anyone send me the PIV applet ? loaded ykneo-oath without issues


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 23, 2013 7:09 pm 
Offline

Joined: Wed Apr 28, 2010 8:32 pm
Posts: 6
So I couldn't get this working on my Crouton Ubuntu (Chromebook) but I got everything installed on my work Windows machine and it appeared that everything worked as described. The only problem I have right now is that with the YubiOATH application installed on my Galaxy Nexus when I hold my NEO against it I get an NFC detection sound but nothing happens. Am I missing something?


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 24, 2013 9:21 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
You need to scan a secret from a service and store it on the NEO first, in order for something to happen.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 24, 2013 1:52 pm 
Offline

Joined: Wed Apr 28, 2010 8:32 pm
Posts: 6
I tried the following:

1. Start YubiOATH Android application
2. Choose "Scan new QR-code"
3. Scanned the QR code for the service
4. YubiOATH directs me to "Swipe you YubiKey NEO to store"
5. I Swipe the NEO and I get the same NFC recognition sound that I hear before doing any of that, and the YubiOATH application doesn't do anything

Once I set the mode to 82 and install the .cap file via gpshell what needs to be done with the slot 1/2 configuration? Do I need to use the personalization tool to set any additional flags? It seem like there is something missing. How do I know for sure that the NEO is in mode 82? When I've run the tool to set mode 82 it prompts me to confirm (y/n) I hit "y" and then it just returns to a prompt without indicating if it has done anything. The gpshell .cap install looks like it worked as has been indicated here, but it doesn't really seem to be working. My Windows 8 machine sees the NEO plugged in and it lists it as YubiKey NEO OTP+CCID.


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 26, 2013 7:40 pm 
Offline

Joined: Mon Aug 01, 2011 10:27 pm
Posts: 16
I tried really hard to get this up and running. :/

On Windows, I downloaded the GPShell-1.4.4 package as well as the .cap and the gpinstall.txt files.
I edited the gpinstall.txt file to point to the .cap file.
After setting my yubikey to mode82 using the commandline ypersonalize, I ran:
GPShell.exe gpinstall.txt

I get the following output:
Code:
mode_211
enable_trace
establish_context
card_connect
card_connect() returns 0x80100066 (The smart card is not responding to a reset.)


I tried it on Mac, but there is no precompiled binary for GPShell, and the build instructions were too confusing to follow. I couldn't find a clear list of dependencies to install from README or INSTALL. The install instructions are for OSX-Tiger, and a simple ./configure didn't work.

I tried it on an Ubunto 13.04 box. Used the packages found in https://launchpad.net/~klali/+archive/stuff/ to install gpshell as well as libpcsc and libccid, but when I inserted the yubikey and ran gpshell, it failed with error 0x8010001D (Service not available.) so I imagine there is some missing step to get Ubuntu to actually recognize and load the smart card drivers?

Very sad, but maybe someone can fill in some holes and I'll try again later.


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 27, 2013 9:01 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Do you have multiple smartcard readers on your machine?

Do you power cycle the Yubikey after setting it to mode 82?

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 27, 2013 1:54 pm 
Offline

Joined: Wed Apr 28, 2010 8:32 pm
Posts: 6
deinspanjer:
I experienced the same issues with Ubuntu (though running on a Chromebook) and I ended up having to do this all via Windows. I still can't get my NEO working with the YubiOATH Android app. Did you actually get your NEO changed to mode 82? I downloaded the ykpersonalize for Windows from here: http://opensource.yubico.com/yubikey-pe ... eases.html and that allowed me to change my NEO mode to 82. I have verified that in the Windows device manager by NEO is being recognized as a smartcard. I also have gpg installed and was also able to verify via the "gpg --card-status" command that my NEO appears to be in the correct mode. I was able to install the .CAP file from http://opensource.yubico.com/ykneo-oath/releases.html (installed version 0.2.0) using the Windows binary of GPShell. Now Tom asked the very good question about multiple smartcard readers. If you are trying to do the GPShell install on a laptop many times they have a built-in smartcard reader. You'll most likely need to disable this in order to get things working.

Tom:
I still can't get my NEO working with Android YubiOATH. Am I suppose to remove both slot configurations, or configure a slot in a specific way? What about NDEF programming, does something need to be done there? According to your instructions after install the .CAP file it should just start working with the Android app. Is perhaps the 0.2.0 version of the .CAP file bad, did you use an older .CAP file version? Thanks!


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 27, 2013 2:37 pm 
Offline

Joined: Mon Aug 01, 2011 10:27 pm
Posts: 16
I guess my windows laptop (An Alienware M-81) might have an additional SC reader, there is a slot on the right hand side that reminds me of the old PCMCIA cards (are those still a thing now-a-days?) I'll have to look into disabling it.

That said, the error message seems to indicate that it can see the yubikey SC, it just can't properly communicate with it.

I do know the yubikey is in mode 82 because the windows box recognizes it as the dual type USB device when I plug it in.

Not sure what is meant by power cycling it other than just taking it out and waiting a bit before putting it back in.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 54 posts ]  Go to page 1, 2, 3, 4, 5, 6  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group