Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:08 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Sun Oct 08, 2017 12:42 am 
Offline

Joined: Sun Oct 08, 2017 12:32 am
Posts: 3
I've set up an OpenPGP key on my YubiKey4, and also activated the setting that I have to confirm any use of the key by pressing it (via the command line utility
Code:
ykman openpgp touch aut ...
). However, whenever I issue a GPG command, there is about a 6 second delay before the YubiKey starts flashing (indicating that it's ready for my finger). More specifically, the YubiKey flickers once (very quickly) immediately after I issue the GPG command, then once more at about 3 seconds, and then start slow-flashing after 6 seconds (for 15 seconds, until it times out).

If I touch the key before the 6 seconds, it enters the OTP password.

Is there any way to configure the key so that I can touch it immediately after issuing the GPG command? Six seconds feels like an eternity on the command line!


Last edited by goerz on Sun Oct 08, 2017 10:44 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun Oct 08, 2017 1:43 pm 
Offline
User avatar

Joined: Sun Jul 24, 2011 12:48 am
Posts: 37
Is that an undocumented feature? I have never seen that listed anywhere. I need to press my finger to get a TOTP from the authenticator app but openPGP needs nothing other than my pin.

_________________
My GnuPG (PGP) Key ID: 614D98E6


Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 08, 2017 8:11 pm 
Offline

Joined: Sun Oct 08, 2017 12:32 am
Posts: 3
It's a feature that was introduced on the Yubikey 4 (off by default), and is documented at e.g. https://developers.yubico.com/PGP/Card_edit.html. Personally, I found that it's most easily configured using the ykman command line utility (https://github.com/Yubico/yubikey-manager), rather than through the shell script linked in the documentation. In any case the documentation does not mention that there should be any delay.


Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 08, 2017 9:15 pm 
Offline
User avatar

Joined: Sun Jul 24, 2011 12:48 am
Posts: 37
I don't know, it seems a bit dodgy to me. I can understand, maybe, a full reset of the OpenPGP applet being command-liny and complex looking but if you have to use scripts and things to enable a "feature" it seems more like a beta or test feature than something that Yubico expect users to do. I have been all over the personalisation tool and I have seen no mention anywhere of this. I would be concerned about wrecking something. Does this work on a new Neo too? If this is something I can experiment without breaking either my 4 or Neo then I might give it a try and let you know what happens.

_________________
My GnuPG (PGP) Key ID: 614D98E6


Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 08, 2017 9:16 pm 
Offline
User avatar

Joined: Sun Jul 24, 2011 12:48 am
Posts: 37
I cannot find the download link for it. I am on windows. What would I need to experiment with this any way?

_________________
My GnuPG (PGP) Key ID: 614D98E6


Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 08, 2017 9:49 pm 
Offline
User avatar

Joined: Sun Jul 24, 2011 12:48 am
Posts: 37
I have tracked it down: https://developers.yubico.com/yubikey-m ... /Releases/

I did:

Code:
C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch aut on
Current touch policy of AUTHENTICATE key is OFF.
Set touch policy of AUTHENTICATE key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch enc on
Current touch policy of ENCRYPT key is OFF.
Set touch policy of ENCRYPT key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch sig on
Current touch policy of SIGN key is OFF.
Set touch policy of SIGN key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.


Then I unplugged and plugged back in. Now as soon as I type in my pin to sign, it sits there forever waiting. So then I press the button and it works. I repeat, same thing only I can press it as soon as I want and it will complete. same with decrypting things, I enter my pin and tough the contact on the Yubikey, else it sits there, presumably until it times out or something. I like this feature and it should be part of the normal personalisation tool in my opinion.

If you are using linux, perhaps there is a difference between that and the windows version? It is BETA after all, so I don't know what else to tell you. I am going to leave the feature disabled I think though, because if I cannot protect my Neo with it, I do not want to the false sense of security that could come from relying on this and forgetting when I use the Neo. But if it were available on both, I would leave it enabled.

_________________
My GnuPG (PGP) Key ID: 614D98E6


Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 08, 2017 10:42 pm 
Offline

Joined: Sun Oct 08, 2017 12:32 am
Posts: 3
Ok, since it seems it's working for you without the 6 second delay, I just de- and then re-activated the touch feature, and now it seems to work immediately. This was on MacOS, btw.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group