Yubico Forum https://forum.yubico.com/

[Solved] GPG PIN retry counter not decrementing on wrong pin https://forum.yubico.com/viewtopic.php?f=35&t=2257
Author: ssendev [ Sat Mar 19, 2016 6:38 pm ]
Post subject: [Solved] GPG PIN retry counter not decrementing on wrong pin
I have set up gpg on Fedora 23 to use a YubiKey 4 (4.2.7). It is working, and `gpg2 --card-edit` shows the keys as `ssb>`. Entering `echo a | gpg2 -e | gpg2` for the first time after inserting the YubiKey requires the PIN to be entered; issuing the command a second time does not, which is expected. Trying it without the key results in `gpg: public key decryption failed: Card error`, which should mean that gpg does indeed use the YubiKey.

But when the key is inserted and a wrong PIN is entered, `gpg --card-status` still shows a retry counter of 3 0 3. Issuing `gpg-connect-agent --hex "scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40" /bye` as suggested by https://developers.yubico.com/ykneo-openpgp/ResetApplet.html results in a count of 2 0 3.

I used https://developers.yubico.com/PGP/Card_edit.html to require touch on all gpg actions and enabled forcesig.

Unrelated to that, I have a few other questions. I saw mentions of a PUK / reset code but no clear descriptions. Is there a default reset code which could circumvent my PIN/admin PIN, or is it only activated with `gpg2 --card-edit`, `passwd`, `set Reset Code`?

After using gpg the YubiKey LED glows permanently, and the invert LED flag seems to have no effect. Am I doing something wrong, or is it not possible to change?

A question I wish would be in the FAQ. What are irreversible actions:

Did I miss something irreversible?
Author: ChrisHalos [ Tue Mar 22, 2016 1:09 am ]
Post subject: Re: PIN retry counter not decrementing on wrong pin
Just a thought, but if you enter a PIN that doesn't meet the minimum requirements (must be at least 6 characters, Admin PIN must be at least 8 characters), it won't count as a failed PIN attempt.

OpenPGP on the YubiKey 4 and the YubiKey NEO has a PIN and an Admin PIN. If you lock out the PIN, you can still reset the PIN by providing the Admin PIN (12345678, by default). It's similar to PIN/PUK with PIV, if you're familiar.

The YubiKey 4 has no knowledge of "invert LED."

1) The Personalization Tool has a warning when attempting to overwrite slot 1 that it contains a Yubico OTP credential and the action cannot be undone. Salesforce is the only service that currently accepts Yubico OTP but doesn't accept "vv" credentials.
2) If the Admin PIN is locked, yes, that is correct. The OpenPGP applet follows these standards - http://g10code.com/docs/openpgp-card-2.0.pdf
3) There is no counter, so yes, it's possible to brute force it. When an access code is set, this is written to the configuration log file that is automatically generated by the Personalization Tool.
4) That is correct, the flag has to be set initially when programming a credential.
Author: ssendev [ Tue Mar 22, 2016 11:35 am ]
Post subject: Re: PIN retry counter not decrementing on wrong pin
Ok, that was the problem. Interesting.

The PDF you linked explained the reset code. For the future reader: it can be used instead of the admin PIN to reset the PIN, e.g. in cases where a company issues the keys and doesn't provide the admin PIN to the user. By default the reset code has a count of 0, so it can't be used. It's the middle counter, hence it's 3 0 3.

What a pity. I would have liked to disable the LED (that includes the flash every 8 seconds) except for the flashing when a touch is required. Like it is now, it draws a lot of attention to the YubiKey Nano. Maybe it's possible with a future YubiKey. Oh, and while I am dreaming, it would be nice if different actions like sign, decrypt, authenticate, U2F could use different LED colors / flash patterns.
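As an added example (not part of the thread, and not Yubico or GnuPG code), the following Python helper ties the two findings of the thread together: it decodes the `scd apdu` string quoted above into its VERIFY fields so you can see which PIN slot it targets, parses the `PIN retry counter : 3 0 3` line from `gpg --card-status` into user / reset-code / admin counters, and applies the minimum-length rule from the reply (a too-short PIN is rejected before it can count as an attempt). The P2 meanings and minimum lengths are taken from the OpenPGP card 2.0 specification linked in the reply; the `gpg --card-status` sample text is constructed.

```python
import re

# VERIFY instruction of the OpenPGP card application (ISO 7816 INS 0x20).
VERIFY_INS = 0x20

# P2 selects the password being verified (OpenPGP card 2.0 spec, VERIFY command).
P2_NAMES = {
    0x81: "PW1 (user PIN, for signing)",
    0x82: "PW1 (user PIN, for decrypt/authenticate)",
    0x83: "PW3 (admin PIN)",
}

# Minimum lengths from the spec: PW1 6, reset code (RC) 8, PW3 8.
# The card refuses shorter inputs outright, which is why a short wrong PIN
# does not decrement any retry counter (the point ChrisHalos makes above).
MIN_LENGTH = {"PW1": 6, "RC": 8, "PW3": 8}

# gpg --card-status prints the three counters in the order user, reset code, admin.
RETRY_RE = re.compile(r"PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)")

# Constructed sample of a gpg --card-status excerpt (not real card output).
SAMPLE_STATUS = """Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
PIN retry counter : 3 0 3
Signature counter : 0
"""


def decode_verify_apdu(hex_string):
    """Split an 'scd apdu' hex string into CLA/INS/P1/P2/Lc/data and name the PIN slot."""
    raw = bytes.fromhex(hex_string)  # fromhex ignores the spaces between bytes
    if len(raw) < 5:
        raise ValueError("APDU too short to contain a header and Lc")
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:]
    if ins != VERIFY_INS:
        raise ValueError(f"not a VERIFY APDU (INS=0x{ins:02x})")
    if len(data) != lc:
        raise ValueError(f"Lc says {lc} data bytes but {len(data)} are present")
    return {
        "cla": cla,
        "p1": p1,
        "p2": p2,
        "target": P2_NAMES.get(p2, "unknown password reference"),
        "pin_length": lc,
        "pin": data,
    }


def parse_retry_counters(card_status_output):
    """Return the three retry counters as {'PW1': user, 'RC': reset code, 'PW3': admin}."""
    match = RETRY_RE.search(card_status_output)
    if not match:
        raise ValueError("no 'PIN retry counter' line found")
    user, reset_code, admin = (int(v) for v in match.groups())
    return {"PW1": user, "RC": reset_code, "PW3": admin}


def pin_attempt_counts(slot, pin):
    """True if a wrong PIN of this length would actually consume a retry for the slot."""
    return len(pin.encode("utf-8")) >= MIN_LENGTH[slot]


def explain_counters(card_status_output):
    """Parse the counters and return human-readable notes about the card's PIN state."""
    counters = parse_retry_counters(card_status_output)
    notes = []
    if counters["RC"] == 0:
        notes.append("reset code not set (middle counter is 0), so it cannot unblock PW1")
    if counters["PW1"] == 0:
        notes.append("user PIN blocked; unblock with the admin PIN or a configured reset code")
    if counters["PW3"] == 0:
        notes.append("admin PIN blocked; the card can no longer be administered with PW3")
    return counters, notes


if __name__ == "__main__":
    apdu = decode_verify_apdu("00 20 00 81 08 40 40 40 40 40 40 40 40")
    print(f"VERIFY against {apdu['target']} with a {apdu['pin_length']}-byte PIN")
    counters, notes = explain_counters(SAMPLE_STATUS)
    print(counters)
    for note in notes:
        print(" -", note)
    print("5-char PW1 attempt counts?", pin_attempt_counts("PW1", "12345"))
```

The decoded APDU shows P2 = 0x81, i.e. the signing PW1 slot, with an 8-byte PIN of `@` characters; that is long enough to pass the length check, which is why that command moved the first counter from 3 to 2 while the earlier short wrong PIN did not. A zero middle counter simply means no reset code is configured, matching the thread's conclusion.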
All times are UTC + 1 hour