Yubico Forum
https://forum.yubico.com/

[QUESTION] Can I have U2F, OTP and SSH/PGP on the same key?
https://forum.yubico.com/viewtopic.php?f=16&t=2033

Author:  tsmalmbe [ Thu Sep 17, 2015 9:46 am ]
Post subject:  [QUESTION] Can I have U2F, OTP and SSH/PGP on the same key?

Hi, new here and just got my keys yesterday. I work as a security consultant, and if I get this thing configured and set up, this will most probably be my go-to solution for quite a few of my customers. So on to the questions.

Pre's: I'm working in a Windows environment. I'm familiar with PGP and SSH as well as LDAP, Linux and 2FA in general. I have the EDGE version of the key, but keep in mind I can choose the NEO for my customers just as well.

Aim: To be able to provide a secure and convenient solution for my customers' needs. It has to be convenient.
I need the following:
* U2F for Google Apps and Google-based email
* U2F for local Linux servers
* SSH keys for Linux servers
* OTP for various sites (like this forum, for instance)
* PGP keys for email - both Windows and Mac (Thunderbird/Enigmail/Kleopatra)

Problems: I've run into a few already.
0) Are my needs even realistic with EDGE or NEO - is Yubikey the way to go?
1) Modes. It seems most guides say switch to mode 82. This effectively disables the Google authentication. Can I use mode 86 just as well? I'm in 86 right now, and the OTP to this forum works as well as Google (U2F?) with Chrome.
2) Windows drivers for modes 82 and 86 - I have to manually install/select NIST SP 800-73; Windows 7 does not find drivers manually. Is this a bug, and moreover, does it make a difference?
3) Is it even possible to get the desired setup: U2F, OTP (in slot 1) and SSH/PGP (in slot 2)?
4) What is wrong: C:\Users\tsmalmbe>gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663297 General error <SCD>
5) What is wrong: C:\Users\tsmalmbe>gpg --card-status
gpg: OpenPGP card not available: Not supported
6) Am I missing this: https://developers.yubico.com/PGP/Card_edit.html - it does not say anything about windows?

So all in all, it seems like a huge undertaking to get everything up and running. I would not like to bother my customers with one key per need/requirement. And I cannot have them go through most of this process themselves - I need to get the keys preconfigured as far as possible, and only have instructions for adding their privates. That's the aim.

I will surely appreciate any pointers and all help. I've been playing around for two days now and reading tons of blogs and docs - the basics should be clear to me (but not sure if they are).

Thanks.

Author:  tsmalmbe [ Thu Sep 17, 2015 9:47 am ]
Post subject:  Re: [QUESTION] Can I have U2F, OTP and SSH/PGP on the same k

...and my next set of questions will then be around the different Linux PAM approaches as soon as possible. So to make things clear - I would like to have both SSH keys on the Yubico as well as the U2F or OTP PAM module as an option for my customers' SSH logins. All of them are using PuTTY as the client. I'm not really sure which PAM module is the right way to go. Looking at CentOS, RHEL and Ubuntu.

Author:  Tom2 [ Mon Nov 23, 2015 9:28 am ]
Post subject:  Re: [QUESTION] Can I have U2F, OTP and SSH/PGP on the same k

0) Are my needs even realistic with EDGE or NEO - is Yubikey the way to go?

You need a YubiKey 4 - yubi.co/yk4

1) Modes. It seems most guides say switch to mode 82. This effectively disables the Google authentication. Can I use mode 86 just as well? I'm in 86 right now, and the OTP to this forum works as well as Google (U2F?) with Chrome.

Depends on what you want activated. If you want supercombo mode (all on), "ykneomgr -M 86" is the command you're looking for.

2) Windows drivers for modes 82 and 86 - I have to manually install/select NIST SP 800-73; Windows 7 does not find drivers manually. Is this a bug, and moreover, does it make a difference?

This is a problem of your workstation. Windows detects the YubiKey 4 as a PIV smartcard from Windows 7 onward.

3) Is it even possible to get the desired setup: U2F, OTP (in slot 1) and SSH/PGP (in slot 2)?

U2F does not consume a "slot". Slots are only for the OTP side of the device. Please read documentation about U2F at https://developers.yubico.com/U2F/

4) What is wrong: C:\Users\tsmalmbe>gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663297 General error <SCD>

Most likely your YubiKey has the CCID interface off or your gpg-agent is not properly configured. You mentioned you have an EDGE, which has no smartcard capabilities, thus no OpenPGP. Please read about what your product does on www.yubico.com

5) What is wrong: C:\Users\tsmalmbe>gpg --card-status
gpg: OpenPGP card not available: Not supported

Same as 4)

6) Am I missing this: https://developers.yubico.com/PGP/Card_edit.html - it does not say anything about windows?

APDUs are operating system independent. Here is some beginners' reading about smart cards, which is required to understand common operations:
http://www.smartcardbasics.com/
https://en.wikipedia.org/wiki/Smart_car ... _data_unit
http://www.cardwerk.com/smartcards/smar ... tions.aspx

7-ish

Yes, you can have OTP, U2F and use your YubiKey for SSH/PAM all together.
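
Since point 6 above is that the APDU sent in point 4 is the same on every operating system, here is an added example (not from this thread and not Yubico's code) that decodes a hex command such as "00 f1 00 00" into its CLA/INS/P1/P2 fields and turns the card's two-byte status word into a readable reason. The sample response bytes are constructed, and the 3-byte version payload is an assumption, not captured from a real key.

```python
# Added example (not from the thread): decode the raw APDUs that
# gpg-connect-agent's "scd apdu ..." passes to the card, and the status
# word the card returns. Status-word meanings are ISO 7816-4; the sample
# response bytes used with this code are constructed (3-byte payload assumed).
from dataclasses import dataclass
from typing import Optional, Tuple

# ISO 7816-4 status words (SW1 SW2) most often seen when a card call fails.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
    0x6F00: "no precise diagnosis (general error)",
}

@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]  # expected response length, None if not given

def parse_command(hex_str: str) -> CommandApdu:
    """Parse a short command APDU written as hex, e.g. "00 f1 00 00"."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("a command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                        # case 1: header only
        return CommandApdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                  # case 2: header + Le (00 means 256)
        return CommandApdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:  # case 3/4: Lc + data [+ Le]
        raise ValueError("malformed Lc/Le encoding")
    return CommandApdu(cla, ins, p1, p2, data, (rest[0] or 256) if rest else None)

def parse_response(raw: bytes) -> Tuple[bytes, int, str]:
    """Split a response APDU into (data, SW1SW2, meaning)."""
    if len(raw) < 2:
        raise ValueError("a response APDU ends with a two-byte status word")
    data, sw = raw[:-2], (raw[-2] << 8) | raw[-1]
    if (sw >> 8) == 0x63 and (sw & 0xF0) == 0xC0:   # 63 Cx: x PIN tries left
        return data, sw, f"verification failed, {sw & 0x0F} tries remaining"
    return data, sw, STATUS_WORDS.get(sw, "unknown status word")
```

The SELECT command used in the test below carries the standard OpenPGP application identifier D2 76 00 01 24 01, which is what gpg's scdaemon sends before any card-status call.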
