Yubico Forum

PostPosted: Wed Mar 19, 2014 5:53 pm 

Joined: Tue Nov 04, 2008 8:55 pm
Posts: 19
WARNING:
since 1st July 2014 the Yubico applets: OpenPGP, YubiOATH (AKA Yubico Authenticator), Yubico PIV - come PRE-INSTALLED. 99% of the users will not need to touch GPShell nor Yubikey NEO Manager. Don't execute commands which you do not understand; you may disable your device.




Requirements:
A Yubikey Neo, A computer with an internet connection and a Debian installation CD. Oh and a lot of time...

Description:
This guide will take you from a Debian installation CD, through all the dependencies, compiling and installing a new applet for the Neo and finish with preparing and copying GPG subkeys on the Neo (not generating directly on the Neo). I doubt many people will need the whole guide but hope that parts of it will be of use to some.


Initial Linux Setup


The first thing you will need to do is get a Yubikey Neo.

For this guide I started with a fresh install of Debian 7.3.0 64 bit from the netinstall image and then upgraded to testing (from Wheezy to Jessie). I did not install the Desktop or Print Server components during install but if you do this with a desktop installation then it should not make much difference. Any recent Linux distro should work but writing this guide from a fresh install means you can reproduce my steps exactly if required. I had multiple issues with Gnupg 2.0.19 which is the version in Debian Stable which is why I upgraded to Testing which has version 2.0.22 (improved support for card readers).

The first step is therefore to install Debian Stable and check internet access is working. To upgrade to Debian Testing edit /etc/apt/sources.list and change every instance of the word wheezy to jessie. Then start the upgrade - this step will take a while.
Quote:
# apt-get update
# apt-get dist-upgrade
- Accept warning about needing to uninstall a few packages that are blocking the upgrade, then later press q to close the screen of upgrade notices about various packages.

After upgrading I always prefer to reboot to ensure there are no unexpected issues that will appear next time I turn the machine on. There are then a few packages that you need to install from the repositories so you might as well get them all now:

To compile the new applet for installing on your Yubikey you will need:

Quote:
# aptitude install openjdk-6-jdk ant
# aptitude install junit4

To compile the Yubikey Personalisation Tool you also need:
Quote:
# aptitude install libyubikey-dev pkg-config libusb-1.0-0-dev libjson0-dev make

And to compile gpshell (for installing the new applet on the Neo) you need:
Quote:
# apt-get install libpcsclite-dev zlib1g-dev libssl-dev

GPG version 2 is required for this:
Quote:
# apt-get install gnupg2 scdaemon

Finally to actually access the card you need pcsc:
Quote:
# apt-get install pcscd

Download the Java Card Classic Development Kit from http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javame-419430.html#java_card_kit-2.2.2-oth-JPR, then extract some of the files:
Quote:
# mkdir jckit
# cd jckit
# unzip /path/to/java_card_kit-2_2_2-linux.zip
# cd java_card_kit-2_2_2/
# unzip java_card_kit-2_2_2-rr-bin-linux-do.zip



Compile the new Applet


Then you will need to download and compile an upgraded applet from https://github.com/Yubico/ykneo-openpgp ... res/jckit3. Download the applet source directly from https://github.com/Yubico/ykneo-openpgp/archive/master.zip, unzip and compile it.

Quote:
# wget https://github.com/Yubico/ykneo-openpgp ... master.zip
# unzip master.zip
# cd ykneo-openpgp-master
# ant -DJAVACARD_HOME=/path/to/jckit/java_card_kit-2_2_2/

You should now have a cap file in the sub folder applet/bin/openpgpcard/javacard/openpgpcard.cap


Enable CCID mode on Neo


By default the Yubikey Neo does not have CCID smartcard functionality enabled, so that needs to be turned on. http://opensource.yubico.com/yubikey-personalization/


Note: If you want a slightly quicker way to do this then download the Windows version - it comes with a pre-compiled executable so you can jump straight to running the command.

Quote:
# wget http://opensource.yubico.com/yubikey-pe ... 5.0.tar.gz
# tar xvf ykpers-1.15.0.tar.gz
# cd ykpers-1.15.0
# ./configure
# make check install
# ldconfig


Plug in your Neo now - you are ready to enable the CCID functionality.
Quote:
# ykpersonalize -m82


Confirm that you want to set mode 0x82. Take the NEO out and plug it back in to restart it in the new mode.


Install updated openPGP Applet on Neo


Download the gpshell, global platform and the gppcscconnectionplugin from http://sourceforge.net/projects/globalplatform/
Quote:
# tar zxvf globalplatform-6.0.0.tar.gz
# cd globalplatform-6.0.0
# ./configure
# make
# make install
# cd ..

Quote:
# tar zxvf gpshell-1.4.4.tar.gz
# cd gpshell-1.4.4
# ./configure
# make
# make install
# cd ..

Quote:
# tar zxvf gppcscconnectionplugin-1.1.0.tar.gz
# cd gppcscconnectionplugin-1.1.0
# ./configure
# make
# make install


Unplug the Neo and plug it in again so it is detected correctly. Now you need to go back to the ykneo-openpgp-master folder (from when you compiled the applet) and install the applet on the Yubikey:
Quote:
# LD_LIBRARY_PATH=/usr/local/lib gpshell gpinstall.txt

You should be rewarded with several screens of text rushing by.


Prepare GPG key and back it up


The Yubikey NEO can support GPG keys up to 2048 bit RSA - bigger keys will not fit. A lot of people store their main key offline and generate encryption and signing subkeys which they import onto a card for day to day use. This has the advantage that if the card is lost they can just generate new encryption and signing subkeys and their main GPG identity will not lose all the signatures which validate their real identity. Another advantage is that the main key can then be 4096 bits in strength (if you are that paranoid) and the subkeys only 2048 bit so they fit on the Neo. The certification part of the key is not present however so they will not be able to certify any other person's key is genuine without getting access to their main/full key.

By default GPG will create 2 keys - the first is used for signing (files) and certifying (other GPG keys). The second is used for Encryption. I'm going to create a new subkey for signing so only this goes onto the Yubikey. Gpg outputs a lot of text and this post feels big enough already so I'm going to skip most of the output - you will get far more on your screen than is shown here.

First to add a new signing key of 2048 bit size. My main key ID in this example is 3edda8ae - change this for your ID:
Quote:
# gpg2 --edit-key 3edda8ae
pub 2048R/3EDDA8AE created: 2014-03-14 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/581671D8 created: 2014-03-14 expires: never usage: E
[ultimate] (1). test key (test 2048R key) <test@example.com>
gpg> addkey
Please enter the passphrase to unlock the secret key: *****

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
What keysize do you want? (2048) 2048
Key is valid for? (0) 1y
Is this correct? (y/N) y
Really create? (y/N) y
pub 2048R/3EDDA8AE created: 2014-03-14 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/581671D8 created: 2014-03-14 expires: never usage: E
sub 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14 usage: S
[ultimate] (1). test key (test 2048R key) <test@example.com>

You should now be able to see the extra line ending in "usage: S" to denote the signing only key. If you are using an existing key and the Encryption key is not shown as "sub 2048R" then you will need to create a new encryption subkey as above but choosing "RSA (encrypt only)" as the type.

Final step before you move the keys to the Neo is to back them all up. If you do not want to trap your only copy of the private key on a Neo then back it up first! Once more because this step is important: BACK UP YOUR KEYS!
Quote:
gpg> save

Quote:
# gpg2 --export -a 3edda8ae >public_key_backup.key
# gpg2 --export-secret-key -a 3edda8ae > private_key_backup.key
# ls
private_key_backup.key public_key_backup.key


Move these backup files somewhere safe - you do not want to accidentally overwrite or delete them. Next let's put the encryption subkey onto the Yubikey (you need to plug the Yubikey in now if it is not already):


Move the keys to the Neo

Quote:
# gpg2 --edit-key 3edda8ae

Quote:
gpg> toggle
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb 2048R/581671D8 created: 2014-03-14 expires: never
ssb 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
(1) test key (test 2048R key) <test@example.com>
gpg> key 1
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb* 2048R/581671D8 created: 2014-03-14 expires: never
ssb 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
(1) test key (test 2048R key) <test@example.com>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection?
2
Please enter the passphrase to unlock the secret key: *****
scdaemon[22389]: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN: *****
writing new key
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb* 2048R/581671D8 created: 2014-03-14 expires: never
card-no: 0000 00000001
ssb 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
(1) test key (test 2048R key) <test@example.com>

"key 1" selects the first subkey (it is shown with an asterisk). "keytocard" MOVES the selected subkey to the card after you have confirmed both the gpg pass-phrase as well as the card administrator pin. There is only one slot to store this kind of key so you need to choose option 2. Finally the keys are shown but with the encryption key having a card number underneath it to show it is no longer present on the computer.

Next we need to move the signing key to the NEO:
Quote:
gpg> key 1
gpg> key 2
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb 2048R/581671D8 created: 2014-03-14 expires: never
card-no: 0000 00000001
ssb* 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
(1) test key (test 2048R key) <test@example.com>
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Please enter the passphrase to unlock the secret key: *****
writing new key
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb 2048R/581671D8 created: 2014-03-14 expires: never
card-no: 0000 00000001
ssb* 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
card-no: 0000 00000001
(1) test key (test 2048R key) <test@example.com>
gpg> quit
Save changes? (y/N) y

"key 1" deselects the first (encryption) subkey, then "key 2" selects the second (signing) subkey. "keytocard" is used to MOVE the signing subkey to the NEO. Finally quit saving changes.

As a quick test remove the Neo. Encrypt a random file to this new key and then try to decrypt it - you will get an error:
Quote:
# echo "my secret message" > test.txt
# gpg2 -r test -e test.txt
# ls
test.txt test.txt.gpg
# gpg -d test.txt.gpg
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: card reader not available
gpg: encrypted with 2048-bit RSA key, ID 581671D8, created 2014-03-14
"test key (test 2048R key) <test@example.com>"
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

Now plug the NEO in again and run exactly the same command:
Quote:
# gpg -d test.txt.gpg
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Please enter the PIN
Enter PIN:
*****
gpg: encrypted with 2048-bit RSA key, ID 581671D8, created 2014-03-14
"test key (test 2048R key) <test@example.com>"
my secret message


The output at the end will be the secret message you added to test.txt. This would only be possible to decrypt with the NEO plugged in, as only a stub of the private encryption key is stored on the local hard drive.

You can now backup the private key from your computer (which only contains a stub of the full private key). This stub and the public key you saved earlier can be manually imported on any other computer without risking loss of control of your keys as you also need the Yubikey connected to use it.

From your working computer:
Quote:
# gpg2 --export-secret-key -a 3edda8ae > private_key_backup_STUB.key

Copy those 2 files to another computer and import them with:
Quote:
# gpg2 --import public_key_backup.key
# gpg2 --allow-secret-key-import --import private_key_backup_STUB.key

You can make life a bit easier in 2 ways. Firstly if you upload your key to a keyserver then you can automatically pull down the required files with this command (after plugging in the NEO):

Quote:
# gpg2 --card-edit
gpg/card> fetch


If however you do not want to upload this key to the public keyservers you can upload it to a specific url and program the NEO to look there. The --armor switch below instructs gpg to only use a character set that is safe to use in emails (mail programs have a habit of treating some obscure characters inconsistently which is not good if those characters are in the middle of your key!)

# gpg2 --armor --export 3edda8ae > public_key_armor.key

Upload this file to anywhere you control and make a note of the direct link to the file. I uploaded to my Dropbox account so for me the file was accessible at https://dl.dropboxusercontent.com/u/120 ... _armor.key. We need to add this link to the URL field of the NEO:
Quote:
# gpg2 --card-edit
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 26EF 14F4 A5B6 B24A 0EFE E39C F5E2 68CB 5B48 E4AF
created ....: 2014-03-14 16:56:48
Encryption key....: CFA0 0AE0 1C27 0463 36DE 2960 0FBF CAD4 5816 71D8
created ....: 2014-03-14 16:22:28
Authentication key: [none]
General key info..:
pub 2048R/5B48E4AF 2014-03-14 test key (test 2048R key) <test@example.com>
sec 2048R/3EDDA8AE created: 2014-03-14 expires: never
ssb> 2048R/581671D8 created: 2014-03-14 expires: never
card-no: 0000 00000001
ssb> 2048R/5B48E4AF created: 2014-03-14 expires: 2015-03-14
card-no: 0000 00000001
gpg/card> admin
Admin commands are allowed
gpg/card> url
URL to retrieve public key: https://dl.dropboxusercontent.com/u/120364/public_key_armor.key
scdaemon[2887]: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN :
gpg/card> quit

You can check this worked as expected by running gpg2 --card-status and checking the output now contains your URL. To make this a decent test I am going to delete the entire local public and private keyring files, then import the keys using the NEO and online public file before repeating the encryption test I performed earlier to prove decryption only works with the NEO installed. First to delete the local files:
Quote:
# cd .gnupg/
:~/.gnupg# ls
gpg.conf private-keys-v1.d pubring.gpg pubring.gpg~ random_seed reader_0.status secring.gpg trustdb.gpg
:~/.gnupg# rm pubring.gpg
:~/.gnupg# rm pubring.gpg~
:~/.gnupg# rm secring.gpg
:~/.gnupg# rm trustdb.gpg


Trying to list keys will now just show GPG creating new keyring files:
:~/.gnupg# gpg2 --list-keys
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

Time to fetch the public key. Plug in the NEO and run the following commands:
Quote:
:~/.gnupg# gpg2 --card-edit
gpg: keyring `/root/.gnupg/secring.gpg' created
scdaemon[3125]: reading public key failed: Card error
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
<SNIP extra info>
Sex ..............: unspecified
URL of public key : https://dl.dropboxusercontent.com/u/120 ... _armor.key
Login data .......: [not set]
<SNIP extra info>
gpg/card> fetch
gpg: requesting key 5B48E4AF from https server dl.dropboxusercontent.com
gpg: key 3EDDA8AE: public key "test key (test 2048R key) <test@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg/card> quit


You can now try encrypting a message to your private key and it will only decrypt if the NEO is plugged in:
Quote:
# echo "my secret message encrypted to NEO key" > test_file_Neo.txt
# gpg2 -r test -e test_file_Neo.txt
# gpg2 -d test_file_Neo.txt.gpg
scdaemon[3285]: DBG: asking for PIN '||Please enter the PIN'
"test key (test 2048R key) <test@example.com>"
my secret message encrypted to NEO key

Congratulations! Firstly for reading through everything above (assuming you didn't cheat and skip all the way down here!) You should now have a GPG key which you can use relatively easily on any computer with GPG but you do not need to place the private key on that computer. For me this means I can freely use my personal GPG key on work computers without any chance of losing control of a copy, but it could just as easily be that you want to protect your work GPG key when visiting client sites.

    I have not tested this thoroughly on different distributions but as far as I know any distro with gnupg 2.0.22 available should also meet the other requirements. If you know of any distros that this will or will not work on then please let me know and I'll update this guide. Any questions please ask - I'll help if I can.


    Changing the user and admin pin on the NEO

    Use of the gpg key stored on the NEO requires you to enter a pin code (default is normally 123456). Getting the pin code wrong 3 times locks the user pin. The default admin pin is normally 12345678. Getting the admin pin code wrong 3 times will lock the card and cannot be reset. Make sure you remember these pin codes!

    Use the "gpg --change-pin" command and change both the user and admin pin to something you will remember:
    Quote:
    # gpg2 --change-pin
    gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
    gpg: OpenPGP card no. D2760001240102000000000000010000 detected
    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit



    Other things to do

    There are several other things you should do if you have not already:



    Problems...

    There are a few problems that are worth bearing in mind when following this guide depending on how secure you want your end result to be.

    Randomness matters. A computer builds up a pool of entropy from various sources during use. This entropy is then used by /dev/random when anything needs random numbers - however on a clean install with no extra software running that has probably only just booted up there is not much entropy to go around. This could lead to weak keys being generated. A program like haveged may well eliminate this problem if you can not use a genuine hardware random number generator like the Entropykey (I know nothing about this project beyond the fact it looks cool and is reasonably cheap).

    By using Debian Testing I am also using a system with less immediate security patching. Stable Debian receives security patches very quickly and Unstable Debian also receives them quickly (but then it receives everything quickly, including patches, new software and new bugs/security problems - that is why it is called "Unstable"). Testing Debian tends to receive updates after they have been tested for a while and have no known serious bugs, so sometimes a security problem might be unpatched on Testing after both Stable has been patched and Unstable has received a newer version that also fixes the problem. Alternatives if you are concerned - gnupg 2.0.22 is not in Debian Backports so you could either manually install packages from the Debian Jessie repository or use a different distro with a later version of gnupg. Or compile gnupg from source if you were feeling adventurous.

    I did all this as the root user. Normally bad but in my defense: A lot of this had to be done as root anyway, you need to trust the system you are generating the keys on completely (eg don't use it for browsing facebook!) and you have to trust the software you are installing completely. Since I'm using a fresh minimal install and not connecting to random internet sites the risks are minimized.


    Troubleshooting



    Yubikey Neo not recognised as a CCID device.

    If you are using an older distro that does not fully recognise the Yubikey Neo as a ccid device then you need to take a few more steps:

    A Debian Wheezy install I have been using does not know that the Yubikey can be a smart card. Not too hard to fix though: edit /etc/libccid_Info.plist. You need to add two lines at the top of 3 sections.
    Find array ifdVendorID and add the following two lines at the top:
    Quote:
    <string>0x1050</string>
    <string>0x1050</string>

    Find array ifdProductID and add the following two lines at the top:
    Quote:
    <string>0x0111</string>
    <string>0x0112</string>

    Find array ifdFriendlyName and add the following two lines at the top:
    Quote:
    <string>YubiKey Neo Composite</string>
    <string>YubiKey Neo CCID</string>


    Restart the service:
    Quote:
    /etc/init.d/pcscd restart


    Unplug and replug the neo and the output of dmesg should now include "Yubikey NEO OTP+CCID"


    Guides used to create this guide:


    Far too many web pages to list fully, but the main sources of information I used were:
    https://github.com/Yubico/ykneo-openpgp

    Yubico Forums eg: Adding the Yubikey Neo to known hardware (not required in the end as I switched to Debian Testing) viewtopic.php?f=26&t=982&start=10#p3767
    Creating subkeys and separating out from the main key for security reasons: http://www.void.gr/kargig/blog/2013/12/ ... h-subkeys/
    How to add GPG keys to cards: http://www.gnupg.org/howtos/card-howto/en/ch05.html

    If you have any comments or suggestions then please let me know.


    Last edited by Neal on Wed Apr 09, 2014 3:46 pm, edited 1 time in total.

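The guide above verifies the card with `gpg2 --card-status` (checking that the URL was written), relies on the `card-no:` / `ssb>` markers to tell a stub from a real secret subkey, and then exports a "STUB" secret key to carry to other computers. The following script is an added example, not code from the post, from Yubico or from GnuPG: it parses the three outputs the post shows (`gpg2 --card-status`, `gpg2 --list-secret-keys` and `gpg2 --fingerprint --fingerprint KEYID`) and checks that every populated card slot holds a fingerprint of one of your own subkeys, that no subkey secret is still fully on disk (an `ssb` line without `>`), how many Admin PIN attempts remain, and whether the master secret key (`sec` without `#`) is still fully present. After the post's procedure it is, because only the subkeys were moved, so the "STUB" export still carries the complete master private key and should be treated accordingly before it goes onto a work machine. The sample outputs are constructed from the shapes shown in the post; the master fingerprint and the retry counter `3 3 2` are placeholders chosen to exercise the warnings.

```sh
#!/bin/sh
# Added example, not code from the forum post or from Yubico/GnuPG: sanity checks
# on the output of the gpg2 commands the post uses, run here on constructed text.
# Real use: gpg2 --card-status > card.txt; gpg2 --list-secret-keys > sec.txt;
#           gpg2 --fingerprint --fingerprint 3edda8ae > fps.txt

# Constructed from the card-status layout in the post; "3 3 2" is a placeholder
# chosen to trigger the Admin PIN warning (the third counter is the Admin PIN).
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Serial number ....: 00000001
URL of public key : [not set]
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 2
Signature counter : 0
Signature key ....: 26EF 14F4 A5B6 B24A 0EFE E39C F5E2 68CB 5B48 E4AF
      created ....: 2014-03-14 16:56:48
Encryption key....: CFA0 0AE0 1C27 0463 36DE 2960 0FBF CAD4 5816 71D8
      created ....: 2014-03-14 16:22:28
Authentication key: [none]'

# Constructed: `gpg2 --list-secret-keys` on the machine that ran keytocard.
# "ssb>" = subkey secret lives on the card; plain "ssb" = still on disk;
# "sec" without "#" = the master secret key itself is still fully on disk.
SAMPLE_SECRET_KEYS='sec   2048R/3EDDA8AE 2014-03-14
uid                  test key (test 2048R key) <test@example.com>
ssb>  2048R/581671D8 2014-03-14
ssb>  2048R/5B48E4AF 2014-03-14'

# Constructed: `gpg2 --fingerprint --fingerprint 3edda8ae`; the master fingerprint
# is a placeholder, the two subkey fingerprints are the ones shown in the post.
SAMPLE_FINGERPRINTS='pub   2048R/3EDDA8AE 2014-03-14
      Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 3EDD A8AE
uid                  test key (test 2048R key) <test@example.com>
sub   2048R/581671D8 2014-03-14
      Key fingerprint = CFA0 0AE0 1C27 0463 36DE 2960 0FBF CAD4 5816 71D8
sub   2048R/5B48E4AF 2014-03-14 [expires: 2015-03-14]
      Key fingerprint = 26EF 14F4 A5B6 B24A 0EFE E39C F5E2 68CB 5B48 E4AF'

# Value of the card-status line whose label starts with $1 (stdin), or "none".
card_field() {
    awk -v f="$1" '
        index($0, f) == 1 {
            sub(/^[^:]*: */, "")
            if ($0 ~ /^\[(none|not set)\]$/) print "none"; else print
            exit
        }'
}

# Fingerprint held in one card slot (Signature, Encryption or Authentication), no spaces.
card_slot() {
    card_field "$1 key" | tr -d ' '
}

# Remaining Admin PIN attempts (third number of "PIN retry counter").
admin_pin_retries() {
    card_field "PIN retry counter" | awk '{ print $3 }'
}

# Key IDs of subkeys whose secret part is still fully on disk (stdin: --list-secret-keys).
subkeys_still_on_disk() {
    awk '$1 == "ssb" { sub(/^[^\/]*\//, "", $2); print $2 }'
}

# Exit 0 if the master secret key is fully on disk ("sec", not "sec#").
master_secret_on_disk() {
    awk 'BEGIN { r = 1 } $1 == "sec" { r = 0 } END { exit r }'
}

# All fingerprints from --fingerprint output, spaces removed (stdin).
keyring_fingerprints() {
    awk -F '= ' '/Key fingerprint =/ { gsub(/ /, "", $2); print $2 }'
}

# $1 = card-status text, $2 = --fingerprint text. Every populated card slot must
# hold a fingerprint that belongs to the local key; returns 1 on any mismatch.
card_matches_keyring() {
    fps=$(printf '%s\n' "$2" | keyring_fingerprints)
    rc=0
    for slot in Signature Encryption Authentication; do
        fp=$(printf '%s\n' "$1" | card_slot "$slot")
        if [ "$fp" = none ]; then continue; fi
        if printf '%s\n' "$fps" | grep -qx "$fp"; then
            echo "$slot slot: $fp (matches a local subkey)"
        else
            echo "$slot slot: $fp is NOT one of your subkeys" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples.
card_matches_keyring "$SAMPLE_CARD_STATUS" "$SAMPLE_FINGERPRINTS"
left=$(printf '%s\n' "$SAMPLE_SECRET_KEYS" | subkeys_still_on_disk)
[ -z "$left" ] || echo "WARNING: subkey secret still on disk: $left" >&2
printf '%s\n' "$SAMPLE_SECRET_KEYS" | master_secret_on_disk &&
    echo "NOTE: master secret key is still on this machine; --export-secret-key will include it"
retries=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | admin_pin_retries)
[ "$retries" -eq 3 ] || echo "WARNING: only $retries Admin PIN attempts left; 0 locks the card permanently" >&2
```

Run it once with the card unplugged to see the stub check, and again after `keytocard` with the real command outputs in place of the samples; a `sec` that you intend to keep off other machines should show as `sec#` there, which is what you get when you import the public key and fetch from the card rather than importing the "STUB" file.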

    PostPosted: Tue Apr 08, 2014 9:34 pm 

    Joined: Tue Sep 24, 2013 7:16 pm
    Posts: 7
    questions around the subkeys are explained here:
    http://www.gnupg.org/gph/en/manual.html#AEN526

    Do I understand correctly that the NEO can only have 1 keypair onboard? So there is no place for an active encryption key and a number of expired keys for the sake of reading old communication??


    PostPosted: Tue Apr 08, 2014 10:42 pm 

    Joined: Tue Nov 04, 2008 8:55 pm
    Posts: 19
    xychix wrote:
    Do I understand correctly that the NEO can only have 1 keypair onboard? So there is no place for an active encryption key and a number of expired keys for the sake of reading old communication??


    As I understand it the NEO can't even store one complete key pair - it only stores the private key and the public key is fetched from a keyserver when you first use the key. The NEO has 3 slots - one for encryption subkey, one for signing subkey and one for authentication subkey (eg ssh logins). So you are correct that if you lost your NEO and decided to create a new subkey for a new NEO then you would no longer be able to use the NEO for decrypting messages encrypted to the previous subkey. You would still have these older private subkeys stored elsewhere (unless they were generated on the NEO itself) so could decrypt those messages there. The only possible (but clunky, expensive and unrealistic) work around I can think of would be to buy a separate NEO for every new encryption subkey that you *might* need to decrypt messages with.

    Not ideal but I'm not aware of any smartcards that can store multiple keys (I could be wrong here - if so please let me know - but I have only ever seen details of cards that can take a single private encryption subkey).

    Regards,
    Neal.


    PostPosted: Wed Apr 09, 2014 2:54 pm 

    Joined: Tue Sep 24, 2013 7:16 pm
    Posts: 7
    Code:
    root@kali:~/Desktop/ykneo-openpgp-master# LD_LIBRARY_PATH=/usr/local/lib gpshell gpinstall.txt
    mode_211
    enable_trace
    establish_context
    card_connect
    card_connect() returns 0x8010000C (No smart card inserted.)


    unfortunately it doesn't work for me.
    I'm doing this on a fresh updated KALI linux on a USB stick (so I can destroy it afterwards)

    the card is working:
    Code:
    root@kali:~/Desktop/ykneo-openpgp-master# gpg --card-status
    Application ID ...: D276000XXXX1020XXXXXXXXXX
    Version ..........: 2.0
    Manufacturer .....: test card
    Serial number ....: 00000001
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]
    root@kali:~/Desktop/ykneo-openpgp-master# gpg --card-status
    gpg: detected reader `Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00'
    gpg: apdu_send_simple(0) failed: no card
    Please insert the card and hit return or enter 'c' to cancel: c
    gpg: Interrupt caught ... exiting

    second command is with card ejected

    Code:
    ./ykinfo -a
    serial: 2XXX017
    serial_hex: 2XXX19
    serial_modhex: dXXXbk
    version: 3.1.2
    touch_level: 1541
    programming_sequence: 1
    slot1_status: 1

    also looks fine :(

    I'll dd a debian and install that to the USB drive and rerun the howto.


    PostPosted: Wed Apr 09, 2014 3:43 pm 

    Joined: Tue Nov 04, 2008 8:55 pm
    Posts: 19
    xychix wrote:
    Code:
    root@kali:~/Desktop/ykneo-openpgp-master# gpg --card-status
    gpg: detected reader `Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00'
    gpg: apdu_send_simple(0) failed: no card
    Please insert the card and hit return or enter 'c' to cancel: c
    gpg: Interrupt caught ... exiting



    I suspect that the "Broadcom" bit is another smartcard reader and the applet is trying to install to a card in that reader (just a guess though). Can you disable/remove the broadcom Corp 5880 card reader or try with a different computer if it is built in? Failing that you could edit the /etc/libccid_Info.plist file discussed in my post and try to manually remove the lines related to this Broadcom device so KALI no longer recognizes it as a smartcard reader.

    On a related note I've just noticed how messed up that bit in the guide is - obviously something went wrong when I converted it. I'll go fix that now...

    Cheers,
    Neal.


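Neal's reply suggests editing /etc/libccid_Info.plist to control which readers the CCID driver claims, and the troubleshooting section of the guide adds two lines at the top of each of three arrays. Those arrays (ifdVendorID, ifdProductID, ifdFriendlyName) are matched by position, so a line removed from only one of them shifts every reader below it. The script below is an added example, not from the post, from Yubico or from the CCID project: it extracts the three arrays with awk, refuses to proceed if they are out of step, prints the vendor/product/name triples, and reports whether the NEO entries from the guide (vendor 0x1050 with products 0x0111 and 0x0112) are present. The embedded plist is a constructed sample in the file's layout; the third reader entry is a placeholder, not a real device ID.

```sh
#!/bin/sh
# Added example (not from the forum post): inspect the reader tables in a
# libccid_Info.plist-style file. ifdVendorID, ifdProductID and ifdFriendlyName
# are parallel arrays matched by index, so they must stay the same length.

# Constructed sample in the layout of /etc/libccid_Info.plist (not a real copy);
# the third entry is a placeholder for some other reader, not a real device ID.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ifdVendorID</key>
  <array>
    <string>0x1050</string>
    <string>0x1050</string>
    <string>0x0000</string>
  </array>
  <key>ifdProductID</key>
  <array>
    <string>0x0111</string>
    <string>0x0112</string>
    <string>0x0000</string>
  </array>
  <key>ifdFriendlyName</key>
  <array>
    <string>YubiKey Neo Composite</string>
    <string>YubiKey Neo CCID</string>
    <string>Placeholder other reader</string>
  </array>
</dict>
</plist>'

# Print the <string> values of the <array> that follows <key>$1</key> (plist on stdin).
plist_array() {
    awk -v key="$1" '
        index($0, "<key>" key "</key>") { inkey = 1; next }
        inkey && /<\/array>/ { exit }
        inkey && match($0, /<string>.*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17)   # strip <string> and </string>
        }'
}

# Number of lines in $1, treating an empty string as zero entries.
count_entries() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Print one "vendor<TAB>product<TAB>name" line per reader (plist on stdin).
# Returns 1 without printing if the three arrays have different lengths.
ccid_readers() {
    plist=$(cat)
    vendors=$(printf '%s\n' "$plist" | plist_array ifdVendorID)
    products=$(printf '%s\n' "$plist" | plist_array ifdProductID)
    names=$(printf '%s\n' "$plist" | plist_array ifdFriendlyName)
    nv=$(count_entries "$vendors"); np=$(count_entries "$products"); nn=$(count_entries "$names")
    if [ "$nv" -ne "$np" ] || [ "$nv" -ne "$nn" ]; then
        echo "ERROR: arrays out of step: $nv vendor IDs, $np product IDs, $nn names" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    printf '%s\n' "$vendors" > "$tmp/v"
    printf '%s\n' "$products" > "$tmp/p"
    printf '%s\n' "$names" > "$tmp/n"
    paste "$tmp/v" "$tmp/p" "$tmp/n"
    rm -rf "$tmp"
}

# Returns 0 when both NEO entries from the guide (0x1050:0x0111 and 0x1050:0x0112) are present.
neo_known() {
    ccid_readers | awk -F '\t' '
        tolower($1) == "0x1050" && (tolower($2) == "0x0111" || tolower($2) == "0x0112") { hits++ }
        END { exit (hits == 2) ? 0 : 1 }'
}

# Demonstration on the constructed sample; for the real file use
#   ccid_readers < /etc/libccid_Info.plist
printf '%s\n' "$SAMPLE_PLIST" | ccid_readers
if printf '%s\n' "$SAMPLE_PLIST" | neo_known; then
    echo "YubiKey NEO entries present"
else
    echo "YubiKey NEO entries missing or arrays out of step"
fi
```

Run `ccid_readers < /etc/libccid_Info.plist` before and after editing the file: the row count must not change unless you added or removed a complete triple, and every row should read as a plausible vendor/product/name combination. Restart pcscd afterwards as the guide says.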
    PostPosted: Wed Apr 09, 2014 3:53 pm 

    Joined: Tue Nov 04, 2008 8:55 pm
    Posts: 19
    xychix wrote:
    root@kali:~/Desktop/ykneo-openpgp-master# gpg --card-status


    Probably not related to your current issue but I also had many problems with gpg from debian stable - which is why I upgraded to testing to get version 2.0.22 which has better support for smartcards. If you get stuck actually adding the keys to the NEO then check your GPG version as that gave me errors along the lines of "card not found" or "card not supported". If "gpg" is not actually calling version 2 of GPG then use eg: "gpg2 --card-status".


    PostPosted: Wed Apr 09, 2014 7:48 pm 

    Joined: Tue Sep 24, 2013 7:16 pm
    Posts: 7
    I'm already up and running with debian testing, applet is on the key now. Now only the key-gen. Will do that tomorrow with a clear head :)
    I've noted all the commands in a .sh file which I'll post here afterwards. (commands from the start post but in workable cut'n paste format)

    After walking through it all I've decided on 2 changes.

    1. give the master key a long lifetime but not 'forever' some clients/persons might whine about this because they aren't aware of the rotating yearly keys on the yubi
    2. also generate a 3rd authentication key (as far as I'm aware this is a signing key in slot 3.....) just in case you decide you want to play with gpg-agent for ssh authentication (as I did 2 hours after I had my yubi ready and the master keys stored away)

    Note: I've installed debian on a usb stick (full disk encryption), upgraded to testing, ran all the downloads and compiled everything.
    Disconnected the internet (never to be connected again to this OS) and then generate keys. After all is done and keys are stored on a 2nd (and 3rd) usb stick I'll wipe the bootable USB key a few times.

    Each year in order to re-generate additional keys I'll go through this procedure. (when I get sick of it I might up to 2 year lifetimes)

    for future reference:
    http://budts.be/weblog/2012/08/ssh-auth ... ur-pgp-key
    a howto on creating an authentication sub-key in expert mode.

    another interesting reading for making good keypairs:
    https://alexcabal.com/creating-the-perfect-gpg-keypair/

    (NOTE: i hope this post stays editable, i will clean this mess up one day!)


    PostPosted: Thu Aug 14, 2014 4:02 am 

    Joined: Mon Jul 21, 2014 7:09 am
    Posts: 8
    I ran into an error at the key import stage. The keys are shown correctly as in screenshots and until this point all is well:

    gpg> keytocard
    gpg: can't connect to the agent - trying fall back
    The card does not support the import of keys


    gpg> scdaemon[6631]: updating slot 0 status: 0x0000->0x0007 (0->1)


    I found one other thread on here referring to this and the cure was to ensure that pcscd was running, but in my case it definitely is (pcscd -v correctly gives the version)

    Any suggestions appreciated


    PostPosted: Thu Aug 14, 2014 7:24 am 
    Site Admin

    Joined: Wed Nov 14, 2012 2:59 pm
    Posts: 666
    Dear hqarrse,

    What is the serial number on your Yubikey NEO? You may have a very old version of the OpenPGP applet from a time when the import was not supported yet.

    _________________
    -Tom


    PostPosted: Thu Aug 14, 2014 7:32 am 

    Joined: Mon Jul 21, 2014 7:09 am
    Posts: 8
    hi Tom,

    it's a shiny new one (3000052)

