Yubico Forum


All times are UTC + 1 hour




Post new topic Reply to topic  [ 9 posts ] 
PostPosted: Tue Mar 01, 2016 1:15 pm 

Joined: Tue Mar 01, 2016 12:50 pm
Posts: 6
Hello,

I am trying to configure a key using the tutorial https://www.yubico.com/2012/12/yubikey-neo-openpgp/ but unfortunately it seems my device is somehow locked (and the PIN counter is 3 3 3 - so I am not sure if installing a new applet is a solution).

Code:
13:11 $ gpg --card-edit

Application ID ...: D276xxxxxxxxxxxxxxxxxxxx30000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0xxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 1 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006045288830000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
gpg: sending command `SCD PASSWD' to agent failed: ec=6.131
Error changing the PIN: general error


The same happens when I try to generate the keys or change the admin password. What should I do?

I am using Ubuntu Trusty 14.04.

Not sure if this does matter, but:

Code:
13:28 $ pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Mar  1 13:28:20 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted, Exclusive Mode,
  ATR: 3B XX XX XX


+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
        NONE

find: `/home/bluszcz/.cache/smartcard_list.txt': No such file or directory
Your card is not present in the database.
Please submit your unknown card at:
http://smartcard-atr.appspot.com/parse?ATR=


Edit: After updating pcsc-tools from the Ubuntu xenial package I am getting the following:

Code:
Tue Mar  1 14:53:31 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card removed, Exclusive Mode,
Scanning present readers...
Waiting for the first reader...found one
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Mar  1 14:53:35 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted,
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
        YubiKey NEO (PKI)
        http://www.yubico.com/


but I still cannot perform any operation on my NEO key.


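The ATR that pcsc_scan decodes in the post above can be parsed and checked by hand: the interface bytes announce the protocol and timing, the historical bytes carry the card name, and the trailing TCK byte must XOR to zero with everything from T0 onwards, which is how pcsc_scan reaches "correct checksum". The following Python is an added example, not code from the thread, from pcsc-tools or from Yubico; it assumes the ATR layout of ISO 7816-3 (Fi/Di tables included) and uses the ATR printed above as its input.

```python
"""Parse an ISO 7816-3 Answer To Reset (ATR) such as the one pcsc_scan
printed above, and verify its TCK checksum.  Added example; this is not
code from the thread, from pcsc-tools or from Yubico."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# ATR of the YubiKey NEO exactly as printed by pcsc_scan in the post above.
ATR_HEX = "3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1"

# Clock-rate (Fi) and baud-rate-adjustment (Di) tables from ISO 7816-3 (None = reserved).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]


@dataclass
class Atr:
    convention: str                   # "direct" (TS=3B) or "inverse" (TS=3F)
    interface_bytes: Dict[str, int]   # e.g. {"TA1": 0x13, "TD1": 0x81, ...}
    protocols: Set[int]               # T=0 / T=1 as offered by the TD bytes
    historical: bytes                 # K historical bytes, here the card name
    tck: Optional[int]                # check byte, absent when only T=0 is offered
    tck_ok: Optional[bool]            # XOR of T0..TCK must be zero

    @property
    def cycles_per_etu(self) -> Optional[int]:
        """Fi/Di from TA1 (ISO default 372/1 when TA1 is absent)."""
        ta1 = self.interface_bytes.get("TA1", 0x11)
        fi, di = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
        return fi // di if fi and di else None


def parse_atr(atr_hex: str) -> Atr:
    b = bytes.fromhex(atr_hex)
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad length or TS byte")
    convention = "direct" if b[0] == 0x3B else "inverse"
    y, k = b[1] >> 4, b[1] & 0x0F           # T0: presence bits Y1 and historical count K
    iface: Dict[str, int] = {}
    protocols: Set[int] = set()
    i, n = 2, 1
    while y:                                # walk TA(n)..TD(n) while the previous TD announces more
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if i >= len(b):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"{name}{n}"] = b[i]
                i += 1
        td = iface.get(f"TD{n}")
        if td is None:
            break
        protocols.add(td & 0x0F)
        y = td >> 4
        n += 1
    historical = b[i:i + k]
    i += k
    if not protocols:
        protocols = {0}                     # no TD byte at all means T=0 only
    if protocols == {0}:
        tck, tck_ok = None, None            # TCK is omitted when only T=0 is offered
    else:
        if i >= len(b):
            raise ValueError("ATR truncated before TCK")
        tck = b[i]
        xor = 0
        for byte in b[1:i + 1]:             # T0 through TCK inclusive must XOR to zero
            xor ^= byte
        tck_ok = xor == 0
    return Atr(convention, iface, protocols, historical, tck, tck_ok)


if __name__ == "__main__":
    atr = parse_atr(ATR_HEX)
    print(atr.convention, sorted(atr.protocols), atr.historical.decode("ascii", "replace"))
    print("cycles/ETU:", atr.cycles_per_etu, "TCK ok:", atr.tck_ok)
```

On the ATR above this yields direct convention, protocol T=1 only, historical bytes "YubikeyNEOr3", 93 cycles/ETU from TA1=13 and a valid TCK; a single flipped byte anywhere after TS makes tck_ok False, which is the first thing to check when a reader reports an ATR that no database recognises.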

PostPosted: Wed Mar 02, 2016 5:36 pm 
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Hey,

As a first step, I would start by adding some logging output to scdaemon.

Add the following two lines to ~/.gnupg/scdaemon.conf (create the file if it doesn't exist):
log-file /tmp/scdaemon.log
debug-level guru

After restarting scdaemon you will start seeing messages in /tmp/scdaemon.log; some of these messages might help to trace down the problem (just be aware that this is the highest logging level and also logs PIN insertions).

Given what you're trying to do, what should normally happen next is that a program called pinentry is invoked. As the name implies, this is a tool designed to input PINs in a safe way. However, there are different versions available and each one uses a different way of reading the input (such as gtk2, curses, tty). One possibility is that the right one is missing from your system and/or the wrong one is invoked. Something like this should show up in the log files.


PostPosted: Sun Mar 06, 2016 8:51 pm 

Joined: Tue Mar 01, 2016 12:50 pm
Posts: 6
Hi Alessio,

thank you for answering.

I am getting the PIN window asking for a password, and after entering the password it crashes.

Code:
2016-03-06 19:19:54 scdaemon[31658] DBG: check_pcsc_pinpad: command=24, r=27265
2016-03-06 19:19:54 scdaemon[31658] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2016-03-06 19:19:54 scdaemon[31658] DBG:   PCSC_data: 00 CA 00 C4 00
2016-03-06 19:19:54 scdaemon[31658] DBG:  response: sw=9000  datalen=7
2016-03-06 19:19:54 scdaemon[31658] DBG:       dump:  00 7F 7F 7F 03 03 03
2016-03-06 19:19:54 scdaemon[31658] 3 Admin PIN attempts remaining before card is permanently locked
2016-03-06 19:19:54 scdaemon[31658] DBG: asking for PIN '|A|Please enter the Admin PIN'
scdaemon[31658]: chan_7 -> INQUIRE NEEDPIN |A|Please enter the Admin PIN
scdaemon[31658]: chan_7 <- [ 44 20 31 32 33 34 35 36 37 38 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[31658]: chan_7 <- END
2016-03-06 19:19:57 scdaemon[31658] DBG: asking for PIN '|AN|New Admin PIN'
scdaemon[31658]: chan_7 -> INQUIRE NEEDPIN |AN|New Admin PIN
scdaemon[31658]: chan_7 <- [ 44 20 31 32 33 34 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[31658]: chan_7 <- END
2016-03-06 19:20:00 scdaemon[31658] DBG: send apdu: c=00 i=24 p1=00 p2=83 lc=12 le=-1 em=0
2016-03-06 19:20:00 scdaemon[31658] DBG:   PCSC_data: 00 24 00 83 0C 31 32 33 34 35 36 37 38 31 32 33 34
2016-03-06 19:20:00 scdaemon[31658] DBG:  response: sw=6985  datalen=0
2016-03-06 19:20:00 scdaemon[31658] operation change_pin result: Conditions of use not satisfied
2016-03-06 19:20:00 scdaemon[31658] command passwd failed: Conditions of use not satisfied
scdaemon[31658]: chan_7 -> ERR 100663427 Conditions of use not satisfied <SCD>
2016-03-06 19:23:53 scdaemon[31658] pcsc_status failed: unknown reader (0x80100009)
2016-03-06 19:23:53 scdaemon[31658] updating slot 0 status: 0x0007->0x0000 (1->1)
2016-03-06 19:23:53 scdaemon[31658] sending signal 12 to client 30369


Alessio wrote:
Hey,

As a first step, I would start by adding some logging output to scdaemon.

Add the following two lines to ~/.gnupg/scdaemon.conf (create the file if it doesn't exist):
log-file /tmp/scdaemon.log
debug-level guru

After restarting scdaemon you will start seeing messages in /tmp/scdaemon.log; some of these messages might help to trace down the problem (just be aware that this is the highest logging level and also logs PIN insertions).

Given what you're trying to do, what should normally happen next is that a program called pinentry is invoked. As the name implies, this is a tool designed to input PINs in a safe way. However, there are different versions available and each one uses a different way of reading the input (such as gtk2, curses, tty). One possibility is that the right one is missing from your system and/or the wrong one is invoked. Something like this should show up in the log files.


PostPosted: Mon Mar 07, 2016 10:03 am 
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
From what I can see from the log files, you're trying to set an Admin PIN of 4 characters. This is not a legal Admin PIN.

The specifications require the following PIN lengths:
User PIN: at least 6 characters
Admin PIN: at least 8 characters

What happens if you try a legal PIN?


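The guru-level log two posts up already contains everything needed to see this coming: the GET DATA on DO C4 returns the seven PW status bytes (signature-PIN mode, the three maximum lengths, the three retry counters), and the CHANGE REFERENCE DATA on P2=83 comes back with status word 6985 because the new Admin PIN is shorter than the 8 characters the specification requires. The following Python is an added example, not code from the thread, from GnuPG or from Yubico; it decodes DO C4, explains the ISO 7816-4 status words involved, pre-checks a PIN against the minimum lengths quoted in this reply and the maximums the card reports, and walks log lines in the scdaemon format shown above. The sample lines are taken from that log with the PCSC_data lines (which carry the PIN bytes in clear) left out, so nothing here handles or prints a real PIN.

```python
"""Decode the OpenPGP card PW status bytes (DO C4) that scdaemon dumps at
guru level, explain the status word of a PIN change, and pre-check PIN
lengths against the card's limits.  Added example; not code from the
thread, from GnuPG or from Yubico."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum PIN lengths required by the OpenPGP card specification (as stated in the thread).
MIN_PIN_LENGTH = {"user": 6, "admin": 8}
# P2 of CHANGE REFERENCE DATA (INS 24) selects which password is being changed.
PIN_REF = {"81": "User PIN (PW1)", "83": "Admin PIN (PW3)"}
# ISO 7816-4 status words relevant to PIN handling.
SW_TEXT = {
    0x9000: "OK",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6983: "authentication method blocked (retry counter is 0)",
    0x6985: "conditions of use not satisfied (e.g. PIN length outside the allowed range)",
}

APDU_RE = re.compile(r"send apdu: c=(\w\w) i=(\w\w) p1=(\w\w) p2=(\w\w)")
DUMP_RE = re.compile(r"dump:\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
SW_RE = re.compile(r"response: sw=([0-9A-Fa-f]{4})")


@dataclass(frozen=True)
class PwStatus:
    """The seven PW status bytes of data object C4."""
    signature_pin_forced: bool            # byte 0 == 00: PW1 valid for one PSO:CDS only
    max_lengths: Tuple[int, int, int]     # bytes 1-3: PW1, Reset Code, PW3 (Admin)
    retry_counters: Tuple[int, int, int]  # bytes 4-6: PW1, Reset Code, PW3 (Admin)

    def locked(self) -> Dict[str, int]:
        """Passwords whose retry counter has reached zero (the '3 3 0' case below)."""
        names = ("User PIN", "Reset Code", "Admin PIN")
        return {n: c for n, c in zip(names, self.retry_counters) if c == 0}


def decode_pw_status(dump_hex: str) -> PwStatus:
    data = bytes.fromhex(dump_hex)
    if len(data) != 7:
        raise ValueError(f"DO C4 is 7 bytes, got {len(data)}")
    return PwStatus(data[0] == 0x00, tuple(data[1:4]), tuple(data[4:7]))


def explain_sw(sw: int) -> str:
    if 0x63C0 <= sw <= 0x63CF:            # 63Cx: wrong PIN, x attempts left
        return f"PIN verification failed, {sw & 0x0F} attempt(s) left"
    return SW_TEXT.get(sw, f"unknown status word {sw:04X}")


def check_pin(kind: str, pin: str, status: PwStatus) -> List[str]:
    """Problems the card would reject the PIN for; an empty list means it passes."""
    problems = []
    max_len = status.max_lengths[0 if kind == "user" else 2]
    if len(pin) < MIN_PIN_LENGTH[kind]:
        problems.append(f"{kind} PIN too short: {len(pin)} < {MIN_PIN_LENGTH[kind]}")
    if len(pin) > max_len:
        problems.append(f"{kind} PIN too long: {len(pin)} > {max_len}")
    if not (pin.isascii() and pin.isprintable()):
        problems.append(f"{kind} PIN must be printable ASCII")
    return problems


def scan_scdaemon_log(lines: List[str]) -> list:
    """Extract the PW status and the outcome of each CHANGE REFERENCE DATA from a guru log."""
    events = []
    pending = None                              # (INS, P2) of the last APDU sent
    for line in lines:
        line = line.rstrip()
        m = APDU_RE.search(line)
        if m:
            pending = (m.group(2).upper(), m.group(4).upper())
            continue
        m = DUMP_RE.search(line)
        if m and pending == ("CA", "C4"):       # GET DATA of DO C4
            events.append(("pw_status", decode_pw_status(m.group(1))))
            continue
        m = SW_RE.search(line)
        if m and pending and pending[0] == "24":  # CHANGE REFERENCE DATA
            sw = int(m.group(1), 16)
            events.append(("change_pin", PIN_REF.get(pending[1], pending[1]), sw, explain_sw(sw)))
    return events


# Constructed sample: lines from the scdaemon log posted above, without the
# PCSC_data lines that carry the PIN bytes in clear.
SAMPLE_LOG = """\
2016-03-06 19:19:54 scdaemon[31658] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2016-03-06 19:19:54 scdaemon[31658] DBG:  response: sw=9000  datalen=7
2016-03-06 19:19:54 scdaemon[31658] DBG:       dump:  00 7F 7F 7F 03 03 03
2016-03-06 19:20:00 scdaemon[31658] DBG: send apdu: c=00 i=24 p1=00 p2=83 lc=12 le=-1 em=0
2016-03-06 19:20:00 scdaemon[31658] DBG:  response: sw=6985  datalen=0
""".splitlines()

if __name__ == "__main__":
    for event in scan_scdaemon_log(SAMPLE_LOG):
        print(event)
    status = decode_pw_status("00 7F 7F 7F 03 03 03")
    print(check_pin("admin", "1234", status))          # the 4-character Admin PIN from the thread
    print(decode_pw_status("00 7F 7F 7F 03 03 00").locked())
```

Running check_pin before sending the PIN to the card is the cheap guard here: a too-short PIN costs nothing on a card that answers 6985, but each wrong guess while fixing the problem decrements a counter, and once the Admin counter shows 0 the only way out is the applet reset discussed further down.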
PostPosted: Mon Mar 07, 2016 2:37 pm 

Joined: Tue Mar 01, 2016 12:50 pm
Posts: 6
Hi Alessio,

I think it could help; however, something happened and my computer hung.

After restart I had this:

Code:
PIN retry counter : 3 3 0


What is the best way to restart the counter? Link please?

Alessio wrote:
From what I can see from the log files, you're trying to set an Admin PIN of 4 characters. This is not a legal Admin PIN.

The specifications require the following PIN lengths:
User PIN: at least 6 characters
Admin PIN: at least 8 characters

What happens if you try a legal PIN?


PostPosted: Mon Mar 07, 2016 3:07 pm 
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
That means that you have locked out your Admin PIN. The only way to recover is by resetting the PGP application.

Follow the instructions at this link https://developers.yubico.com/ykneo-ope ... pplet.html


PostPosted: Mon Mar 07, 2016 3:27 pm 

Joined: Tue Mar 01, 2016 12:50 pm
Posts: 6
Hi Alessio,

I am getting the following:

Code:
15:28 $ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663406 Card removed <SCD>
(oppnet) ✔ ~/Yubico


and

Code:
15:25 $ /home/bluszcz/opt/gpshell/bin/gpshell gpinstall.txt
mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479112103800734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
Command --> 80500000087C9CBDC3AFA4466900
Wrapped command --> 80500000087C9CBDC3AFA4466900
Response <-- 000043190125289328120202000228899B7335585A8B54A2A69533169000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)


Alessio wrote:
That means that you have locked out your Admin PIN. The only way to recover is by resetting the PGP application.

Follow the instructions at this link https://developers.yubico.com/ykneo-ope ... pplet.html


PostPosted: Mon Mar 07, 2016 3:36 pm 
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
The commands you're interested in are the ones in the "Reset the applet" section.

If you get a card not present error, make sure that you don't have other processes taking exclusive access to the card. One quick way to make sure of that is to re-plug your YubiKey and run the commands as root (if everything is configured correctly there shouldn't be any need for that, though).

Also, gpshell is irrelevant in this case. You won't be able to make changes to the applications present in the YubiKey.


PostPosted: Mon Mar 07, 2016 5:19 pm 

Joined: Tue Mar 01, 2016 12:50 pm
Posts: 6
Hi Alessio,

The problem has been solved! Thank you.

Alessio wrote:
The commands you're interested in are the ones in the "Reset the applet" section.

If you get a card not present error, make sure that you don't have other processes taking exclusive access to the card. One quick way to make sure of that is to re-plug your YubiKey and run the commands as root (if everything is configured correctly there shouldn't be any need for that, though).

Also, gpshell is irrelevant in this case. You won't be able to make changes to the applications present in the YubiKey.

