Yubico Forum

Yubikey limitations or just user error? Work-arounds plz?

Author:  SnakeByte [ Fri Jun 05, 2015 8:49 pm ]
Post subject:  Yubikey limitations or just user error? Work-arounds plz?

Trying to get this key to do what I need has been a frustrating journey. I've followed the many guides out there to get it to work with the various things I use on a daily basis, but invariably some limitation comes up that prevents my use of the key.

What I thought I'd do is explain what I want to do, show the link to the instructions I followed, and then explain the problem with the hopes that someone here has a better method, or a work-around.

1. Windows Logon / remote access of smb shares.
I want to be able to log in to windows with the yubikey for added security.
Instructions: https://www.yubico.com/applications/com ... ows-login/
After implemented problem: Cannot remote desktop in, nor access any smb shares on the machine using my credentials remotely. I had hoped that by sharing my "ports" via Remote Desktop Connection, the yubikey logon authenticator running on the remote workstation would be able to communicate with the key, but no love.
Possible workaround for remote desktop issue is to pay for and use Rohos Logon Key instead: http://www.rohos.com/support/knowledge- ... h-yubikey/
However, I do not believe this will solve the remote access of smb shares from another machine. The only other workaround I can think of is to create another user account in windows and use that instead... Of course, that account wouldn't have the protections of a yubikey.

Other possible workaround: Configure Yubikey's CCID as a Smart Card? I know that windows has had some built-in smart card abilities for quite some time, so maybe these usability issues have been solved if I can get the yubikey to play nice with windows?

2. Sign and Encrypt emails.
I want to be able to sign and encrypt emails using GPG (via Kleopatra)
Instructions: https://www.yubico.com/2012/12/yubikey-neo-openpgp/
After implemented problem 1: Cannot add email aliases to the certificate via Kleopatra like I can with my other gpg certificates. I have email accounts that have LOTS of email aliases... Without the ability to add email aliases, I cannot "send on behalf" of those aliases and use gpg to sign or encrypt. Is there a way to "generate" and supply those aliases during generation from the command line?
After implemented problem 2: Cannot have more than one certificate stored on the Yubikey, so I cannot have a gpg certificate for all the other email accounts I use. Is there a way to add more than one certificate to the key?

I think this forum post may hold the solution for #2?

Maybe what I should do instead is create a master cert that isn't associated with the yubikey at all, add ALL my email aliases (and perhaps my other real email addresses?) using Kleopatra first, and then create two sub certs, sign / cert that I would store on the key following the instructions above. I assume I'd then be able to remove the master cert from the production computers and store it safely while using the yubikey for my sign/encrypt needs?
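
The layout proposed in the last paragraph of the post (one master key carrying every alias as a user ID, with only sign and encrypt subkeys on the working machine), written out with GnuPG 2.1+ commands as an added example that is not part of the original post. The user IDs, directory arguments and helper function names are hypothetical, `rsa2048` is an assumed algorithm choice, and moving the subkeys to the token is left as the interactive step noted in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. UIDs are constructed placeholders;
# the empty passphrase is acceptable only for this throwaway demo keyring.

# g HOMEDIR ARGS...: run gpg non-interactively against one keyring directory.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# master_fpr HOMEDIR: fingerprint of the primary key in that keyring.
master_fpr() {
    g "$1" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# make_master HOMEDIR PRIMARY_UID [ALIAS_UID...]: certify-only master key,
# one user ID per address, plus separate sign and encrypt subkeys.
make_master() {
    dir=$1; primary=$2; shift 2
    mkdir -p "$dir" && chmod 700 "$dir"
    g "$dir" --quick-generate-key "$primary" rsa2048 cert never
    fpr=$(master_fpr "$dir")
    for uid in "$@"; do g "$dir" --quick-add-uid "$fpr" "$uid"; done
    g "$dir" --quick-add-key "$fpr" rsa2048 sign 1y
    g "$dir" --quick-add-key "$fpr" rsa2048 encr 1y
}

# split_for_daily_use OFFLINE_HOME DAILY_HOME: copy the public key and the
# secret subkeys only, so the master secret never reaches the daily keyring.
# Moving subkeys to the token is interactive (gpg --edit-key, "keytocard").
split_for_daily_use() {
    mkdir -p "$2" && chmod 700 "$2"
    g "$1" --export-secret-subkeys "$(master_fpr "$1")" | g "$2" --import
}

# count_records HOMEDIR uid|sub: number of user IDs or subkeys on the key.
count_records() { g "$1" --with-colons --list-keys | grep -c "^$2:"; }

# Field 15 of the "sec" record is "#" when only a stub of the master is present.
master_secret_marker() {
    g "$1" --with-colons --list-secret-keys | awk -F: '$1 == "sec" { print $15; exit }'
}

if [ "${1:-}" = "demo" ]; then   # run as: sh script.sh demo
    t=$(mktemp -d)
    make_master "$t/offline" "Demo <demo@example.test>" "Demo <sales@example.test>"
    split_for_daily_use "$t/offline" "$t/daily"
    echo "uids=$(count_records "$t/offline" uid) master=$(master_secret_marker "$t/daily")"
fi
```

A `#` marker for the daily keyring confirms that the master secret was never imported there, while both subkeys and all user IDs remain usable.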

All times are UTC + 1 hour