Yubico Forum
https://forum.yubico.com/

Yubikey NEO U2F blocks PIV applet
https://forum.yubico.com/viewtopic.php?f=26&t=1613

Author:  rxcomm [ Thu Nov 20, 2014 6:26 pm ]
Post subject:  Yubikey NEO U2F blocks PIV applet

Enabling U2F on the Yubikey NEO (3.3 fw) disables the PIV applet.

Author:  Tom [ Fri Nov 21, 2014 11:46 am ]
Post subject:  Re: Yubikey NEO U2F blocks PIV applet

No it doesn't.

Enabling U2F mode and disabling CCID mode will of course prevent you from accessing the CCID interface. Please refer to the documentation:
https://developers.yubico.com

Author:  DavidW [ Fri Nov 21, 2014 9:26 pm ]
Post subject:  Re: Yubikey NEO U2F blocks PIV applet

rxcomm wrote:
Enabling U2F on the Yubikey NEO (3.3 fw) disables the PIV applet.

As Tom says, this is not the case - I'm using an OTP+CCID+U2F Neo with 3.3 firmware using the PIV functionality in Windows 7.
What can happen with a multi-function device like the Neo is that something accessing one function on the Neo blocks access to the smartcard. GPG can be a culprit - once you access the card once, scdaemon typically holds the card open in exclusive mode. The GPG programmers seem not to have thought of multi-function devices like the Neo, even though the open source JavaCard implementation of the openpgp smartcard standard, from which the Neo's openpgp applet is derived, has been around for some time.

If something is blocking access to the smartcard, touching the button or removing and reinserting the Neo will almost certainly clear the problem.

Author:  rxcomm [ Tue Nov 25, 2014 12:04 am ]
Post subject:  Re: Yubikey NEO U2F blocks PIV applet

Quote:
No it doesn't.

Hmmm...

This is what happens when I try OpenVPN with OTP+CCID+U2F enabled:

Code:
user@host:~$ /usr/sbin/openvpn  --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

(Nothing is reported)

Trying to start OpenVPN:

Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:39:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Nov 24 16:39:22 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:

(and yes, the Yubikey was inserted)

And here is what happens when I run exactly the same commands with only OTP+CCID enabled:

Code:
user@host:~$ /usr/sbin/openvpn  --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             O=..., OU=..., CN=client
       Serial:         0E
       Serialized id:  piv_II/...

(The certificate I've stored with the PIV applet is described)

Successfully starting OpenVPN:

Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:41:32 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Nov 24 16:41:32 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Mon Nov 24 16:41:32 2014 UDPv4 link local: [undef]
Mon Nov 24 16:41:32 2014 UDPv4 link remote: [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Mon Nov 24 16:41:32 2014 VERIFY OK: nsCertType=SERVER
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Enter PIV_II (PIV Card Holder pin) token Password:
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Nov 24 16:41:40 2014 [server] Peer Connection Initiated with [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:43 2014 TUN/TAP device tun0 opened
Mon Nov 24 16:41:43 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 24 16:41:43 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 24 16:41:43 2014 /sbin/ip addr add dev tun0 local 10.8.0.46 peer 10.8.0.45
Mon Nov 24 16:41:45 2014 Initialization Sequence Completed

(Here OpenVPN starts up as expected)

Looks like the PIV applet doesn't work with OTP+CCID+U2F to me!

Author:  rxcomm [ Tue Nov 25, 2014 12:06 am ]
Post subject:  Re: Yubikey NEO U2F blocks PIV applet

One other note: the GPG applet works fine for both OTP+CCID and OTP+CCID+U2F.

Author:  DavidW [ Fri Dec 19, 2014 5:27 am ]
Post subject:  Re: Yubikey NEO U2F blocks PIV applet

You appear to have the issue described in another recent thread - your udev rules are out of date. Follow the link to that thread for the solution.
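
The symptom rxcomm posted (no objects from `--show-pkcs11-ids`, then a `token-insertion-request` prompt with the key plugged in) means the OpenSC PKCS#11 module reported no token in any slot; that is a host-side visibility problem, which fits DavidW's udev diagnosis. The script below is an added example, not code from this thread or from Yubico, that checks the layers OpenVPN depends on in order: USB enumeration, the PC/SC reader, then the PKCS#11 slot. It assumes the module path quoted in the thread, Yubico's USB vendor ID 1050, and the NEO product-ID table as Yubico publishes it (a NEO changes its USB product ID when its mode changes, so a udev rule written for the OTP+CCID ID will not match the OTP+U2F+CCID ID); `lsusb`, `opensc-tool` and `pkcs11-tool` are assumed to be installed for the `--run` path. The parsing helpers work on captured command output, so they can be exercised on the constructed sample lines shown in the comments without a key present.

```sh
#!/bin/sh
# Added diagnostic (not from the thread, not Yubico's code). Walks the stack
# bottom-up: lsusb -> pcscd/OpenSC reader -> PKCS#11 slot, so the first layer
# that fails is where to look. Paths and IDs are assumptions, see lead-in.

MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so   # path quoted in the thread
YUBICO_VID=1050                                      # Yubico's USB vendor ID

# yubico_pids: read `lsusb` output on stdin and print the product ID of every
# Yubico device, one per line, lower-case hex without 0x. Sample input line:
#   Bus 001 Device 005: ID 1050:0116 Yubico.com Yubikey NEO
yubico_pids() {
    sed -n "s/.*ID ${YUBICO_VID}:\([0-9a-fA-F]\{4\}\).*/\1/p" | tr 'A-F' 'a-f'
}

# neo_mode: translate a NEO product ID into the interfaces that mode exposes.
# Modes without CCID cannot carry PIV at all; the others should, if the host
# actually binds a reader to them.
neo_mode() {
    case "$1" in
        0110) echo "OTP (no CCID)" ;;
        0111) echo "OTP+CCID" ;;
        0112) echo "CCID" ;;
        0113) echo "U2F (no CCID)" ;;
        0114) echo "OTP+U2F (no CCID)" ;;
        0115) echo "U2F+CCID" ;;
        0116) echo "OTP+U2F+CCID" ;;
        *)    echo "unknown product ID $1" ;;
    esac
}

# udev_rules_mentioning: list udev rule files that reference a product ID.
# A rule set that only names 0111 will do nothing for a key now reporting 0116.
udev_rules_mentioning() {
    grep -l -i "$1" /etc/udev/rules.d/*.rules /lib/udev/rules.d/*.rules 2>/dev/null
}

# classify_slots: read `pkcs11-tool --list-slots` output on stdin and print
#   no-slots       the module found no reader at all (pcscd does not see the key)
#   slot-empty     a reader is bound but no card/applet answered
#   token-present  a token such as PIV_II is visible; OpenVPN should now list it
classify_slots() {
    out=$(cat)
    case "$out" in
        *"token label"*) echo token-present ;;
        *"(empty)"*)     echo slot-empty ;;
        *"No slots."*)   echo no-slots ;;
        *)               echo unknown ;;
    esac
}

# run_checks: run the real commands, reporting each layer in turn.
run_checks() {
    pids=$(lsusb | yubico_pids)
    if [ -z "$pids" ]; then
        echo "1. USB: no Yubico device enumerated"
        return 1
    fi
    for p in $pids; do
        echo "1. USB: product ID $p = $(neo_mode "$p")"
        echo "   udev rule files naming it: $(udev_rules_mentioning "$p" | tr '\n' ' ')"
    done
    echo "2. PC/SC reader(s): $(opensc-tool --list-readers 2>&1)"
    echo "3. PKCS#11: $(pkcs11-tool --module "$MODULE" --list-slots 2>&1 | classify_slots)"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh neo-check.sh --run` (file name assumed) with the key inserted. If step 1 shows a CCID-capable mode but step 3 prints `no-slots`, the reader layer is not binding to the key's current product ID, which is the place to compare the installed udev rules against the ID actually on the bus; if step 3 prints `token-present`, the PIV applet is reachable and the remaining problem is in the OpenVPN configuration rather than the key.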

All times are UTC + 1 hour