Yubico Forum


All times are UTC + 1 hour

Posted: Fri Jun 05, 2015 8:49 pm

Joined: Fri Feb 06, 2015 9:37 am
Posts: 5
Trying to get this key to do what I need has been a frustrating journey. I've followed the many guides out there to get it to work with the various things I use on a daily basis, but invariably some limitation comes up that prevents my use of the key.

What I thought I'd do is explain what I want to do, show the link to the instructions I followed, and then explain the problem with the hopes that someone here has a better method, or a work-around.

1. Windows Logon / remote access of SMB shares.
I want to be able to log in to Windows with the YubiKey for added security.
Instructions: https://www.yubico.com/applications/com ... ows-login/
After implemented problem: Cannot remote desktop in, nor access any SMB shares on the machine using my credentials remotely. I had hoped that by sharing my "ports" via Remote Desktop Connection, the YubiKey logon authenticator running on the remote workstation would be able to communicate with the key, but no love.
Possible workaround for remote desktop issue is to pay for and use Rohos Logon Key instead: http://www.rohos.com/support/knowledge- ... h-yubikey/
However, I do not believe this will solve the remote access of SMB shares from another machine. The only other workaround I can think of is to create another user account in Windows and use that instead... Of course, that account wouldn't have the protections of a YubiKey.

Other possible workaround: Configure YubiKey's CCID as a Smart Card? I know that Windows has had some built-in smart card abilities for quite some time, so maybe these usability issues have been solved if I can get the YubiKey to play nice with Windows?

2. Sign and Encrypt emails.
I want to be able to sign and encrypt emails using GPG (via Kleopatra)
Instructions: https://www.yubico.com/2012/12/yubikey-neo-openpgp/
After implemented problem 1: Cannot add email aliases to the certificate via Kleopatra like I can with my other gpg certificates. I have email accounts that have LOTS of email aliases... Without the ability to add email aliases, I cannot "send on behalf" of those aliases and use gpg to sign or encrypt. Is there a way to "generate" and supply those aliases during generation from the command line?
After implemented problem 2: Cannot have more than one certificate stored on the Yubikey, so I cannot have a gpg certificate for all the other email accounts I use. Is there a way to add more than one certificate to the key?

I think this forum post may hold the solution for #2?

Maybe what I should do instead is create a master cert that isn't associated with the yubikey at all, add ALL my email aliases (and perhaps my other real email addresses?) using Kleopatra first, and then create two sub certs, sign / cert that I would store on the key following the instructions above. I assume I'd then be able to remove the master cert from the production computers and store it safely while using the yubikey for my sign/encrypt needs?
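The key layout proposed in the post above (a certify-only master key carrying every address as a user ID, plus separate sign and encrypt subkeys), sketched with GnuPG's command line as an added example that is not part of the original post. It assumes GnuPG 2.2 or later; the names, addresses, file names and the RSA-2048 choice are constructed for illustration.

```shell
#!/bin/sh
# Constructed identities for illustration; substitute real addresses.
PRIMARY_UID='Example User <user@example.org>'
ALIAS_UIDS='Example User <alias1@example.org>
Example User <alias2@example.org>'

# Unattended gpg with an empty passphrase (demo only; protect a real master key).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Print the fingerprint of the first (only) primary key in the keyring.
primary_fpr() {
  g --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Count records of one type (uid, sub, ...) in the colon-format key listing.
count_records() {
  g --with-colons --list-keys | awk -F: -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# build_keyring DIR: create the whole layout inside DIR, used as GNUPGHOME.
build_keyring() {
  GNUPGHOME=$1; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # 1. Certify-only primary ("master") key that never expires.
  g --quick-generate-key "$PRIMARY_UID" rsa2048 cert never
  fpr=$(primary_fpr)
  # 2. One additional user ID per e-mail alias, added without Kleopatra.
  printf '%s\n' "$ALIAS_UIDS" | while IFS= read -r uid; do
    g --quick-add-uid "$fpr" "$uid" </dev/null
  done
  # 3. Separate signing and encryption subkeys with a one-year lifetime.
  g --quick-add-key "$fpr" rsa2048 sign 1y
  g --quick-add-key "$fpr" rsa2048 encr 1y
  # 4. Full backup for offline storage, and a subkey-only export for daily machines.
  g --armor --output "$GNUPGHOME/master-backup.asc" --export-secret-keys "$fpr"
  g --armor --output "$GNUPGHOME/subkeys-only.asc" --export-secret-subkeys "$fpr"
  # Moving a subkey to the token is interactive and needs the hardware:
  #   gpg --edit-key "$fpr"   then   key N   and   keytocard
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# Usage: dir=$(mktemp -d) && build_keyring "$dir" && count_records uid
```

The subkey-only export contains no usable master secret, so certifying new user IDs or subkeys later requires restoring `master-backup.asc` from offline storage.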
