Yubico Forum https://forum.yubico.com/ |
[SOLVED] Disable 6 second delay for openpgp touch prompt https://forum.yubico.com/viewtopic.php?f=35&t=2747 |
Author: | goerz [ Sun Oct 08, 2017 12:42 am ] |
Post subject: | [SOLVED] Disable 6 second delay for openpgp touch prompt |
I've set up an OpenPGP key on my YubiKey 4, and also activated the setting that I have to confirm any use of the key by pressing it (via the command line utility Code: ykman openpgp touch aut ... ). However, whenever I issue a GPG command, there is about a 6 second delay before the YubiKey starts flashing (indicating that it's ready for my finger). More specifically, the YubiKey flickers once (very quickly) immediately after I issue the GPG command, then once more at about 3 seconds, and then starts slow-flashing after 6 seconds (for 15 seconds, until it times out). If I touch the key before the 6 seconds, it enters the OTP password. Is there any way to configure the key so that I can touch it immediately after issuing the GPG command? Six seconds feels like an eternity on the command line! |
Author: | Morthawt [ Sun Oct 08, 2017 1:43 pm ] |
Post subject: | Re: [QUESTION] Disable 6 second delay for openpgp touch prom |
Is that an undocumented feature? I have never seen that listed anywhere. I need to press my finger to get a TOTP from the authenticator app but OpenPGP needs nothing other than my PIN. |
Author: | goerz [ Sun Oct 08, 2017 8:11 pm ] |
Post subject: | Re: [QUESTION] Disable 6 second delay for openpgp touch prom |
It's a feature that was introduced on the YubiKey 4 (off by default), and is documented at e.g. https://developers.yubico.com/PGP/Card_edit.html. Personally, I found that it's most easily configured using the ykman command line utility (https://github.com/Yubico/yubikey-manager), rather than through the shell script linked in the documentation. In any case, the documentation does not mention that there should be any delay. |
Author: | Morthawt [ Sun Oct 08, 2017 9:15 pm ] |
Post subject: | Re: [QUESTION] Disable 6 second delay for openpgp touch prom |
I don't know, it seems a bit dodgy to me. I can understand, maybe, a full reset of the OpenPGP applet being command-liny and complex looking but if you have to use scripts and things to enable a "feature" it seems more like a beta or test feature than something that Yubico expect users to do. I have been all over the personalisation tool and I have seen no mention anywhere of this. I would be concerned about wrecking something. Does this work on a new Neo too? If this is something I can experiment without breaking either my 4 or Neo then I might give it a try and let you know what happens. |
Author: | Morthawt [ Sun Oct 08, 2017 9:16 pm ] |
Post subject: | Re: [QUESTION] Disable 6 second delay for openpgp touch prom |
I cannot find the download link for it. I am on Windows. What would I need to experiment with this anyway? |
Author: | Morthawt [ Sun Oct 08, 2017 9:49 pm ] |
Post subject: | Re: [QUESTION] Disable 6 second delay for openpgp touch prom |
I have tracked it down: https://developers.yubico.com/yubikey-m ... /Releases/ I did:
Code:
C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch aut on
Current touch policy of AUTHENTICATE key is OFF.
Set touch policy of AUTHENTICATE key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch enc on
Current touch policy of ENCRYPT key is OFF.
Set touch policy of ENCRYPT key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch sig on
Current touch policy of SIGN key is OFF.
Set touch policy of SIGN key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

Then I unplugged and plugged back in. Now as soon as I type in my PIN to sign, it sits there forever waiting. So then I press the button and it works. I repeat, same thing only I can press it as soon as I want and it will complete. Same with decrypting things, I enter my PIN and touch the contact on the YubiKey, else it sits there, presumably until it times out or something. I like this feature and it should be part of the normal personalisation tool in my opinion. If you are using Linux, perhaps there is a difference between that and the Windows version? It is BETA after all, so I don't know what else to tell you. I am going to leave the feature disabled I think though, because if I cannot protect my Neo with it, I do not want the false sense of security that could come from relying on this and forgetting when I use the Neo. But if it were available on both, I would leave it enabled. |
Author: | goerz [ Sun Oct 08, 2017 10:42 pm ] |
Post subject: | Re: [SOLVED] Disable 6 second delay for openpgp touch prompt |
Ok, since it seems it's working for you without the 6 second delay, I just de- and then re-activated the touch feature, and now it seems to work immediately. This was on MacOS, btw. |
All times are UTC + 1 hour |