Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 51 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
PostPosted: Tue Oct 21, 2014 9:04 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Jul 23, 2012 9:59 pm
Posts: 27
returntrip wrote:
Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?


On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix.

That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration.

Thanks!

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Oct 22, 2014 1:47 am 
Offline

Joined: Wed Oct 22, 2014 1:37 am
Posts: 1
For those who may not be familiar with the various personalization tools and the modes you can configure, here is what you need to do to manually enable all 3:

Quote:
NOTE - as Yubico support already mentioned, you need to be running Chrome 39 beta. I've been running the beta for years. It's normally very stable. You can switch to the beta version here: https://www.google.com/chrome/browser/beta.html

Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/

Extract the files and then run the ykpersonalize tool like so:
ykpersonalize -m6

Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode)

You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F. I've just tested this and it works like a charm.


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 22, 2014 3:05 am 
Offline

Joined: Wed Oct 22, 2014 2:58 am
Posts: 5
David wrote:
returntrip wrote:
Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?


On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix.

That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration.

Thanks!


I've noticed weird issues with the YubiOATH client on both Windows and OSX not detecting the Yubikey once it has been set to mode 6, so if you do depend on using the YubiOATH client, you'll need to either set it to mode 1 (CCID only) or 2 (OTP + CCID). I've reported this as a bug on github: https://github.com/Yubico/yubioath-desktop/issues/14


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 22, 2014 9:33 am 
Offline

Joined: Tue Oct 21, 2014 5:58 pm
Posts: 3
EvanOH wrote:
For those who may not be familiar with the various personalization tools and the modes you can configure, here is what you need to do to manually enable all 3:

Quote:
NOTE - as Yubico support already mentioned, you need to be running Chrome 39 beta. I've been running the beta for years. It's normally very stable. You can switch to the beta version here: https://www.google.com/chrome/browser/beta.html

Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/

Extract the files and then run the ykpersonalize tool like so:
ykpersonalize -m6

Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode)

You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F. I've just tested this and it works like a charm.


Genius!! Agreed, this does work like a charm. Only thing I needed to do was once I'd change the mode was to reinsert the key so that Windows reinstalled the appropriate drivers. It then worked perfectly with OTP, LastPass and U2F, Google.
Thanks for this!!


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 22, 2014 12:52 pm 
Offline

Joined: Wed Oct 22, 2014 11:33 am
Posts: 7
I am experiencing some issues running Linux (Ubuntu 14.04 trusty).




First I set my Yubikey NEO N to mode 6 (OTP+CCID+U2F). It still emits OTP and static password as configured but I had following issues:

  • YK not recognized by the Yubico Authenticator:
    Code:
    'NoneType' object has no attribute '_cmd_ok'
    No smartcard reader found with YubiOath applet

    The YubiOATH Android app is working just fine.

    This might be an issue related to what @spectralblu experienced. A comment in the bug he reported suggests that it might be due to a libccid version <1.4.18.

  • U2F does not work either with the Yubico demopage or Google Accounts as normal user (running Chrome 39.0.2171.27 beta (64-bit)):
    Code:
     Traceback (most recent call last):
      File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 130, in __call__
        raise Exception("FIDO Client error: %s" % error)
    Exception: FIDO Client error: 5 (TIMEOUT)

    I was able to perform registration and authentication while running Chrome beta as root.

  • It is not possible to access the yubikey via ykpersonalize as normal user.
    Code:
    user@machine:~$ ykpersonalize -m2
    USB error: Access denied (insufficient permissions)

    It does however work as root.

After that I tried Mode 3 (U2F only) and had following issues:

  • The Yubikey was not recognized at all by ykpersonalize
    Code:
    Yubikey core error: no yubikey present
    I had to boot into Windows and use the Yubikey Neo Manager to get it recognized again.


  • U2F Authentication is not working unless running Chrome as root as described above.



Conclusion

It seems like there are some USB security permissions preventing the YK to work properly under Ubuntu when enabling U2F mode.


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 22, 2014 9:02 pm 
Offline

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
David wrote:
On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix.

That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration.


David,

I can't test the new modes right now - but let me ask you this: will it be possible (once compatibility issues are resolved) to have U2F, OTP and CCID at the same time, with touch eject enabled too? I have not seen any mention regarding touch eject in the documentation referring to the new U2F mode and NEO, such as this PDF:

https://www.yubico.com/wp-content/uploa ... ey-NEO.pdf

Touch eject is pretty important for the way I want to use the NEO - as an OTP generator for some services, and as a smartcard for other services. Without touch eject it's pretty cumbersome to use in this scenario. Having all 3 modes enabled with touch eject would be fantastic. We could give NEO tokens to everyone in the company and use them to authenticate pretty much any service.

_________________
Florin Andrei
http://florin.myip.org/


Top
 Profile  
Reply with quote  
PostPosted: Thu Oct 23, 2014 10:21 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
For Linux workign on root only, you need to dump this:
https://github.com/Yubico/libu2f-host/b ... -u2f.rules

into this file:
/etc/udev/rules.d/

We are planning to make this automatic with Yubikey NEO manager, in future releases of our software.

Please install latest libraries and software from our PPA
https://launchpad.net/~yubico/+archive/ubuntu/stable


jskvbinmv3 wrote:
After that I tried Mode 3 (U2F only) and had following issues:

The Yubikey was not recognized at all by ykpersonalize
Code:
Yubikey core error: no yubikey present


The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, Switch to HID mode

Please read documentation about the different supported modes:
HID, CCID, and U2F interface

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Thu Oct 23, 2014 7:26 pm 
Offline

Joined: Wed Oct 22, 2014 11:33 am
Posts: 7
Thank you for your reply and please excuse the other thread I opened...

Tom wrote:
For Linux workign on root only, you need to dump this:
https://github.com/Yubico/libu2f-host/b ... -u2f.rules

into this file:
/etc/udev/rules.d/

We are planning to make this automatic with Yubikey NEO manager, in future releases of our software.


[s]Unfortunaley this did not solve the issue.[/s]

Edit: It works now in Mode 3. It does not work with HID+CCID+U2F (using chrome beta 39.0xx)

Tom wrote:
Please install latest libraries and software from our PPA
https://launchpad.net/~yubico/+archive/ubuntu/stable




[s]Got the latest libraries installed from ppa.[/s]

Edit: My bad. I overlooked a library.

jskvbinmv3 wrote:
After that I tried Mode 3 (U2F only) and had following issues:

The Yubikey was not recognized at all by ykpersonalize
Code:
Yubikey core error: no yubikey present


Tom wrote:
The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, Switch to HID mode


If I can't access the yubikey there is no way to switch modes. Please note that I am not talking about the graphical personalization tool or Yubikey NEO Manager but the ykpersonalize command line tool.
In order to switch modes I have to boot into Windows and use the Yubikey NEO Manager to do so.


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 24, 2014 2:23 am 
Offline

Joined: Fri Oct 24, 2014 2:10 am
Posts: 1
Tom wrote:
For Linux workign on root only, you need to dump this:
https://github.com/Yubico/libu2f-host/b ... -u2f.rules

into this file:
/etc/udev/rules.d/

We are planning to make this automatic with Yubikey NEO manager, in future releases of our software.

Please install latest libraries and software from our PPA
https://launchpad.net/~yubico/+archive/ubuntu/stable


jskvbinmv3 wrote:
After that I tried Mode 3 (U2F only) and had following issues:

The Yubikey was not recognized at all by ykpersonalize
Code:
Yubikey core error: no yubikey present


The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, Switch to HID mode

Please read documentation about the different supported modes:
HID, CCID, and U2F interface


To make the udev rules in the github repo work I had to make a small change, modify product id in the rule to "0116". The yubikey product id in the OTP+U2F+CCID mode is "0116" not "116". (ATTRS{idProduct}=="0116").
Now it works ok in Chrome (v39) as u2f, ccid, yubiauth-applet, OTP.

Note: I also have to create plugdev group and add my user to it, as my distro does not have the plugdev group.


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 24, 2014 2:42 am 
Offline

Joined: Sat Oct 18, 2014 3:41 am
Posts: 6
David wrote:
returntrip wrote:
Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?


On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix.

That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration.

Thanks!



I switched to 3way and changed to chrome 39 beta my win7 pro laptop. I can use the demo site to confirm u2f is working fine.

But it seems Password Safe doesn't react well to the neo being in "all 3" mode. it doesn't "see" the neo when it's plugged in. When i go to enter a "safe combination" The "yubikey" button stays grayed out so i can't press the button on the yubikey for a otp.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 51 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group