Yubico Forum
https://forum.yubico.com/

[Problem] Cannot configure Yubikey NEO with OpenPGP
https://forum.yubico.com/viewtopic.php?f=26&t=2242
Page 1 of 1

Author:  bluszcz [ Tue Mar 01, 2016 1:15 pm ]
Post subject:  [Problem] Cannot configure Yubikey NEO with OpenPGP

Hello,

I am trying to configure a key using the tutorial: https://www.yubico.com/2012/12/yubikey-neo-openpgp/ but unfortunately it seems my device is somehow locked (and the PIN counter is 3 3 3 - so I am not sure if installing a new applet is a solution).

Code:
13:11 $ gpg --card-edit

Application ID ...: D276xxxxxxxxxxxxxxxxxxxx30000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0xxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 1 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006045288830000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
gpg: sending command `SCD PASSWD' to agent failed: ec=6.131
Error changing the PIN: general error


The same happens when I try to generate the keys or change the admin password. What should I do?

I am using Ubuntu Trusty 14.04.

Not sure if this does matter, but:

Code:
13:28 $ pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Mar  1 13:28:20 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted, Exclusive Mode,
  ATR: 3B XX XX XX


+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
        NONE

find: `/home/bluszcz/.cache/smartcard_list.txt': No such file or directory
Your card is not present in the database.
Please submit your unknown card at:
http://smartcard-atr.appspot.com/parse?ATR=


Edit: After updating pcsc-tools from the Ubuntu xenial package I am getting the following:

Code:
Tue Mar  1 14:53:31 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card removed, Exclusive Mode,
Scanning present readers...
Waiting for the first reader...found one
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Mar  1 14:53:35 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted,
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
        YubiKey NEO (PKI)
        http://www.yubico.com/


but I still cannot perform any operation on my NEO key.

Author:  Alessio [ Wed Mar 02, 2016 5:36 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

Hey,

As a first step I would start by adding some logging output to scdaemon.

Add the following two lines to ~/.gnupg/scdaemon.conf (create the file if it doesn't exist):
log-file /tmp/scdaemon.log
debug-level guru

After restarting scdaemon you will start seeing messages in /tmp/scdaemon.log; some of these messages might help to trace down the problem (just be aware that this is the highest logging level and it also logs PIN insertions).

Given what you're trying to do, what should normally happen next is that a program called pinentry is invoked. As the name implies this is a tool designed to input PINs in a safe way. However there are different versions available and each one uses a different way of reading the input (such as gtk2, curses, tty). One possibility is that the right one is missing from your system and/or the wrong one is invoked. Something like this should show up in the log files.

Author:  bluszcz [ Sun Mar 06, 2016 8:51 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

Hi Alessio,

thank you for answering.

I am getting a PIN-entry window asking for the password, and after entering the password it crashes.

Code:
2016-03-06 19:19:54 scdaemon[31658] DBG: check_pcsc_pinpad: command=24, r=27265
2016-03-06 19:19:54 scdaemon[31658] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2016-03-06 19:19:54 scdaemon[31658] DBG:   PCSC_data: 00 CA 00 C4 00
2016-03-06 19:19:54 scdaemon[31658] DBG:  response: sw=9000  datalen=7
2016-03-06 19:19:54 scdaemon[31658] DBG:       dump:  00 7F 7F 7F 03 03 03
2016-03-06 19:19:54 scdaemon[31658] 3 Admin PIN attempts remaining before card is permanently locked
2016-03-06 19:19:54 scdaemon[31658] DBG: asking for PIN '|A|Please enter the Admin PIN'
scdaemon[31658]: chan_7 -> INQUIRE NEEDPIN |A|Please enter the Admin PIN
scdaemon[31658]: chan_7 <- [ 44 20 31 32 33 34 35 36 37 38 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[31658]: chan_7 <- END
2016-03-06 19:19:57 scdaemon[31658] DBG: asking for PIN '|AN|New Admin PIN'
scdaemon[31658]: chan_7 -> INQUIRE NEEDPIN |AN|New Admin PIN
scdaemon[31658]: chan_7 <- [ 44 20 31 32 33 34 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[31658]: chan_7 <- END
2016-03-06 19:20:00 scdaemon[31658] DBG: send apdu: c=00 i=24 p1=00 p2=83 lc=12 le=-1 em=0
2016-03-06 19:20:00 scdaemon[31658] DBG:   PCSC_data: 00 24 00 83 0C 31 32 33 34 35 36 37 38 31 32 33 34
2016-03-06 19:20:00 scdaemon[31658] DBG:  response: sw=6985  datalen=0
2016-03-06 19:20:00 scdaemon[31658] operation change_pin result: Conditions of use not satisfied
2016-03-06 19:20:00 scdaemon[31658] command passwd failed: Conditions of use not satisfied
scdaemon[31658]: chan_7 -> ERR 100663427 Conditions of use not satisfied <SCD>
2016-03-06 19:23:53 scdaemon[31658] pcsc_status failed: unknown reader (0x80100009)
2016-03-06 19:23:53 scdaemon[31658] updating slot 0 status: 0x0007->0x0000 (1->1)
2016-03-06 19:23:53 scdaemon[31658] sending signal 12 to client 30369


Author:  Alessio [ Mon Mar 07, 2016 10:03 am ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

From what I can see from the log files, you're trying to set an Admin PIN of 4 characters. This is not a legal Admin PIN.

The specifications require the following PIN lengths:
User PIN: at least 6 characters
Admin PIN: at least 8 characters

What happens if you try a legal PIN?
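To make the diagnosis above concrete, here is an added example (my own code, not from the thread or from GnuPG) that decodes the two scdaemon lines that matter: the GET DATA C4 response, whose seven bytes are the PW status bytes that gpg prints as "Signature PIN", "Max. PIN lengths" and "PIN retry counter", and the CHANGE REFERENCE DATA APDU (INS 24, P2 83 = Admin PIN), whose data is the old PIN followed by the new PIN with no separator, so the new PIN can be length-checked before the card answers 6985. The sample log lines are constructed, and old_len=8 is an assumption (the length of the factory Admin PIN).

```python
"""Decode OpenPGP-card traffic from a scdaemon 'debug-level guru' log.
Parses the GET DATA C4 response (PW status bytes) and pre-checks a
CHANGE REFERENCE DATA APDU against the spec's minimum PIN lengths."""
import re
MIN_LEN = {0x81: 6, 0x83: 8}   # P2=81: user PIN (PW1), P2=83: admin PIN (PW3)
SW_TEXT = {"9000": "OK", "6985": "Conditions of use not satisfied"}

# Constructed sample with the same shape as the scdaemon lines in the thread
SAMPLE_LOG = """\
DBG:   PCSC_data: 00 CA 00 C4 00
DBG:  response: sw=9000  datalen=7
DBG:       dump:  00 7F 7F 7F 03 03 03
DBG:   PCSC_data: 00 24 00 83 0C 31 32 33 34 35 36 37 38 31 32 33 34
DBG:  response: sw=6985  datalen=0""".splitlines()

def parse_pw_status(data):
    """DO C4: [PW1 mode][max PW1][max RC][max PW3][retries PW1][RC][PW3]."""
    if len(data) < 7:
        raise ValueError("PW status bytes need 7 bytes")
    return {"signature_pin_forced": data[0] == 0x00,
            "max_lengths": tuple(data[1:4]), "retry_counters": tuple(data[4:7])}

def parse_apdu(hex_str):
    """Split a PCSC_data hex string into CLA/INS/P1/P2 and the Lc-delimited data."""
    b = bytes.fromhex(hex_str)
    lc = b[4] if len(b) > 4 else 0
    return {"cla": b[0], "ins": b[1], "p1": b[2], "p2": b[3], "data": b[5:5 + lc]}

def check_change_pin(apdu, old_len):
    """Pre-flight for INS 24: data is old PIN || new PIN with no separator, so the
    caller supplies old_len (assumed 8 here). Returns 'ok' or why the card rejects."""
    if apdu["ins"] != 0x24 or apdu["p2"] not in MIN_LEN:
        raise ValueError("not a CHANGE REFERENCE DATA APDU for PW1/PW3")
    new_len, need = len(apdu["data"]) - old_len, MIN_LEN[apdu["p2"]]
    if new_len < need:
        return f"new PIN for P2={apdu['p2']:02X} is {new_len} chars, minimum is {need}"
    return "ok"

def summarize(lines, old_len=8):
    """One pass over the log: PW status, change-PIN pre-check and the last SW."""
    out, last = {}, None
    for line in lines:
        if m := re.search(r"PCSC_data:\s*([0-9A-F ]+)$", line):
            last = parse_apdu(m.group(1))
            if last["ins"] == 0x24:
                out["change_pin_check"] = check_change_pin(last, old_len)
        elif m := re.search(r"dump:\s*([0-9A-F ]+)$", line):
            if last and last["ins"] == 0xCA and last["p1"] == 0 and last["p2"] == 0xC4:
                out["pw_status"] = parse_pw_status(bytes.fromhex(m.group(1)))
        elif m := re.search(r"sw=([0-9A-F]{4})", line):
            out["last_sw"] = SW_TEXT.get(m.group(1), "unknown SW " + m.group(1))
    return out
```

Because a guru-level log carries the entered PIN bytes in clear (the `chan_7 <- [ 44 20 31 32 ... ]` lines), handle such a log like a secret and delete it once the problem is found.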

Author:  bluszcz [ Mon Mar 07, 2016 2:37 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

Hi Alessio,

I think it could help, however something happened and my computer hung.

After restart I had this:

Code:
PIN retry counter : 3 3 0


What is the best way to restart the counter? Link please?

Author:  Alessio [ Mon Mar 07, 2016 3:07 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

That means that you have locked out your Admin PIN. The only way to recover is by resetting the PGP application.

Follow the instructions at this link https://developers.yubico.com/ykneo-ope ... pplet.html

Author:  bluszcz [ Mon Mar 07, 2016 3:27 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

Hi Alessio,

I am getting the following:

Code:
15:28 $ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663406 Card removed <SCD>
(oppnet) ✔ ~/Yubico


and

Code:
15:25 $ /home/bluszcz/opt/gpshell/bin/gpshell gpinstall.txt
mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479112103800734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
Command --> 80500000087C9CBDC3AFA4466900
Wrapped command --> 80500000087C9CBDC3AFA4466900
Response <-- 000043190125289328120202000228899B7335585A8B54A2A69533169000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)


Author:  Alessio [ Mon Mar 07, 2016 3:36 pm ]
Post subject:  Re: [Problem] Cannot configure Yubikey NEO with OpenPGP

The commands you're interested in are the ones in the "Reset the applet" section.

If you get a "card not present" error make sure that you don't have other processes taking exclusive access to the card. One quick way to make sure of that is to re-plug your YubiKey and run the commands as root (if everything is configured correctly there shouldn't be any need for that though).

Also, gpshell is irrelevant in this case. You won't be able to make changes to the applications present in the YubiKey.

Author:  bluszcz [ Mon Mar 07, 2016 5:19 pm ]
Post subject:  Re: [Solved] Cannot configure Yubikey NEO with OpenPGP

Hi Alessio,

The problem has been solved! Thank you.
