Hi,
We ordered a batch of limited edition 3-colour YubiKeys (red/white/green) and the first short-press slot is working fine in OTP mode, but we're having trouble with the long-press second slot. Are there some limitations on these YubiKeys that would prevent us from using the second slot in OTP mode?
We're programming both slots into OTP mode using the personalization tool on Windows, closing the tool and then adding a keypress and AES code into the local yubipam user helper. The first slot will authenticate fine and returns codes yubipam accepts, but yubipam rejects all logins from the second slot.
This was tested by reinitialising both slots on the YubiKey and registering each slot against a new user; only the user mapped to the first slot works, and the user mapped to the second slot cannot authenticate at all.
We have tested some upgrades and alternative versions of yubipam, but it only appears to be these new YubiKeys and the second slot it has an issue with. An older YubiKey running firmware 2.2.3 works fine; the new ones just don't seem to be happy with that second slot.
Any ideas? I've included some data below that may be useful but some help would be much appreciated!
Cheers,
Code:
[11:32 root:~]# ykpasswd -a -u test1 -o vvibuirgjcelegnvclekiltljngchvfnifvlnfnnvtgh
Adding Yubikey entry for test1
AES key [exactly 32 hex chars]: 3bcfef7da404e7f700719af19d6106b7
Using public UID: ff 71 e7 c5 80 3a
Using private UID: 22 ff f8 14 3a 05
Completed successfully.
[11:34 root:~]# ykpasswd -a -u test2 -o vvntfltfgncgurnuegciulbfrejntnlclnuledudhbrc
Adding Yubikey entry for test2
AES key [exactly 32 hex chars]: 1031577e37f3709f8b3e1c9ef0b906d1
Using public UID: ff bd 4a d4 5b 05
Using private UID: 98 a8 76 3a 8d 8b
# first press of slot 1
[11:34 root:~]# ykvalidate -u test1 vvibuirgjceluvbklnienvbvvlllrjrrcvrhkgviriev
test1: OTP is VALID.
# first press of slot 2
[11:34 root:~]# ykvalidate -u test2 vvntfltfgncgcgjtinntuitctlgthrbedcnfdbbgdrnv
test2: OTP is INVALID!
We then reran it with an older YubiKey:
[12:07 root:~]# ykpasswd -a -u test1 -o vvedjfgfrtdfkfhikugekeckgdbhvlukvdgddhevvbcu
Adding Yubikey entry for test1
AES key [exactly 32 hex chars]: 73a6ad28ea768aabe735d66000bc594d
Using public UID: ff 32 84 54 cd 24
Using private UID: be 62 3c 0b 7a df
Completed successfully.
[12:07 root:~]# ykpasswd -a -u test2 -o vvbueitifvlecnvtnhffieiuurcubgfencejrcnkuhii
Adding Yubikey entry for test2
AES key [exactly 32 hex chars]: 06a6bbd78aecdf22926bbd55228023e2
Using public UID: ff 1e 37 d7 4f a3
Using private UID: 91 ce 05 ef 55 7a
Completed successfully.
[12:07 root:~]# ykvalidate -u test1 vvedjfgfrtdfknukvigjnrnnjtdrnjnhrnrjbcchubcv
test1: OTP is VALID.
[12:07 root:~]# ykvalidate -u test2 vvbueitifvlegvnvhcfibivcnubviijcrhcnjhgltjkh
test2: OTP is VALID.
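Added example, not part of the original post and not yubipam code: a small Python check that splits each OTP from the transcript into its modhex public ID and the trailing encrypted block, then compares the enrolled OTP against the one presented for validation. It assumes the standard Yubico OTP layout (optional public-ID prefix followed by 32 modhex characters carrying the 16-byte AES block); the function names are hypothetical.

```python
MODHEX = "cbdefghijklnrtuv"  # modhex alphabet: character position = nibble value
TOKEN_CHARS = 32             # assumed layout: last 32 chars = 16-byte AES block


def modhex_decode(text):
    """Decode a modhex string into bytes, rejecting anything malformed."""
    text = text.lower()
    if len(text) % 2:
        raise ValueError("modhex string has odd length")
    try:
        nibbles = [MODHEX.index(ch) for ch in text]
    except ValueError:
        raise ValueError("non-modhex character (keyboard layout issue?)") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp):
    """Return (public_id, encrypted_block) as bytes for one OTP string."""
    otp = otp.strip()
    if not TOKEN_CHARS <= len(otp) <= TOKEN_CHARS + 32:
        raise ValueError("unexpected OTP length: %d" % len(otp))
    return modhex_decode(otp[:-TOKEN_CHARS]), modhex_decode(otp[-TOKEN_CHARS:])


def compare(enrolled_otp, presented_otp):
    """Compare the OTP used at enrolment with the one sent for validation."""
    pub_e, tok_e = split_otp(enrolled_otp)
    pub_p, tok_p = split_otp(presented_otp)
    return {
        "public_id": pub_p.hex(" "),
        "public_id_matches": pub_e == pub_p,
        "token_differs": tok_e != tok_p,  # identical blocks would mean a replayed OTP
    }


# OTP pairs copied from the transcript above: (enrolment, validation attempt)
SAMPLES = {
    "new key slot 1": ("vvibuirgjcelegnvclekiltljngchvfnifvlnfnnvtgh",
                       "vvibuirgjceluvbklnienvbvvlllrjrrcvrhkgviriev"),
    "new key slot 2": ("vvntfltfgncgurnuegciulbfrejntnlclnuledudhbrc",
                       "vvntfltfgncgcgjtinntuitctlgthrbedcnfdbbgdrnv"),
}

if __name__ == "__main__":
    for label, (enrolled, presented) in SAMPLES.items():
        print(label, compare(enrolled, presented))
```

For both slots the decoded prefix equals the "Using public UID" line printed by ykpasswd, so the public-ID prefix is not what distinguishes the rejected slot 2 OTP from the accepted ones.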