Yubico Forum

Posted: Fri Nov 14, 2014 5:58 pm

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
Long story short:-

Code:
$ gpg --card-status
gpg: OpenPGP card not available: Not supported


Slightly longer story:-
1. Generated key
2. Changed the admin/normal pin
3. Card went insane and started accusing me that my admin pin was incorrect, and that my normal pin was incorrect when attempting to regenerate keys (But only there, all other occurrences of normal pin worked fine) despite the fact that GPG accepted the pin (It accepted, went through the questions, then complained once it got to actually generating, an incorrect-incorrect pin would error out instantly).
4. I, purposefully, got my admin password incorrect to lock the device, assuming this would reset it
5. Locked.

Any assistance?

Bit more information:-
Neo firmware:- 3.3.0
Neo mode:- U2F+CCID
Neo U2F version:- "1.0.1 installed"
Neo OpenPGP version:- "Installed" (All other apps state their version, this one, however, does not)



Posted: Fri Nov 14, 2014 6:11 pm

Joined: Tue Mar 05, 2013 12:53 pm
Posts: 17
Check ResetApplet.


Posted: Fri Nov 14, 2014 6:15 pm

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
bmalkow wrote:


Code:
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663408 Card not present <SCD>


Since I read somewhere this should only occur if you're in smart-card only mode when you push the button on the Yubikey (Even though I was in u2f+ccid mode), I switched to ccid then started messing with the button:-

Code:
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>


Keeps telling me the card is removed, despite (obviously), there being no card to remove. Tapping the button does nothing.

EDIT:- Messing around a little more got me:-
Code:
ERR 100663427 Conditions of use not satisfied <SCD>
> scd apdu 00 e6 00 00
ERR 100663427 Conditions of use not satisfied <SCD>
> scd apdu 00 44 00 00
ERR 100663427 Conditions of use not satisfied <SCD>


EDIT:- I also am unable to reinstall the OpenPGP applet (I thought I read somewhere doing this would wipe all related data to it):-
>mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

From the gpshell command.


Posted: Mon Nov 17, 2014 10:12 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
What is the serial number on your NEO?

Could you submit a support ticket on yubi.co/support?

_________________
-Tom


Posted: Mon Nov 17, 2014 11:52 am

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
Tom wrote:
What is the serial number on your NEO?

Could you submit a support ticket on yubi.co/support?


Made a ticket including my serial number, but, for public reference (In case anyone else is having this issue, and I'm not too sure what the serial actually contains (I.E. if it's private or not)), it's >3,000,000, which I believe is the question you were actually asking.


Posted: Mon Nov 17, 2014 2:22 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
No, we have a subset of serials with a bug in the OpenPGP applet, thus I need to know the exact serial number. It has nothing to do with the transport key.

You can send that to me via PM if you wish; I'll forward that to the support guys.

Tom

_________________
-Tom


Posted: Mon Nov 17, 2014 5:49 pm

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
Tom wrote:
No, we have a subset of serials with a bug in the OpenPGP applet, thus I need to know the exact serial number. It has nothing to do with the transport key.

You can send that to me via PM if you wish; I'll forward that to the support guys.

Tom


The reason I didn't PM it to you was because I did include it in my support ticket. I have, however, just sent you a PM with it again. Thanks.


Posted: Wed Nov 19, 2014 2:45 pm

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
Thought I may add this update:- I updated my neo manager to 1.0.0 to test out the OTP+U2F+CCID functionality (Although, apparently my Distro's Chromium package is still on v38, so, I'll have to wait to test this as I don't feel like compiling Chromium myself), while messing around in the neo manager I did spot these errors floating around in the command line:-

Code:
$ neoman
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/neoman/model/jsapi.py", line 66, in send_apdu
    return self._neo.send_apdu(apdu.decode('hex')).encode('hex')
  File "/usr/lib/python2.7/site-packages/neoman/model/neo.py", line 40, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/neoman/device_ccid.py", line 104, in send_apdu
    byref(buf_size)))
  File "/usr/lib/python2.7/site-packages/neoman/device_ccid.py", line 62, in check
    raise YkNeoMgrError(status)
neoman.exc.YkNeoMgrError: ykneomgr error: -4
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985


As I normally run neomanager from dmenu (A little tool that launches applications, sort of like the 'run' dialog on Windows) I've never really seen the std{out,err} of neoman. The neoman interface works fine, even with these errors/exceptions, but, obviously something is going on behind the scenes that even your own software can't deal with, unfortunately, I don't know the APDU command list, so, I don't know what the actual commands it's issuing are, nor what the response is.


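Added example, not part of any post in this thread: a small decoder for the command APDUs and status words quoted above, so the `req:`/`resp:` pairs in the neoman log and the `scd apdu` lines can be read without the command list. Instruction names are taken from ISO/IEC 7816-4 and the VERIFY P2 values from the OpenPGP card specification; INS 0xF1 is in neither table here, so it is reported as unlisted rather than guessed.

```python
import re
from collections import Counter

# Instruction bytes that appear in this thread (names from ISO/IEC 7816-4).
INS = {0x20: "VERIFY", 0x44: "ACTIVATE FILE", 0xE6: "TERMINATE DF"}
# VERIFY P2 values defined by the OpenPGP card specification.
PIN_REF = {0x81: "PW1 (user PIN)", 0x82: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}
# Common ISO/IEC 7816-4 status words.
SW = {
    0x9000: "success",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6985: "conditions of use not satisfied",
    0x6D00: "instruction not supported",
}

def decode_apdu(hex_str):
    """Split a short command APDU (hex, spaces optional) into its fields."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("a command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    data = raw[5:5 + raw[4]] if len(raw) > 5 else b""
    if len(raw) > 5 and len(data) != raw[4]:
        raise ValueError("Lc does not match the data length")
    name = INS.get(ins, "unlisted INS 0x%02X" % ins)
    if ins == 0x20 and p2 in PIN_REF:
        name += " " + PIN_REF[p2]
    return {"cla": cla, "ins": name, "p1": p1, "p2": p2, "data": data}

def decode_sw(sw):
    """Translate a two-byte status word into text."""
    if (sw & 0xFFF0) == 0x63C0:  # 63Cx: x is the remaining retry count
        return "verification failed, %d tries left" % (sw & 0x0F)
    return SW.get(sw, "unlisted status word 0x%04X" % sw)

LOG_RE = re.compile(r"req: ([0-9a-fA-F]+), resp: ([0-9a-fA-F]{4})")

def summarize_log(text):
    """Count each distinct (command, status) pair in neoman-style log text."""
    pairs = Counter()
    for req, resp in LOG_RE.findall(text):
        pairs[(decode_apdu(req)["ins"], decode_sw(int(resp, 16)))] += 1
    return pairs

# Constructed sample: three log lines in the format quoted in the thread.
SAMPLE = "LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985\n" * 3

if __name__ == "__main__":
    print(decode_apdu("00 20 00 81 08 40 40 40 40 40 40 40 40"))
    print(summarize_log(SAMPLE))
```

Status word 6985 is the same condition that scdaemon reports in the thread as "Conditions of use not satisfied".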
Posted: Mon Nov 24, 2014 12:50 pm

Joined: Sat Jul 20, 2013 6:05 pm
Posts: 18
Sorry for bumping this. I just received my replacement Yubikey Neo in the mail today (Yay!). I have yet to plug it in, as I'm a little bit scared of it dying on me again though.

Can I verify with you guys before I plug it in and start configuring it:-

1. I can change the smart-card pins with no limitations of how many times I change it (Within reason, I'm not going to change it thousands of times, maybe three or four times, just to verify it works).
2. I can change the smart-card pins to whatever I want with no limitations of characters (I'm allowed alpha? numerical? special? Unicode? Which characters are not allowed?)
3. I can lock the device by getting the pin (Both admin & normal) incorrect three times, and I can actually unlock it using the above 'reset applet' link, correct? It's not going to lock up on me once I get it wrong three times and be bricked again?
4. I can modify all the special values surrounding the smart-card (Name, public key URL, sex, etc...)

I'd rather verify this with you guys first and miss out on a day of use while waiting for you to respond than have it brick on me and have to go through this whole ordeal again. I hope you understand.

Thanks!


Posted: Thu Nov 27, 2014 2:38 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Automatic wrote:
Sorry for bumping this. I just received my replacement Yubikey Neo in the mail today (Yay!). I have yet to plug it in, as I'm a little bit scared of it dying on me again though.

Can I verify with you guys before I plug it in and start configuring it:-

1. I can change the smart-card pins with no limitations of how many times I change it (Within reason, I'm not going to change it thousands of times, maybe three or four times, just to verify it works).

Yes, you can.

Automatic wrote:
2. I can change the smart-card pins to whatever I want with no limitations of characters (I'm allowed alpha? numerical? special? Unicode? Which characters are not allowed?)

Yes, it can be alphanumeric. Not sure about Unicode; you have to check the gpg manual.

Automatic wrote:
3. I can lock the device by getting the pin (Both admin & normal) incorrect three times, and I can actually unlock it using the above 'reset applet' link, correct? It's not going to lock up on me once I get it wrong three times and be bricked again?

You can reset it only when user/admin PINs are both blocked.

Automatic wrote:
4. I can modify all the special values surrounding the smart-card (Name, public key URL, sex, etc...)

Yes.

Automatic wrote:
I'd rather verify this with you guys first and miss out on a day of use while waiting for you to respond than have it brick on me and have to go through this whole ordeal again. I hope you understand.

Thanks!

_________________
-Tom

