Yubico Forum

I bought a Yubikey4 nano and wanted to use it primarily for OpenPGP support. Unfortunately, having it in my laptop, I often would accidentally touch it and it would put an OTP into whatever program I am running (often a Vim or bash session, causing much grievance).

It occurred to me that I could disable the OTP part, so I fired up the neoman program on my Ubuntu 16.04, selected the "Change connection mode" button and unchecked OTP and U2F modes. After clicking "OK", it told me to remove the nano and then put it back it. I did so, and now neoman says I haven't got a Yubikey inserted. OpenPGP just says card error when I probe (gpg2 --card-status). According to my kernel log, I am inserting an idVendor=1050, idProduct=0404 "Yubikey 4 CCID" device, so the OS seems to think things are fine. However, nothing else seems happy about this.

I also note that, before this change, the device would blink a bit on insertion and be done, just periodically flashing after that, or if I do an OpenPGP on it, it would light and stay light with a periodic flicker. Now, however, it does some initial blinking and then flickers about 7 times, about 0.5 seconds between each light. It does this again when I try to do the card status bit with gpg2.

How can I get my key working again? (preferably, working in CCID only mode, but I'd be happy with it at least being back to the way it was before)

I assume you have pcscd installed, along with the file /etc/libccid_Info.plist (this probably needs to be patched with the device ID for the YubiKey 4 / Nano with CCID only enabled

('0x1050', '0x0404', 'Yubico Yubikey 4 CCID')

I would go to this post (viewtopic.php?f=26&t=1609#p6270) and enter the command from step 8. This will patch libccid_Info.plist, as well as add the udev rule for U2F in Linux (which it sounds like you don't really need, but it certainly won't hurt anything). You can view what the command actually does here (https://raw.githubusercontent.com/Yubic ... -ccid-udev) Afterwards, reboot and try again.

Assuming this works, you may want to try and swap configuration slots with the YubiKey Personalization Tool (if you have the PPA added, "sudo apt-get install yubikey-personalization-gui"). You can go to Settings > Update Settings, select a configuration slot, and click "Swap." This will at least require that you tap the Nano longer before the OTP is sent. Of course this all requires that OTP mode be enabled, as most of our tools require OTP to be enabled to order to recognize the YubiKey.

Thanks Chris!

My libccid_Info.plist already had the Yubico entries. I ran the script anyway and it didn't change the file. It did add the U2F udev rule and (re?)started pscd. At that point, I tried inserting the Nano again and it is working in gpg2. Neoman still didn't see it until I killed pscd (which was then running as root). Now neoman can see it [i]and[/] gpg2 can see it.

I'm not sure what got stuck. I never did reboot (though I did suspend the laptop between my original post and following the instructions just now). I'm guessing it was the start or restart of pscd that actually did the trick.

Thanks again for your help!

I'm sure you know more about this stuff that I do

Restarting pcsd is certainly a likely possibility. If you'd changed modes with ykpersonalize I'd say you first need to tap the Nano to start the card, but that wouldn't be the case with neoman.