Yubico Forum
https://forum.yubico.com/

[SOLVED] Config Protection of EXISTING "Challenge-Response"
https://forum.yubico.com/viewtopic.php?f=35&t=2767

Author:  LD2gIlShWrA2J9qFcwS5 [ Sat Oct 28, 2017 8:52 pm ]
Post subject:  [SOLVED] Config Protection of EXISTING "Challenge-Response"

I had previously posed this question in another thread -- viewtopic.php?f=35&t=2722 -- but never received a definitive answer.

So I'm trying again here w/ a more "descriptive" Subj line.

Question: Is it possible to config-protect a "Challenge-Reply" configuration in Slot 2 WITHOUT changing / over-writing the previously-entered "Secret Key" ?

I've tried several times but have been unsuccessful on each attempt.

Author:  My1 [ Sun Oct 29, 2017 4:49 pm ]
Post subject:  Re: Config Protection of EXISTING "Challenge-Response"

You go into settings, press update settings, and there you can set the protection.

Author:  ChrisHalos [ Tue Oct 31, 2017 12:21 am ]
Post subject:  Re: Config Protection of EXISTING "Challenge-Response"

I think I figured out what's going on here. In firmware 4.3.4 and 4.3.5 there was a bug that didn't allow updating configuration protection on the slot credentials. 4.2.6-4.3.3 work, as do 4.3.6 and newer. When I responded on the other thread I was speaking from experience (works). When my colleague responded on the support case that was referred to on the other post, he was testing on 4.3.4 because he wasn't sure (hence the two different answers).

So on a 4.3.4 or 4.3.5 firmware YK4, you need to reprogram the credential in order to set an access code. If you have the configuration log (csv file), you can simply choose the same settings in the Personalization Tool and set the access code during programming. Just remember... forgetting an access code after setting one means there's no way to make changes to that slot anymore (or enable/disable modes - OTP/CCID/U2F).

Author:  My1 [ Tue Oct 31, 2017 8:06 pm ]
Post subject:  Re: Config Protection of EXISTING "Challenge-Response"

ChrisHalos wrote:
Just remember... forgetting an access code after setting one means there's no way to make changes to that slot anymore (or enable/disable modes - OTP/CCID/U2F).

How does that last part even make sense? The config protection applies to slot 1 or 2, but the modes the Yubi acts in are related neither to the slots nor to the personalization tool in the first place.

Author:  LD2gIlShWrA2J9qFcwS5 [ Wed Nov 01, 2017 2:27 am ]
Post subject:  Re: Config Protection of EXISTING "Challenge-Response"

My1 wrote:
... you go into settings, press update settings, and there you can set the protection ...

My1:

Thank you so much! :D

I'd never investigated that innocuous little button down there at the bottom of the page w/ the grayed-out text.

It was EXACTLY what I was looking for.

Thanks again,

Cheers,

Author:  LD2gIlShWrA2J9qFcwS5 [ Wed Nov 01, 2017 2:33 am ]
Post subject:  Re: Config Protection of EXISTING "Challenge-Response"

ChrisHalos wrote:
... I think I figured out what's going on here ...

Chris:

A sincere "Thank You" for the extra clarifications re: potentially differing behaviors based on firmware versions.

Cheers,

All times are UTC + 1 hour