| Yubico Forum https://forum.yubico.com/ |
|
| Support for OTP+U2F mode? https://forum.yubico.com/viewtopic.php?f=26&t=1519 |
Page 2 of 6 |
| Author: | David [ Tue Oct 21, 2014 9:04 pm ] |
| Post subject: | Re: Support for OTP+U2F mode? |
returntrip wrote: Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?

On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix. That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration. Thanks! |
|
| Author: | EvanOH [ Wed Oct 22, 2014 1:47 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
For those who may not be familiar with the various personalization tools and the modes you can configure, here is what you need to do to manually enable all 3:

Quote:
NOTE - as Yubico support already mentioned, you need to be running Chrome 39 beta. I've been running the beta for years. It's normally very stable. You can switch to the beta version here: https://www.google.com/chrome/browser/beta.html

Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/

Extract the files and then run the ykpersonalize tool like so:

ykpersonalize -m6

Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode)

You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F. I've just tested this and it works like a charm. |
|
| Author: | spectralblu [ Wed Oct 22, 2014 3:05 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
David wrote:
returntrip wrote: Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?
On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix. That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration. Thanks!

I've noticed weird issues with the YubiOATH client on both Windows and OSX not detecting the Yubikey once it has been set to mode 6, so if you do depend on using the YubiOATH client, you'll need to either set it to mode 1 (CCID only) or 2 (OTP + CCID). I've reported this as a bug on github: https://github.com/Yubico/yubioath-desktop/issues/14 |
|
| Author: | carlgottlieb [ Wed Oct 22, 2014 9:33 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
EvanOH wrote: For those who may not be familiar with the various personalization tools and the modes you can configure, here is what you need to do to manually enable all 3: Quote: NOTE - as Yubico support already mentioned, you need to be running Chrome 39 beta. I've been running the beta for years. It's normally very stable. You can switch to the beta version here: https://www.google.com/chrome/browser/beta.html Download the personalization command line tool from here: https://developers.yubico.com/yubikey-personalization/Releases/ Extract the files and then run the ykpersonalize tool like so: ykpersonalize -m6 Mode 6 is the OTP+U2F+CCID mode (and isn't listed in -help, which means if you aren't on a linux machine you don't have access to the manpage and have to go searching through source code to find the applicable mode) You can now use your Yubico NEO (purchased starting in Oct 2014) with both LastPass in OTP mode and with Google U2F. I've just tested this and it works like a charm.

Genius!! Agreed, this does work like a charm. The only thing I needed to do once I'd changed the mode was to reinsert the key so that Windows reinstalled the appropriate drivers. It then worked perfectly with OTP, LastPass and U2F, Google. Thanks for this!! |
|
| Author: | jskvbinmv3 [ Wed Oct 22, 2014 12:52 pm ] |
| Post subject: | Re: Support for OTP+U2F mode? |
I am experiencing some issues running Linux (Ubuntu 14.04 trusty). First I set my Yubikey NEO N to mode 6 (OTP+CCID+U2F). It still emits OTP and static password as configured but I had following issues:

Code:
'NoneType' object has no attribute '_cmd_ok'
No smartcard reader found with YubiOath applet

The YubiOATH Android app is working just fine. This might be an issue related to what @spectralblu experienced. A comment in the bug he reported suggests that it might be due to a libccid version <1.4.18.

Code:
Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 130, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 5 (TIMEOUT)

I was able to perform registration and authentication while running Chrome beta as root.

Code:
user@machine:~$ ykpersonalize -m2
USB error: Access denied (insufficient permissions)

It does however work as root.

After that I tried Mode 3 (U2F only) and had following issues:

Code:
Yubikey core error: no yubikey present

I had to boot into Windows and use the Yubikey Neo Manager to get it recognized again.

Conclusion
It seems like there are some USB security permissions preventing the YK to work properly under Ubuntu when enabling U2F mode. |
|
| Author: | FlorinAndrei [ Wed Oct 22, 2014 9:02 pm ] |
| Post subject: | Re: Support for OTP+U2F mode? |
David wrote: On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix. That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration.

David, I can't test the new modes right now - but let me ask you this: will it be possible (once compatibility issues are resolved) to have U2F, OTP and CCID at the same time, with touch eject enabled too?

I have not seen any mention regarding touch eject in the documentation referring to the new U2F mode and NEO, such as this PDF: https://www.yubico.com/wp-content/uploa ... ey-NEO.pdf

Touch eject is pretty important for the way I want to use the NEO - as an OTP generator for some services, and as a smartcard for other services. Without touch eject it's pretty cumbersome to use in this scenario.

Having all 3 modes enabled with touch eject would be fantastic. We could give NEO tokens to everyone in the company and use them to authenticate pretty much any service. |
|
| Author: | Tom [ Thu Oct 23, 2014 10:21 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
For Linux working on root only, you need to dump this: https://github.com/Yubico/libu2f-host/b ... -u2f.rules into this file: /etc/udev/rules.d/

We are planning to make this automatic with Yubikey NEO manager, in future releases of our software.

Please install latest libraries and software from our PPA https://launchpad.net/~yubico/+archive/ubuntu/stable

jskvbinmv3 wrote: After that I tried Mode 3 (U2F only) and had following issues: The Yubikey was not recognized at all by ykpersonalize Code: Yubikey core error: no yubikey present

The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, switch to HID mode.

Please read documentation about the different supported modes: HID, CCID, and U2F interface |
|
| Author: | jskvbinmv3 [ Thu Oct 23, 2014 7:26 pm ] |
| Post subject: | Re: Support for OTP+U2F mode? |
Thank you for your reply and please excuse the other thread I opened...

Tom wrote: For Linux working on root only, you need to dump this: https://github.com/Yubico/libu2f-host/b ... -u2f.rules into this file: /etc/udev/rules.d/ We are planning to make this automatic with Yubikey NEO manager, in future releases of our software.

[s]Unfortunately this did not solve the issue.[/s] Edit: It works now in Mode 3. It does not work with HID+CCID+U2F (using chrome beta 39.0xx)

Tom wrote: Please install latest libraries and software from our PPA https://launchpad.net/~yubico/+archive/ubuntu/stable

[s]Got the latest libraries installed from ppa.[/s] Edit: My bad. I overlooked a library.

jskvbinmv3 wrote: After that I tried Mode 3 (U2F only) and had following issues: The Yubikey was not recognized at all by ykpersonalize Code: Yubikey core error: no yubikey present

Tom wrote: The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, Switch to HID mode

If I can't access the yubikey there is no way to switch modes. Please note that I am not talking about the graphical personalization tool or Yubikey NEO Manager but the ykpersonalize command line tool. In order to switch modes I have to boot into Windows and use the Yubikey NEO Manager to do so. |
|
| Author: | ybpp [ Fri Oct 24, 2014 2:23 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
Tom wrote: For Linux working on root only, you need to dump this: https://github.com/Yubico/libu2f-host/b ... -u2f.rules into this file: /etc/udev/rules.d/ We are planning to make this automatic with Yubikey NEO manager, in future releases of our software. Please install latest libraries and software from our PPA https://launchpad.net/~yubico/+archive/ubuntu/stable jskvbinmv3 wrote: After that I tried Mode 3 (U2F only) and had following issues: The Yubikey was not recognized at all by ykpersonalize Code: Yubikey core error: no yubikey present The Yubikey is in MODE 3 U2F only, that is why you get that error. If you want to use the Yubikey with the personalization tool, Switch to HID mode Please read documentation about the different supported modes: HID, CCID, and U2F interface

To make the udev rules in the github repo work I had to make a small change: modify the product id in the rule to "0116". The yubikey product id in the OTP+U2F+CCID mode is "0116" not "116". (ATTRS{idProduct}=="0116").

Now it works ok in Chrome (v39) as u2f, ccid, yubiauth-applet, OTP.

Note: I also had to create the plugdev group and add my user to it, as my distro does not have the plugdev group. |
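
The two problems ybpp reports (a three-digit product ID in the rule and a missing plugdev group) can be checked before a rules file is copied into /etc/udev/rules.d/. The following is an added example, not part of the thread and not code from libu2f-host; the function names and the sample rules are constructed for illustration. It relies on the kernel exposing idVendor and idProduct in sysfs as exactly four lowercase hex digits, so any other literal in a udev match can never equal the device's value.

```python
import re

# udev match keys whose sysfs values are always four lowercase hex digits.
ID_MATCH = re.compile(r'ATTRS?\{(idVendor|idProduct)\}\s*(?:==|!=)\s*"([^"]*)"')
# GROUP assignment (= or :=), not a GROUP== match.
GROUP_ASSIGN = re.compile(r'\bGROUP\s*:?=\s*"([^"]*)"')
FOUR_HEX = re.compile(r"[0-9a-f]{4}")

# Constructed sample rules (not the libu2f-host file). Line 2 carries the
# three-digit product ID described in the post, line 3 the corrected form.
SAMPLE_RULES = """\
# constructed sample
KERNEL=="hidraw*", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|116", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw*", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", GROUP="plugdev", MODE="0660"
"""

def _rule_lines(rules_text):
    """Yield (line_no, text) for every non-blank, non-comment line."""
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield line_no, line

def unmatched_usb_ids(rules_text):
    """Return (line_no, key, literal) for ID literals that can never equal sysfs."""
    findings = []
    for line_no, line in _rule_lines(rules_text):
        for key, pattern in ID_MATCH.findall(line):
            for literal in pattern.split("|"):        # udev alternation
                if set(literal) & set("*?[]"):
                    continue                           # glob: review by hand
                if not FOUR_HEX.fullmatch(literal):
                    findings.append((line_no, key, literal))
    return findings

def missing_groups(rules_text, existing_groups):
    """Return groups the rules assign that are absent from existing_groups."""
    wanted = {g for _, line in _rule_lines(rules_text)
              for g in GROUP_ASSIGN.findall(line)}
    return sorted(wanted - set(existing_groups))

if __name__ == "__main__":
    import grp  # local group database, Unix only
    local = [g.gr_name for g in grp.getgrall()]
    print(unmatched_usb_ids(SAMPLE_RULES))
    print(missing_groups(SAMPLE_RULES, local))
```

After correcting a rules file, udev still has to reload it and the key has to be reinserted before the new permissions apply.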
|
| Author: | michaelk [ Fri Oct 24, 2014 2:42 am ] |
| Post subject: | Re: Support for OTP+U2F mode? |
David wrote:
returntrip wrote: Thanks.... That's a great answer! Is there any downside in enabling all modes at once using the personalisation tool? I assume U2F would not work anyway on Chrome v38....but I guess the rest would work OK?
On the YubiKey NEO or NEO-N, there should be no issue with all 3 modes - let us know if that is not the case in all situations, as this is a new implementation with U2F thrown in the mix. That being said, while we don't expect any issues with all 3 modes on new U2F browser clients, we only can test against what's been released as public; Again, don't hesitate to let us know if there are any issues observed using your YubiKey in any configuration. Thanks!

I switched to 3way and changed to Chrome 39 beta on my Win7 Pro laptop. I can use the demo site to confirm U2F is working fine. But it seems Password Safe doesn't react well to the NEO being in "all 3" mode. It doesn't "see" the NEO when it's plugged in. When I go to enter a "safe combination", the "yubikey" button stays grayed out so I can't press the button on the yubikey for an OTP. |
|
| Page 2 of 6 | All times are UTC + 1 hour |
|