Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:47 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Thu Nov 20, 2014 6:26 pm 
Offline

Joined: Thu Nov 20, 2014 6:24 pm
Posts: 3
Enabling U2F on the Yubikey NEO (3.3 fw) disables the PIV applet.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Nov 21, 2014 11:46 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
No it doesn't.

Enabling U2F mode and disabling CCID mode, will of course prevent you from accessing the CCID interface. Please refer to documentation
https://developers.yubico.com

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 21, 2014 9:26 pm 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
rxcomm wrote:
Enabling U2F on the Yubikey NEO (3.3 fw) disables the PIV applet.


As Tom says, this is not the case - I'm using a OTP+CCID+U2F Neo with 3.3 firmware using the PIV functionality in Windows 7.


What can happen with a multi-function device like the Neo is that something accessing one function on the Neo blocks access to the smartcard. GPG can be a culprit - once you access the card once, scdaemon typically holds the card open in exclusive mode. The GPG programmers seem not to have thought of multi-function devices like the Neo, even though the open source JavaCard implementation of the openpgp smartcard standard, from which the Neo's openpgp applet is derived, has been around for some time.

If something is blocking access to the smartcard, touching the button or removing and reinserting the Neo will almost certainly clear the problem.


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 25, 2014 12:04 am 
Offline

Joined: Thu Nov 20, 2014 6:24 pm
Posts: 3
Quote:
No it doesn't.

Hmmm...

This is what happens when I try OpenVPN with OTP+CCID+U2F enabled:

Code:
user@host:~$ /usr/sbin/openvpn  --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

(Nothing is reported)

Trying to start OpenVPN:

Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:39:22 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Nov 24 16:39:22 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:
NEED-OK|token-insertion-request|Please insert PIV_II (PIV Card Holder pin) token:

(and yes, the Yubikey was inserted)

And here is what happens when I run exactly the same commands with only OTP+CCID enabled:

Code:
user@host:~$ /usr/sbin/openvpn  --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             O=..., OU=..., CN=client
       Serial:         0E
       Serialized id:  piv_II/...

(The certificate I've stored with the PIV applet is described)

Successfully starting OpenVPN:

Code:
user@host:~$ sudo openvpn --config client.conf
Mon Nov 24 16:41:32 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Nov 24 16:41:32 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Mon Nov 24 16:41:32 2014 UDPv4 link local: [undef]
Mon Nov 24 16:41:32 2014 UDPv4 link remote: [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Mon Nov 24 16:41:32 2014 VERIFY OK: nsCertType=SERVER
Mon Nov 24 16:41:32 2014 VERIFY OK: ...
Enter PIV_II (PIV Card Holder pin) token Password:
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 24 16:41:40 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 24 16:41:40 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Nov 24 16:41:40 2014 [server] Peer Connection Initiated with [AF_INET]###.###.###.###:1194
Mon Nov 24 16:41:43 2014 TUN/TAP device tun0 opened
Mon Nov 24 16:41:43 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 24 16:41:43 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 24 16:41:43 2014 /sbin/ip addr add dev tun0 local 10.8.0.46 peer 10.8.0.45
Mon Nov 24 16:41:45 2014 Initialization Sequence Completed

(Here OpenVPN starts up as expected)

Looks like the PIV applet doesn't work with OTP+CCID+U2F to me!


Last edited by rxcomm on Tue Nov 25, 2014 12:13 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 25, 2014 12:06 am 
Offline

Joined: Thu Nov 20, 2014 6:24 pm
Posts: 3
One other note: the GPG applet works fine for both OTP+CCID and OTP+CCID+U2F.


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 19, 2014 5:27 am 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
You appear to have the issue described in another recent thread - your udev rules are out of date. Follow the link to that thread for the solution.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group