Yubico Forum


All times are UTC + 1 hour




 Post subject: Re: programming the keys
Posted: Fri Mar 27, 2009 5:45 pm
Joined: Fri Jan 09, 2009 7:23 pm
Posts: 13
JakobE wrote:

> If there is a concern that an attacker/saboteur would reconfigure the Yubikey, set the configuration access code.

The problem here is that this is settable, as far as I have been able to find, only using a GUI under Windows. This is OK for testing with a small handful of users, but it isn't going to work for us for thousands of users in production. The Linux software I have been able to find on Google could be scripted, but it does not allow the programming access code to be set, or even for the token to be programmed if the access code is already set. Requiring every token to go through a Windows GUI is a non-starter for us.

I would like to modify the Linux code so that it can set the password, but I haven't found the source code for the Windows version yet so I don't have enough information to do this.

> The automatic navigation was previously seen as a gizmo that has been used for test and "playing around". It was a design parameter that this function should be configurable
> independently of the OTP configuration. Therefore, there is no password on it. Given that this has been seen as a potential risk, we've made a firmware change that locks the
> auto navigation configuration if the configuration access code is set.

How can I tell what version of the firmware I have and whether or not that version of the firmware has the protection?

> Therefore, if you don't like the automatic navigation feature, just leave it blank and set the configuration access code and the function will remain dead.

Same problem with inability to set the access code without using a Windows GUI.


 Post subject: Re: programming the keys
Posted: Fri Mar 27, 2009 7:52 pm
Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
Greg,

Perhaps the script that Ferrix provided for reprogramming to a static password will be helpful as a basis for creating a Linux script to do what needs to be done. It's at

http://s3.collectivesoftware.com/statickey.wsf

Also I assume that you've seen the stuff at

http://www.yubico.com/developers/personalization/

Dick


 Post subject: Re: programming the keys
Posted: Fri Mar 27, 2009 8:35 pm
Joined: Fri Jan 09, 2009 7:23 pm
Posts: 13
> Perhaps the script that Ferrix provided for reprogramming to a static password will be helpful as a basis for creating a Linux script to do what needs to be done. It's at
>
> http://s3.collectivesoftware.com/statickey.wsf

There are some helpful details in that script, but it still doesn't show me how I can modify the Linux programming software to be able to set the programming password. Until we can do this, it is trivial for an attacker to reprogram the key and DoS the user out of our servers, or activate the auto-navigation feature to obtain an OTP for cracking a user account.

> Also I assume that you've seen the stuff at
>
> http://www.yubico.com/developers/personalization/

Yes, but it doesn't (yet) have source code so I can't get the information I need from that. It does have the ability to set the password, but only by going through a Windows GUI. That's OK for testing, but isn't going to work for us with thousands of production users. At best, this would require mousing keys between the personalization GUI and a program that can generate random keys and then install those keys into the YubiPAM database.

What we really need is a way to program the tokens, disable the auto-navigation feature, and protect the token from reprogramming in the field, all from a Linux command line.

