Yubico Forum

I have set up gpg on fedora23 to use a yubikey 4 (4.2.7).

It is working and 'gpg2 --card-edit' shows keys as ssb> entering `echo a | gpg2 -e | gpg2` for the first time after inserting the yubikey requires the pin to be entered issuing the command a second time does not. which is expected.

Trying it without the key results in `gpg: public key decryption failed: Card error` which should mean that gpg does indeed use the yubikey.

But when the key is inserted and a wrong pin is entered `gpg --card-status` still shows a retry counter of 3 0 3. issuing `gpg-connect-agent --hex "scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40" /bye` as suggested by https://developers.yubico.com/ykneo-openpgp/ResetApplet.html results in a count of 2 0 3

I used https://developers.yubico.com/PGP/Card_edit.html to require touch on all gpg actions and enabled forcesig

Unrelated to that i have a few other questions.

I saw mentions of a puk, reset code but no clear descriptions. Is there a default reset code which could circumvent my pin/admin pin or is it only activated with `gpg2 --card-edit` `passwd` `set Reset Code`.

After using gpg the yubikey led glows permanently and the invert led flag seems to have no effect am i doing something wrong or is it not possible to change?


A question i wish would be in the faq.

What are irreversible actions:

1. Slot 1 contains an otp with cc id which can not be recovered but a new one with a vv id can be generated but there might be services which require a cc id.
2. When the gpg pins are entered wrongly 3 times the gpg keys become inaccessible. But it is possible to reset the counter which deletes the current keys
3. When an access code is set there is no way to reset it when it is lost (is there a counter similar to gpg or would it be possible to brute force it?)
4. When a slot is set without updating enabled its settings can't be changed without also setting a new secret (when dormant and no update is set the slot becomes unusable until a new secret is set?)

did i miss something irreversible?

Just a thought, but if you enter a PIN that doesn't meet the minimum requirements (must be at least 6 characters, Admin PIN must be at least 8 characters), it won't count as a failed PIN attempt.

OpenPGP on the YubiKey 4 and the YubiKey NEO has a PIN and an Admin PIN. If you lock out the PIN, you can still reset the PIN by providing the Admin PIN (12345678, by default). It's similar to PIN/PUK with PIV, if you're familiar.

The YubiKey 4 has no knowledge of "invert LED."

1) The Personalization Tool has a warning when attempting to overwrite slot 1 that it contains a Yubico OTP credential and the action cannot be undone. Salesforce is the only service that currently accepts Yubico OTP but doesn't accept "vv" credentials.
2) If the Admin PIN is locked, yes, that is correct. The OpenPGP applet follows these standards - http://g10code.com/docs/openpgp-card-2.0.pdf
3) There is no counter, so yes it's possible to brute force it. When an access code is set, this is written to the configuration log file that is automatically generated by the Personalization Tool.
4) That is correct, the flag has to be set initially when programming a credential.

Ok that was the problem. Interesting.

The pdf you linked explained the reset code. For the future reader: It can be used instead of the admin pin to reset the pin. e.g. in cases where a company issues the keys and doesn't provide the admin pin to the user. By default the reset code has a count of 0 so can't be used. It's the middle counter hence it's 3 0 3.

What a pity. I would have liked to disable the led (that includes the flash every 8 seconds) except for the flashing when a touch is required. Like it is now it draws a lot of attention to the YubiKey Nano. Maybe it's possible with a future YubiKey. Oh and while I am dreaming it would be nice if different actions like sign, decrypt, authenticate, u2f could use different led colors / flash patterns.