Yubico Forum
https://forum.yubico.com/

Completely reset PGP 'app'?
https://forum.yubico.com/viewtopic.php?f=26&t=1603
Page 1 of 2

Author:  Automatic [ Fri Nov 14, 2014 5:58 pm ]
Post subject:  Completely reset PGP 'app'?

Long story short:-

Code:
$ gpg --card-status
gpg: OpenPGP card not available: Not supported


Slightly longer story:-
1. Generated key
2. Changed the admin/normal pin
3. Card went insane and started accusing me that my admin pin was incorrect, and that my normal pin was incorrect when attempting to regenerate keys (But only there, all other occurrences of normal pin worked fine) despite the fact that GPG accepted the pin (It accepted, went through the questions, then complained once it got to actually generating, an incorrect-incorrect pin would error out instantly).
4. I, purposefully, got my admin password incorrect to lock the device, assuming this would reset it
5. Locked.

Any assistance?

Bit more information:-
Neo firmware:- 3.3.0
Neo mode:- U2F+CCID
Neo U2F version:- "1.0.1 installed"
Neo OpenPGP version:- "Installed" (All other apps state their version, this one, however, does not)

Author:  bmalkow [ Fri Nov 14, 2014 6:11 pm ]
Post subject:  Re: Completely reset PGP 'app'?

Check ResetApplet.

Author:  Automatic [ Fri Nov 14, 2014 6:15 pm ]
Post subject:  Re: Completely reset PGP 'app'?

bmalkow wrote:


Code:
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663408 Card not present <SCD>


Since I read somewhere this should only occur if you're in smart-card only mode when you push the button on the Yubikey (Even though I was in u2f+ccid mode), I switched to ccid then started messing with the button:-

Code:
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
ERR 100663406 Card removed <SCD>
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>


Keeps telling me the card is removed, despite (obviously), there being no card to remove. Tapping the button does nothing.

EDIT:- Messing around a little more got me:-
Code:
ERR 100663427 Conditions of use not satisfied <SCD>
> scd apdu 00 e6 00 00
ERR 100663427 Conditions of use not satisfied <SCD>
> scd apdu 00 44 00 00
ERR 100663427 Conditions of use not satisfied <SCD>


EDIT:- I also am unable to reinstall the OpenPGP applet (I thought I read somewhere doing this would wipe all related data to it):-
>mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

From the gpshell command.

Author:  Tom [ Mon Nov 17, 2014 10:12 am ]
Post subject:  Re: Completely reset PGP 'app'?

What is the serial number on your NEO?

Could you submit a support ticket on yubi.co/support?

Author:  Automatic [ Mon Nov 17, 2014 11:52 am ]
Post subject:  Re: Completely reset PGP 'app'?

Tom wrote:
What is the serial number on your NEO?

Could you submit a support ticket on yubi.co/support?


Made a ticket including my serial number, but, for public reference (in case anyone else is having this issue, and I'm not too sure what the serial actually contains (i.e. if it's private or not)), it's >3,000,000, which I believe is the question you were actually asking.

Author:  Tom [ Mon Nov 17, 2014 2:22 pm ]
Post subject:  Re: Completely reset PGP 'app'?

No, we have a subset of serials with a bug in the OpenPGP applet, thus I need to know the exact serial number. It has nothing to do with the transport key.

You can send that to me via PM if you wish; I'll forward that to the support guys.

Tom

Author:  Automatic [ Mon Nov 17, 2014 5:49 pm ]
Post subject:  Re: Completely reset PGP 'app'?

Tom wrote:
No, we have a subset of serials with a bug in the OpenPGP applet, thus I need to know the exact serial number. It has nothing to do with the transport key.

You can send that to me via PM if you wish; I'll forward that to the support guys.

Tom


The reason I didn't PM it to you was because I did include it in my support ticket, I have, however, just sent you a PM with it again. Thanks.

Author:  Automatic [ Wed Nov 19, 2014 2:45 pm ]
Post subject:  Re: Completely reset PGP 'app'?

Thought I may add this update:- I updated my neo manager to 1.0.0 to test out the OTP+U2F+CCID functionality (Although, apparently my Distro's Chromium package is still on v38, so, I'll have to wait to test this as I don't feel like compiling Chromium myself), while messing around in the neo manager I did spot these errors floating around in the command line:-

Code:
$ neoman
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/neoman/model/jsapi.py", line 66, in send_apdu
    return self._neo.send_apdu(apdu.decode('hex')).encode('hex')
  File "/usr/lib/python2.7/site-packages/neoman/model/neo.py", line 40, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/neoman/device_ccid.py", line 104, in send_apdu
    byref(buf_size)))
  File "/usr/lib/python2.7/site-packages/neoman/device_ccid.py", line 62, in check
    raise YkNeoMgrError(status)
neoman.exc.YkNeoMgrError: ykneomgr error: -4
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985
LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985


As I normally run neomanager from dmenu (A little tool that launches applications, sort of like the 'run' dialog on Windows) I've never really seen the std{out,err} of neoman. The neoman interface works fine, even with these errors/exceptions, but, obviously something is going on behind the scenes that even your own software can't deal with, unfortunately, I don't know the APDU command list, so, I don't know what the actual commands it's issuing are, nor what the response is.
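
Added example, not part of the original thread and not Yubico's or GnuPG's code: a small decoder for the command APDUs and the `req`/`resp` log line quoted in the posts above, using instruction and status-word names from ISO/IEC 7816-4. The function names are this example's own, and the tables list only the values needed here, so INS 0xF1 is reported as unlisted.

```python
import re

# Names from ISO/IEC 7816-4; only the values this example needs are listed.
INS_NAMES = {0x20: "VERIFY", 0x44: "ACTIVATE FILE", 0xE6: "TERMINATE DF"}
SW_NAMES = {
    0x9000: "OK",
    0x6982: "Security status not satisfied",
    0x6983: "Authentication method blocked",
    0x6985: "Conditions of use not satisfied",
    0x6D00: "Instruction code not supported or invalid",
}
LOG_RE = re.compile(r"req: ([0-9a-fA-F]+), resp: ([0-9a-fA-F]{4})")
# Copied from the posts above.
THREAD_COMMANDS = ["00 20 00 81 08 40 40 40 40 40 40 40 40", "00 e6 00 00", "00 44 00 00"]
THREAD_LOG = "LOG [OpenPGP]: ERROR req: 00f10000, resp: 6985"

def decode_command(hex_apdu):
    """Split a short command APDU into CLA/INS/P1/P2 and optional data."""
    raw = bytes.fromhex(hex_apdu.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("a command APDU has at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 5:  # a fifth byte followed by more bytes is Lc + data
        data = raw[5:5 + raw[4]]
        if len(data) != raw[4]:
            raise ValueError("Lc does not match the data length")
    name = INS_NAMES.get(ins, "unlisted INS 0x%02X" % ins)
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "name": name}

def decode_sw(sw_hex):
    """Name a two-byte status word (SW1 SW2)."""
    sw = int(sw_hex, 16)
    if (sw & 0xFFF0) == 0x63C0:  # 63Cx: the low nibble is a counter
        return "Warning, counter = %d" % (sw & 0x0F)
    return SW_NAMES.get(sw, "unlisted status 0x%04X" % sw)

def explain_log_line(line):
    """Decode one 'req: ..., resp: ...' log line; None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    cmd = decode_command(m.group(1))
    return "%s P1=%02X P2=%02X -> %s" % (cmd["name"], cmd["p1"], cmd["p2"], decode_sw(m.group(2)))

if __name__ == "__main__":
    for c in THREAD_COMMANDS:
        print(c, "=>", decode_command(c)["name"])
    print(explain_log_line(THREAD_LOG))
```

ISO/IEC 7816-4 names status word 6985 "Conditions of use not satisfied", the same wording scdaemon printed earlier in the thread.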

Author:  Automatic [ Mon Nov 24, 2014 12:50 pm ]
Post subject:  Re: Completely reset PGP 'app'?

Sorry for bumping this, I just received my replacement Yubikey Neo in the mail today (Yay!), I have yet to plug it in as I'm a little bit scared of it dying on me again though.

Can I verify with you guys before I plug it in and start configuring it:-

1. I can change the smart-card pins with no limitations of how many times I change it (Within reason, I'm not going to change it thousands of times, maybe three or four times, just to verify it works).
2. I can change the smart-card pins to whatever I want with no limitations of characters (I'm allowed alpha? numerical? special? Unicode? Which characters are not allowed?)
3. I can lock the device by getting the pin (Both admin & normal) incorrect three times, and I can actually unlock it using the above 'reset applet' link, correct? It's not going to lock up on me once I get it wrong three times and be bricked again?
4. I can modify all the special values surrounding the smart-card (Name, public key URL, sex, etc...)

I'd rather verify this with you guys first and miss out on a day of use while waiting for you to respond than have it brick on me and have to go through this whole ordeal again. I hope you understand.

Thanks!

Author:  Tom [ Thu Nov 27, 2014 2:38 pm ]
Post subject:  Re: Completely reset PGP 'app'?

Automatic wrote:
Sorry for bumping this, I just received my replacement Yubikey Neo in the mail today (Yay!), I have yet to plug it in as I'm a little bit scared of it dying on me again though.

Can I verify with you guys before I plug it in and start configuring it:-

1. I can change the smart-card pins with no limitations of how many times I change it (Within reason, I'm not going to change it thousands of times, maybe three or four times, just to verify it works).

Yes, you can.

Automatic wrote:
2. I can change the smart-card pins to whatever I want with no limitations of characters (I'm allowed alpha? numerical? special? Unicode? Which characters are not allowed?)

Yes, it can be alphanumeric. Not sure about Unicode; you have to check the gpg manual.

Automatic wrote:
3. I can lock the device by getting the pin (Both admin & normal) incorrect three times, and I can actually unlock it using the above 'reset applet' link, correct? It's not going to lock up on me once I get it wrong three times and be bricked again?

You can reset it only when user/admin pins are both blocked.

Automatic wrote:
4. I can modify all the special values surrounding the smart-card (Name, public key URL, sex, etc...)

Yes.

Automatic wrote:
I'd rather verify this with you guys first and miss out on a day of use while waiting for you to respond than have it brick on me and have to go through this whole ordeal again. I hope you understand.

Thanks!

All times are UTC + 1 hour