Yubico Forum

I have set up a Yubikey 4 with SSH pubkey[1], and enabled touch on every use of the key.

My problem is that the authentication just hangs when it's waiting for a touch. Sure, the yubikey flashes, but if the user is looking at the screen and not the side of the laptop or at the computer under the desk, then it just looks like it's stuck. Especially if it's a Yubikey 4 Nano.

How do I inform the user "yo! You need to touch the yubikey to continue!"?

[1]
https://blog.habets.se/2016/01/Yubikey- ... ence-proof

No way to do this? I would like to not hook opensc-pk11.so to notify while the signing operation is outstanding, but I guess I could...

I'd enjoy this too, though for the OpenPGP app (I use gpg-agent for my ssh key, stored in my Yubikey).

I suspect the problem is that the programs have no way of knowing that they Yubikey is waiting for a touch vs. any hardware token just being slow to perform an operation. If this is true, it is a difficult problem to solve, because API (at the OpenPGP Card and PKCS#11 layers) would need to be changed/added, and protocol (at the PIV and OpenPGP layers) would need to be created, and would likely have to go through different standards body's processes.

As a workaround solution, it might be feasible to change the clients using these to timeout after a reasonable time (maybe 5 of the 15 seconds) and display a message asking the user if the token is waiting for input, but that would be at the application layer (e.g. gpg-agent or equivalent when doing PIV based keys, or possibly the ssh command itself). Unfortunately, not something I have time to hack on these days

In the mean time, I'm working on getting my physical setup such that the yubikey is both visible while looking at my monitor(s), and not so far from the keyboard that it is uncomfortable to reach.

Same problem here. SSH with gpg-agent works perfectly. But every now and then I get stuck because something (e.g. scp) is requesting touch and I don't see the led blinking on the side.
Would be great if one of the yk* tools did support notifications (like ykinfo --notify-touch-required) so then somebody could easily some UI on top.

I know it has been years since the original question, but I was struggling with the same problem and I managed to build a working solution that I'm happy about and want to share with you 🙂

It looks like this:



I built an app [1] that works in background and detects when YubiKey is waiting for a touch. It provides an easy way for other UI components to subscribe to the notifications and display some kind of a visible indicator on the screen. For example, the key indicator that you see above is provided by a py3status module [2] for i3wm.

Feedback and improvement ideas are always welcome!


[1]: https://github.com/maximbaz/yubikey-touch-detector
[2]: https://github.com/ultrabug/py3status/pull/1110