Yubico Forum
https://forum.yubico.com/

How to tell user the Yubikey is waiting for touch for SSH
https://forum.yubico.com/viewtopic.php?f=35&t=2397

Author:  thabets [ Wed Aug 17, 2016 12:12 am ]
Post subject:  How to tell user the Yubikey is waiting for touch for SSH

I have set up a Yubikey 4 with SSH pubkey[1], and enabled touch on every use of the key.

My problem is that the authentication just hangs when it's waiting for a touch. Sure, the yubikey flashes, but if the user is looking at the screen and not the side of the laptop or at the computer under the desk, then it just looks like it's stuck. Especially if it's a Yubikey 4 Nano.

How do I inform the user "yo! You need to touch the yubikey to continue!"?

[1]
https://blog.habets.se/2016/01/Yubikey- ... ence-proof

Author:  thabets [ Mon Sep 12, 2016 4:25 pm ]
Post subject:  Re: How to tell user the Yubikey is waiting for touch for SS

No way to do this? I would like to not hook opensc-pk11.so to notify while the signing operation is outstanding, but I guess I could...

Author:  linsam [ Wed Sep 14, 2016 1:48 pm ]
Post subject:  Re: How to tell user the Yubikey is waiting for touch for SS

I'd enjoy this too, though for the OpenPGP app (I use gpg-agent for my ssh key, stored in my Yubikey).

I suspect the problem is that the programs have no way of knowing that the Yubikey is waiting for a touch vs. any hardware token just being slow to perform an operation. If this is true, it is a difficult problem to solve, because API (at the OpenPGP Card and PKCS#11 layers) would need to be changed/added, and protocol (at the PIV and OpenPGP layers) would need to be created, and would likely have to go through different standards bodies' processes.

As a workaround solution, it might be feasible to change the clients using these to time out after a reasonable time (maybe 5 of the 15 seconds) and display a message asking the user if the token is waiting for input, but that would be at the application layer (e.g. gpg-agent or equivalent when doing PIV based keys, or possibly the ssh command itself). Unfortunately, not something I have time to hack on these days :(

In the meantime, I'm working on getting my physical setup such that the yubikey is both visible while looking at my monitor(s), and not so far from the keyboard that it is uncomfortable to reach.
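
The timeout workaround described in the post above, as an added example that is not part of the original thread or of any Yubico tool: a wrapper that runs a command and, if it has not finished after a delay, asks the user whether the token is waiting for a touch. The function name `run_with_touch_hint`, its parameters and the stand-in command are assumptions; the 5-second default comes from the post.

```python
import subprocess
import sys
import threading


def run_with_touch_hint(cmd, hint_after=5.0, notify=None):
    """Run cmd and call notify once if it is still running after hint_after seconds.

    Returns (exit_code, hinted). The wrapper cannot distinguish a token that is
    waiting for a touch from one that is merely slow, so the message is phrased
    as a question to the user, not as a statement.
    """
    if notify is None:
        # Default: write to stderr so the command's stdout stays clean for pipes.
        notify = lambda msg: print(msg, file=sys.stderr, flush=True)
    hinted = threading.Event()

    def fire():
        hinted.set()
        notify("Still waiting: is your hardware token waiting for a touch?")

    proc = subprocess.Popen(cmd)  # stdin/stdout/stderr are inherited
    timer = threading.Timer(hint_after, fire)
    timer.daemon = True
    timer.start()
    try:
        code = proc.wait()
    finally:
        # If the command finished first, the hint is never shown.
        timer.cancel()
    return code, hinted.is_set()


if __name__ == "__main__":
    # Constructed stand-in for a blocked signing operation: sleeps for 2 s.
    stand_in = [sys.executable, "-c", "import time; time.sleep(2)"]
    print(run_with_touch_hint(stand_in, hint_after=0.5))
```

Wrap only a short, non-interactive command that triggers a single signature; wrapping an interactive ssh session would show the hint as soon as the session outlives the delay.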

Author:  primiano [ Sun Oct 16, 2016 1:17 pm ]
Post subject:  Re: How to tell user the Yubikey is waiting for touch for SS

Same problem here. SSH with gpg-agent works perfectly. But every now and then I get stuck because something (e.g. scp) is requesting touch and I don't see the LED blinking on the side.
Would be great if one of the yk* tools did support notifications (like ykinfo --notify-touch-required) so then somebody could easily build some UI on top.

Author:  maximbaz [ Sun Oct 15, 2017 3:15 pm ]
Post subject:  Re: How to tell user the Yubikey is waiting for touch for SS

I know it has been years since the original question, but I was struggling with the same problem and I managed to build a working solution that I'm happy about and want to share with you 🙂

It looks like this:

[Attachment: demo.gif]

I built an app [1] that works in the background and detects when the YubiKey is waiting for a touch. It provides an easy way for other UI components to subscribe to the notifications and display some kind of a visible indicator on the screen. For example, the key indicator that you see above is provided by a py3status module [2] for i3wm.

Feedback and improvement ideas are always welcome!


[1]: https://github.com/maximbaz/yubikey-touch-detector
[2]: https://github.com/ultrabug/py3status/pull/1110

All times are UTC + 1 hour