Saturday, February 7, 2015

Yubikey NEO-n

Just got my Yubikey NEO-n today and here is how I got it to work.
  • Downloaded Yubikey Manager (optionally, also Yubikey Personalization Tools).
    • I changed the connection mode to OTP+U2F+CCID.
    • Yubikey Personalization Tools only work if OTP mode is enabled. If not:
      • Both ykpersonalize, ykinfo report "no yubikey present"
    • Yubikey Manager can only enumerate CCID apps if:
      • No other programs are using PC/SC (e.g. gpg-agent).
      • ifdhandler has to be loaded (which may not be the case if the workaround below is applied for gpg-agent getting stuck).
    • The key already has OpenPGP app installed among others.
  • Followed the instruction in My Perfect GnuPG/SSH agent setup.
    • For Mac OS X, I downloaded GPGTools which came with the gpg command line and the gpg-agent.
    • If the 'generate' command doesn't ask for "Please specify how long the key should be valid" it might be that gpg-agent got stuck. Run killall -KILL gpg-agent and try the gpg command again.
  • Mac OS X Yosemite ships with a really buggy pcsc-lite implementation. Here is a workaround so that gpg-agent would not get stuck again.
    • sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ifdreader.plist
      • I added -w to make the unload persist across reboots.
    • After this, scdaemon will use its own CCID driver to talk to Yubikey. Both OTP and U2F will still work since neither are interfaced through PC/SC.
    • Yubikey Manager will suffer reduced functionality since it no longer has CCID access:
      • It can no longer enumerate Available apps.
      • If OTP and U2F are both disabled, it will report "No device found" even if CCID is enabled.
      • Use launchctl load -w to re-enable.
Currently I'm using Yubikey NEO-n with OpenPGP key for SSH login. Although the OpenPGP key is protected by a PIN, I only need to enter it once, and the key remains unlocked until I remove the NEO-n from USB. The problem is that while the key is unlocked, any malicious program I run could then gain access to my gpg-agent and impersonate me, which is not very secure.

With U2F, a touch would be required before authenticating with a server, which makes impersonation more difficult. A remote attacker would have to convince me to touch the Yubikey physically. There is a patch in progress making U2F work with SSH directly, but it hasn't been accepted upstream.

No comments: