Two-factor authentication and a general improvement of my security infrastructure were long on my todo list. Some months ago I finally purchased a Yubikey NEO from Yubico, and I try to consistently use it as a second factor as well as a gpg signing/encrypting device.
I am trying to get the best out of my Yubikey NEO by using as much of its functionality as possible, in particular: smartcard for my GnuPG keys, OTP similar to Google Authenticator and the like, challenge-response for additional login security, and all of that over NFC so as not to keep keys/passwords on my mobile phone.
While there are loads of guides (see the previous article on GnuPG for some of them), many of them are out of date for current distributions, GnuPG, etc. So I tried to collect all I could find, not least to have a place to look it up in case I forget it again.
The Hardware
The Yubikey NEO is a great piece of hardware. I do not even remotely understand how they manage that this little beast can do all these things and still work without mixing things up. As far as I understand (please correct me) it has three independent circuits of communication:
- HID mode working as keyboard and sending keystrokes
- CCID mode (smartcard) for PIV / GnuPG / OpenPGP functionality
- NFC for communication with your mobile
On top of these circuits of communication there is a variety of applications to make the most out of your Yubikey:
- various OTP: Yubico OTP (against a special server), TOTP, OATH-HOTP, Static PW, Challenge-Response
- FIDO U2F mode: universal two-factor authentication
- OpenPGP smartcard support: 4 slots for private keys
- PIV
Yubikey mode setup
There are several modes, and using the ykpersonalize tool (readily available for Windows, Mac, Linux, and in the Debian package yubikey-personalization) one can program the key to work in a variety of modes. I chose to activate all options by passing in -m86, which stands for OTP/U2F/CCID composite device with MODE_FLAG_EJECT.
$ ykpersonalize -m86
Firmware version 3.4.3 Touch level 1792 Unconfigured
The USB mode will be set to: 0x86
Commit? (y/n) [n]: y
$
It is a good idea to unplug and replug the key after this operation.
Yubikey udev rules for user access
To allow users other than root to use the Yubikey, additional udev rules are necessary:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", TAG+="uaccess"
which I put into /etc/udev/rules.d/99-yubikeys.rules on Debian. After that, another unplug and replug should allow a normal user to access the key. This can be checked by calling getfacl on the newly created /dev/hidraw? device.
Using the HID/Challenge-Response mode (slot 2)
If you want to secure your login with an additional second factor, there are several options documented on the Yubico site concerning yubico-pam. Since I cannot be sure to be always online with my laptop, I chose Challenge-Response authentication, and followed one-to-one Yubico's docs Local Authentication Using Challenge Response. Basically it boils down to installing libpam-yubico and selecting mode-challenge-response when asked for configuration. Then one needs to personalize the key (in particular slot 2) for challenge-response with:
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y
$
Next we need to save the challenge and expected response to the user's directory:
$ mkdir $HOME/.yubico
$ ykpamcfg -2 -v
...
Stored initial challenge and expected response in '/home/norbert/.yubico/challenge-123456'.
$
It might be a good idea to try this out, and if it works, activate it also for root. But be careful: no key, no login.
Challenge: I am currently searching for a method to optionally replace the second factor of the key with a different authentication method, like a very difficult passphrase. This way I could log in even without my key, but in this case would need the complicated passphrase. From my reading of the pam manuals it seems to be possible, and I am planning to use pam_ssh and a specific login key with a complicated passphrase. I will report back when this is done.
YubiOATH (TOTP) Time based One Time Passwords (aka Google Authenticator style)
Without any setup whatsoever this worked out of the box. I use the Yubico Authenticator on my Android phone, and the dedicated application for the Linux desktop, to create second factors for all kinds of applications. Currently I am using it with Google login, GitHub, Dropbox, and WordPress (via the Two Factor plugin, which can also be tweaked to use the NEO key as USB key via FIDO U2F).
Challenge: If I start the Yubico Personalization GUI, I see two free slots, so where are the TOTPs computed? That also means that I have one slot free, and for now I don't know what to do with it.
Yubikey OpenPGP applet setup
The Yubikeys support OpenPGP, and the applet is pre-installed (afaik), meaning you can directly configure the key and upload your keys. Here I use gpg2 (2.1) as it seems to better support card operations. To not interfere with the current gpg setup I use a temporary gpg home:
$ mkdir gpgtmp
$ chmod go-rwx gpgtmp
$ gpg2 --homedir gpgtmp --list-keys
gpg: keybox 'gpgtmp/pubring.kbx' created
gpg: gpgtmp/trustdb.gpg: trustdb created
Warning: The YubiKey NEO only supports 2048-bit keys. If you want 4096-bit keys you need to use one of the newer YubiKey 4, which gives you this option, but does not have support for NFC, and thus no way to interact with an Android (or other) mobile phone.
Check the correct version of the applet
There has been a bug in an older version of the applet, but for 2 years now all keys sold should have a correct applet. You can check by:
$ gpg-connect-agent --homedir gpgtmp --hex "scd apdu 00 f1 00 00" /bye
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
D[0000] 01 00 10 90 00 .....
OK
Looking at the output one sees D[0000] 01 00 10, which means applet version 1.0.10, which is the first version fixed.
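The version check above can be scripted. The following is an added example, not part of the original article: it assumes the reply layout shown above (three version bytes followed by the status word 90 00) and reads each byte's digits as written, as the reading of 01 00 10 as 1.0.10 implies. The function names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample: reply of a card running the fixed applet.
SAMPLE_REPLY='D[0000]  01 00 10 90 00                                     .....
OK'

# applet_version: read `gpg-connect-agent --hex` output on stdin and print
# the applet version as major.minor.patch. Fails if there is no data line,
# the status word is not 90 00, or a version byte is not two plain digits.
applet_version() {
    awk '
        /^D\[0000\]/ {
            seen = 1
            # Fields: D[0000] major minor patch SW1 SW2 <ascii dump>
            if ($5 != "90" || $6 != "00") { bad = 1; exit }
            if (($2 $3 $4) !~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/) { bad = 1; exit }
            # Digits are read as written: "10" is ten, not 0x10 = 16.
            printf "%d.%d.%d\n", $2, $3, $4
            exit
        }
        END { if (!seen || bad) exit 1 }
    '
}

# version_at_least HAVE WANT: succeed if dotted version HAVE >= WANT.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "[.]"); split(want, w, "[.]")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_applet: stdin as above; 0 = fixed applet, 1 = older, 2 = no usable reply.
check_applet() {
    v=$(applet_version) || { echo "no usable reply from the card"; return 2; }
    if version_at_least "$v" 1.0.10; then
        echo "applet $v: at or above 1.0.10"
    else
        echo "applet $v: older than 1.0.10"
        return 1
    fi
}

# Live use: gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye | check_applet
printf '%s\n' "$SAMPLE_REPLY" | check_applet
```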
Replace pins of the key
The standard pins are 123456 for the user pin, and 12345678 for the admin pin. These need immediate change!
Warning: When changing the PIN, the normal PIN must be 6 (at least?) digits, and the admin PIN 8 (at least?), otherwise gpg2 cannot use the key anymore. No idea why.
$ gpg2 --homedir gpgtmp --card-edit
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006036457190000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03645719
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006036457190000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
gpg/card> quit
After this you need to use the new PINs for all changes.
Setup basic data
The key can also save some basic data about yourself, like name, sex, language preferences, login name, and URL to obtain the public key. As before, start gpg2 and then change this information in the following way:
gpg/card> name
Cardholder's surname: Preining
Cardholder's given name: Norbert
gpg/card> sex
Sex ((M)ale, (F)emale or space): M
gpg/card> lang
Language preferences: de
gpg/card> login
Login data (account name): norbert
gpg/card> url
URL to retrieve public key: https://www.preining.info/preining-norbert.asc
gpg/card> list
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006036457190000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03645719
Name of cardholder: Norbert Preining
Language prefs ...: de
Sex ..............: male
URL of public key : https://www.preining.info/preining-norbert.asc
Login data .......: norbert
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> quit
Move sub keys to Yubikey
As laid out in the article on GnuPG subkeys, we have three subkeys for signing, encryption, and authentication. In reality I will practically only use the signing key, but upload all three keys to the card. In the following I expect that you have a setup more or less similar to the one described in the article linked before.
Again, we use GnuPG v2, mostly because it was the version that worked out of the box. In addition, if you are setting up something similar to my GnuPG article, with gpg1 keys on the mail server, then you don't want the gpg1 keys being removed.
Basically you must have the Yubikey plugged in and call keytocard after selecting each key in turn (and deselecting it afterwards).
Warning: There is another bug in the GnuPG applet that was fixed in later versions (but not in 1.0.10), namely that not all keys are accepted. This is a bit of a pain. I needed to recreate a subkey to obtain a key that can be loaded onto the Yubikey. Unfortunately, Yubico has also stopped/disabled the ability to update applets (although I have to say their documentation is incredible rubbish with respect to applets and upgrades).
As before, assume that $MASTERKEY contains the hex id of your master key.
$ gpg2 --edit-key $MASTERKEY
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 2
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb* rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb* rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 2
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 3
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb* rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb* rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 3
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 4
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb* rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb* rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> key 4
sec rsa4096/0x6CACA448860CDC13
created: 2010-09-14 expires: 2017-02-06 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xD1D2BD14810F62B3
created: 2010-09-14 expires: 2017-02-06 usage: E
ssb rsa2048/0xEC00B8DAD32266AA
created: 2016-02-07 expires: 2017-02-06 usage: S
ssb rsa2048/0xBF361ED434425B4C
created: 2016-02-07 expires: 2017-02-06 usage: E
ssb rsa2048/0x9C7CA4E294F04D49
created: 2016-02-07 expires: 2017-02-06 usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2) Norbert Preining <preining@logic.at>
[ultimate] (3) Norbert Preining <preining@debian.org>
[ultimate] (4) Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5) [jpeg image of size 4185]
gpg> save
After that your keys are on the Yubikey (and only there!), and GnuPG will require the PIN (user PIN) to sign/encrypt documents.
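To confirm that the three subkeys really left the disk, one can inspect GnuPG's machine-readable listing. This is an added example, not from the original article: the function names are hypothetical, the sample listing is constructed from the key IDs and card number shown above, and the meaning of field 15 is taken from GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample of `gpg2 --list-secret-keys --with-colons` after keytocard;
# key IDs and card number are those shown in the article, other fields left empty.
SAMPLE_LISTING='sec:u:4096:1:6CACA448860CDC13:::::::scESC:::+:
ssb:u:4096:1:D1D2BD14810F62B3:::::::e:::+:
ssb:u:2048:1:EC00B8DAD32266AA:::::::s:::D2760001240102000006036457190000:
ssb:u:2048:1:BF361ED434425B4C:::::::e:::D2760001240102000006036457190000:
ssb:u:2048:1:9C7CA4E294F04D49:::::::a:::D2760001240102000006036457190000:'

# key_locations: colon listing on stdin -> one "KEYID CAPS WHERE" line per key.
# Field 15 of sec/ssb records (GnuPG doc/DETAILS): token serial number if the
# key lives on a card, "#" for a stub without secret material, "+" if the
# secret key is available in the local keyring.
key_locations() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "+")                   where = "local"
            else if ($15 == "#")              where = "stub"
            else if ($15 ~ /^[0-9A-Fa-f]+$/)  where = "card:" $15
            else                              where = "unknown"
            print $5, $12, where
        }
    '
}

# keys_on_card ID...: listing on stdin; succeed only if every listed key ID is
# reported as held on a card, and name the ones that are not.
keys_on_card() {
    listing=$(key_locations)
    rc=0
    for id in "$@"; do
        case "$(printf '%s\n' "$listing" | awk -v id="$id" '$1 == id { print $3 }')" in
            card:*) ;;
            *) echo "not on card: $id"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use: gpg2 --list-secret-keys --with-colons | keys_on_card <subkey ids>
printf '%s\n' "$SAMPLE_LISTING" | key_locations
```

In the sample, the master key and the old rsa4096 encryption subkey still show as local, which matches the session above where only the three rsa2048 subkeys were moved.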
Usage
Many things have been said above, but to sum up when and how I am using the YubiKey now:
- Logging into my computer: I need to have the key plugged in, otherwise authentication will not succeed.
- GPG activities (signing, encryption): Key needs to be plugged in, GnuPG will ask for the user PIN.
- TOTP (Google, GitHub, WordPress, Dropbox login): I use my mobile (Nexus 6p) and the Yubico Authenticator, touch the phone with the Yubikey, and see the TOTPs in the application window.
- OpenKeychain (Android app) integrates with K-9 Mail: signing, encryption and decryption are possible on the mobile via NFC (touching the device with the key).
Conclusions
With this setup I am now quite content, but not completely. What I still want to do is full disk encryption where I need the Yubikey to boot, again with an alternative of a very long passphrase. In the end, adding a second factor to the login is not really optimal, and only protects you against quick hacks. If the laptop is actually stolen, only full disk protection helps. Access to the hardware always guarantees that one has access to everything on the disk.
Another thing I want to do is re-use the GnuPG key on the Yubikey as ssh key for logging into remote systems. That would mean that I get rid of even more keys on my laptop. But this is still in the works.
The other open question is what to use the other available slot of the Yubikey for. I thought about some passwords (possible), but I don't feel too happy about having my password issued with the press of a key.
But all in all, I like the setup much more than before and not having any GnuPG key on the laptop is a big plus.