[securityguide: 1/3] Add a stub for a chapter on using the Yubikey Neo

Jared Smith jsmith at fedoraproject.org
Mon Mar 31 12:10:01 UTC 2014


commit f90ff2c56c93b4dd3fb04c03774d09151f6eea56
Author: Jared K. Smith <jaredsmith at jaredsmith.net>
Date:   Fri Mar 21 20:40:40 2014 -0400

    Add a stub for a chapter on using the Yubikey Neo

 en-US/Yubikey_Neo.xml |   62 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 62 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Yubikey_Neo.xml b/en-US/Yubikey_Neo.xml
new file mode 100644
index 0000000..74c5d7a
--- /dev/null
+++ b/en-US/Yubikey_Neo.xml
@@ -0,0 +1,62 @@
+<?xml version='1.0'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<section id="sect-Security_Guide-Yubikey_Neo">
+	<title>Yubikey Neo</title>
+	<para />
+	<section>
+		<title>Installing the necessary tools</title>
+		<para><command>sudo yum install libykneomgr pcsc-lite pcsc-tools gnupg2 gnupg2-smime --enablerepo=updates-testing</command></para>		
+		<para><command>sudo systemctl start pcscd.service pcscd.socket</command></para>
+		<para><command>sudo systemctl enable pcscd.service pcscd.socket</command></para>
+		<para><command>ykneomgr -a</command>, then copy the first 12 characters of last key to the clipboard.</para>
+		<para><command>ykneomgr -D <replaceable>d27600012401</replaceable></command>, and then it should return with no output. This deletes the version of the OpenPGP applet that is on the card.</para>
+		<para>Grab the latest version of the <literal>.cap</literal> file from <ulink url="http://opensource.yubico.com/ykneo-openpgp/releases.html"/>.  For this example, we downloaded <literal>ykneo-openpgp-1.0.5.cap</literal>.</para>
+		<remark>nb to figure out how to query the current version</remark>
+		<para><command>ykneomgr -i /tmp/ykneo-openpgp-1.0.5.cap</command> to install the new version of the OpenPGP applet.</para>
+		<para><command>gpg --card-status</command> to make sure GPG can see and talk to the card.
+			<screen>
+gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
+Application ID ...: D2760001240102000000000000010000
+Version ..........: 2.0
+Manufacturer .....: test card
+Serial number ....: 00000001
+Name of cardholder: [not set]
+Language prefs ...: [not set]
+Sex ..............: unspecified
+URL of public key : [not set]
+Login data .......: [not set]
+Signature PIN ....: forced
+Key attributes ...: 2048R 2048R 2048R
+Max. PIN lengths .: 127 127 127
+PIN retry counter : 3 3 3
+Signature counter : 0
+Signature key ....: [none]
+Encryption key....: [none]
+Authentication key: [none]
+General key info..: [none]
+</screen>
+      </para>
+		<remark>nb to tell us how to change the mode between yubikey only, gpg-only, or both</remark>
+		<para><command>gpg --card-edit</command> to edit the settings on the card.</para>
+		<para><command>admin</command> to turn on admin mode, do 1 and 3, and set a pin for each. Can be alpha-numeric.</para> 
+		<para><command>q</command> to quit.</para>
+		<para><command>name</command> to add your name.</para>
+		<para><command>lang</command> to set your language (<literal>en</literal> for example).</para>
+		<para><command>sex</command> to set your gender.</para>
+		<para><command>quit</command> to quit.</para>
+		<para><command>gpg --edit-key <literal>fingerprint</literal></command></para>
+		<para><command>addkey</command> to create a new key</para>
+		<para><command>RSA (sign only)</command> to create a subkey for signing</para>
+		<para><command>save</command> to save the key</para>
+		<para><command>quit</command> to quit</para>
+		<para>We can't write to the card from gpg itself, so let's switch to gpg2.  First, make sure that gpg2 can see your
+		card by running <command>gpg2 --card-status</command>.  If it can't see your card, you probably forgot to install the
+      <package>gnupg2-smime</package> package.</para>
+		<para>Run <command> sudo gpg2 --no-default-keyring --keyring ~/.gnupg/pubring.gpg --secret-keyring ~/.gnupg/secring.gpg --edit-key <replaceable>fingerprint</replaceable></command></para>
+		<para><command>toggle</command> to switch between public key and secret key</para>
+		<para>Subkeys are numbered starting with 1, so type <command>key <replaceable>2</replaceable></command> to select the 2nd subkey. Now you'll notice a <literal>*</literal> next to the key.</para>
+		<para><command>keytocard</command> to write the key to the Yubikey Neo.</para>
+	</section>
+
+</section>
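Review bot: the final step in this hunk, `keytocard`, moves the secret subkey onto the card but the procedure stops there without the `save` that the earlier `gpg --edit-key` sequence ends with, so the change is never committed and the reader is not told that after saving the subkey's secret material lives only on the Yubikey; add the `save` step and a sentence advising an offline backup of the secret key before `keytocard`, since the `ykneomgr -D` step earlier in the hunk already shows that deleting or reinstalling the applet wipes whatever keys the card holds. The `sudo gpg2 --no-default-keyring --keyring ~/.gnupg/pubring.gpg --secret-keyring ~/.gnupg/secring.gpg --edit-key ...` invocation runs gpg2 as root against the user's own keyring, which leaves root-owned lock and trustdb files behind in `~/.gnupg`; once pcscd is running as shown above, `gpg2 --edit-key` as the normal user is what the `gpg2 --card-status` check in the previous paragraph already assumes, so drop the `sudo` and the explicit keyring flags. The `admin` paragraph says "do 1 and 3, and set a pin for each" without naming the card-edit command whose numbered menu those options belong to, so the reader cannot follow it; spell out the command and the two PINs being set (user PIN and Admin PIN), and say why both should be changed from the factory defaults before any key is written. Style points: the empty `<para />` under the chapter title should carry at least a one-sentence introduction or be removed, and the nested `<section>` has no `id` attribute while the outer one follows the `sect-Security_Guide-...` convention, which will make cross-references to it impossible later.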

