YubiKey Manager and Void Linux

May 01, 2018 2 minutes

Context

After getting the YubiKey 4 working for GPG usage, we wanted to change the “touch” option, which requires us to physically touch a button on the device, in addition to entering the correct PIN, before any of the SEA (sign, encrypt, authenticate) operations will work.

Yubico provides a CLI program called YubiKey Manager, which can be installed using pip.

Problem

Not really a “problem”, but we want to install the program in order to follow the instructions listed in this guide.

Solution

Install PCSC daemon and generic CCID drivers from the repo:

# xbps-install -Sy pcsclite
# xbps-install -Sy pcsc-ccid
# ln -s /etc/sv/pcscd /var/service/

Install the dependencies of the Python package yubikey-manager and of its own dependency, pyscard:

# xbps-install -Sy swig
# xbps-install -Sy ykpers
# xbps-install -Sy libusb-devel
# xbps-install -Sy pcsclite-devel

NOTE: I’m not sure the development versions of the packages are required. I just installed them directly as a matter of habit, but uninstalling them after ykman was working didn’t produce any negative effect that I could observe.

Install pyscard and yubikey-manager from PyPI. You could install them globally using pip, but I installed them in their own virtualenv and everything works as expected.

As an example, with a Pyenv+Pipenv setup the process was as follows:

$ mkdir /opt/ykman && cd /opt/ykman
$ pipenv install --python=3.6.5 pyscard
[... output ...]
$ pipenv install yubikey-manager
[... output ...]
$ pipenv shell
(ykman) $ ykman openpgp info
OpenPGP version: 4.3.7
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 3

A response like the one shown previously means that we can now enable the “touch” options:

(ykman) $ ykman openpgp touch aut on
Current touch policy of AUTHENTICATE key is OFF.
Set touch policy of AUTHENTICATE key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.
(ykman) $ ykman openpgp touch sig on
[... snip ...]
(ykman) $ ykman openpgp touch enc on
[... snip ...]

A response like “Error: Failed connecting to the YubiKey.” may mean that CCID drivers are missing (e.g. pcsclite is installed but pcsc-ccid is not).

A response containing an EstablishContextException: ‘Failure to establish context: Service not available.’ exception may mean that pcscd is not running.

If everything seems to be in order but errors still occur, then reconnect the YubiKey, and/or consider rebooting the system.
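
The checks behind the failure modes above, collected into one preflight script. This is an added example, not part of the original post; it assumes Void's xbps-query and runit's sv are on the PATH, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: preflight for the ykman failure modes described on this page.
# Assumes Void Linux (xbps + runit). SVDIR defaults to the page's /var/service.
SVDIR="${SVDIR:-/var/service}"

# Map ykman error text to the likely cause given on this page.
classify_ykman_error() {
    case "$1" in
        *"Failed connecting to the YubiKey"*) echo "ccid-driver-missing" ;;
        *"EstablishContextException"*)        echo "pcscd-not-running" ;;
        *)                                    echo "unknown" ;;
    esac
}

# True when pcscd is linked into the service directory given as $1.
# -d follows symlinks, so a dangling link (pcsclite removed) counts as disabled.
pcscd_enabled() {
    [ -d "$1/pcscd" ]
}

preflight() {
    rc=0
    # Both packages are needed: pcsclite alone leaves the CCID driver missing.
    for pkg in pcsclite pcsc-ccid; do
        if ! xbps-query "$pkg" >/dev/null 2>&1; then
            echo "missing package: $pkg (xbps-install -Sy $pkg)"; rc=1
        fi
    done
    if ! pcscd_enabled "$SVDIR"; then
        echo "pcscd not enabled (ln -s /etc/sv/pcscd $SVDIR/)"; rc=1
    elif ! sv status pcscd 2>/dev/null | grep -q '^run:'; then
        echo "pcscd is enabled but not running"; rc=1
    fi
    # Only query the device once the host side looks sane.
    if [ "$rc" -eq 0 ] && ! out=$(ykman openpgp info 2>&1); then
        echo "ykman failed, likely cause: $(classify_ykman_error "$out")"
        echo "if everything seems in order, reconnect the YubiKey"
        rc=1
    fi
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
case "${1:-}" in --run) preflight ;; esac
```

Run it with --run from inside the virtualenv where ykman is installed, so that the final device query can find the command.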