From 87f48f547b76d978c2718b214b8e6b403a2c65d1 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Tue, 30 Mar 2021 14:00:24 -0400 Subject: [PATCH 1/2] clarify pins, drduh/YubiKey-Guide#248 - define each pin name, default, usage - call out special admin pin restrictions --- README.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 09b508d..f052132 100644 --- a/README.md +++ b/README.md 
@@ -1286,17 +1286,19 @@ Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) applica ## Change PIN -Your Yubikey has 2 PINs: The user PIN, which is used for end-user functionality such as signing and encryption and an admin PIN which is required for updating your information on the Yubikey. Entering the user PIN incorrectly three times consecutively will cause the PIN to become blocked. +The GPG interface is separate from other modules on a Yubikey such as the PIV interface. The GPG interface has its own PIN, PUK, and Admin PIN. It is highly encourage that you change all available PINs on the GPG interface. Entering the user PIN incorrectly three times consecutively will cause the PIN to become blocked. Entering the Admin PIN incorrectly three times destroys all GPG data. The Yubikey will have to be reconfigured. -Name|Default Value ----|--- -PIN|`123456` -Admin PIN|`12345678` -PUK|`12345678` +Name | Default Value +----------|-------------- +PIN | `123456` +Admin PIN | `12345678` +PUK | `12345678` CCID-mode PINs can be up to 127 ASCII characters. They have to be at least 6 (PIN) or 8 (PUK) ASCII characters. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details. -First set your admin and user PINs: + +The Admin PIN is required for some card operations such as changing the PUK, Admin PIN, and setting owner information. The PUK is used to unblock a PIN that has been entered incorrectly more than three times. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details. + ```console gpg/card> admin From 1a83925dda435b0a726015b699fa69719c11703c Mon Sep 17 00:00:00 2001 From: Pedro H <5179251+pedrohdz@users.noreply.github.com> Date: Tue, 10 Aug 2021 14:11:54 +0200 Subject: [PATCH 2/2] Expanded on GPG PIN config --- README.md | 38 ++++++++++++++------------------------ 1 file changed, 14 insertions(+), 24 deletions(-) 
diff --git a/README.md b/README.md index f052132..bca7263 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,6 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d - [Export public keys](#export-public-keys) - [Configure Smartcard](#configure-smartcard) * [Change PIN](#change-pin) - * [Change PUK](#change-puk) * [Set information](#set-information) - [Transfer keys](#transfer-keys) * [Signing](#signing-1) 
@@ -1286,19 +1285,19 @@ Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) applica ## Change PIN -The GPG interface is separate from other modules on a Yubikey such as the PIV interface. The GPG interface has its own PIN, PUK, and Admin PIN. It is highly encourage that you change all available PINs on the GPG interface. Entering the user PIN incorrectly three times consecutively will cause the PIN to become blocked. Entering the Admin PIN incorrectly three times destroys all GPG data. The Yubikey will have to be reconfigured. +The [GPG interface](https://developers.yubico.com/PGP/) is separate from other modules on a Yubikey such as the [PIV interface](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html). The GPG interface has its own *PIN*, *Admin PIN*, and *Reset Code*. It is highly encourage that you change at least the *PIN* and *Admin PIN* on the GPG interface. -Name | Default Value -----------|-------------- -PIN | `123456` -Admin PIN | `12345678` -PUK | `12345678` +Entering the user *PIN* incorrectly three times consecutively will cause the PIN to become blocked and can be unblocked with either the *Admin PIN* or *Reset Code*. Entering the *Admin PIN* or *Reset Code* incorrectly three times consecutively destroys all GPG data. The Yubikey will have to be reconfigured. -CCID-mode PINs can be up to 127 ASCII characters. They have to be at least 6 (PIN) or 8 (PUK) ASCII characters. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details. +Name | Default Value | Usage +-----------|---------------|------------------------------------------------------------- +PIN | `123456` | descrypt, authenticate (SSH) +Admin PIN | `12345678` | reset *PIN*, change *Reset Code*, add keys and owner information +Reset code | _**None**_ | reset *PIN* ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055)) +PINs/codes can be up to 127 ASCII characters. 
They have to be at least 6 (*PIN*) or 8 (*Admin PIN*, *Reset Code*) ASCII characters. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details. -The Admin PIN is required for some card operations such as changing the PUK, Admin PIN, and setting owner information. The PUK is used to unblock a PIN that has been entered incorrectly more than three times. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details. - +To update the GPG PINs on the Yubikey: ```console gpg/card> admin @@ -1334,17 +1333,10 @@ Q - quit Your selection? q ``` -## Change PUK +The number of retry attempts can be changed with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries): -The PUK (Pin Unlock Key) can be used to reset the PIN if it is ever lost or becomes blocked after the maximum number of incorrect attempts (default 3). The default PUK is `12345678`. If the PUK is also entered incorrectly three times, the key is permanently irrecoverable. You can set your PUK to the same as your daily PIN, giving you a total of 6 attempts. - -```console -ykman piv change-puk - -Enter your current PUK: -Enter your new PUK: -Repeat for confirmation: -New PUK set. +```bash +ykman openpgp access set-retries 5 5 5 ``` ## Set information 
@@ -2707,11 +2699,9 @@ Admin PIN: 12345678 * https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO * https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ * https://blog.onefellow.com/post/180065697833/yubikey-forwarding-ssh-keys -* https://developers.yubico.com/PGP/Card_edit.html -* https://developers.yubico.com/PIV/Introduction/Admin_access.html -* https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html +* https://developers.yubico.com/PGP/ + * https://developers.yubico.com/PGP/Card_edit.html * https://developers.yubico.com/yubikey-personalization/ -* https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html * https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos * https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4 * https://github.com/herlo/ssh-gpg-smartcard-config
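Review bot: in the first patch's README hunk (`@@ -1286,17 +1286,19 @@`), the added paragraph has a typo, "It is highly encourage that you change" should read "It is highly encouraged that you change", and the sentence "See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for details." now appears twice within a few lines, once at the end of the CCID-mode line and again in the new Admin PIN paragraph; keep one. The table row `PUK | `12345678`` also carries PIV terminology into the GPG section: the OpenPGP applet's third credential is the Reset Code and, as the second patch's own table states, it has no default value, so the row and the "8 (PUK)" minimum mislead the reader about what they are changing.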
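Review bot: in the second patch's Change PIN hunk (`@@ -1286,19 +1285,19 @@`), the Usage column has a typo, "descrypt" should be "decrypt", and the PIN row omits signing even though the paragraph this patch series replaced named signing as the PIN's primary use; suggest `PIN | `123456` | sign, decrypt, authenticate (SSH)`. The phrase "It is highly encourage that you change" survives from the first patch and still needs "encouraged". The new claim that entering the *Reset Code* wrong three times "destroys all GPG data" is stronger than the text it replaces (which said that only of the Admin PIN) and has no citation; the `set-retries` command added later in this patch exposes a separate retry counter for the Reset Code, so please either cite where that behaviour is documented or word the sentence as the Reset Code becoming blocked. The Reset Code row links a forum.yubico.com thread rather than the developers.yubico.com PGP pages already cited in the same hunk; prefer the latter if it covers the point.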
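Review bot: in the hunk replacing the Change PUK section (`@@ -1334,17 +1333,10 @@`), `ykman openpgp access set-retries 5 5 5` gives three bare numbers without saying what each one is; the anchor of the linked page shows the positional order is PIN retries, Reset Code retries, Admin PIN retries, so state that in the sentence or show the form `ykman openpgp access set-retries <pin-retries> <reset-code-retries> <admin-pin-retries>` with `5 5 5` as an example. Since the table above says the user PIN blocks after three wrong entries and the Admin PIN lockout forces a reconfiguration, the page should also say that raising the counts above the default 3 gives someone holding the key more guesses before lockout, so 5 should read as an example rather than a recommendation. Dropping the `ykman piv change-puk` block is the right call: it addressed the PIV applet, not the GPG interface this section covers, which is exactly the confusion the first patch set out to fix.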
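Review bot: in the references hunk (`@@ -2707,11 +2699,9 @@`), removing the three PIV-specific links is consistent with deleting the PIV PUK section, but the URLs newly linked from the body in this patch, `https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html` and the forum.yubico.com thread, are not added here, and the nested bullet `  * https://developers.yubico.com/PGP/Card_edit.html` introduces a two-level list style that the rest of the references list does not use; either flatten it or apply the same nesting to the other developers.yubico.com entries.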