Security dongles Yubico Yubikey 4 (and 4C Nano): impossible to connect

Hi there
I bought 3 licenses to use on 3 computers and, after a lot of trial and error, I finally succeeded in setting up SSL, which I thought was an obvious necessity. (I wanted to create the certificates with the macOS integrated assistant, but couldn't adapt the method you describe on the site to its parameters. So it's detached from my root CA.)

Anyway, the problem is still that I can't use the application's capabilities with the security dongle Yubikey 4 (a Yubico product).

It serves to store certificates and their keys, and can be used continuously or sporadically depending on which. That's why I thought I'd use it: those keys have a limited capacity, and I wanted to use the same credentials, spread across several keys, on several computers... and to avoid copying the keys by having a single one of each shared amongst the client software.

Here is some technical information to identify the device:

Firmware: 4.3.7
vendor_id: 1050
product_id: 407

Hope you can have a solution.

Pierre.

#2

Hi Pierre, can you see the Yubikeys listed in the VirtualHere client on each machine? And are you running the VirtualHere server on each machine as well?

#3

Hi Michael,

Yes indeed, the Yubikeys do all appear in the listing. And I tried 2 situations, with a single server or with 2, and got the same problem whether the Yubikey was on the remote (still local network) server or on the computer itself. I have to say it's the macOS version, because I tested the Windows versions just now with one of the keys and on the PC itself: the Windows client can connect to the Windows server and take control of the key.

Thus, I also tried to connect from a Mac client, my 2016 laptop, but there I face another issue: it cannot install the driver from the GUI. So I tried from the command line, with sudo, and all I got was a kernel panic and a black screen with messages in several languages saying the whole computer crashed.
I had already removed com.apple.quarantine, so I don't know why it bugs that way, but I can tell you it has reset the Touch ID component: it forgot all my fingerprints!

#4

(sorry for double-post, as I couldn't edit...)

Summary of the situation so far:

macOS:

  • succeeded in setting up the basic SSL certificates (OpenSSL tutorial on your site), but not with those from Keychain; let's say that's another problem
  • it mentions it has to install VirtualHere client drivers but can't do it
  • Client app can't install drivers from the GUI when clicking on the Yubikey
  • Client app totally crashed the computer when trying to install the client drivers as root from the command line on a 2016 MBP (have not tried on the 2014 Mini)
  • BUT now the drivers DID install from the GUI for another device (HyperFIDO token) without needing a manual command-line call!
  • Client CAN now (5 minutes ago, after the drivers finally installed without a kernel panic) access the Yubikey from the PC or the Mac.

Windows:

  • Can't make it work with the .pem files I made with OpenSSL following your tutorial
    • added the ca.crt file to the third-party certification catalog of Windows
    • In the system messages of the client app it says
      • "SSL Server verification (passed in) error (20: unable to get local issuer certificate"
      • "SSL_connect error 1 (-1) when connecting to DESKTOP-.....local:7574 (null)" (in the client log)
    • In the system messages of the server app it says
      • "Using SSLCAFile D:\...\ca.pem"
      • "Error in SSL_accept, error 14094418:SSL routine:ssl3_read_bytes:tlsv1 alert unknown ca"
  • Listing of the devices is fine and all that should appear does, without SSL
  • Sharing the Yubikey with the server app works without SSL
  • Taking control of the Yubikey from the client app also works when no SSL certs are set up
---------------------------

I hope I won't have that kernel panic problem on the other macs...

Thus now, I *just* need to make it work with the Windows client in SSL mode, where it actually doesn't trust my CA (although I installed it in several folders of the user certificates).

#5

Update to my previous posts :

1. I realised there were updates to the Windows apps, and just downloaded them... and now the client and server on Windows are able to communicate safely with the .pem files I had prepared.
2. The Yubikey on the PC can be "accessed" by VirtualHere on the Mac laptop, but not all Yubico applications recognize the key; actually at first I only found one configuration program that detects it, sometimes.
3. A few reboots of the Mac later, the Yubico apps (Yubikey PIV Manager, Yubikey Manager, Yubikey Personalization Tool for the GUIs) seem to work with either a local or a remote key, but only a single one must be connected, whether physically or by software (that's quite normal).
4. For the command-line tools it seems more complex, as they don't all rely on the same libraries, even when they're made by Yubico. The CLIs that work on my laptop (at least to extract basic info like serial and card name) are ykinfo (with sudo), ykpersonalize (with sudo), yubico-piv-tool, piv-tool and opensc-tool.
5. The GPG CLI seemed to access something, but that content is *not* correct... it shows an almost empty OpenPGP card without keys, whereas it correctly displays the data on the PC itself. I think it must have something to do with scdaemon; perhaps a reload script when the card gets "inserted" to refresh the connections?? Haven't tried yet.

PS: This has nothing to do with the dongle problem in particular, but is there a way in the client app to hide duplicates of devices one is connected to? Ignoring only allows ignoring a whole vendor/product range, not a particular item when it can read its serial number.

#6

Thanks for all the info. What version of OS X is your 2016 MacBook running? Regarding ignoring certain devices, at the moment no, they can only be qualified by vendor ID/product ID, not by serial number.

#8

OK, I think for 10.13.3 it might not yet be compatible with 3rd-party Yubico libraries instead of the standard libraries.

#9

Oh OK, well it's been a while since those have been updated; I doubt there will be an evolution of all libraries. I'll check what is usable in the state it actually is (I modified the OpenSC.conf file to adapt it to the Yubikey 4; I had found an example configuration file, but I did so much research I can't tell which one it is from my browser history).
One way to allow both OpenPGP and PIV is by declaring the shared usage both for scdaemon (which is used by gpg) and in OpenSC for PIV (which can do both OpenPGP and PIV, but there is already an access to the card by gpg itself, if I understand the mechanisms well).

Usage by multiple applications at the same time remains an issue, but the standard is not really made that way, I think. Also one must check whether, after authorizing one app, other apps get access without a consent request; that would be a security issue. (OpenSC allows one to "leave" or "reset" the dongle after a transaction, and the Yubikey allows different PIN and touch policies depending on the slot used.)

I hope those remarks may put someone wondering on the right track to configure it.

Have a nice day.

#10

Hi again Michael,

Sorry to come back with that issue; I updated my apps on 2 computers today and I can't seem to get any Yubikey working with Yubico Authenticator, which I wanted to start using remotely (it is used to generate OTP codes from credentials stored on one key. It can be in CCID mode or "Slot" mode; I'm using CCID because it allows many credentials to be stored on the key).

Yubikey Personalization Tool detects the key; I don't know if it can actually write to it (I'm not supposed to change the keys' configuration).
Yubikey PIV Manager detects the key too. Same remark: I don't know if there is write access.

It would be wonderful if you could find a moment to look at why that app might not detect the remote Yubikey.
There is no error message, simply "No device" in the "About" window.

This is with a Windows 10 computer as server, accessed by a Mac client with 10.13.4 (VH app versions: 4.5.1 client / 3.6.2 server).
I have OpenSC 0.17.0 installed too, tell me if you need its config file.

Yubico Authenticator app source is at https://github.com/Yubico/yubioath-desktop if you're okay to have a look.

If from the source you find clues, I can get the source too and debug if it helps, or if you don't have such a hardware token (as I suppose you can't have all possible devices to test it all). I'm closer to a "power user" than a noob, so I think I can use the IDE and inspect if I'm told what to search for.
Or is using EasyFind a way for you to try it on my device?

Otherwise I'll start thinking I'll have very little use for your application, as sharing those keys is the main reason :-/

Thank you for your help, and sorry for my mistakes in English.
Pierre-Philippe

#11

I may add that I have these messages in the log after initialization:

LOG_ERR Error (0x38, 0x0000, 0x02be) finding plugin interface for usb device
LOG_ERR Failed to load descriptors

and when accessing the Yubikey of the Mac server with the Windows client I have the following in the Mac server's log:

LOG_ERR captureDeviceNow: USBDeviceOpen error kIOReturnExclusiveAccess (exclusive access) at IOService:/IOResources/com_virtualhere_root@1com_virtualhrtr_vhhcd/Yubikey 4 OTP+U2F+CCID@1100000
LOG_ERR releaseOSXDevice : Release 0x00000001 (system=0x00 sub=0x0000 code=0x0001) at IOService:/IOResources/com_virtualhere_root@1/com_virtualhere_vhccd/Yubikey 4 OTP+U2F+CCID@1100000
LOG_ERR captureDeviceNow: IOObjectRelease 0x0000000f (system=0x00 sub=0x0000 code=0x0001) at IOService:/IOResources/com_virtualhere_root@1com_virtualhrtr_vhhcd/Yubikey 4 OTP+U2F+CCID@1100000
LOG_ERR Error binding device 17825792 [1050:0407] to connection 2, BIND_ERROR
LOG_INFO Unmanaging device 17825792 [1050:0407]
LOG_INFO Found Full speed device [1050:0407] "Yubico, Yubikey 4 OTP+U2F+CCID" at address 17825792
LOG_INFO Unmanaging device 17825792 [1050:0407]
LOG_INFO Found Full speed device [1050:0407] "Yubico, Yubikey 4 OTP+U2F+CCID" at address 17825792
LOG_INFO Unmanaging device 17825792 [1050:0407]
LOG_INFO Found Full speed device [1050:0407] "Yubico, Yubikey 4 OTP+U2F+CCID" at address 17825792
LOG_INFO Unmanaging device 17825792 [1050:0407]
LOG_INFO Found Full speed device [1050:0407] "Yubico, Yubikey 4 OTP+U2F+CCID" at address 17825792

#12

Hi Pierre, I didn't know you were still having issues. I'm happy to give you a refund. If it's causing this much trouble I don't think it's going to work.

#13

Oh, but, well, I'm sorry if I sounded aggressive or something; I didn't intend to ask you for a refund, just a sort of solution/debugging, maybe a patch if you find it can be useful for others too. Were my messages too overwhelming and full of information?

I know there is another USB sharing software, but I can't really pay more than 200€ for sharing a single USB port, so your software seemed a perfect solution, budget-wise.
I just have to sort out this issue, and there is room to work on the exclusive access it mentioned in the error, through OpenSC settings/gpg scdaemon settings, so I'm not totally desperate either. I think there might be a solution, maybe for me to customise the Yubico Authenticator app, because it's the one at fault.

Would you accept to spend a little time with me on this ?

#14

Actually, do you want to try this on a Linux server? It's looking like the OS X server doesn't want to give control of the device over to VirtualHere. Linux is much better as a USB server. VirtualHere CloudHub can go on a cheap pocket router, see https://www.virtualhere.com/hardware . You can just flash the CloudHub image, join the device to your network and use that as a dedicated USB server.

VirtualHere EasyFind is useful to access your keys over the internet remotely, but first it's best to get it all running locally on your LAN before trying EasyFind. I can give you a license key for the CloudHub server.

#15

Is it almost the same to configure SSL and the services on that device? Because I had so much trouble finding where the config file was when the server was launched as a daemon :-/
I also tried AutoAttachToKernel, with 0 and 1 values.
I have Qt downloaded; do you want me to debug?

Actually, my real 24h online server is a Mac, and I can run virtual machines on it, but my services depend on macOS Server too, so I must keep it as the principal OS.

So you advise me to use a dedicated device for USB sharing, and thus a single license instead of 3? Is it the same price?

#16

Shouldn't I try with a regular Linux server first, to know if there is a chance a hardware server will do the trick?

#17

Sure, if you have a regular Linux server available, it's worth testing on that.

Note: the VirtualHere server may not work well if you are running the VirtualHere USB server for Linux inside a Linux VM on your Mac or Windows machine, so that's why I recommend a separate real machine to run the server.

VMware or VirtualBox sometimes don't pass through the USB device correctly themselves, so when VirtualHere gets it inside the VM it's not reliable. E.g. it can disconnect itself for no reason.

#18

I sadly don't currently have a regular Linux server. So I'm trying with Linux in a VM...

Again, it's detected by Personalization Tool and PIV Manager, but Authenticator can't detect it.
The Windows client can detect the Yubikey connected to the VM on the Mac server AND it can read the credentials without problem.
That makes me think the problem lies at the level of the Mac client VH interface with the Yubikey libraries for that app, rather than on the server side, although I also had an issue with the Mac server keeping exclusive access (I guess to the PC/SC service, which is used by gpg, OpenSC and Keychain).

I ordered a Raspberry Pi 3 (I think, or rather hope, it's not a B+, as I read too late that it's not compatible), but now I'm thinking it might have been a little early, without knowing whether the Mac client would have an issue with a non-Mac server.

Can you help me with the Mac client? I'll buy the Raspberry license when I have it.

I'm aware it represents an extra burden of work for you, but I'm convinced it could be useful for others, and a marketing argument that the Mac version got more compatible.

#19

Unfortunately there is nothing I can do with the Mac client. Apple has pulled support for 3rd-party host controller drivers, but has recently put back in partial support. Until they officially support 3rd-party host controller drivers again, it is "as is". There are no actual libraries I can compile against in OS X 10.12 onward until Apple officially adds support back in for USB controllers. Most dongles work OK with the OS X client, and support from Apple is getting better in 10.13, but for those that don't work there is nothing that can be done.

#20

Alright, I understand... perhaps they have their reasons for that, but I'll go on their support community and ask about it. The minimum I can do is show there is someone interested in having that feature back.

I have received my Raspberry Pi 3 B and installed it with Raspbian; if your offer of a CloudHub server license still stands, I can give it a try :)

#21

Sure, just right-click USB Hubs -> License.. -> Copy to clipboard and paste it into an email to mail [at] virtualhere.com