1
0
mirror of https://github.com/drduh/YubiKey-Guide.git synced 2024-11-25 16:58:38 +00:00

Stick with 6/8 digit PINs

This commit is contained in:
drduh 2024-03-17 11:53:37 -07:00
parent 38a6c057aa
commit ac8ff82085

View File

@ -59,7 +59,7 @@ To suggest an improvement, send a pull request or open an [issue](https://github
# Purchase YubiKey # Purchase YubiKey
[Current YubiKeys](https://www.yubico.com/store/compare/) except the FIDO-only Security Key Series and Bios Series YubiKeys are compatible with this guide. [Current YubiKeys](https://www.yubico.com/store/compare/) except the FIDO-only Security Key Series and Bio Series YubiKeys are compatible with this guide.
[Verify YubiKey](https://support.yubico.com/hc/en-us/articles/360013723419-How-to-Confirm-Your-Yubico-Device-is-Genuine) by visiting [yubico.com/genuine](https://www.yubico.com/genuine/). Select *Verify Device* to begin the process. Touch the YubiKey when prompted and allow the site to see the make and model of the device when prompted. This device attestation may help mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf). [Verify YubiKey](https://support.yubico.com/hc/en-us/articles/360013723419-How-to-Confirm-Your-Yubico-Device-is-Genuine) by visiting [yubico.com/genuine](https://www.yubico.com/genuine/). Select *Verify Device* to begin the process. Touch the YubiKey when prompted and allow the site to see the make and model of the device when prompted. This device attestation may help mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
@ -415,9 +415,9 @@ EXPIRATION=2026-05-01
Generate a passphrase, which will be used to issue the Certify key and Subkeys. Generate a passphrase, which will be used to issue the Certify key and Subkeys.
The passphrase is recommended to consist of only upper case letters and numbers for improved readability. A strong diceware passphrase can also provide equivalent protection. The passphrase is recommended to consist of only upper case letters and numbers for improved readability. [Diceware](https://secure.research.vt.edu/diceware) is another method for creating strong and memorable passphrases.
The following command will generate a strong 30-character passphrase while avoiding ambiguous characters: The following command will generate a strong passphrase while avoiding ambiguous characters:
```console ```console
PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
@ -801,32 +801,28 @@ This step must be completed before changing PINs or moving keys or an error will
## Change PIN ## Change PIN
The [PGP interface](https://developers.yubico.com/PGP/) is separate from other modules on YubiKey, such as the [PIV interface](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html) - the PGP interface has its own *PIN*, *Admin PIN*, and *Reset Code* which must be changed from default values. YubiKey's PGP interface has its own PINs separate from other modules such as [PIV](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html):
Name | Default Value | Capability Name | Default value | Capability
-----------|---------------|------------------------------------------------------------- -----------|---------------|-------------------------------------------------------------
PIN | `123456` | cryptographic operations (decrypt, sign, authenticate) User PIN | `123456` | cryptographic operations (decrypt, sign, authenticate)
Admin PIN | `12345678` | reset PIN, change Reset Code, add keys and owner information Admin PIN | `12345678` | reset PIN, change Reset Code, add keys and owner information
Reset Code | None | reset PIN ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055)) Reset Code | None | reset PIN ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055))
Entering the *PIN* incorrectly 3 times will cause the PIN to become blocked. It can be unblocked with either the *Admin PIN* or *Reset Code*. Entering the *PIN* incorrectly 3 times will cause the PIN to become blocked. It can be unblocked with either the *Admin PIN* or *Reset Code*.
**Warning** Entering the *Admin PIN* or *Reset Code* incorrectly 3 times destroys all GnuPG data on the card. **Warning** Entering the *Admin PIN* or *Reset Code* incorrectly 3 times will destroy data on YubiKey.
Determine the desired PIN values. Determine the desired PIN values. They can be shorter than the GnuPG identity passphrase due to limited brute-forcing opportunities. The User PIN should be convenient enough to remember for every-day use.
*PIN* values must be at least 6 characters. *Admin PIN* values must be at least 8 characters. A maximum of 127 ASCII characters are allowed. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for more information. *PIN* values must be at least 6 characters. *Admin PIN* values must be at least 8 characters. A maximum of 127 ASCII characters are allowed. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for more information.
Set PINs manually or generate them, for example a 15 digit code: Set PINs manually or generate them, for example a 6 digit User PIN and 8 digit Admin PIN:
```console ```console
ADMIN_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | \ ADMIN_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w8 | head -1)
fold -w 15 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1)
USER_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | \ USER_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w6 | head -1)
fold -w 15 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1)
echo "\nAdmin PIN: $ADMIN_PIN\nUser PIN: $USER_PIN" echo "\nAdmin PIN: $ADMIN_PIN\nUser PIN: $USER_PIN"
``` ```
@ -1128,8 +1124,7 @@ Use a [shell function](https://github.com/drduh/config/blob/master/zshrc) to mak
secret () { secret () {
output=~/"${1}".$(date +%s).enc output=~/"${1}".$(date +%s).enc
gpg --encrypt --armor --output ${output} \ gpg --encrypt --armor --output ${output} \
-r 0x0000 -r 0x0001 -r 0x0002 "${1}" && \ -r $KEYID "${1}" && echo "${1} -> ${output}"
echo "${1} -> ${output}"
} }
reveal () { reveal () {