Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -4,7 +4,7 @@ Keys stored on YubiKey are [non-exportable](https://support.yubico.com/support/s **New!** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey. -**Security Note**: If you followed this guide before Jan 2021, your PUK (Pin Unblock Key) may be set to its default value of `12345678`. An attacker can use this to reset your PIN and use your Yubikey. Please see the [Change PUK](#change-puk) section for details on how to change your PUK. +> **Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs. If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub. @@ -463,7 +463,7 @@ ydOmByxmDe63u7gqx2XI9eDgpvJwibNH Use upper case letters for improved readability if they are written down: ```console -$ tr -dc '[:upper:]' < /dev/urandom | fold -w 20 | head -n1 +$ LC_ALL=C tr -dc '[:upper:]' < /dev/urandom | fold -w 20 | head -n1 BSSYMUGGTJQVWZZWOPJG ``` 
@@ -1294,7 +1294,7 @@ General key info..: [none] Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this is not the similarly named older YubiKey NEO Manager) to enable CCID functionality. ## Enable KDF -Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. +Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. Note that this requires a relatively new version of GnuPG to work, and may not be compatible with other GPG clients (notably mobile clients). These incompatible clients will be unable to use the YubiKey GPG functions as the PIN will always be rejected. If you are not sure you will only be using your YubiKey on supported platforms, it may be better to skip this step. ```console gpg/card> admin @@ -1813,7 +1813,7 @@ Enter passphrase for /dev/mmcblk0p1: $ sudo mount /dev/mapper/secret /mnt/encrypted-storage ``` -Import the master key and configuration to a temporary working directory: +Import the master key and configuration to a temporary working directory. Note that Windows users should import mastersub.gpg: ```console $ export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) 
@@ -2172,7 +2172,7 @@ For example, `tmux` does not have some environment variables like `$SSH_AUTH_SOC In the above steps, you have successfully configured a local ssh-agent. -You should now be able use `ssh -A remote` on the _local_ machine to log into _remote_, and should then be able to use YubiKey as if it were connected to the remote machine. For example, using e.g. `ssh-add -l` on that remote machine should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.) +You should now be able to use `ssh -A remote` on the _local_ machine to log into _remote_, and should then be able to use YubiKey as if it were connected to the remote machine. For example, using e.g. `ssh-add -l` on that remote machine should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.) ### Use S.gpg-agent.ssh 
@@ -2743,7 +2743,7 @@ Before you unmount your backup, ask yourself if you should make another one just ``` you need to adjust the trust associated with the key. See the above bullet. -- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key` or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. +- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. - Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance. |
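Review bot: In the `@@ -4,7` hunk the rewritten Security Note drops the old `#change-puk` anchor in favour of `#change-pin`; confirm that a `Change PIN` heading actually exists in README.md so the in-page link does not dead-end, and consider keeping a one-line pointer for readers who arrive via the old anchor. The correction itself is right: on the OpenPGP applet the relevant defaults are the user PIN (`123456`) and Admin PIN (`12345678`), and an attacker with the default Admin PIN can reset the user PIN, so the note is now accurate.

Review bot: The `@@ -463,7` hunk adds `LC_ALL=C` to the `tr -dc '[:upper:]'` pipeline without saying why; a short sentence that in a UTF-8 locale `tr` may reject or mishandle non-ASCII bytes from `/dev/urandom` (and that the C locale makes `[:upper:]` mean exactly `A-Z`) would help readers who copy the command into other scripts. A quick check is to run the line in a UTF-8 locale with and without the prefix and compare the output.

Review bot: In the `@@ -1294,7` hunk the added KDF caveat is a single run-on paragraph and "relatively new version of GnuPG" is vague; name the minimum version the guide has been tested with (or link to the GnuPG release notes) and split the compatibility warning into its own sentence. The closing sentence "If you are not sure you will only be using your YubiKey on supported platforms" is a double negative; "If you may use your YubiKey with clients that lack KDF support, skip this step" reads more clearly. While here, "Key Derived Function" in both the `-` and `+` line should be "Key Derivation Function".

Review bot: The `@@ -1813,7` hunk says "Windows users should import mastersub.gpg" but gives no reason and does not say what non-Windows users import; since the following `export GNUPGHOME=...` block is shared by both, state which file each platform imports and why the combined `mastersub.gpg` export is needed on Windows, and cross-reference the section where that file was created.

Review bot: The `@@ -2172,7` hunk is a clean typo fix ("able use" to "able to use"); one wording nit in the unchanged parenthetical: `ForwardAgent yes` is scoped by a `Host` block in `~/.ssh/config`, not by the `Hostname` directive, so "for a single `Host` entry" would be more precise.

Review bot: In the `@@ -2743,7` hunk the new `signing failed: Unusable secret key` message fits the list, but the sentence still lacks a comma after the last backticked error ("...`Unusable public key`, the sub-key may be expired") and "encrypt nor sign" should read "encrypt or sign". It may also be worth noting that `gpg --card-status` or `gpg -K` shows the subkey expiry so the reader can confirm this cause before renewing the subkey.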