Getting a Yubikey 4 working on Ubuntu 14.04 LTS and other older Linuxes (in PIV mode)
Suppose, not entirely hypothetically, that you have some brand new
Yubikeys that you're going to use in PIV mode for SSH keys.
Everything initially goes well in current Linux distributions like,
say, Fedora 24 (with a hiccup or two) and
Ubuntu 16.04, but then you plug one into an Ubuntu 14.04 machine
and all of a sudden nothing works. Not only does yubico-piv-tool
fail to be able to talk to the Yubikey to do things like let people
set their own PINs, but even basic SSH usage fails with 'ssh -I
...
' and 'ssh-keygen -D ...
' and so on. Nothing sees the Yubikey
as there at all.
Here is what's going on. All of these programs talk to the Yubikey
through the pcscd
daemon, which for USB
based devices like the Yubikey uses an underlying 'CCID' library to talk to the actual
devices. This CCID library only started supporting the Yubikey 4
in version 1.4.20 (per here), which
was released in August of 2015. This is too recent for it to be
included in older distributions like Ubuntu 14.04, which has 1.4.15
(in the libccid
package).
(This probably includes RHEL/CentOS 7, but RHEL might have updated
card support by hand without pulling in the new release as a whole.
The RHEL package is pcsc-lite-ccid
.)
One possible solution is to (re)build yourself an updated version
of the libccid
package; you can probably take the Ubuntu source
package from 16.04 and just drop it in. Fortunately there turns out
to be an easier way; you can just update a file to tell the CCID
library about the Yubikey 4's device IDs, after which things seem
to just work on Ubuntu 14.04. On Ubuntu, this file is found as
/etc/libccid_Info.plist
; on Fedora, it is
/usr/lib64/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
.
So the quick approach is to get a copy of this file from a more
up-to-date system and drop it onto your 14.04 machine in place
of the stock libccid
version of the file. Once you do this,
you probably also need to restart the pcscd
daemon.
(It's possible that supporting new cards sometimes needs code
changes, especially for a sufficiently old libccid
package.
However, I've verified that the git commits that introduced support
for the Yubikey 4 only update data files that are used to build the
.plist file; they contain no code changes. An example is this one.
You can also see the master file for this.
The two hex fields appear to be a vendor ID and then a product ID.)
We only care about PIV mode for SSH keys at the moment, so I haven't tested what else is required to get U2F or Yubikey OTP personalization working on Ubuntu 14.04 (or even 16.04, for that matter; I've only tried it on my own Fedora 24 desktop). U2F apparently might require some udev changes to get the Yubikey recognized properly.
(On the other hand, on Ubuntu 14.04 you need to install some Yubikey related packages from Yubico's PPA and that may install the necessary udev rules if you pull in the right packages.)
|
|