John Pierce

CISSP, SLAE, Security+

Setting up a Yubikey 4 in Debian Jessie

The packages that Yubico has provided are specific to various Ubuntu versions.  I wanted to install on my Debian Jessie i386, which is running in VirtualBox Version 5.0.26 r108824 on a Windows 7 64-bit host.  It's not difficult, but it did take some searching to get everything up and running and integrated with Iceweasel.

If you're running in a VM, you have to register the Yubikey as a USB device.  It's just like a thumb drive: insert the Yubikey, open the USB section of the machine description and select the "add" key.  Now you can boot up your machine.

You'll need to get a few packages.  Start at

https://packages.debian.org/unstable/main/yubikey-neo-manager

You'll see a list of dependencies.  Open a tab for libu2f-host0 and, from there, open another for libjson-c3.  For each of these 3 packages, choose your architecture at the bottom and download from a good mirror.  Once that's done, install them using gdebi, in this order:

sudo gdebi libjson-c3_0.12.1-1_i386.deb

sudo gdebi libu2f-host0_1.1.2-1_i386.deb

sudo gdebi yubikey-neo-manager_1.4.0-2_all.deb
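Because these three .deb files are downloaded by hand rather than through apt, it is worth comparing each one against the SHA256 checksum shown on its packages.debian.org download page before installing. The script below is an added example, not part of the original post: it checks every file in a manifest first and only then installs them in the listed order. The manifest file name and the `INSTALLER` dry-run variable are assumptions, and no checksums are given here.

```shell
#!/bin/sh
# Added example (not from the original post). The checksums in the manifest
# are supplied by you from each package's download page on
# packages.debian.org; none are given here.

# verify_deb FILE EXPECTED_SHA256: succeed only if FILE exists and matches.
verify_deb() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] || { echo "SHA256 mismatch: $1" >&2; return 1; }
}

# install_verified MANIFEST: MANIFEST lists "sha256  filename" per line, in
# install order (dependencies first). Every file is checked before anything
# is installed, so one bad download stops the whole run.
# INSTALLER is a hypothetical override used for dry runs (INSTALLER=echo).
install_verified() {
    # The manifest is read on fd 3 so gdebi's y/N prompt still gets the terminal.
    while read -r sum file <&3; do
        [ -n "$file" ] || continue
        verify_deb "$file" "$sum" || return 1
    done 3< "$1"
    while read -r sum file <&3; do
        [ -n "$file" ] || continue
        ${INSTALLER:-sudo gdebi} "$file" || return 1
    done 3< "$1"
}

# Usage, with manifest.sha256 holding the three packages from this post:
#   install_verified manifest.sha256
```

The manifest uses the same "checksum, then file name" layout that `sha256sum` prints, so it can be written by pasting each published checksum in front of the matching file name.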

Now you should be able to go to the Accessories section of your launcher and see the Yubikey NEO Manager there.  Run it, and it will prompt you to insert your key, at which point an offer to configure services pops up.  Select the modes you want and, when they are applied, you'll be prompted to pull your key.

Next you have to set up Iceweasel to handle U2F, which requires an add-on.  You can try searching in the add-ons tab under Preferences, but it probably won't work.  Instead, search DuckDuckGo for Firefox U2F and you'll see an add-on from Mozilla.  No idea why it's out of band, but it is.  Install it from there, then go to yubico.com/yubikey4 to test your device.  When I choose the U2F test, the site complains that my browser doesn't support U2F and I should get Chrome (sudo apt-get install chromium).  Go ahead and give the key a test, though, and it should work.  Chrome requires an add-on as well, but I found it using the Chrome Store directly.

Hope this helps.  I'm putting up a YouTube video as well, so if anything is unclear, maybe that will help.  Here's a link: https://youtu.be/aTMSC3l_0hI
