From a8fa21279dfc8dc5d2d75a051f5514c5a8187b2c Mon Sep 17 00:00:00 2001 From: w4tsn Date: Sat, 11 Mar 2023 10:03:12 +0100 Subject: [PATCH 1/2] pages/yubikey: add a warning about resetting slot1 --- modules/ROOT/pages/using-yubikeys.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/ROOT/pages/using-yubikeys.adoc b/modules/ROOT/pages/using-yubikeys.adoc index 066c339..322f9e4 100644 --- a/modules/ROOT/pages/using-yubikeys.adoc +++ b/modules/ROOT/pages/using-yubikeys.adoc @@ -214,6 +214,11 @@ This writes a static key to the YubiKey based on the 32-byte AES key specified w === Writing a new AES key to the first slot of the key +[CAUTION] +==== +Slot 1 is special as it contains a factory credential already uploaded to YubiCloud. Deleting and recreating a Yubico OTP secret and uploading it to YubiCloud yourself will put a special mark on it which has consequences: service providers might not trust such a key and Yubico might delete those secrets at anytime for practically any reason. +==== + If we want to write a new configuration to the first slot of the key, we need to specify some more options. If you want to be able to upload you key to Yubico, in order to authenticate against their servers, remember what the values are that you use below. You will need them later on. [source, bash] From e81caf8a5e1ffd4610d884a9d7e078286458991a Mon Sep 17 00:00:00 2001 From: w4tsn Date: Sat, 11 Mar 2023 10:03:52 +0100 Subject: [PATCH 2/2] pages/yubikey: change yubicloud upload heading lvl This heading belongs to the topic of writing a new AES key to Slot 1. --- modules/ROOT/pages/using-yubikeys.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/using-yubikeys.adoc b/modules/ROOT/pages/using-yubikeys.adoc index 322f9e4..1bb06fa 100644 --- a/modules/ROOT/pages/using-yubikeys.adoc +++ b/modules/ROOT/pages/using-yubikeys.adoc 
@@ -253,7 +253,7 @@ After pressing 'y', I am able to generate OTPs with my new key! When plugged in, the operating system treats the YubiKey as a USB keyboard. USB keyboards send scancodes to the operating system, which the operating system then interprets as keystrokes. The YubiKey has to make sure no ambiguity arises: there are many different kinds of keyboard layouts and the scancodes have to be interpreted as the same character on machines using every random keyboard layout out there. To fix this, the people of Yubico have created 'modhex', which is a modified representation of hexadecimal characters that uses only 'safe' characters. 'Safe' characters are basically characters which have the same scancode on all keyboard layouts. -=== Uploading the generated AES key to Yubico +==== Uploading the generated AES key to Yubico If you want to customize your YubiKey's AES key but still want to use it to authenticate through Yubico's servers, you can upload the key through https://upgrade.yubico.com/getapikey/. You will need to enter your email address and YubiKey's OTP.
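Review bot: the new CAUTION block in the slot 1 hunk (patch 1/2) asserts that a re-uploaded secret gets "a special mark" and that "Yubico might delete those secrets at anytime for practically any reason" without pointing to where Yubico states this; a reader about to overwrite the factory credential needs a verifiable source, so add a link to the relevant Yubico documentation for the upload service or soften the wording to what can actually be cited. The block also warns about the consequences of re-uploading but says nothing about the reversibility of the step itself: consider stating whether the factory credential in slot 1 can be restored once a new AES key is written over it, since that is exactly the action the paragraph following the caution tells the reader to perform. Minor: "at anytime" should be "at any time", and the unchanged context line right below ("upload you key to Yubico") has "you" for "your" and could be fixed while this region is being touched.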
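Review bot: demoting "Uploading the generated AES key to Yubico" from "===" to "====" (patch 2/2) makes it a child of whichever "===" heading precedes it, and the hunk context only shows the modhex paragraph above it; verify that no other "===" heading sits between the slot 1 section at line 214 and this heading at line 253, otherwise the upload text ends up under the wrong parent. Since the upload step is where the consequences described in the slot 1 CAUTION actually materialize, a short cross-reference from this subsection back to that caution, or a repeat of its one-line warning here, would keep the two together for readers who jump straight to the upload subsection. Terminology: the heading says "to Yubico" while the new caution says "YubiCloud"; pick one and use it in both places. Also worth double-checking in the unchanged context line: the URL https://upgrade.yubico.com/getapikey/ has "getapikey" in its path, which reads like the API-key request page rather than an AES key upload page; confirm it is the intended destination before the heading change draws more attention to it.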