The YubiKey NEO is a great tool if you have to store your encryption credentials securely. The key can operate in several modes like OTP, CCID (smart card emulation), U2F (Universal Two-Factor), or any combination of these. The CCID mode offers an interesting feature called auto-eject where the YubiKey automatically ejects the emulated smart card after a specified timeout. According to their documentation, the key’s configuration tools ykneomgr and ykpersonalize can activate the feature like this:

  • $ ykpersonalize -m81:15:10 (Set mode to 81, challenge-response timeout 15 seconds, auto-eject timeout 10 seconds)
  • $ ykneomgr -d -M 81 (Set mode to 81)

However, it didn’t work for me. The key always ignored the timeout setting, no matter what. After much trial and error, I finally got it working by manually talking to the YubiKey through its smart card interface.

Changing modes through the CCID interface

For this method, the device has to be in CCID mode (or any combination with activated CCID). Here’s how to enable auto-eject after 10 seconds:

$ ykneomgr -M 1
# Re-plug the device
$ opensc-tool -s '00 a4 04 00 08 a0 00 00 05 27 20 01 01' \
  -s '00 01 11 00 04 81 0f 0a 00'
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
Sending: 00 A4 04 00 08 A0 00 00 05 27 20 01 01 
Received (SW1=0x90, SW2=0x00):
03 03 07 00 80 07 86 00 00 00 ..........
Sending: 00 01 11 00 04 81 0F 0A 00 
Received (SW1=0x90, SW2=0x00):
03 03 07 00 80 07 ......

Explanation

The first command activates the CCID interface by putting the key into CCID-only mode (1). Other modes should work as well. Don’t forget to re-plug the YubiKey afterwards.

The second command uses opensc-tool to first select an application on the card (the YubiKey configuration applet) and then issue the “change mode” command. opensc-tool is part of the OpenSC toolkit and communicates with the card through the protocol specified in ISO 7816-4, where a command APDU is answered with a response APDU.

Here’s a breakdown of the executed commands and their responses:

  • Request 00 a4 04 00 08 a0 00 00 05 27 20 01 01: Select applet with ID a0 00 00 05 27 20 01 01
    • 00: Class byte (CLA). 0x00 = Only send one command, no secure messaging.
    • a4: Instruction byte (INS). 0xa4 = Select a file or an applet
    • 04: Parameter 1 (P1) for the instruction. 0x04 = Select master file (MF), something like the main application of the card
    • 00: Parameter 2 (P2). 0x00 = Select the first or only matching file.
    • 08: Command data length. 8 bytes will follow.
    • a0 00 00 05 27 20 01 01: Command data. The application ID of the YubiKey main applet
  • Response 03 03 07 00 80 07 86 00 00 00 90 00: OK
    • 03 03 07: YubiKey version (major 3, minor 3, build 7)
    • 00: pgmSeq. Programming Sequence?
    • 80 07: Touch level. 0x8007 = 32775
    • 86: Current mode. 0x86 = OTP+CCID+U2F with eject flag
    • 00: Challenge-response timeout
    • 00: Auto-eject timeout
    • 00: Unknown
    • 90 00: OK
  • Request 00 01 11 00 04 81 0f 0a 00: Set YubiKey mode to 81 (CCID only with MODE_FLAG_EJECT), challenge-response timeout 15 seconds, auto-eject timeout 10 seconds
    • 00: Class byte (CLA). 0x00 = ??
    • 01: Instruction byte (INS). 0x01 = YubiKey API Request
    • 11: Parameter 1 (P1). 0x11 = Change YubiKey mode (?)
    • 00: Parameter 2 (P2). 0x00 = ?
    • 04: Command data length. 4 bytes will follow.
    • 81 0f 0a 00: Command data.
      • 81: Set YubiKey mode to 81
      • 0f: Set challenge-response timeout to 15 (= 0x0f) seconds
      • 0a: Set auto-eject timeout to 10 (= 0x0a) seconds
      • 00: ?
  • Response 03 03 07 00 80 07 90 00: OK
    • 03 03 07: YubiKey version, see above
    • 00: pgmSeq, see above
    • 80 07: Touch level, see above
    • 90 00: OK
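As an added example (my own code, not from the post or from Yubico's tools), here are the two APDUs above built in Python and the status bytes of the response decoded with the layout described in the breakdown. The mode names beyond 0x01, 0x81 and 0x86 are assumed from ykneomgr's mode numbering; everything else follows the bytes shown on this page.

```python
# Added example: build the SELECT and "set mode" APDUs and decode the status bytes.
# Assumption: MODE_NAMES follows ykneomgr's numbering (0=OTP ... 6=OTP+U2F+CCID,
# 0x80 = eject flag); the page itself only shows modes 0x01, 0x81 and 0x86.
YK_MGR_AID = bytes.fromhex("a000000527200101")   # applet AID from the page
MODE_FLAG_EJECT = 0x80
MODE_NAMES = {0: "OTP", 1: "CCID", 2: "OTP+CCID", 3: "U2F",
              4: "OTP+U2F", 5: "U2F+CCID", 6: "OTP+U2F+CCID"}


def select_apdu(aid: bytes) -> bytes:
    """SELECT by AID: CLA=00 INS=A4 P1=04 P2=00 Lc=len(aid) DATA=aid."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID must be 1..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


def set_mode_apdu(mode: int, cr_timeout: int, eject_timeout: int) -> bytes:
    """YubiKey set-mode request: CLA=00 INS=01 P1=11 P2=00 Lc=04 DATA=mode cr eject 00."""
    for v in (mode, cr_timeout, eject_timeout):
        if not 0 <= v <= 0xFF:
            raise ValueError("mode and timeouts are single bytes")
    return bytes([0x00, 0x01, 0x11, 0x00, 0x04, mode, cr_timeout, eject_timeout, 0x00])


def describe_mode(mode: int) -> str:
    """Split a mode byte into base mode plus eject flag, e.g. 0x81 -> 'CCID+EJECT'."""
    base = MODE_NAMES.get(mode & 0x7F, "UNKNOWN(0x%02x)" % (mode & 0x7F))
    return base + ("+EJECT" if mode & MODE_FLAG_EJECT else "")


def parse_response(resp: bytes) -> dict:
    """Decode a response APDU: status payload as laid out in the post, then SW1 SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    body, sw = resp[:-2], resp[-2:]
    info = {"sw": sw.hex(), "ok": sw == b"\x90\x00"}
    if len(body) >= 6:                      # version, pgmSeq, touch level
        info["version"] = (body[0], body[1], body[2])
        info["pgm_seq"] = body[3]
        info["touch_level"] = int.from_bytes(body[4:6], "big")
    if len(body) >= 9:                      # mode, CR timeout, auto-eject timeout
        info["mode"] = describe_mode(body[6])
        info["cr_timeout"] = body[7]
        info["eject_timeout"] = body[8]
    return info


if __name__ == "__main__":
    # Constructed from the opensc-tool output above: payload followed by SW 90 00.
    print(select_apdu(YK_MGR_AID).hex(), set_mode_apdu(0x81, 15, 10).hex())
    print(parse_response(bytes.fromhex("03030700800786000000" + "9000")))
```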

Afterwards you have to re-insert the YubiKey. From now on, after you plug the YubiKey into your PC, you will have to insert the virtual smart card by pressing the touch button first. The LED will light up, indicating that the card is ready for use. After an idle timeout of 10 seconds, the LED will go out, and the virtual smart card will be ejected.

Tips

  • The device doesn’t lose any settings or keys if you deactivate a mode. In my example I could reactivate U2F at any time and use it as before.
  • If you enable the auto-eject feature, remember that you have to press the touch button before you can use any of the above tools again. Otherwise the tools will complain about the missing card, e.g. error: ykneomgr_discover_match (-2): No device found.

Have fun!

Sources