Miscellaneous topics

Resetting a YubiKey with yubico-piv-tool

The pbyk reset-yubikey feature performs the equivalent of the following yubico-piv-tool commands: it blocks the PIN and PUK (locking the card) and then resets the YubiKey.

  yubico-piv-tool -a verify-pin -P 32165498
  yubico-piv-tool -a verify-pin -P 32165498
  yubico-piv-tool -a verify-pin -P 32165498
  yubico-piv-tool -a change-puk -P 12345679 -N 32165498
  yubico-piv-tool -a change-puk -P 12345679 -N 32165498
  yubico-piv-tool -a change-puk -P 12345679 -N 32165498
  yubico-piv-tool -a reset
  yubico-piv-tool -a set-chuid
  yubico-piv-tool -a set-ccc
  yubico-piv-tool -a set-mgm-key -n 020203040506070801020304050607080102030405060708
  yubico-piv-tool -a change-puk -P 12345678 -N 12345678
  yubico-piv-tool -a change-pin -P 123456 -N 77777777

The reset_yubikey function is intended to perform the equivalent steps.

The caller is assumed to have enforced PIN and PUK requirements. If either the PIN or PUK fails to satisfy requirements (as described here), then the attempt to set the PIN or PUK will fail.
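As an added illustration (not pbyk's reset_yubikey and not the yubikey crate's API), the same sequence written against an abstract PIV device with an in-memory stand-in, so the ordering constraint is explicit: the reset is refused until both retry counters are exhausted, and the PUK and PIN changes afterwards rely on the factory defaults the reset restores. The trait, error type, retry count of three and mock device are assumptions of this example; the set-chuid and set-ccc steps are omitted.

```rust
// Added example with an assumed PivDevice trait; not pbyk's own code.
#[derive(Debug, PartialEq)]
pub enum PivError { WrongPin(u8), PinBlocked, WrongPuk(u8), PukBlocked, NotBlocked, Unexpected }
pub trait PivDevice {
    fn verify_pin(&mut self, pin: &[u8]) -> Result<(), PivError>;
    fn change_puk(&mut self, old: &[u8], new: &[u8]) -> Result<(), PivError>;
    fn change_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), PivError>;
    fn reset(&mut self) -> Result<(), PivError>;
    fn set_mgm_key(&mut self, key: [u8; 24]) -> Result<(), PivError>;
}
pub const DEFAULT_PIN: &[u8] = b"123456";
pub const DEFAULT_PUK: &[u8] = b"12345678";

/// Block PIN and PUK with deliberately wrong values, reset the PIV applet, then install the caller's key, PUK and PIN.
pub fn reset_yubikey<D: PivDevice>(d: &mut D, mgm: [u8; 24], puk: &[u8], pin: &[u8]) -> Result<(), PivError> {
    // Exhaust PIN retries; anything other than "wrong" followed by "blocked" aborts.
    let mut r = d.verify_pin(b"32165498");
    while let Err(PivError::WrongPin(_)) = r { r = d.verify_pin(b"32165498"); }
    if r != Err(PivError::PinBlocked) { return Err(PivError::Unexpected); }
    // Exhaust PUK retries the same way (a wrong PUK given to change-puk counts).
    let mut r = d.change_puk(b"12345679", b"32165498");
    while let Err(PivError::WrongPuk(_)) = r { r = d.change_puk(b"12345679", b"32165498"); }
    if r != Err(PivError::PukBlocked) { return Err(PivError::Unexpected); }
    d.reset()?;                       // refused by the device unless both are blocked
    d.set_mgm_key(mgm)?;              // replace the factory management key
    d.change_puk(DEFAULT_PUK, puk)?;  // reset restored the factory PUK
    d.change_pin(DEFAULT_PIN, pin)    // reset restored the factory PIN
}

/// Shared retry-counter rule (assumed): a wrong secret decrements, zero means blocked.
fn attempt(tries: &mut u8, ok: bool, wrong: fn(u8) -> PivError, blocked: PivError) -> Result<(), PivError> {
    if *tries == 0 { return Err(blocked); }
    if ok { *tries = 3; return Ok(()); }
    *tries -= 1;
    if *tries == 0 { Err(blocked) } else { Err(wrong(*tries)) }
}

/// In-memory stand-in for a YubiKey, constructed for this example only.
pub struct MockPiv { pub pin: Vec<u8>, pub puk: Vec<u8>, pub mgm: [u8; 24], pub pin_tries: u8, pub puk_tries: u8 }
impl MockPiv {
    pub fn factory() -> Self { MockPiv { pin: DEFAULT_PIN.to_vec(), puk: DEFAULT_PUK.to_vec(), mgm: [1; 24], pin_tries: 3, puk_tries: 3 } }
}
impl PivDevice for MockPiv {
    fn verify_pin(&mut self, pin: &[u8]) -> Result<(), PivError> { attempt(&mut self.pin_tries, pin == &self.pin[..], PivError::WrongPin, PivError::PinBlocked) }
    fn change_puk(&mut self, old: &[u8], new: &[u8]) -> Result<(), PivError> {
        attempt(&mut self.puk_tries, old == &self.puk[..], PivError::WrongPuk, PivError::PukBlocked)?;
        self.puk = new.to_vec(); Ok(())
    }
    fn change_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), PivError> { self.verify_pin(old)?; self.pin = new.to_vec(); Ok(()) }
    fn reset(&mut self) -> Result<(), PivError> {
        if self.pin_tries != 0 || self.puk_tries != 0 { return Err(PivError::NotBlocked); }
        *self = MockPiv::factory(); Ok(())
    }
    fn set_mgm_key(&mut self, key: [u8; 24]) -> Result<(), PivError> { self.mgm = key; Ok(()) }
}
```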

Managing virtual smart cards with tpmvscmgr

Windows provides the tpmvscmgr utility to create and destroy virtual smart cards. The commands below will destroy the first virtual smart card on a system, then create a new one using the default PIN value and a random administrator key. The "/attestation AIK_AND_CERT" portion of this command is required when creating VSCs for use with Purebred where attestations are to be used. Where attestations are not available, pbyk will attempt to perform enrollment without attestations. Use of a non-default PIN value is recommended.

TpmVscMgr destroy /instance root\smartcardreader\0000
TpmVscMgr create /name MyVSC /pin default /adminkey random /generate /attestation AIK_AND_CERT

Sample logging configuration

The pbyk utility uses the log4rs crate for logging support. YAML is used to define a logging configuration. See https://docs.rs/log4rs/latest/log4rs/ for a description of the YAML format. The snippet below provides a sample that outputs pbyk and pbyklib information at the debug level. Several dependencies are listed and configured at the error level. The volume of logging information can be controlled by adjusting the level for the various components used by pbyk.

refresh_rate: 30 seconds
appenders:
  stdout:
    kind: console
    encoder:
      pattern: "{d} {l} {t} - {m}{n}"
  pbyk:
    kind: rolling_file
    path: "./pbyk.log"
    encoder:
      pattern: "{d} {l} {t} - {m}{n}"
    # The policy which handles rotation of the log file. Required.
    policy:
      # Identifies which policy is to be used. If no kind is specified, it will
      # default to "compound".
      kind: compound

      # The remainder of the configuration is passed along to the policy's
      # deserializer, and will vary based on the kind of policy.
      trigger:
        kind: size
        limit: 100 mb

      roller:
        kind: delete
root:
  appenders:
    - pbyk
    - stdout
loggers:
  # turn dependencies on at desired level to see additional log output
  reqwest:
    level: error
  rustls:
    level: error
  certval:
    level: error
  yubikey:
    level: error
  pbyklib:
    level: debug
  pbyk:
    level: debug

Source code

The pbyk utility is written in the Rust programming language. The source code for the application is available here.

Additional resources

Additional information on the Purebred process can be found on the DoD Cyber Exchange site. Contact information for various support resources can be found here.