
YKMAN over RDP, CCID works, FIDO + OTP error

Open wagner-robert opened this issue 3 years ago • 1 comments

  • YubiKey Manager (ykman) version: GUI 1.2.3
  • How was it installed?: Windows
  • Operating system and version: Windows 2012 Server
  • YubiKey model and version: V5 FIPS
  • Bug description summary: RDP is set up to expose local USB devices. Running ykman on the remote server I get:
      ykman list ... This runs fine
      ykman info ... This runs fine
      ykman otp info
      Error: No YubiKey found with the given interface(s)

Steps to reproduce

Set up a Windows 2012 server and RDP into it with Local Resources, Local devices and resources all enabled.

Expected result

It appears CCID is exposed, but not OTP or FIDO.

Any ideas on how to remotely access other USB interfaces?

wagner-robert, Aug 11 '21 12:08

This matches with our own findings as well: RDP seems to support forwarding CCID only. I'm not aware of any way to forward the other USB interfaces.

However, with YubiKey 5.4 and later (so this should work with the V5 FIPS) you can program the OTP application over CCID. You will need to explicitly tell ykman to use the CCID interface, which can be done by using the --reader option, for example:

> ykman list --readers
Microsoft IFD 0
NXP NXP's Proximity based PCSC Reader 0
Yubico YubiKey OTP+FIDO+CCID 1

> ykman --reader "YubiKey" otp info
Slot 1: programmed
Slot 2: empty

Note that while you can program the OTP application like this, you cannot access a challenge-response credential.

dainnilsson, Aug 16 '21 08:08