
yubikey 5c ykman openpgp commands fail

Open KlavsKlavsen opened this issue 2 years ago • 7 comments

  • YubiKey Manager (ykman) version: 4.0.0~a1-4 and 4.0.8
  • How was it installed?: 4.0.0 with apt install on ubuntu 21.10 and then I tried pip install -U yubikey-manager
  • Operating system and version: Ubuntu 21.10
  • YubiKey model and version: 5C nano firmware 5.1.2
  • Bug description summary: When I run any ykman openpgp command I get this:
$ ykman openpgp info
Error: No YubiKey found with the given interface(s)
$ ykman openpgp keys set-touch aut on
Error: No YubiKey found with the given interface(s)
$ ykman info
Device type: YubiKey 5C Nano
Serial number: 10124802
Firmware version: 5.1.2
Form factor: Nano (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
FIDO2           Enabled      
OTP             Enabled      
FIDO U2F        Enabled      
OATH            Enabled      
YubiHSM Auth    Not available
OpenPGP         Enabled      
PIV             Enabled

Steps to reproduce

I set up my 5C and moved keytocard using gpg - and key works fine - but I cannot enable touch which is a huge security problem :(

KlavsKlavsen avatar Apr 04 '22 08:04 KlavsKlavsen

Can you (with the YubiKey inserted) run ykman --diagnose and paste the output here?

dainnilsson avatar Apr 04 '22 08:04 dainnilsson

$ ykman --diagnose
ykman: 4.0.8
Python: 3.9.7 (default, Sep 10 2021, 14:59:43) 
[GCC 11.2.0]
Platform: linux
Arch: x86_64
Running as admin: False

Detected PC/SC readers:

Detected YubiKeys over PC/SC:

Detected YubiKeys over HID OTP:

Detected YubiKeys over HID FIDO:
        CtapYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw1')
CTAP device version: 5.1.2
CTAPHID protocol version: 2
Capabilities: 5
        RawInfo: 230102023f0302023f0204009a7e0204010405030501020602000007010f0801000a0100
        DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=10124802, version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_C_NANO: 4>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>}, is_locked=False, is_fips=False, is_sky=False)
        Device name: YubiKey 5C Nano
        Ctap2Info: {<VERSIONS: 0x01>: ['U2F_V2', 'FIDO_2_0'], <EXTENSIONS: 0x02>: ['hmac-secret'], <AAGUID: 0x03>: b"\xcbiH\x1e\x8f\xf7@9\x93\xec\n')\xa1T\xa8", <OPTIONS: 0x04>: {'rk': True, 'up': True, 'plat': False, 'clientPin': False}, <MAX_MSG_SIZE: 0x05>: 1200, <PIN_UV_PROTOCOLS: 0x06>: [1]}
PIN: Not configured

End of diagnostics

KlavsKlavsen avatar Apr 04 '22 08:04 KlavsKlavsen

Same issue. Used gpg --card-edit and that is working, but cannot set anything with ykman openpgp -> Error: No YubiKey found with the given interface(s)

info:

Device type: YubiKey 5 NFC
Serial number: XXX
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications	USB    	NFC     
FIDO2       	Enabled	Disabled	
OTP         	Enabled	Disabled	
FIDO U2F    	Enabled	Disabled	
OATH        	Enabled	Disabled	
YubiHSM Auth	Enabled	Disabled	
OpenPGP     	Enabled	Disabled	
PIV         	Enabled	Disabled

Diagnostic:

ykman: 4.0.8
Python: 3.8.10 (default, Mar 15 2022, 12:22:08) 
[GCC 9.4.0]
Platform: linux
Arch: x86_64
Running as admin: False

Detected PC/SC readers:

Detected YubiKeys over PC/SC:

Detected YubiKeys over HID OTP:
	OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw0')
	RawInfo: XXX
	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.4: 4>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=XXX, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
	Device name: YubiKey 5 NFC
	OTP: ConfigState(configured: (True, True), touch_triggered: (True, True), led_inverted: False)


Detected YubiKeys over HID FIDO:
	CtapYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw1')
CTAP device version: 5.4.3
CTAPHID protocol version: 2
Capabilities: 5
	RawInfo: XXX
	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.4: 4>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=XXX, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
	Device name: YubiKey 5 NFC
	Ctap2Info: {<VERSIONS: 0x01>: ['U2F_V2', 'FIDO_2_0', 'FIDO_2_1_PRE'], <EXTENSIONS: 0x02>: ['credProtect', 'hmac-secret'], <AAGUID: 0x03>: b'/\xc0W\x9f\x81\x13G\xea\xb1\x16\xbbZ\x8d\xb9 *', <OPTIONS: 0x04>: {'rk': True, 'up': True, 'plat': False, 'clientPin': False, 'credentialMgmtPreview': True}, <MAX_MSG_SIZE: 0x05>: 1200, <PIN_UV_PROTOCOLS: 0x06>: [2, 1], <MAX_CREDS_IN_LIST: 0x07>: 8, <MAX_CRED_ID_LENGTH: 0x08>: 128, <TRANSPORTS: 0x09>: ['nfc', 'usb'], <ALGORITHMS: 0x0A>: [{'alg': -7, 'type': 'public-key'}, {'alg': -8, 'type': 'public-key'}], <MIN_PIN_LENGTH: 0x0D>: 4, <FIRMWARE_VERSION: 0x0E>: 328707}
PIN: Not configured

End of diagnostics

nuke-web3 avatar Apr 05 '22 01:04 nuke-web3

I had similar issues until I removed a longer (3m) cable between key and USB port. Some functionality still worked with the cable in place, but using ykman didn't. Could be my hub or that specific port, too - I didn't test, but can do if it helps.

ri0t avatar Apr 12 '22 14:04 ri0t

My key is directly inserted in my ThinkPad laptop

KlavsKlavsen avatar Apr 13 '22 06:04 KlavsKlavsen

I had the same issue on a Raspberry Pi 4. Changing the connection mode to CCID only (ykman config mode ccid) solved it.

untbu avatar Apr 30 '22 18:04 untbu

That solved it for me too. Thank you @untbu

KlavsKlavsen avatar May 03 '22 06:05 KlavsKlavsen
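
Both `ykman --diagnose` reports in this thread list nothing under the PC/SC sections while the key does appear over HID, and `ykman openpgp` reaches the key through its CCID (smart card) interface via PC/SC. The following is an added example, not part of the thread or of ykman itself: a small parser that reads a diagnose report and says which transports actually saw the key. The function names and the abridged sample are constructed for illustration.

```python
import re

# Abridged from the first `ykman --diagnose` report in this thread
# (the long RawInfo/DeviceInfo/Ctap2Info lines are dropped).
SAMPLE = """\
Detected PC/SC readers:

Detected YubiKeys over PC/SC:

Detected YubiKeys over HID OTP:

Detected YubiKeys over HID FIDO:
        CtapYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw1')
        Device name: YubiKey 5C Nano

End of diagnostics
"""

SECTION = re.compile(r"^Detected (.+):$")
DEVICE = re.compile(r"\b\w*YubiKeyDevice\(")

def detected(report):
    """Return {section name: [entries]} for each 'Detected ...:' block."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            # Readers: any non-blank line counts. YubiKeys: only *YubiKeyDevice( lines.
            if current == "PC/SC readers" or DEVICE.search(line):
                sections[current].append(line)
    return sections

def openpgp_reachable(report):
    """True if a YubiKey is listed over PC/SC, the path ykman openpgp uses."""
    return bool(detected(report).get("YubiKeys over PC/SC"))

def explain(report):
    s = detected(report)
    if openpgp_reachable(report):
        return "YubiKey visible over PC/SC"
    seen = ", ".join(name for name, devs in s.items() if devs) or "nothing"
    if not s.get("PC/SC readers"):
        return "no PC/SC reader listed; key seen only via: " + seen
    return "PC/SC reader listed but no YubiKey on it; key seen via: " + seen
```

Feeding it the output of `ykman --diagnose` before and after a change, such as the `ykman config mode ccid` switch reported above, shows whether the key has become visible over PC/SC.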