yubikey-manager
ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access
- YubiKey Manager (ykman) version:
ykman --version
YubiKey Manager (ykman) version: 5.1.1
- How was it installed?:
Added Yubico PPA Instructions, see: https://support.yubico.com/hc/en-us/articles/360016649039-Enabling-the-Yubico-PPA-on-Ubuntu
https://launchpad.net/~yubico/+archive/ubuntu/stable
sudo add-apt-repository ppa:yubico/stable
sudo apt update
apt search yubi
...
yubikey-manager/focal 5.1.1~ppa1~focal1 amd64
Command line tool for configuring a YubiKey
yubikey-personalization/focal 1.20.0-2 amd64
Personalization tool for Yubikey OTP tokens
yubikey-personalization-gui/focal 3.1.24-1build1 amd64
Graphical personalization tool for YubiKey tokens
...
yubioath-desktop/focal 5.0.3-1 amd64
Graphical interface for displaying OATH codes with a Yubikey
# Install Command Program
sudo apt install yubikey-manager # YubiKey Manager (CLI) == ykman
sudo apt install yubikey-personalization-gui # YubiKey Personalization Tool
sudo apt install libpam-yubico # libpam-yubico
sudo apt install libpam-u2f # libpam-u2f
- Operating system and version:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
uname --all
Linux mypc 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
- YubiKey model and version:
ykman info
Device type: YubiKey 5 NFC
...
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Configured capabilities are protected by a lock code.
Applications USB NFC
OTP Enabled Enabled
FIDO U2F Enabled Enabled
FIDO2 Enabled Enabled
OATH Enabled Enabled
PIV Enabled Enabled
OpenPGP Enabled Enabled
YubiHSM Auth Enabled Enabled
- Bug description summary:
I cannot delete or reprogram OTP slot 1. I cannot remove the access code.
- Steps to reproduce
# Create new yubiotp. This runs OK. ####################
ykman otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1
# Add access code. This runs OK. ####################
ykman otp settings --new-access-code 000000000000 1
Update the settings for slot 1? All existing settings will be overwritten. [y/N]: y
Updating settings for slot 1...
# I do not have debugging info from the 2 previous commands because I did not know that the rest would fail.
# All remaining commands fail.
# Try to reprogram yubiotp. ####################
ykman --log-level DEBUG otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1
INFO 12:31:09.219 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:31:09.219 [ykman.logging.set_log_level:64]
#############################################################################
# #
# WARNING: Sensitive data may be logged! #
# Some personally identifying information may be logged, such as usernames! #
# #
#############################################################################
INFO 12:31:09.220 [ykman._cli.__main__.cli:238] System info:
ykman: 5.1.1
Python: 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0]
Platform: linux
Arch: x86_64
System date: 2023-05-10
Running as admin: False
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:31:09.341 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:31:09.405 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:31:09.463 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:31:09.465 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:31:09.531 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:31:09.531 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:31:09.532 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:31:09.532 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:31:09.533 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
DEBUG 12:31:09.533 [yubikit.yubiotp.put_configuration:780] Writing configuration of type YubiOtpSlotConfiguration to slot 1
DEBUG 12:31:09.533 [yubikit.yubiotp._write_config:762] Writing configuration to slot 1, access code: False
ERROR 12:31:09.579 [ykman._cli.__main__.main:380] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 487, in yubiotp
session.put_configuration(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 784, in put_configuration
self._write_config(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 763, in _write_config
self._status = self.backend.write_update(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 666, in write_update
return self.protocol.send_and_receive(slot, data)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 167, in send_and_receive
response = self._read_frame(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 245, in _read_frame
raise CommandRejectedError("No data")
yubikit.core.otp.CommandRejectedError: No data
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
cli(obj={})
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
return f(get_current_context(), *args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 496, in yubiotp
raise CliFail(_WRITE_FAIL_MSG)
ykman._cli.util.CliFail: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
# Try to add new access code. ####################
ykman --log-level DEBUG otp settings --new-access-code 000000000000 1 -f
INFO 12:33:42.534 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:33:42.534 [ykman.logging.set_log_level:64]
#############################################################################
# #
# WARNING: Sensitive data may be logged! #
# Some personally identifying information may be logged, such as usernames! #
# #
#############################################################################
INFO 12:33:42.535 [ykman._cli.__main__.cli:238] System info:
ykman: 5.1.1
Python: 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0]
Platform: linux
Arch: x86_64
System date: 2023-05-10
Running as admin: False
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:33:42.602 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:33:42.662 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:33:42.662 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:33:42.725 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:33:42.725 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:33:42.725 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:33:42.769 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:33:42.770 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:33:42.770 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:33:42.771 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:33:42.771 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
Updating settings for slot 1...
DEBUG 12:33:42.772 [yubikit.yubiotp.update_configuration:807] Writing configuration update to slot 1
DEBUG 12:33:42.772 [yubikit.yubiotp._write_config:762] Writing configuration to slot 4, access code: False
ERROR 12:33:42.815 [ykman._cli.__main__.main:380] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 923, in settings
session.update_configuration(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 808, in update_configuration
self._write_config(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 763, in _write_config
self._status = self.backend.write_update(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 666, in write_update
return self.protocol.send_and_receive(slot, data)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 167, in send_and_receive
response = self._read_frame(
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 245, in _read_frame
raise CommandRejectedError("No data")
yubikit.core.otp.CommandRejectedError: No data
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
cli(obj={})
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
return f(get_current_context(), *args, **kwargs)
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 933, in settings
raise CliFail(_WRITE_FAIL_MSG)
ykman._cli.util.CliFail: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
# Try to remove access code. ####################
ykman --log-level DEBUG otp settings --delete-access-code 000000000000 1
INFO 12:34:45.917 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:34:45.917 [ykman.logging.set_log_level:64]
#############################################################################
# #
# WARNING: Sensitive data may be logged! #
# Some personally identifying information may be logged, such as usernames! #
# #
#############################################################################
INFO 12:34:45.917 [ykman._cli.__main__.cli:238] System info:
ykman: 5.1.1
Python: 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0]
Platform: linux
Arch: x86_64
System date: 2023-05-10
Running as admin: False
Usage: ykman otp settings [OPTIONS] {1|2}
Try 'ykman otp settings -h' for help.
Error: Invalid value for '{1|2}': '000000000000' is not one of '1', '2'.
# Try to remove access code without slot. ####################
ykman --log-level DEBUG otp settings --delete-access-code 000000000000
INFO 12:35:18.198 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:35:18.198 [ykman.logging.set_log_level:64]
#############################################################################
# #
# WARNING: Sensitive data may be logged! #
# Some personally identifying information may be logged, such as usernames! #
# #
#############################################################################
INFO 12:35:18.198 [ykman._cli.__main__.cli:238] System info:
ykman: 5.1.1
Python: 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0]
Platform: linux
Arch: x86_64
System date: 2023-05-10
Running as admin: False
Usage: ykman otp settings [OPTIONS] {1|2}
Try 'ykman otp settings -h' for help.
Error: Invalid value for '{1|2}': '000000000000' is not one of '1', '2'.
# Try to remove access code without access code. ####################
ykman --log-level DEBUG otp settings --delete-access-code 1
INFO 12:35:54.240 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:35:54.240 [ykman.logging.set_log_level:64]
#############################################################################
# #
# WARNING: Sensitive data may be logged! #
# Some personally identifying information may be logged, such as usernames! #
# #
#############################################################################
INFO 12:35:54.240 [ykman._cli.__main__.cli:238] System info:
ykman: 5.1.1
Python: 3.8.10 (default, Mar 13 2023, 10:26:41)
[GCC 9.4.0]
Platform: linux
Arch: x86_64
System date: 2023-05-10
Running as admin: False
DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:35:54.306 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:35:54.306 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:35:54.366 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:35:54.366 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
devices.append(get_descriptor(hidraw))
File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:35:54.429 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:35:54.487 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:35:54.489 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:35:54.555 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:35:54.555 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:35:54.556 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:35:54.556 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:35:54.557 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
ERROR 12:35:54.557 [ykman._cli.__main__.main:380] --delete-access-code used without providing an access code (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
    cli(obj={})
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 888, in settings
    raise CliFail(
ykman._cli.util.CliFail: --delete-access-code used without providing an access code (see "ykman otp --help" for more info).
Expected result
[What did you expect to happen when you did the above?]
I expected this command to run without any error:
# Try to reprogram yubiotp
ykman --log-level DEBUG otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1
Or, if that failed, I could then remove the access code with the command:
# Try to remove access code
ykman --log-level DEBUG otp settings --delete-access-code 000000000000 1
and then reprogram slot again without any errors.
Actual results and logs
See above
Other info
Before this error I could run the ykman otp yubiotp command several times without any error.
ykman otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1
Also, the first time I added an access code it was successful:
ykman otp settings --new-access-code 000000000000 1
but after that I could not reprogram otp or remove the access code.
I also installed
Yubikey Manager GUI v1.2.5
Yubikey Personalization Tool v3.1.24 (lib v 1.20.0)
Reprogramming or clearing otp slot 1 also fails with those tools.
Running Yubikey Manager GUI / Applications / OTP / Slot 1 / Delete
Result is error text: Failed to modify Slot 1. Make sure the Yubikey does not have restricted access.
It seems that there is no way to modify access using Yubikey Manager GUI.
Running Yubikey Personalization Tool / Yubikey OTP / Quick / Slot 1 / Write configuration
Result is error text: Yubikey could not be configured. Perhaps protected with configuration protection access code.
It seems that there is no way to modify access using Yubikey Personalization Tool either.
I have the same issue and the same error logs with both of my Yubikeys. The keys were purchased at the same time and they have identical SW versions and enabled applications. So most likely the issue is not in the keys but a SW issue.
I have tested both keys in 2 different Linux Ubuntu 20.04 LTS environments with the same results. Yubico SW was installed into both environments with the same commands, so most likely this is not an environment-related HW issue either.
How can I fix this issue?
My keys are partly useless until I can fix this issue.
Thank you for your help and support!
Because you've set an access code, all the changes are locked unless you can provide that access code when issuing the changing command. The way to provide the access code is by passing it to the otp subcommand via the --access-code option. NOTE THAT THIS MUST BE PASSED PRIOR TO ANY SUBCOMMAND TO otp. The command to remove an access code (as per ykman otp --help) is:
Remove a currently set access code from slot 2):
$ ykman otp --access-code 0123456789ab settings 2 --delete-access-code
Yes, it is confusing that you cannot pass the --access-code option to one of the subcommands to otp. Unfortunately this is due to a technical limitation of the underlying CLI framework used.
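The ordering rule from the answer above, as an added example that is not part of the thread or of ykman's own code: a small lint for provisioning scripts that checks where --access-code sits in a ykman otp command line. The function name lint_otp_command and the 12-hex-digit shape check are assumptions of this example, and it expects a literal hex value.

```python
import re
import shlex

# An OTP slot access code is 6 bytes, written here as 12 hex digits.
HEX_CODE = re.compile(r"[0-9a-fA-F]{12}")


def lint_otp_command(command_line):
    """Return findings about access-code handling in a `ykman otp` command."""
    tokens = shlex.split(command_line)
    if "otp" not in tokens:
        return ["not a ykman otp command"]
    rest = tokens[tokens.index("otp") + 1:]

    # Walk the options that belong to `otp` itself, up to the subcommand.
    code, i = None, 0
    while i < len(rest) and rest[i].startswith("-"):
        if rest[i] == "--access-code":
            code = rest[i + 1] if i + 1 < len(rest) else ""
            i += 1  # skip the option's value as well
        elif rest[i].startswith("--access-code="):
            code = rest[i].split("=", 1)[1]
        i += 1
    if i >= len(rest):
        return ["no otp subcommand found"]
    subcommand, tail = rest[i], rest[i + 1:]

    findings = []
    if any(t == "--access-code" or t.startswith("--access-code=") for t in tail):
        findings.append(f"--access-code appears after '{subcommand}'; "
                        "move it directly after 'otp'")
    elif code is None and "--delete-access-code" in tail:
        findings.append("--delete-access-code used without "
                        "'otp --access-code HEX' before the subcommand")
    if code is not None and not HEX_CODE.fullmatch(code):
        findings.append("access code is not 12 hex digits")
    return findings


# Two commands from this thread plus one constructed variant (the last).
SAMPLES = [
    "ykman otp --access-code 0123456789ab settings 2 --delete-access-code",
    "ykman --log-level DEBUG otp settings --delete-access-code 000000000000 1",
    "ykman otp settings 1 --delete-access-code --access-code 0123456789ab",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", lint_otp_command(cmd) or "ok")
```

The lint only inspects the command line; it cannot tell whether the supplied code matches the one stored on the key.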
Thanks for this advice. It helped to clear the access code from one key but clearing the other key still fails.
ykman otp --access-code 000000000000 settings 1 --delete-access-code -f
Updating settings for slot 1...
ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
I also tried to reset the otp application with these instructions but failed during step 5. Error message was: Failed to modify Slot 1. Make sure the Yubikey does not have restricted access.
Is there any way to reset the whole key (all applications) to factory settings?
There is not, unfortunately. The behavior seems to indicate that you are using the incorrect access code, and if that is the case and the code is lost, then there is no way to recover it.
I found the used access-code and managed to remove it from the yubikey so that issue is cleared.
What is the reason that a user cannot reset the otp application (= remove the PIN/access code and all credentials) if he/she loses the access code?
My understanding is that at least the FIDO, OATH and OpenPGP applications can be reset without any PIN. So why does the otp application use a different logic?
It is also good to note that this irrecoverability is not properly documented; at least it is not mentioned at all in the ykman help texts or in the web documentation.
In my mind, the user should be able to reset the otp application without a PIN or access code, or, if that is not possible for some reason, then at least the ykman documentation and help texts should clearly warn the user that losing the access code prevents any further programming of the otp application.
I am experiencing the same issue
Any final suggestion?