yubikey-manager icon indicating copy to clipboard operation
yubikey-manager copied to clipboard

Published 20 hours ago verified publisher icon Yubico

ykman fido access change-pin - Does not return result

Open del-leehopper opened this issue 1 year ago • 3 comments

  • YubiKey Manager (ykman) version: YubiKey Manager (ykman) version: 5.2.1 (Also tried on 5.1.1)
  • How was it installed?: yubikey-manager-5.2.1-win64.msi
  • Operating system and version: Windows 10 22H2 (OS Build 19045.3693)
  • YubiKey model and version: YubiKey 5C NFC 5.4.3
  • Bug description summary: Command ykman fido access change-pin does not return result

Steps to reproduce

  1. Open CMD in Administrator mode
  2. Run the following command: ykman fido access change-pin
  3. Change/set the pin

Expected result

I expect a dialog that says something like "FIDO password updated" similar if you run the following command: ykman oath access change

Actual results and logs

There is no output for a confirmation that the change has worked. There is an output if there is an error. For example, if you enter the wrong confirmation password you get the following: Error: The two entered values do not match. Enter your new PIN: Therefore you are questioning if the command ran correctly or not, and can only know by testing FIDO with your new password.

Other info

None

del-leehopper avatar Nov 16 '23 10:11 del-leehopper

Not sure if I should create a new "Issue" but I also found the same for ykman config set-lock-code. No confirmation of if it has been set correctly, but I do get error messages.

del-leehopper avatar Nov 16 '23 11:11 del-leehopper

There are different schools of thought on this, each with pros and cons. Traditionally a UNIX command line tool does not output anything on success, which is generally useful when scripting. On the other hand, not giving the user any feedback here can be confusing.

That said, the tool currently isn't consistent in either approach (output info on success, or only on failure) which is clearly not desirable, and should be changed. We should evaluate which approach to take, and then implement it consistently across the different commands.

dainnilsson avatar Nov 16 '23 12:11 dainnilsson

@dainnilsson I agree. Inconsistency breads uncertainty.

Perhaps the use of the --force flag could be used to define if there is an output or not? e.g. if --force is used, then output nothing on success, however, if --force is not used, then output a feedback result. Best of both worlds in that case.

del-leehopper avatar Nov 16 '23 12:11 del-leehopper

After some additional though on this we determined that having output for all successful commands would be more helpful than not. We've now released 5.5.0, and as part of that release we have added output to commands which did not already produce output. The exception to this is when a command outputs a file and the user chooses to redirect that file to stdout.

Hopefully this resolves the issue. If you find any command which still do not produce any output, please let us know by opening a new issue.

dainnilsson avatar Jun 26 '24 11:06 dainnilsson