yubikey-manager
`ykman list -s` fails to display keys serial numbers
- YubiKey Manager (ykman) version: master as of e5a4f22f15b767ca6ae87e99bf5e9e6533b4cf14
- How was it installed?: cloned via git
- Operating system and version: 6.6.7-200.fc39.x86_64
- YubiKey model and version: Security Key by Yubico (5.0.2) [FIDO] / Security Key NFC (5.4.3) [FIDO]
- Bug description summary: `ykman list -s` does not work.
Steps to reproduce
Run: `ykman list -s`
Expected result
Serial from the YubiKey being displayed. There is no other documented way to list the serial numbers.
Other info
The devices are listed via https://github.com/Yubico/python-fido2. The `HIDIOCGRAWUNIQ` ioctl does not return anything.
Here are the diagnostics from the two keys on the system:
```text
Detected YubiKeys over HID FIDO:
  CtapYubiKeyDevice(pid=0120, fingerprint='/dev/hidraw5'):
    CTAP device version: 5.0.2
    CTAPHID protocol version: 2
    Capabilities: 5
    Management:
      Raw Info: <hidden>
      DeviceInfo:
        config:
          enabled_capabilities:
            USB: U2F|FIDO2: 0x202
          auto_eject_timeout: 0
          challenge_response_timeout: 15
          device_flags: 0
        serial: None
        version: 5.0.2
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202
        is_locked: False
        is_fips: False
        is_sky: True
      Name: Security Key by Yubico
    Ctap2Info:
      versions:
        U2F_V2
        FIDO_2_0
      extensions:
        hmac-secret
      aaguid: <hidden>
      options:
        rk: True
        up: True
        plat: False
        clientPin: False
      max_msg_size: 1200
      pin_uv_protocols:
        1
      max_creds_in_list: None
      max_cred_id_length: None
      transports:
      algorithms: None
      max_large_blob: None
      force_pin_change: False
      min_pin_length: 4
      firmware_version: None
      max_cred_blob_length: None
      max_rpids_for_min_pin: 0
      preferred_platform_uv_attempts: None
      uv_modality: None
      certifications: None
      remaining_disc_creds: None
      vendor_prototype_config_commands: None
    PIN: Not configured
  CtapYubiKeyDevice(pid=0402, fingerprint='/dev/hidraw1'):
    CTAP device version: 5.4.3
    CTAPHID protocol version: 2
    Capabilities: 5
    Management:
      Raw Info: <hidden>
      DeviceInfo:
        config:
          enabled_capabilities:
            USB: U2F|FIDO2: 0x202
            NFC: U2F|FIDO2: 0x206
          auto_eject_timeout: 0
          challenge_response_timeout: 15
          device_flags: 0
        serial: None
        version: 5.4.3
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202
          NFC: U2F|FIDO2: 0x206
        is_locked: False
        is_fips: False
        is_sky: True
      Name: Security Key NFC
    Ctap2Info:
      versions:
        U2F_V2
        FIDO_2_0
        FIDO_2_1_PRE
      extensions:
        credProtect
        hmac-secret
      aaguid: <hidden>
      options:
        rk: True
        up: True
        plat: False
        clientPin: False
        credentialMgmtPreview: True
      max_msg_size: 1200
      pin_uv_protocols:
        2
        1
      max_creds_in_list: 8
      max_cred_id_length: 128
      transports:
        nfc
        usb
      algorithms:
        alg: -7
        type: public-key
        alg: -8
        type: public-key
      max_large_blob: None
      force_pin_change: False
      min_pin_length: 4
      firmware_version: 328707
      max_cred_blob_length: None
      max_rpids_for_min_pin: 0
      preferred_platform_uv_attempts: None
      uv_modality: None
      certifications: None
      remaining_disc_creds: None
      vendor_prototype_config_commands: None
    PIN: Not configured
```
You can see in the output: `serial: None`. This is because the Security Key series does not have serial numbers.
How can ykman be used with multiple keys with no serial numbers?
```text
ERROR: Multiple YubiKeys detected. Use --device SERIAL to specify which one to use.
```
Also, currently `ykman list -s` does not output anything if the key has no serial number; at the least, it should emit a message about a given key having no serial number.
```text
~/% ykman list -s
~/%
```
`ykman list` will list all keys, including those without a serial number. `ykman list -s` does what the `--help` output states: "output only serial numbers, one per line (devices without serial will be omitted)".
ykman commands that act on a single device use the serial number of the YubiKey to determine which device to target, and cannot be used on devices without a serial number if more than one is present. If you need to perform some action on multiple keys (batch programming, etc.) then scripting can be used to iterate over connected devices.
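As an added example (not code from the yubikey-manager project or from anyone in this thread), the iterate-over-connected-devices approach mentioned above, in Python: it assumes ykman's own API `ykman.device.list_all_devices()`, which returns (device, info) pairs, and keeps the listing and selection logic in pure functions so they can be exercised on constructed entries without any hardware attached.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class KeyEntry:
    """One connected device as reported by ykman (fields mirror DeviceInfo/YkmanDevice)."""
    fingerprint: str       # e.g. '/dev/hidraw5'; a HID node, not stable across re-plugs
    transport: str         # 'USB' or 'NFC'
    version: str           # firmware version, e.g. '5.4.3'
    serial: Optional[int]  # None for Security Key series devices


def enumerate_keys() -> List[KeyEntry]:
    """Query ykman for every connected device (imported lazily: needs USB access)."""
    from ykman.device import list_all_devices  # assumed API: yields (device, info) pairs
    return [
        KeyEntry(dev.fingerprint, dev.transport.name, str(info.version), info.serial)
        for dev, info in list_all_devices()
    ]


def describe(entries: Iterable[KeyEntry]) -> List[str]:
    """One line per device; unlike `ykman list -s`, serial-less keys are not omitted."""
    return [
        f"{e.transport:<4} {e.fingerprint:<14} v{e.version:<6} "
        + (f"serial={e.serial}" if e.serial is not None else "serial=NONE (Security Key)")
        for e in entries
    ]


def select(entries: Iterable[KeyEntry], serial: Optional[int] = None,
           fingerprint: Optional[str] = None) -> KeyEntry:
    """Pick exactly one device, as a per-device ykman command must; fail if ambiguous."""
    matches = [
        e for e in entries
        if (serial is None or e.serial == serial)
        and (fingerprint is None or e.fingerprint == fingerprint)
    ]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} devices match; pass a serial or fingerprint")
    return matches[0]


if __name__ == "__main__":
    # Batch use: iterate over every key, serial or not, instead of --device SERIAL.
    for entry in enumerate_keys():
        print(describe([entry])[0])
```

Selecting by fingerprint only works for the current plug-in session, since the `/dev/hidraw*` node can change when the key is reconnected.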
- Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.
- Can a serial number be programmed into a key? [I'd assume not]
- If not, how can I reasonably expect prior to purchasing whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.
- Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification for the key without having to resort to invoking the Python gods?
> Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.

It looks like you're trying to use the command for something it was not intended to do, so I fully understand that you find the UX poor for that task.

> Can a serial number be programmed into a key? [I'd assume not]

No, devices which do not have serial numbers cannot have them programmed later.

> If not, how can I reasonably expect prior to purchasing whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.

The Security Key series, with the exception of the "Security Key Enterprise Edition", do not have serial numbers. All standard YubiKey models have serial numbers.

> Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification for the key without having to resort to invoking the Python gods?

It's something we may consider for future releases, if there is sufficient demand. However, it would also need equivalent device paths for the OTP and CCID transports in addition to FIDO, as these typically show up as 3 different devices.