YubiKey-Guide icon indicating copy to clipboard operation
YubiKey-Guide copied to clipboard
verified publisher icon drduh

KeyError: Trying to change touch policies

Open maxkratz opened this issue 3 years ago • 5 comments

I found an inconsistency with the guide in this section. On my system (with ykman version 4.0.8) the keywords have changed.

One has to type: $ ykman openpgp keys set-touch AUT ON instead of $ ykman openpgp keys set-touch aut on (from the guide).

If I copy-paste the command from the guide, I get the following error:

 maxkratz@maxs-ws  ~  ykman openpgp keys set-touch aut on 
Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/ykman/cli/__main__.py", line 378, in main
    cli(obj={})
  File "/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 1135, in invoke
    sub_ctx = cmd.make_context(cmd_name, args, parent=ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 641, in make_context
    self.parse_args(ctx, args)
  File "/usr/lib/python3/dist-packages/click/core.py", line 940, in parse_args
    value, args = param.handle_parse_result(ctx, opts, args)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1469, in handle_parse_result
    value = self.full_process_value(ctx, value)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1438, in full_process_value
    value = self.process_value(ctx, value)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1428, in process_value
    return self.type_cast_value(ctx, value)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1417, in type_cast_value
    return _convert(value, (self.nargs != 1) + bool(self.multiple))
  File "/usr/lib/python3/dist-packages/click/core.py", line 1415, in _convert
    return self.type(value, self, ctx)
  File "/usr/lib/python3/dist-packages/click/types.py", line 39, in __call__
    return self.convert(value, param, ctx)
  File "/usr/local/lib/python3.8/dist-packages/ykman/cli/util.py", line 61, in convert
    return self.choices_enum[name]
  File "/usr/lib/python3.8/enum.py", line 387, in __getitem__
    return cls._member_map_[name]
KeyError: 'aut'

The same error appears after changing it to ... AUT on -> Both keys have to be typed in CAPSLOCK.

Interestingly, the help output of ykman shows the same flags as this guide:

 maxkratz@maxs-ws  ~  ykman openpgp keys set-touch -h    
Usage: ykman openpgp keys set-touch [OPTIONS] KEY POLICY

  Set touch policy for OpenPGP keys.

  KEY     Key slot to set (sig, enc, aut or att).
  POLICY  Touch policy to set (on, off, fixed, cached or cached-fixed).

If someone could confirm this issue to me on their system, I'm happy to provide a PR for this guide :).

maxkratz avatar Apr 03 '22 15:04 maxkratz

Guide is correct.

With ykman v 4.0.8 this runs fine for me with both Yubikey 4 and Yubikey 5NFC keys in lALL COMBINATIONS of lowercase OR uppercase AUT or ON/OFF

iandstanley avatar Jun 02 '22 23:06 iandstanley

Here's my results with ykman 4.0.8 and a Yubikey 4:

% ykman openpgp info WARNING: No OTP HID backend available. OTP protocols will not function. OpenPGP version: 2.1 Application version: 4.3.1

PIN tries remaining: 3 Reset code tries remaining: 0 Admin PIN tries remaining: 3

Touch policies Signature key Off Encryption key Off Authentication key Off % ykman openpgp keys set-touch aut on WARNING: No OTP HID backend available. OTP protocols will not function. Enter Admin PIN: Set touch policy of authentication key to on? [y/N]: y % ykman openpgp info WARNING: No OTP HID backend available. OTP protocols will not function. OpenPGP version: 2.1 Application version: 4.3.1

PIN tries remaining: 3 Reset code tries remaining: 0 Admin PIN tries remaining: 3

Touch policies Signature key Off Encryption key Off Authentication key On % ykman openpgp keys set-touch aut off WARNING: No OTP HID backend available. OTP protocols will not function. Enter Admin PIN: Set touch policy of authentication key to off? [y/N]: y % ykman -v YubiKey Manager (ykman) version: 4.0.8

iandstanley avatar Jun 03 '22 00:06 iandstanley

PS it also works copy/pasting from the https://github.com/drduh/YubiKey-Guide#require-touch

iandstanley avatar Jun 03 '22 00:06 iandstanley

Might be worth raising an support call with Yubikey

iandstanley avatar Jun 03 '22 00:06 iandstanley

Weird! On my main workstation, I still get the error. Version:

 ✘ maxkratz@maxs-ws  ~  ykman -v                           
YubiKey Manager (ykman) version: 4.0.8

However, on my laptop, everything is fine and all possible combinations do work. The version is also 4.0.8 and both systems run Linux Mint 20.3

maxkratz avatar Jun 04 '22 10:06 maxkratz

Seems like a platform issue, if you figure it out, please document it in the guide.

drduh avatar Dec 26 '22 19:12 drduh