Issue
I encountered the following error when trying to use yubikey-agent for the first time on a key that I had already set a FIDO2 PIN and credential:
> yubikey-agent -setup
No YubiKeys detected!
After troubleshooting (detailed below), I reset the FIDO2 PIN and credential on the key from the yubikey-manager-qt-1.2.3b-linux.AppImage GUI application. I think that would have been equivalent to ykman fido reset -h.
After doing this, I was able to run yubikey-agent -setup (although it noted that the default Management Key didn't work, which makes sense since I had set that manually before) and then successfully ran yubikey-agent -setup --really-delete-all-piv-keys.
I had previously set up an SSH key with ssh-keygen -t ed25519-sk -O resident -O verify-required and added some GPG keys with gpg --edit-card and then keytocard.
I'm not sure why resetting FIDO2 fixed this. Maybe it had more to do with unplugging / replugging after resetting FIDO2?
System info
Yubikey 5Ci
Firmware 5.4.3
connected via USB-C
OS:
Ubuntu 21.04
Linux 5.11.0
> apt info libpcsclite-dev
Package: libpcsclite-dev
Version: 1.9.1-1
Priority: extra
Section: libdevel
Source: pcsc-lite
Origin: Ubuntu
Troubleshooting
I tried this using the version of yubikey-agent packed with Nix and got the above error. I then cloned the repo and built from head, but this binary also gave the same error.
I checked that the key was recognized with:
I also ran pcsc_scan but weirdly didn't seem to find the Yubikey despite ykman and the graphical yubikey QT app recognizing it. Running pcsc_scan after wiping FIDO2 on the key and unplugging/replugging, it did recognize the security key. Not sure if related to this issue, but kind of weird to note.
> pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico YubiKey OTP+FIDO+CCID 00 00
I wondered if an existing ssh-agent or gpg-agent was running amok and ran:
I then tried with sudo and got the same error. Then I tried in bash (had been using fish previously) and got the same error.
Then it occurred to me to reset the credential as mentioned in the topmost section of the bug, which seemed to fix things.
Additional comments
Thanks for making nice security tools!
Please let me know if you need any additional info to help debug this issue.