Failure to detect Yubikey when FIDO2 pin & key already set #101

Open
catleeball opened this issue Sep 4, 2021 · 0 comments

Issue

I encountered the following error when trying to use yubikey-agent for the first time on a key on which I had already set a FIDO2 PIN and credential:

```
> yubikey-agent -setup
No YubiKeys detected!
```

After troubleshooting (detailed below), I reset the FIDO2 PIN and credential on the key from the yubikey-manager-qt-1.2.3b-linux.AppImage GUI application. I think that would have been equivalent to ykman fido reset -h.

After doing this, I was able to run yubikey-agent -setup (although it noted that the default Management Key didn't work, which makes sense since I had set that manually before) and then successfully ran yubikey-agent -setup --really-delete-all-piv-keys.

I had previously set up an SSH key with ssh-keygen -t ed25519-sk -O resident -O verify-required and added some GPG keys with gpg --edit-card and then keytocard.

I'm not sure why resetting FIDO2 fixed this. Maybe it had more to do with unplugging / replugging after resetting FIDO2?

System info

  • Yubikey 5Ci
    • Firmware 5.4.3
    • connected via USB-C
  • OS:
    • Ubuntu 21.04
    • Linux 5.11.0
```
> apt info libpcsclite-dev
Package: libpcsclite-dev
Version: 1.9.1-1
Priority: extra
Section: libdevel
Source: pcsc-lite
Origin: Ubuntu
```

Troubleshooting

I tried this using the version of yubikey-agent packaged with Nix and got the above error. I then cloned the repo and built from head, but this binary also gave the same error.

I checked that the key was recognized with:

```
> ykman info
Device type: YubiKey 5Ci
Serial number: ***
Firmware version: 5.4.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
FIDO2       	Enabled
OTP         	Enabled
FIDO U2F    	Enabled
OATH        	Enabled
YubiHSM Auth	Enabled
OpenPGP     	Enabled
PIV         	Enabled
```

I also ran pcsc_scan but weirdly didn't seem to find the Yubikey despite ykman and the graphical yubikey QT app recognizing it. Running pcsc_scan after wiping FIDO2 on the key and unplugging/replugging, it did recognize the security key. Not sure if related to this issue, but kind of weird to note.

```
> pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico YubiKey OTP+FIDO+CCID 00 00
```

I wondered if an existing ssh-agent or gpg-agent was running amok and ran:

```
> pkill ssh-agent
> pkill gpg-agent
> yubikey-agent -setup
No YubiKeys detected!
```

I then tried with sudo and got the same error. Then I tried in bash (had been using fish previously) and got the same error.

Then it occurred to me to reset the credential as mentioned in the topmost section of the bug, which seemed to fix things.

Additional comments

Thanks for making nice security tools!

Please let me know if you need any additional info to help debug this issue.
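The report above shows ykman seeing the key while pcsc_scan does not. yubikey-agent reaches the PIV applet only through PC/SC (CCID), whereas ykman can also talk to the key over its HID interfaces, so a "No YubiKeys detected!" error usually means pcscd is not exposing a CCID reader for the key rather than the key being absent. The following diagnostic script is an added example, not part of the issue or of yubikey-agent; it assumes ykman and pcsc_scan are installed and that pcsc_scan supports -r to list readers and exit, and it parses constructed sample outputs modelled on the ones quoted above.

```shell
#!/bin/sh
# Added diagnostic (hypothetical, not yubikey-agent's own code): separates
# "the USB stack sees the key" (ykman) from "pcscd exposes a CCID reader
# whose name contains 'yubikey'", which is what yubikey-agent looks for.

# Returns 0 when the given `ykman info` output lists CCID among the enabled
# USB interfaces and shows the PIV application enabled.
ccid_and_piv_enabled() {
    printf '%s\n' "$1" | grep -q '^Enabled USB interfaces:.*CCID' || return 1
    printf '%s\n' "$1" | grep -q '^PIV[[:space:]]*Enabled' || return 1
    return 0
}

# Returns 0 and prints the matching line when the given PC/SC reader list
# contains a reader whose name includes "yubikey" (case-insensitive).
pcsc_sees_yubikey() {
    printf '%s\n' "$1" | grep -i 'yubikey'
}

# Constructed sample outputs, modelled on the report above (not real captures).
SAMPLE_YKMAN='Device type: YubiKey 5Ci
Enabled USB interfaces: OTP, FIDO, CCID
Applications
FIDO2        Enabled
PIV          Enabled'
SAMPLE_PCSC_OK='0: Yubico YubiKey OTP+FIDO+CCID 00 00'
SAMPLE_PCSC_EMPTY=''

# Runs the real tools; invoked only when the script is called with --run.
main() {
    yk="$(ykman info 2>/dev/null)" || { echo "ykman failed: no key or ykman missing"; return 2; }
    ccid_and_piv_enabled "$yk" || { echo "CCID interface or PIV applet is disabled on the key"; return 1; }
    readers="$(pcsc_scan -r 2>/dev/null)" || { echo "pcsc_scan failed: is pcscd running?"; return 2; }
    pcsc_sees_yubikey "$readers" >/dev/null \
        || { echo "pcscd exposes no YubiKey CCID reader: replug the key or restart pcscd"; return 1; }
    echo "PC/SC sees the YubiKey as a CCID reader; yubikey-agent -setup should detect it"
}

if [ "${1:-}" = "--run" ]; then main; fi
```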
