ykman oath returns 'Failed connecting to the YubiKey' #35
Comments
Thanks for the report! When it fails, could you try
Unfortunately not, since scdaemon opens the smart card in exclusive mode. |
|
I'm getting the same error, except for openpgp:
In general the key works. I just can't set up touch policy. |
If I specify device serial, then I get a bit different error:
|
I've managed to set touch policy with https://github.com/a-dma/yubitouch |
I'm also having this same issue on Alpine Linux. Happy to assist with the troubleshooting:
FWIW I do not have this problem when I attempt the same on my Mac |
I was having the same error when trying to use both OATH and CCID at the same time. In short, after plugging in the key:
> gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
> ykman oath list
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.
Error: No YubiKey detected!
I've managed to "fix" it (for now?) by following the advice from https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device- of putting "reader-port Yubico YubiKey" (for Yubikey 5) in
Now "I can use both OATH and CCID" |
see Yubico/yubikey-manager#35 (comment) needed to switch between OATH and CCID usage in ykman without having to unplug and plug the key again
I'm hit by the same bug. I noticed that it happens only if I use
And all of the
When the first command I use is for example |
I noticed the same problem for |
Faced the same issue with ykman info |
FWIW, I experienced the same problem today when first installing yubikey-manager on my Gentoo system. One important clue was:
Another was this install-time warning from yubikey-manager:
Indeed, the |
Same issue here with Ubuntu 19.10, trying to use any of the |
Same issue here. Brand new yubikey 5 nfc, on kubuntu 20.04. Can't even list the serials, with or without sudo.
Help would be appreciated. |
@aspyct make sure you have the (Quick note: I know nothing about Ubuntu. Package names may be different, just search for matches). Good luck. |
Well, after a lot of trial and error, I've noticed that the yubikey sometimes works, sometimes doesn't. Also, it's a lot more likely to fail if you use it through a usb hub (although again, it's a bit erratic). Whenever I have two other gpg card readers from competitor brands which are working consistently, even through the usb hub. Except sometimes when plugged in after the yubikey, as if something was left in an inconsistent state. I'm not sure what is to blame, if it's the yubikey or scdaemon. Unfortunately so far I can't get any logs from the scdaemon when I use gpg commands. Any suggestion on that is welcome. It should be noted though, that when My two theories so far:
Edit: Upon further examination, it appears that both of my other devices run gpg version 3.3, and the yubikey version 3.4 (as indicated by |
same for fedora 30. Error: Failed connecting to YubiKey 5 [OTP+FIDO+CCID]. Make sure the application have the required permissions. |
I have a similar message. I noticed in the help it says
% ykman list -s
YubiKey 5 [OTP+FIDO+CCID]
I ran
% ykman info
Device type: YubiKey 5C Nano
Serial number: 10338381
Firmware version: 5.1.2
....
My thought was that the system was failing to get the serial number for some reason when trying to open the device so perhaps if I specified the serial number. This time it worked:
ykman -d 10338381 openpgp set-touch SIG on
Enter admin PIN:
Set touch policy of signature key to on? [y/N]: y
After successfully doing this I notice now the
% ykman list -s
10338381
I suspect the yubikey got put in some sort of odd state. |
I wanted to share my personal solution, which may be of some help to other users here. I was having trouble listing any credentials stored on my Yubikey 5 NFC (I used to use the GUI so there were definitely stored creds). I ran So I ran:
|
I experienced the same "Failed to connect" issue on Windows, and turns out that if there was a touch policy set on the usb config you can get this error as well. Touching the gold disk and waiting 2 seconds corrected, then I could disable the touch policy with ykman config. |
I have the same "Failed to connect" issue on macOS Catalina, ykman 3.1.1 and a Yubikey 4. The Yubikey Authentication GUI app has the same issue, but I have never had any problems with using it for U2F or OTP. |
Running into this on linux as well. Messages like these:
This issue has been around for three years - people are paying for these keys and expect this to work, why is there zero official presence here? (Not to mention there's already a fix you could easily translate into the application: https://github.com/a-dma/yubitouch ) |
There seem to be several different issues present in this issue, so it's difficult to know which ones are already "solved" and which aren't. Some reoccurring ones I see are:
CCID based commands (such as
CCID based commands don't work in general (without scdaemon running). This indicates that ykman isn't able to communicate with the smart card system, which on Linux is the pcscd service. This commonly means that the service is either missing, or not running. Instructions for how to set it up will vary between Linux distributions, and unfortunately we aren't able to provide these. Instead we refer you to the documentation for your particular distribution.
Other commands don't work. Different commands need to use different USB interfaces on the YubiKey, which use different communication mechanisms. These issues will need to be resolved on a case-by-case basis, but one common problem is not having the proper permissions to access one or more of these USB interfaces. This can usually be tested for by running the command as root (e.g. by using sudo), and might be resolved by configuring permissions using Udev rules, or granting specific permissions to the user account.
I see that several people in this thread have found answers already, and it's difficult to know where that is and isn't the case, so I am closing this issue now. If you do still have problems and the already provided solutions and workarounds don't help you, please open a new issue to deal with your specific problem, or contact our support team for help: https://support.yubico.com/hc/en-us |
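The triage order described in the comment above (scdaemon conflict, then missing pcscd, then permissions), written out as an added example; it is not code from this thread or from yubikey-manager. The function names and result labels are hypothetical, and `gpgconf --kill scdaemon` is GnuPG's own command for stopping the daemon, not something quoted in the thread.

```shell
#!/bin/sh
# Added example: triage a failing CCID command (e.g. `ykman oath list`).
# Function names and result labels are hypothetical, not part of ykman.

# classify_ccid_failure PROCS USER_RC ROOT_RC
#   PROCS    newline-separated names of running processes
#   USER_RC  exit status of the ykman command run as the normal user
#   ROOT_RC  exit status of the same command run as root
classify_ccid_failure() {
    procs=$1 user_rc=$2 root_rc=$3
    if [ "$user_rc" -eq 0 ]; then
        echo ok
    elif printf '%s\n' "$procs" | grep -qx scdaemon; then
        echo scdaemon-holds-card      # exclusive-mode conflict with GnuPG
    elif ! printf '%s\n' "$procs" | grep -qx pcscd; then
        echo pcscd-not-running        # no smart card service to talk to
    elif [ "$root_rc" -eq 0 ]; then
        echo permissions              # works as root only: udev / user rights
    else
        echo unknown
    fi
}

# Map a result label to the remedy named in the thread.
advice_for() {
    case $1 in
        ok) echo "nothing to fix" ;;
        scdaemon-holds-card) echo "release the card: gpgconf --kill scdaemon" ;;
        pcscd-not-running) echo "install/start pcscd per your distribution's docs" ;;
        permissions) echo "grant device access via udev rules, not routine root use" ;;
        *) echo "open a new issue with debug output" ;;
    esac
}

# Live wrapper: gathers the three observations on this machine.
# `sudo -n` never prompts; if sudo needs a password the root test counts as failed.
diagnose_live() {
    procs=$(for p in scdaemon pcscd; do
        if pgrep -x "$p" >/dev/null 2>&1; then echo "$p"; fi
    done)
    user_rc=0; ykman oath list >/dev/null 2>&1 || user_rc=$?
    root_rc=0; sudo -n ykman oath list >/dev/null 2>&1 || root_rc=$?
    result=$(classify_ccid_failure "$procs" "$user_rc" "$root_rc")
    echo "$result: $(advice_for "$result")"
}
```

Call `diagnose_live` with the YubiKey plugged in; on systems where pcscd is socket-activated it may not appear in the process list until first use, so treat `pcscd-not-running` as a prompt to check the service rather than proof it is missing.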
running the manager with sudo fixed the problem for me on Ubuntu: |
@edsantiago, I'm running into a similar problem on my PostmarketOS Pinephone (which is a version of Alpine Linux). I got pcscd running with The end-result is that I can use U2F in Mozilla, and I can use ykman to get information on the device. It also has keyboard access. However, running Any further thoughts on something I'm missing? Something I missed on the "checklist"? |
@dainnilsson, as noted in my post just above, I'm having trouble with a version of Alpine Linux. You mentioned that conflicts with GPG can cause this problem. I don't believe I have GPG running (at any rate, the command |
@zpeterg Check for a process running named |
@dainnilsson , thanks for the tips. I see that scdaemon is running, so that probably is the issue. |
Hi, Do we have any solution to this issue yet? I am on Linux, I have a Yubico Key NFC 5, my key has PIN set. When I execute
I got the following debug log.
I also got similar error with
Anything else I should check? Thanks |
@zpeterg any success on using |
@Utopiah, I mostly use Mobian now. But here are my notes on setting up Yubikey on PostmarketOS:
I'm not certain that those are the full steps, but hopefully it helps! |
@zpeterg thanks. FWIW I was missing either udev rules for my user or libu2f-host but now it is working. I installed via pip after adding via apk pcscd and all necessary build dependencies (all the way to Rust and Cargo for crypto). Now I "just" have to figure out when I use this over the CLI util 2fa and my "normal" Sxmo usage. |
@Utopiah , I also am on SXMO these days and very much enjoying it, but would love to have access to Yubikey in case it's needed. Question: How did you get yubikey authentication working? These are my steps so far:
But it errors-out with "command 'gcc' failed: No such file or directory". Any pointers? |
@zpeterg can't recall exactly but from your specific error message I'd start with |
I made it further with these steps:
That got it installed, but it said that no Yubikey was present. So then I edited /etc/udev/rules.d/70-u2f.rules to add:
That made |
I suspect the CCID reader isn't working - I'm getting nothing for |
Unfortunately @zpeterg I can't recall running into that problem but to be honest I'm not sure I tried
at some point. |
Fresh-up everything basically? Good idea. I tried it, but no dice. Thanks anyway! |
Indeed @zpeterg I get Details :
Glad you opened #471 . |
I also had problems with "Error: No YubiKey found with the given interface(s)" on my laptop running Linux Mint. I resolved it by plugging my Yubikey into the port I originally used when setting up AWS MFA. |
Same here, I got it working by plugging + unplugging.. odd |
I also saw "No YubiKey found with the given interface" and found that the problem was that my kernel didn't have To check if you have that kernel config, here's what it should look like:
|
Killing gpg's scdaemon seems to restore functionality:
I'm not sure exactly what triggers the failure, but often after signing something using gpg and an OpenPGP key stored in the yubikey, ykman begins to fail again.
This is on an Ubuntu Xenial system (gpg2 2.1.11) with a YubiKey 4 (FW 4.3.7)
When things are working running 'oath list' causes scdaemon to exit with SIGKILL:
When things are not working strace says scdaemon is looping doing this:
Even when things are working it is kind of useless because requesting a TOTP value causes scdaemon to exit and then requires pin re-entry on the gpg2 side.
Can't ykman access the yubikey without disrupting scdaemon?