Yubikey 4 stuck in CCID mode #600

Closed
mi6e4ka opened this issue Feb 26, 2024 · 6 comments

@mi6e4ka

mi6e4ka commented Feb 26, 2024

  • YubiKey Manager (ykman) version: manager ver 1.2.5, ykman ver 5.3.0
  • How was it installed?: brew (ykman) and pkg
  • Operating system and version: MacOS 14.3
  • YubiKey model and version: YubiKey 4 firmware ver 4.3.1
  • Bug description summary: does not work in CCID mode and cannot exit it

Steps to reproduce

set yubikey mode using ykman to CCID

Expected result

Work PIV, OpenPGP, etc

Actual results and logs

it is impossible to use the key and change the operating mode
the buttons in yubikey manager are gray

mi6e4ka@Air-Mihail ~ % ykman info         
Device type: YubiKey 4
Serial number: 699 (redacted)
Firmware version: 4.3.7
Enabled USB interfaces: CCID

Applications
Yubico OTP  	Disabled
FIDO U2F    	Not available
FIDO2       	Not available
OATH        	Not available
PIV         	Not available
OpenPGP     	Not available
YubiHSM Auth	Not available
mi6e4ka@Air-Mihail ~ % ykman config mode FIDO
ERROR: Invalid mode!
mi6e4ka@Air-Mihail ~ % ykman config mode 0   
ERROR: Invalid mode!
mi6e4ka@Air-Mihail ~ % ykman --diagnose
ykman:            5.3.0
Python:           3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)]
Platform:         darwin
Arch:             x86_64
System date:      2024-02-27
Running as admin: False
Detected PC/SC readers:
  Yubico Yubikey 4 CCID: Success

Detected YubiKeys over PC/SC:
  ScardYubiKeyDevice(pid=0404, fingerprint='Yubico Yubikey 4 CCID'):
    Management:  
      Raw Info: 0c0101050204006ab455030104
      DeviceInfo:
        config:     
          enabled_capabilities:      
            USB: : 0x4

          auto_eject_timeout:         0
          challenge_response_timeout: 0
          device_flags:               0

        serial:      6992981
        version:     4.3.7
        form_factor: Unknown
        supported_capabilities:
          USB: OTP: 0x5

        is_locked:   False
        is_fips:     False
        is_sky:      False

      Name: YubiKey 4

    PIV:          PIV not accessible ApplicationNotAvailableError()
    OATH:         OATH not accessible ApplicationNotAvailableError()
    OpenPGP:      OpenPGP not accessible ApplicationNotAvailableError()
    YubiHSM Auth: YubiHSM Auth not accessible ApplicationNotAvailableError()

Detected YubiKeys over HID OTP:

Detected YubiKeys over HID FIDO:

End of diagnostics

Other info

also does not work on windows

@dainnilsson
Member

Can you try running ykman -l debug config mode otp+ccid+fido --force and provide the output?

@mi6e4ka
Author

mi6e4ka commented Feb 27, 2024

> Can you try running ykman -l debug config mode otp+ccid+fido --force and provide the output?

Here is the output:

INFO 17:59:18.465 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 17:59:18.466 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 17:59:18.466 [ykman._cli.__main__.cli:276] System info:
  ykman:            5.3.0
  Python:           3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)]
  Platform:         darwin
  Arch:             x86_64
  System date:      2024-02-27
  Running as admin: False

DEBUG 17:59:18.508 [ykman.device.add:165] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0404, fingerprint='Yubico Yubikey 4 CCID')
DEBUG 17:59:18.514 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 17:59:18.517 [yubikit.management.__init__:452] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
DEBUG 17:59:18.519 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=6992981, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|4: 5>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 17:59:18.521 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 4>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=6992981, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|4: 5>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 17:59:18.535 [ykman.device.add:176] Resolved device 6992981
DEBUG 17:59:18.548 [yubikit.management.__init__:452] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
ERROR 17:59:18.563 [ykman._cli.__main__.main:437] Invalid mode!
Traceback (most recent call last):
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/yubikit/management.py", line 289, in __init__
    self.code = _MODES.index(interfaces)
                ^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: <USB_INTERFACE: 0> is not in list

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/ykman/_cli/__main__.py", line 421, in main
    cli(obj={})
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/ykman/_cli/config.py", line 608, in mode
    my_mode = Mode(usb_enabled.usb_interfaces)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/yubikit/management.py", line 292, in __init__
    raise ValueError("Invalid mode!")
ValueError: Invalid mode!

@dainnilsson
Member

Where does this YubiKey come from? Based on the diagnostics output, it doesn't look like a standard (sold to end-users) device, but it could be a custom configuration, which is something that can be done for large batches of devices for specific deployments.

Did any of the applications you expect to work (PIV, OpenPGP, etc) work previously on this key?

You should still be able to get it "un-stuck", but there is a problem in ykman where it is now failing to read the current mode. We'll fix this for the next version, but in the meantime the following command should put it back into OTP mode:

ykman apdu -a management 161100:00000000
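
The failure to read the current mode can be reproduced from the "Raw Info" bytes in the diagnostics above. This is an added example, not code from ykman or from either participant; the tag numbers, capability bits and mode table are assumptions modeled on yubikit's management module, and the decoded values match the serial and capability fields shown on this page.

```python
# Added example: decode the "Raw Info" TLV printed by `ykman --diagnose` above.
# Tags, capability bits and the mode table are assumptions modeled on yubikit.
RAW_INFO = bytes.fromhex("0c0101050204006ab455030104")  # copied from the issue
TAG_USB_SUPPORTED, TAG_SERIAL, TAG_USB_ENABLED = 0x01, 0x02, 0x03
OTP, FIDO, CCID = 0x01, 0x02, 0x04  # USB interface bits

# Application capability bit -> USB interface that carries it.
CAP_TO_IFACE = {0x01: OTP, 0x02: FIDO, 0x08: CCID, 0x10: CCID, 0x20: CCID}
# A legacy mode code is the index of its interface combination in this list.
MODES = [OTP, CCID, OTP | CCID, FIDO, OTP | FIDO, FIDO | CCID, OTP | FIDO | CCID]


def parse_info(raw: bytes) -> dict[int, bytes]:
    """Parse length-prefixed TLV data with single-byte tags and lengths."""
    if not raw or raw[0] != len(raw) - 1:
        raise ValueError("length prefix does not match payload")
    fields, pos = {}, 1
    while pos < len(raw):
        if pos + 2 > len(raw) or pos + 2 + raw[pos + 1] > len(raw):
            raise ValueError("truncated TLV")
        tag, length = raw[pos], raw[pos + 1]
        fields[tag] = raw[pos + 2 : pos + 2 + length]
        pos += 2 + length
    return fields


def usb_interfaces(capabilities: int) -> int:
    """Collapse enabled application bits into the USB interfaces they need."""
    ifaces = 0
    for bit, iface in CAP_TO_IFACE.items():
        if capabilities & bit:
            ifaces |= iface
    return ifaces


def mode_code(ifaces: int):
    """Return the legacy mode code, or None where ykman raised 'Invalid mode!'."""
    return MODES.index(ifaces) if ifaces in MODES else None


def diagnose(raw: bytes) -> dict:
    fields = parse_info(raw)
    enabled = int.from_bytes(fields[TAG_USB_ENABLED], "big")
    ifaces = usb_interfaces(enabled)
    return {
        "serial": int.from_bytes(fields[TAG_SERIAL], "big"),
        "supported": int.from_bytes(fields[TAG_USB_SUPPORTED], "big"),
        "enabled": enabled,
        # Distinct single bits, so sum() is the OR of all known capability bits.
        "unmapped_enabled_bits": enabled & ~sum(CAP_TO_IFACE),
        "usb_interfaces": ifaces,
        "mode_code": mode_code(ifaces),
    }
```

The only enabled bit, 0x4, maps to no known application, so the derived interface set is 0 and the mode lookup has nothing to match, which is the `<USB_INTERFACE: 0> is not in list` error in the traceback.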

@mi6e4ka
Author

mi6e4ka commented Feb 27, 2024

> Where does this YubiKey come from? Based on the diagnostics output, it doesn't look like a standard (sold to end-users) device, but it could be a custom configuration, which is something that can be done for large batches of devices for specific deployments.
>
> Did any of the applications you expect to work (PIV, OpenPGP, etc) work previously on this key?
>
> You should still be able to get it "un-stuck", but there is a problem in ykman where it is now failing to read the current mode. We'll fix this for the next version, but in the meantime the following command should put it back into OTP mode:
>
> ykman apdu -a management 161100:00000000

Yes, it used to work with AUTO mode, and this happened only after I turned on the CCID interface.
If you can configure the configuration, is it possible to return it to its normal state, or does this Yubikey remain in OTP-only mode forever?

P.S. thanks for the command, I'll try to return to OTP mode later

@dainnilsson
Member

I'm not sure what you mean by "AUTO mode", but I have done some more investigation and can conclude that this is indeed a non-standard YubiKey which only supports the (Yubico) OTP application.

@mi6e4ka
Author

mi6e4ka commented Feb 27, 2024

> I'm not sure what you mean by "AUTO mode"

Sorry, autocorrect, I mean "OTP mode".

@mi6e4ka mi6e4ka closed this as completed Feb 29, 2024