Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access #553

Open
jk-1 opened this issue May 10, 2023 · 6 comments

Comments

@jk-1
Copy link

jk-1 commented May 10, 2023

  • YubiKey Manager (ykman) version:
ykman --version
YubiKey Manager (ykman) version: 5.1.1

  • How was it installed?:

Added Yubico PPA
Instructions, see: https://support.yubico.com/hc/en-us/articles/360016649039-Enabling-the-Yubico-PPA-on-Ubuntu

https://launchpad.net/~yubico/+archive/ubuntu/stable

sudo add-apt-repository ppa:yubico/stable
sudo apt update

apt search yubi
...
yubikey-manager/focal 5.1.1~ppa1~focal1 amd64
  Command line tool for configuring a YubiKey

yubikey-personalization/focal 1.20.0-2 amd64
  Personalization tool for Yubikey OTP tokens

yubikey-personalization-gui/focal 3.1.24-1build1 amd64
  Graphical personalization tool for YubiKey tokens

...
yubioath-desktop/focal 5.0.3-1 amd64
  Graphical interface for displaying OATH codes with a Yubikey

# Install Command                               Program	                        
sudo apt install yubikey-manager                # YubiKey Manager (CLI) == ykman	        
sudo apt install yubikey-personalization-gui    # YubiKey Personalization Tool	
sudo apt install libpam-yubico                  # libpam-yubico	                
sudo apt install libpam-u2f                     # libpam-u2f	                    
  • Operating system and version:
lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.6 LTS
Release:	20.04
Codename:	focal
    
uname --all
Linux mypc 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

  • YubiKey model and version:
ykman info
Device type: YubiKey 5 NFC
...
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Configured capabilities are protected by a lock code.
    
Applications	USB    	NFC    
OTP         	Enabled	Enabled
FIDO U2F    	Enabled	Enabled
FIDO2       	Enabled	Enabled
OATH        	Enabled	Enabled
PIV         	Enabled	Enabled
OpenPGP     	Enabled	Enabled
YubiHSM Auth	Enabled	Enabled

  • Bug description summary:

I cannot delete or reprogram otp slot 1. I cannot remove access code.

  • Steps to reproduce
# Create new yubiotp. This runs OK. ####################
ykman otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1 

# Add access code. This runs OK. ####################
ykman otp settings --new-access-code 000000000000 1
Update the settings for slot 1? All existing settings will be overwritten. [y/N]: y
Updating settings for slot 1...

# I do not have debugging info from the 2 previous commands because I did not know that the rest would fail.

# All remaining commands fail.
# Try to reprogram yubiotp. ####################
ykman --log-level DEBUG otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1 
INFO 12:31:09.219 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:31:09.219 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 12:31:09.220 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.1.1
  Python:           3.8.10 (default, Mar 13 2023, 10:26:41) 
[GCC 9.4.0]
  Platform:         linux
  Arch:             x86_64
  System date:      2023-05-10
  Running as admin: False

DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:31:09.281 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:31:09.341 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:31:09.342 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:31:09.405 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:31:09.463 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:31:09.465 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:31:09.531 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:31:09.531 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:31:09.532 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:31:09.532 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:31:09.533 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
DEBUG 12:31:09.533 [yubikit.yubiotp.put_configuration:780] Writing configuration of type YubiOtpSlotConfiguration to slot 1
DEBUG 12:31:09.533 [yubikit.yubiotp._write_config:762] Writing configuration to slot 1, access code: False
ERROR 12:31:09.579 [ykman._cli.__main__.main:380] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 487, in yubiotp
    session.put_configuration(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 784, in put_configuration
    self._write_config(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 763, in _write_config
    self._status = self.backend.write_update(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 666, in write_update
    return self.protocol.send_and_receive(slot, data)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 167, in send_and_receive
    response = self._read_frame(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 245, in _read_frame
    raise CommandRejectedError("No data")
yubikit.core.otp.CommandRejectedError: No data

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
    cli(obj={})
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 496, in yubiotp
    raise CliFail(_WRITE_FAIL_MSG)
ykman._cli.util.CliFail: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).

# Try to add new access code. ####################
ykman --log-level DEBUG otp settings --new-access-code 000000000000 1 -f 
INFO 12:33:42.534 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:33:42.534 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 12:33:42.535 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.1.1
  Python:           3.8.10 (default, Mar 13 2023, 10:26:41) 
[GCC 9.4.0]
  Platform:         linux
  Arch:             x86_64
  System date:      2023-05-10
  Running as admin: False

DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:33:42.601 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:33:42.602 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:33:42.661 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:33:42.662 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:33:42.662 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:33:42.725 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:33:42.725 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:33:42.725 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:33:42.769 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:33:42.770 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:33:42.770 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:33:42.771 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:33:42.771 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
Updating settings for slot 1...
DEBUG 12:33:42.772 [yubikit.yubiotp.update_configuration:807] Writing configuration update to slot 1
DEBUG 12:33:42.772 [yubikit.yubiotp._write_config:762] Writing configuration to slot 4, access code: False
ERROR 12:33:42.815 [ykman._cli.__main__.main:380] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 923, in settings
    session.update_configuration(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 808, in update_configuration
    self._write_config(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 763, in _write_config
    self._status = self.backend.write_update(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/yubiotp.py", line 666, in write_update
    return self.protocol.send_and_receive(slot, data)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 167, in send_and_receive
    response = self._read_frame(
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/yubikit/core/otp.py", line 245, in _read_frame
    raise CommandRejectedError("No data")
yubikit.core.otp.CommandRejectedError: No data

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
    cli(obj={})
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 933, in settings
    raise CliFail(_WRITE_FAIL_MSG)
ykman._cli.util.CliFail: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).

# Try to remove access code. ####################
ykman --log-level DEBUG otp settings --delete-access-code 000000000000 1 
INFO 12:34:45.917 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:34:45.917 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 12:34:45.917 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.1.1
  Python:           3.8.10 (default, Mar 13 2023, 10:26:41) 
[GCC 9.4.0]
  Platform:         linux
  Arch:             x86_64
  System date:      2023-05-10
  Running as admin: False

Usage: ykman otp settings [OPTIONS] {1|2}
Try 'ykman otp settings -h' for help.

Error: Invalid value for '{1|2}': '000000000000' is not one of '1', '2'.

# Try to remove access code without slot. ####################
ykman --log-level DEBUG otp settings --delete-access-code 000000000000 
INFO 12:35:18.198 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:35:18.198 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 12:35:18.198 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.1.1
  Python:           3.8.10 (default, Mar 13 2023, 10:26:41) 
[GCC 9.4.0]
  Platform:         linux
  Arch:             x86_64
  System date:      2023-05-10
  Running as admin: False

Usage: ykman otp settings [OPTIONS] {1|2}
Try 'ykman otp settings -h' for help.

Error: Invalid value for '{1|2}': '000000000000' is not one of '1', '2'.

# Try to remove access code without access code. ####################
ykman  --log-level DEBUG otp settings --delete-access-code 1
ykman  --log-level DEBUG otp settings --delete-access-code 1
INFO 12:35:54.240 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 12:35:54.240 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 12:35:54.240 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.1.1
  Python:           3.8.10 (default, Mar 13 2023, 10:26:41) 
[GCC 9.4.0]
  Platform:         linux
  Arch:             x86_64
  System date:      2023-05-10
  Running as admin: False

DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:35:54.305 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:35:54.306 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:35:54.306 [ykman.hid.linux.list_devices:123] Couldn't read HID descriptor for /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/hid/linux.py", line 117, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw0
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw4
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
DEBUG 12:35:54.365 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw3
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
DEBUG 12:35:54.366 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw2
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
DEBUG 12:35:54.366 [fido2.hid.linux.list_descriptors:103] Failed opening device /dev/hidraw1
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
DEBUG 12:35:54.429 [ykman.device.add:162] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw5')
DEBUG 12:35:54.487 [yubikit.support.read_info:261] Attempting to read device info, using HidrawConnection
DEBUG 12:35:54.489 [yubikit.management.__init__:443] Management session initialized for connection=HidrawConnection, version=5.4.3
DEBUG 12:35:54.555 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:35:54.555 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=19762036, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 12:35:54.556 [ykman.device.add:173] Resolved device 19762036
DEBUG 12:35:54.556 [ykman.device.add:162] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 01 00')
DEBUG 12:35:54.557 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=HidrawConnection, version=5.4.3, state=ConfigState(configured: (True, True), touch_triggered: (False, False), led_inverted: False)
ERROR 12:35:54.557 [ykman._cli.__main__.main:380] --delete-access-code used without providing an access code (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/__main__.py", line 364, in main
    cli(obj={})
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/venvs/yubikey-manager/lib/python3.8/site-packages/ykman/_cli/otp.py", line 888, in settings
    raise CliFail(
ykman._cli.util.CliFail: --delete-access-code used without providing an access code (see "ykman otp --help" for more info).

Expected result

[What did you expect to happen when you did the above?]

I expected this command to run without any error:

# Try to reprogram yubiotp
ykman --log-level DEBUG otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1 

Or if failed then could remove the access code with command:

# Try to remove access code
ykman --log-level DEBUG otp settings --delete-access-code 000000000000 1 

and then reprogram slot again without any errors.

Actual results and logs

See above

Other info

Before this error I could run several times ykman otp yubiotp -command without any error.

ykman otp yubiotp --force --public-id ldjhfkebukilcinj --private-id aff6c6808817 --key 38fbab04313c88a358e8cb4a6633e6bc 1

Also the first time I added access code was successful

ykman otp settings --new-access-code 000000000000 1

but after that I could not reprogram otp or remove access code.

I also installed

Yubikey Manager GUI v1.2.5

Yubikey Personalization Tool v3.1.24 (lib v 1.20.0)

Reprogramming or clearing otp slot 1 will fail also with those tools.

Running Yubikey Manager GUI / Applications / OTP / Slot 1 / Delete

Result is error text: Failed to modify Slot 1. Make sure the Yubikey does not have restricted access.

It seems that there is no way to modify access using Yubikey Manager GUI.

Running Yubikey Personalization Tool / Yubikey OTP / Quick / Slot 1 / Write configuration

Result is error text: Yubikey could not be configured. Perhaps protected with configuration protection access code.

It seems that there is no way to modify access using Yubikey Personalization Tool either.

I have same issue and same error logs with both of my Yubikeys. Keys were purhchased at the same time and they have identical SW versions and enabled applications. So most likely the issue is not in the keys but a SW issue.

I have tested both keys in 2 different Linux Ubuntu 20.04 LTS environments with same results. Yubico SW installed into both environments with same commands so most likely this is not an environment related HW issue either.

How can I fix this issue?

My keys are partly useless until I can fix this issue.

Thank you for your help and support!

@dainnilsson
Copy link
Member

Because you've set an access code, all the changes are locked unless you can provide that access code when issuing the changing command. The way to provide the access code is by passing it to the otp subcommand via the --access-code option. NOTE THAT THIS MUST BE PASSED PRIOR TO ANY SUBCOMMAND TO otp. The command to remove an access code (as per ykman otp --help) is:

Remove a currently set access code from slot 2):
$ ykman otp --access-code 0123456789ab settings 2 --delete-access-code

Yes, it is confusing that you cannot pass the --access-code option to one of the subcommands to otp. Unfortunately this is due to a technical limitation of the underlying CLI framework used.

@jk-1
Copy link
Author

jk-1 commented May 10, 2023

Thanks for this advice. It helped to clear the access code from one key but clearing the other key still fails.

ykman otp --access-code 000000000000 settings 1 --delete-access-code -f
Updating settings for slot 1...
ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).

I also tried to reset the otp application with these instructions but failed during step 5. Error message was: Failed to modify Slot 1. Make sure the Yubikey does not have restricted access.

Is there any way to reset the whole key (all applications) to factory settings?

@dainnilsson
Copy link
Member

There is not, unfortunately. The behavior seems to indicate that you are using the incorrect access code, and if that is the case and the code is lost, then there is no way to recover it.

@jk-1
Copy link
Author

jk-1 commented May 17, 2023

I found the used access-code and managed to remove it from the yubikey so that issue is cleared.

What is the reason that user cannot reset otp application (=remove PIN/access-code and all credentials) if he/she loses the access-code?

My understanding is that at least fido, oauth and opengpg applications you can reset without any PIN. So why does the otp application use a different logic?

It is also good to note that this irrecoverability is not properly documented, at least not mentioned at all in the ykman help texts or in the web documentation.

In my mind user should be able to reset the otp application without PIN or access-code or if that is not possible for some reason then at least the ykman documentation and help texts should clearly warn user that losing the access-code prevents any further programming of the otp application.

@yuriw
Copy link

yuriw commented May 18, 2023

I am experiencing the same issue

Any final suggestion?

@messy521
Copy link

I also encountered the same problem, have you guys solved it? Is there any solution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

4 participants