yubikey-manager's Introduction

YubiKey Manager CLI

Python 3.8 (or later) library and command line tool for configuring a YubiKey. If you’re looking for the graphical application, it’s here.

Usage

For more usage information and examples, see the YubiKey Manager CLI User Manual.

Usage: ykman [OPTIONS] COMMAND [ARGS]...

  Configure your YubiKey via the command line.

  Examples:

    List connected YubiKeys, only output serial number:
    $ ykman list --serials

    Show information about YubiKey with serial number 0123456:
    $ ykman --device 0123456 info

Options:
  -d, --device SERIAL             specify which YubiKey to interact with by serial number
  -r, --reader NAME               specify a YubiKey by smart card reader name (can't be used with --device or list)
  -l, --log-level [ERROR|WARNING|INFO|DEBUG|TRAFFIC]
                                  enable logging at given verbosity level
  --log-file FILE                 write log to FILE instead of printing to stderr (requires --log-level)
  --diagnose                      show diagnostics information useful for troubleshooting
  -v, --version                   show version information about the app
  --full-help                     show --help output, including hidden commands
  -h, --help                      show this message and exit

Commands:
  info     show general information
  list     list connected YubiKeys
  config   enable or disable applications
  fido     manage the FIDO applications
  oath     manage the OATH application
  openpgp  manage the OpenPGP application
  otp      manage the YubiOTP application
  piv      manage the PIV application

The --help argument can also be used to get detailed information about specific subcommands:

ykman oath --help

Versioning/Compatibility

This project follows Semantic Versioning. Any project depending on yubikey-manager should take care when specifying version ranges to not include any untested major version, as it is likely to have backwards incompatible changes. For example, you should NOT depend on ">=5", as it has no upper bound. Instead, depend on ">=5, <6", as any release before 6 will be compatible.

Note that any private variables (names starting with '_') are not part of the public API, and may be changed between versions at any time.
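
The version-range advice above can be checked mechanically. The following is an added example, not part of yubikey-manager: `allows` and `open_ended` are hypothetical helper names, the parser handles only plain numeric release clauses (no extras, markers or pre-releases), and the requirement lines are constructed.

```python
import re

# One clause: operator, dotted release number, optional ".*" wildcard.
_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?$")
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def _cmp(a, b):
    """Compare two release tuples after zero-padding them to equal length."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def _clause_allows(version, op, bound, wildcard):
    padded = version + (0,) * len(bound)
    if wildcard:  # "==5.*" / "!=5.*" compare only the stated prefix
        if op not in ("==", "!="):
            raise ValueError("wildcard is only valid with == or !=")
        return (padded[: len(bound)] == bound) == (op == "==")
    c = _cmp(version, bound)
    if op == "~=":  # compatible release: >= bound, same leading components
        if len(bound) < 2:
            raise ValueError("~= needs at least two release components")
        return c >= 0 and padded[: len(bound) - 1] == bound[:-1]
    return {"==": c == 0, "!=": c != 0, "<": c < 0,
            "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def allows(requirement, version):
    """True if a line such as "yubikey-manager>=5, <6" accepts `version` (a tuple)."""
    m = _NAME.match(requirement)
    if not m:
        raise ValueError(f"not a requirement line: {requirement!r}")
    for raw in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause: {raw!r}")
        op, number, wildcard = cm.groups()
        bound = tuple(int(part) for part in number.split("."))
        if not _clause_allows(version, op, bound, bool(wildcard)):
            return False
    return True  # a bare package name has no clauses and accepts everything


def open_ended(requirements, package, tested_major):
    """Return the lines for `package` that also accept an untested later major."""
    probes = [(tested_major + 1, 0), (tested_major + 1, 999), (tested_major + 2, 0)]
    flagged = []
    for line in requirements:
        line = line.split("#", 1)[0].strip()
        m = _NAME.match(line)
        if not m or m.group(1).lower().replace("_", "-") != package:
            continue  # blank line, option line, or another package
        if any(allows(line, probe) for probe in probes):
            flagged.append(line)
    return flagged


# Constructed candidate lines, including the two ranges quoted in the README.
SAMPLE_REQUIREMENTS = [
    "click>=8",
    "yubikey-manager>=5",
    "yubikey-manager>=5, <6",
    "yubikey-manager>=5,<6.1  # upper bound set one minor too high",
    "yubikey-manager",
]

if __name__ == "__main__":
    for bad in open_ended(SAMPLE_REQUIREMENTS, "yubikey-manager", tested_major=5):
        print("accepts an untested major version:", bad)
```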

Installation

YubiKey Manager can be installed independently of platform by using pip (or equivalent):

pip install --user yubikey-manager

On Linux platforms you will need pcscd installed and running to be able to communicate with a YubiKey over the SmartCard interface. Additionally, you may need to set permissions for your user to access YubiKeys via the HID interfaces. More information is available here.

Some of the libraries used by yubikey-manager have C-extensions, and may require additional dependencies to build, such as swig and potentially PCSC lite.

Pre-built packages

Pre-built packages specific to your platform may be available from Yubico or third parties. Please refer to your platform’s native package manager for detailed instructions on how to install, if available.

Windows

A Windows installer is available to download from the Releases page.

MacOS

A MacOS installer is available to download from the Releases page.

Additionally, packages are available from Homebrew and MacPorts.

Input Monitoring access on MacOS

When running one of the ykman otp commands you may run into an error such as: Failed to open device for communication: -536870174. This indicates a problem with the permission to access the OTP (keyboard) USB interface.

To access a YubiKey over this interface the application needs the Input Monitoring permission. If you are not automatically prompted to grant this permission, you may have to do so manually. Note that it is the terminal you are using that needs the permission, not the ykman executable.

To add your terminal application to the Input Monitoring permission list, go to System Preferences → Security & Privacy → Privacy → Input Monitoring.

Linux

Packages are available for several Linux distributions by third party package maintainers. Yubico also provides packages for Ubuntu in the yubico/stable PPA:

$ sudo apt-add-repository ppa:yubico/stable
$ sudo apt update
$ sudo apt install yubikey-manager

FreeBSD

Although it is not officially supported on this platform, YubiKey Manager can be installed on FreeBSD. It’s available via the ports tree or as a pre-built package. Should you opt to install and use YubiKey Manager on this platform, please be aware that it’s NOT maintained by Yubico.

To install the binary package, use pkg install pyXY-yubikey-manager, with pyXY specifying the version of Python the package was built for, so in order to install YubiKey Manager for Python 3.8, use:

# pkg install py38-yubikey-manager

For more information about how to install packages or ports on FreeBSD, please refer to its official documentation: FreeBSD Handbook.

In order to use ykman otp commands, you need to make sure the uhid(4) driver attaches to the USB device:

# usbconfig ugenX.Y add_quirk UQ_KBD_IGNORE
# usbconfig ugenX.Y reset

The correct device to operate on (ugenX.Y) can be determined using usbconfig list.

When using FreeBSD 13 or higher, you can switch to the more modern hidraw(4) driver. This allows YubiKey Manager to access OTP HID in a non-exclusive way, so that the key will still function as a USB keyboard:

# sysrc kld_list+="hidraw hkbd"
# cat >>/boot/loader.conf<<EOF
hw.usb.usbhid.enable="1"
hw.usb.quirk.0="0x1050 0x0010 0 0xffff UQ_KBD_IGNORE"  # YKS_OTP
hw.usb.quirk.1="0x1050 0x0110 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP
hw.usb.quirk.2="0x1050 0x0111 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_CCID
hw.usb.quirk.3="0x1050 0x0114 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_FIDO
hw.usb.quirk.4="0x1050 0x0116 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_FIDO_CCID
hw.usb.quirk.5="0x1050 0x0401 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP
hw.usb.quirk.6="0x1050 0x0403 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_FIDO
hw.usb.quirk.7="0x1050 0x0405 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_CCID
hw.usb.quirk.8="0x1050 0x0407 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_FIDO_CCID
hw.usb.quirk.9="0x1050 0x0410 0 0xffff UQ_KBD_IGNORE"  # YKP_OTP_FIDO
EOF
# reboot

From source (for development)

To install from source, see the development instructions.

Shell completion

Experimental shell completion for the command line tool is available, provided by the underlying CLI library (click) but it is not enabled by default. To enable it, run this command once (for Bash):

$ source <(_YKMAN_COMPLETE=bash_source ykman | sudo tee /etc/bash_completion.d/ykman)

More information on shell completion (including instructions for zsh) is available here: https://click.palletsprojects.com/en/8.0.x/shell-completion

yubikey-manager's People

Contributors

aaronjsutton, bittner, colonelpanic8, createyourpersonalaccount, dagheyman, dainnilsson, dependabot[bot], echox, egypcio, elibon99, emlun, fdennis, gbdlin, grembo, greydoubt, jsoref, kilimnik, liyanchang, ma27, marissanishimoto, maxthomas, nbraud, pbek, rgerganov, ricandr, rickard-von-essen, solidgoldbomb, stargate01, worr, yubi-david

yubikey-manager's Issues

Support multiple yubikeys

Currently it just writes:
Error: Multiple YubiKeys detected. Only a single YubiKey at a time is supported.

Multi-key support is important, as we have different security levels.

And it's really hard on my nails :) to drag a YubiKey nano out of its slot because I've temporarily inserted a more trusted YubiKey in another slot.

ykman.driver_ccid.CCIDError: Failed to transmit with protocol T1. Card was reset. (or unpowered)

When I use pip2 or brew:

Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/ykman/cli/__main__.py", line 212, in main
    cli(obj={})
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 1063, in invoke
    Command.invoke(self, ctx)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/ykman/cli/util.py", line 77, in inner
    f(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/ykman/cli/__main__.py", line 154, in cli
    dev = _run_cmd_for_single(ctx, subcmd.name, transports)
  File "/usr/local/lib/python2.7/site-packages/ykman/cli/__main__.py", line 115, in _run_cmd_for_single
    return descriptor.open_device(transports)
  File "/usr/local/lib/python2.7/site-packages/ykman/descriptor.py", line 87, in open_device
    dev = YubiKey(self, drv)
  File "/usr/local/lib/python2.7/site-packages/ykman/device.py", line 228, in __init__
    usb_supported = driver.probe_capabilities()
  File "/usr/local/lib/python2.7/site-packages/ykman/driver_ccid.py", line 161, in probe_capabilities
    self.select(aid)
  File "/usr/local/lib/python2.7/site-packages/ykman/driver_ccid.py", line 189, in select
    return self.send_apdu(0, GP_INS_SELECT, 0x04, 0, aid)
  File "/usr/local/lib/python2.7/site-packages/ykman/driver_ccid.py", line 178, in send_apdu
    raise CCIDError(e)
ykman.driver_ccid.CCIDError: Failed to transmit with protocol T1. Card was reset.

When I use pip3:

sjuuls-mbp:~ sjuul$ ykman info
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/ykman/device.py", line 197, in __init__
    config = DeviceConfig(driver.read_config())
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_ccid.py", line 147, in read_config
    raise NotSupportedError()
ykman.driver.NotSupportedError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_ccid.py", line 175, in send_apdu
    resp, sw1, sw2 = self._conn.transmit(header + body)
  File "/usr/local/lib/python3.7/site-packages/smartcard/CardConnectionDecorator.py", line 82, in transmit
    return self.component.transmit(bytes, protocol)
  File "/usr/local/lib/python3.7/site-packages/smartcard/CardConnection.py", line 146, in transmit
    data, sw1, sw2 = self.doTransmit(bytes, protocol)
  File "/usr/local/lib/python3.7/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 205, in doTransmit
    SCardGetErrorMessage(hresult))
smartcard.Exceptions.CardConnectionException: Failed to transmit with protocol T1. Card is unpowered.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 212, in main
    cli(obj={})
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1063, in invoke
    Command.invoke(self, ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/util.py", line 77, in inner
    f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 154, in cli
    dev = _run_cmd_for_single(ctx, subcmd.name, transports)
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 115, in _run_cmd_for_single
    return descriptor.open_device(transports)
  File "/usr/local/lib/python3.7/site-packages/ykman/descriptor.py", line 87, in open_device
    dev = YubiKey(self, drv)
  File "/usr/local/lib/python3.7/site-packages/ykman/device.py", line 228, in __init__
    usb_supported = driver.probe_capabilities()
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_ccid.py", line 161, in probe_capabilities
    self.select(aid)
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_ccid.py", line 189, in select
    return self.send_apdu(0, GP_INS_SELECT, 0x04, 0, aid)
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_ccid.py", line 178, in send_apdu
    raise CCIDError(e)
ykman.driver_ccid.CCIDError: Failed to transmit with protocol T1. Card is unpowered.

yubikey-manager and yubikey-manager-qt packages not available via Ubuntu PPA for Trusty release

I'm running Ubuntu 14.04 Trusty on my desktops and have the Yubico stable PPA installed. I've looked for the yubikey-manager and yubikey-manager-qt packages within the repo and cannot locate them (I can see all of the other packages just fine and verified their repo location via 'apt-cache policy '). I checked out the ppa via the web @ launchpad.net and notice the build has failed for those two packages.

Any ideas that can help me resolve this issue?

Error: Failed connecting to the YubiKey [0.4.1/Arch Linux]

Seems related to #13, but neither reinserting nor rebooting resolves the issue.

 ; ykman --version
YubiKey Manager (ykman) version: 0.4.1
Libraries:
    libykpers 1.18.0
    libu2f-host 1.1.3
    libusb 1.0.21

 ; ykman info
Device name: YubiKey 4
Serial number: XX21078
Firmware version: 4.3.3
Enabled connection(s): OTP+U2F+CCID

Device capabilities:
    OTP:	Enabled
    U2F:	Enabled
    CCID:	Enabled
    OPGP:	Enabled
    PIV:	Enabled
    OATH:	Enabled

 ; ykman oath
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

gpg-agent is enabled, but stopping the systemd service doesn't resolve the issue either.

USB Interface Configuration button is greyed out

Trying to get Security Key working with Windows login.
It states that you have to enable CCID mode, the guide says you should hit Configuration under USB Interface in the Manager.
But it's greyed out.

pip install yubikey-manager failing

pip 9.0.1, python 3.6 on Linux:

$ pip install yubikey-manager
Collecting yubikey-manager
  Using cached yubikey-manager-0.5.0.tar.gz
Requirement already satisfied: six in /usr/lib/python3.6/site-packages (from yubikey-manager)
Collecting pyscard (from yubikey-manager)
  Using cached pyscard-1.9.6.tar.gz
Collecting pyusb (from yubikey-manager)
  Using cached pyusb-1.0.2.tar.gz
Collecting click (from yubikey-manager)
  Using cached click-6.7-py2.py3-none-any.whl
Requirement already satisfied: cryptography in /usr/lib/python3.6/site-packages (from yubikey-manager)
Collecting pyopenssl (from yubikey-manager)
  Using cached pyOpenSSL-17.5.0-py2.py3-none-any.whl
Requirement already satisfied: idna>=2.0 in /usr/lib/python3.6/site-packages (from cryptography->yubikey-manager)
Requirement already satisfied: pyasn1>=0.1.8 in /usr/lib/python3.6/site-packages (from cryptography->yubikey-manager)
Requirement already satisfied: setuptools>=11.3 in /usr/lib/python3.6/site-packages (from cryptography->yubikey-manager)
Requirement already satisfied: cffi>=1.4.1 in /usr/lib/python3.6/site-packages (from cryptography->yubikey-manager)
Requirement already satisfied: pycparser in /usr/lib/python3.6/site-packages (from cffi>=1.4.1->cryptography->yubikey-manager)
Installing collected packages: pyscard, pyusb, click, pyopenssl, yubikey-manager
  Running setup.py install for pyscard ... error
    Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-ipcmpveg/pyscard/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-njt8jum4-record/install-record.txt --single-version-externally-managed --compile:
    running install
    running build
    running build_py
    running build_ext
    building 'smartcard.scard._scard' extension
    swigging smartcard/scard/scard.i to smartcard/scard/scard_wrap.c
    swig -python -outdir smartcard/scard -DPCSCLITE -o smartcard/scard/scard_wrap.c smartcard/scard/scard.i
    unable to execute 'swig': No such file or directory
    error: command 'swig' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-ipcmpveg/pyscard/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-njt8jum4-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-ipcmpveg/pyscard/

This appears because swig is also a dependency.
Installing swig fixes that error, but then I see the following gcc (version: 7.2.1 20180116) error:

Installing collected packages: pyscard, pyusb, click, pyopenssl, yubikey-manager
  Running setup.py install for pyscard ... error
    Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-x56ben10/pyscard/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-h5s8hpb3-record/install-record.txt --single-version-externally-managed --compile:
    running install
    running build
    running build_py
    running build_ext
    building 'smartcard.scard._scard' extension
    swigging smartcard/scard/scard.i to smartcard/scard/scard_wrap.c
    swig -python -outdir smartcard/scard -DPCSCLITE -o smartcard/scard/scard_wrap.c smartcard/scard/scard.i
    creating build
    creating build/temp.linux-x86_64-3.6
    creating build/temp.linux-x86_64-3.6/smartcard
    creating build/temp.linux-x86_64-3.6/smartcard/scard
    gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -fPIC -DVER_PRODUCTVERSION=1,9,6,0000 -DVER_PRODUCTVERSION_STR=1.9.6 -DPCSCLITE=1 -Ismartcard/scard/ -I/usr/include/PCSC -I/usr/include/python3.6m -c smartcard/scard/helpers.c -o build/temp.linux-x86_64-3.6/smartcard/scard/helpers.o
    smartcard/scard/helpers.c:28:10: fatal error: winscard.h: No such file or directory
     #include <winscard.h>
              ^~~~~~~~~~~~
    compilation terminated.
    error: command 'gcc' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-x56ben10/pyscard/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-h5s8hpb3-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-x56ben10/pyscard/

macOS: doesn't start - get stack trace instead

❯ uname -a
Darwin xxx 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64
Return value of PyObject call is NULL: Traceback (most recent call last):

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/ykman/descriptor.py", line 116, in open_device
    dev = open_ccid()

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/ykman/driver_ccid.py", line 214, in open_device
    conn.connect()

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/smartcard/CardConnectionDecorator.py", line 54, in connect
    self.component.connect(protocol, mode, disposition)

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 128, in connect
    SCardGetErrorMessage(hresult))

smartcard.Exceptions.CardConnectionException: Unable to connect with protocol: T0 or T1. Sharing violation.


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "qrc:///py/yubikey.py", line 21, in wrapped
    return json.dumps(f(*args, **kwargs))

  File "qrc:///py/yubikey.py", line 51, in refresh
    dev = desc.open_device()

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/ykman/descriptor.py", line 122, in open_device
    raise FailedOpeningDeviceException(e)

ykman.descriptor.FailedOpeningDeviceException: Unable to connect with protocol: T0 or T1. Sharing violation.

Error: Failed connecting to the YubiKey

Hi,

I just installed yubikey-manager from ppa:yubico/stable

archf@laptop ~ 2> ykman -v
YubiKey Manager (ykman) version: 0.3.3
Libraries:
    libykpers 1.18.0
    libu2f-host 1.1.3
    libusb 1.0.20
archf@laptop ~ 1> aptitude show yubikey-manager
Package: yubikey-manager                 
New: yes
State: installed
Automatically installed: no
Version: 0.3.3-1~ppa1~xenial1
Priority: optional
Section: utils
Maintainer: Debian Authentication Maintainers <[email protected]>
Architecture: all
Uncompressed Size: 74.8 k
Depends: python3:any (>= 3.4~), python3-yubikey-manager,
         python3-click, pcscd
Description: Python library and command line tool for configuring a YubiKey
 YubiKey Manager (ykman) is a command line tool for
 configuring a YubiKey over all transports. It is
 capable of reading out device information as well as
 configuring several aspects of a YubiKey, including
 enabling or disabling connection transports an
 programming various types of credentials.

I can do this:

archf@laptop ~ > ykman info 
Device name: YubiKey 4
Serial number: 5216053
Firmware version: 4.3.3
Enabled connection(s): OTP+U2F+CCID

Device capabilities:
    OTP:	Enabled
    U2F:	Enabled
    CCID:	Enabled
    OPGP:	Enabled
    PIV:	Enabled
    OATH:	Enabled

But when I run this:

archf@laptop ~ > ykman openpgp info
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

And just to show it is seen by gpg2

archf@laptop /home > gpg --card-status 
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006052160530000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 05216053
Name of cardholder: Felix Archambault archf
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: archf
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 2 0 3
Signature counter : 0
[...snip...]

My goal was to increase the set-pin-retries a little bit. Also what happens when PIN retry counter reaches 0? Keys are lost? I can't find any sure sources about the behavior...

Thanks for any help!

Expose --enter / --no-enter as a 'update' option

ykman slot update 1 --no-enter
ykman slot update 1 --enter

Should allow updating the enter/no-enter setting without altering the secret in the slot. All other settings should be written with default values. Don't allow if slot is empty. Should be usable with access-code as well.
'update' with no option should not do anything.
Errors to handle: accesscode, dormant, empty slot, allow update is false.

UnboundLocalError: local variable 'res' referenced before assignment

I sporadically get an error/stack trace after multiple uses of the command "ykman slot calculate -T 2". Do you have any idea why?

Python Version: 3.6.0
OS: macOS 10.12.3

➜  ~ ykman -v      
YubiKey Manager (ykman) version: 0.3.1
Libraries:
    libykpers 1.17.3
    libu2f-host 1.1.3
    libusb 1.0.21
➜  ~ ykman slot calculate -T 2
Touch your YubiKey...
722158
➜  ~ ykman slot calculate -T 2
Touch your YubiKey...
722158
➜  ~ ykman slot calculate -T 2
Touch your YubiKey...
Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/ykman/cli/__main__.py", line 116, in main
    cli(obj={})
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/ykman/cli/slot.py", line 359, in calculate
    click.echo(res)
UnboundLocalError: local variable 'res' referenced before assignment

Allow Deleting/Listing Windows Hello credentials

Under certain cases, it might be necessary to delete OATH credentials for Windows Hello.
Currently there seems to be no way of deleting them other than resetting the entire applet (or using an older version of YubiKey Authenticator).
ykman oath list does not list stored credentials either. At the least, the user should be able to delete the set of credentials.

[v0.4.1] ykman info: Error: Failed connecting to the YubiKey.

On archlinux:
Linux horizon 4.12.8-2-ARCH #1 SMP PREEMPT Fri Aug 18 14:08:02 UTC 2017 x86_64 GNU/Linux

YubiKey Manager (ykman) version: 0.4.1
Libraries:
libykpers 1.18.0
libu2f-host 1.1.3
libusb 1.0.21

I am trying "ykman info" on two YubiKey version 4 devices (yk4 and yk4c) and get for both:
Error: Failed connecting to the YubiKey.

But heading to https://demo.yubico.com and trying the single-factor authentication works fine.

What am I missing? ... Maybe because ykman is WIP? Or is this a bug?

Btw "ykman slot info" seems to work fine:
YubiKey 4
Slot 1: programmed
Slot 2: empty

Also yubikey-personalization-gui recognizes the yubikey correctly:
Firmware Version 4.2.8

package missing on ubuntu ppa

Hey folks! I'm trying to install yubioath-desktop

 ~  sudo -H apt install yubioath-desktop
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 yubioath-desktop : Depends: python3-yubikey-manager (>= 0.5.0) but it is not installable
                    Depends: python3-yubikey-manager (<= 0.6) but it is not installable
E: Unable to correct problems, you have held broken packages.

but there's no install candidate under that name:

 ~  apt policy python3-yubikey-manager
python3-yubikey-manager:
  Installed: (none)
  Candidate: (none)
  Version table:
 ~

Need building instructions

As an open source project, it'd be helpful to provide instructions to build from source, so that users can package it themselves, or so that downstream package maintainers can package it for their platform. (For example, I'd like to see yubikey-manager as an RPM in Fedora, but it's less likely to be provided by the Fedora community if there's no upstream build-from-source instructions).

AttributeError: 'NoneType' object has no attribute 'close'

Hey,
I can't get rid of this error when trying to set up an OTP slot on a YubiKey 4C.

OSX 10.13.3, ykman 0.7.0 installed from brew

ykman -d XYZ info
Device type: YubiKey 4
Serial number: XYZ
Firmware version: 4.3.7
Enabled USB interfaces: OTP+FIDO+CCID

Applications
OTP     	Enabled
FIDO U2F	Enabled
OpenPGP 	Enabled
PIV     	Enabled
OATH    	Enabled
FIDO2   	Not available
$ ykman -d XYZ otp static --generate 1
Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 11, in <module>
    load_entry_point('yubikey-manager==0.7.0', 'console_scripts', 'ykman')()
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/ykman/cli/__main__.py", line 211, in main
    cli(obj={})
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/core.py", line 1063, in invoke
    Command.invoke(self, ctx)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/ykman/cli/util.py", line 77, in inner
    f(*args, **kwargs)
  File "/usr/local/Cellar/ykman/0.7.0/libexec/lib/python2.7/site-packages/ykman/cli/__main__.py", line 157, in cli
    ctx.call_on_close(dev.close)
AttributeError: 'NoneType' object has no attribute 'close'

[Question] Detecting that Yubikey is waiting for a touch via an external script

I have a YubiKey 4 Nano and the blinking light is not always visible, so I often find myself missing the time window to touch the YubiKey when there is a prompt "Please touch the device". This happens, for example, when I begin some long-running task that will finish with a sudo command (e.g. build and install an app).

I'm writing a script that could detect when YubiKey is waiting for a touch. I have some partial success, and it looks like this:

[image: yubikey_indicator]

Detection for gpg and sudo operations is very different. Both methods are very hacky and have their downsides, so I want to describe how I made it and ask you for suggestions; maybe you can come up with some improvement ideas.

GPG:

I noticed that the command gpg --card-status normally returns instantly, but if the YubiKey is waiting for a touch for another gpg operation (like gpg --sign), then gpg --card-status will hang until I touch the device. So I implement detection in the following way:

  1. Every second or even less, try to call gpg --card-status.
  2. If the command returns instantly, the YubiKey is not waiting for a touch, so repeat step 1.
  3. Otherwise, mark that YubiKey is waiting for a touch and wait until the command returns.
  4. When it returns, mark that YubiKey is no longer waiting for a touch.

The problems with this approach:

  • Lots of wasted CPU cycles (I want the detection to happen as fast as possible)
  • The YubiKey is always active: it has to respond to gpg --card-status a lot of times, and thus the light indicator is constantly on.

UPDATE: I came up with yet another hack to drastically reduce the number of CPU cycles. Instead of constantly running gpg --card-status, I first use inotifywait to monitor access to ~/.gnupg/pubring.kbx (for sign and encrypt) and ~/.ssh/known_hosts (for auth), and only if either of these two files was opened do I try gpg --card-status in a loop within 5 seconds. The rest of the algorithm remains the same.

Any suggestions on how to better do this?

sudo (pam-u2f):

I opened a separate question about this topic on the pam-u2f repo, but I'll describe it here as well, as the audience here is different and most of the links on ArchWiki point to this repo anyway.

Since configuring pam-u2f requires creating the ~/.config/Yubico/u2f_keys file, it is obvious to assume that this file will be read every time the YubiKey is used. Good news: this does happen, so setting up a simple inotifywait for the OPEN event on this file will instantly let me know when sudo access is being requested. No wasted CPU cycles in this approach, I like it.

However, the problem that I have been unable to solve so far is how to detect that the YubiKey has stopped waiting for a touch (the user touched the device, or a timeout happened). With gpg it was easy, but here I cannot find a way to detect this.

UPDATE: I made a fork of pam-u2f that allows watching the event of completed authorization. It was not merged upstream, because that project is being rewritten, but hopefully this functionality will be present in the new project. But using the fork allows monitoring when ~/.config/Yubico/u2f_keys was opened to indicate that authorization was completed.

Any better suggestions here?


Of course it would be awesome if one of the yubikey CLI tools provided such information out of the box, it is a really useful feature in my mind and I've seen other people requesting this. But I understand that it might be simply impossible to implement in a proper way.
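The GPG polling loop from steps 1-4 of the post above, as an added example that is not part of the original post or of yubikey-manager. The function names, the outcome labels and the timeout values are assumptions made for this sketch; the only thing taken from the post is that gpg --card-status blocks while another gpg operation is waiting for a touch.

```python
"""Touch-wait detector built on the `gpg --card-status` behaviour described in the post."""
import subprocess
import sys
import time

# Probe command taken from the post. Any command that blocks while the token
# is waiting for a touch can be passed instead.
GPG_PROBE = ["gpg", "--card-status"]


def probe_once(cmd, quick_timeout=0.3, max_wait=30.0, on_change=None):
    """Run one probe and classify what happened.

    Returns one of:
      "idle"     - probe returned within quick_timeout (step 2 of the post)
      "released" - probe blocked, then returned (steps 3 and 4)
      "stuck"    - probe was still blocked after max_wait and was killed
      "error"    - probe could not be started (e.g. gpg is not installed)

    on_change(True) is called when waiting is detected and on_change(False)
    when it ends, so a caller can drive a tray icon or a notification.
    """
    notify = on_change or (lambda waiting: None)
    try:
        proc = subprocess.Popen(
            cmd,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except OSError:
        return "error"

    try:
        proc.wait(timeout=quick_timeout)
        return "idle"  # the exit status is ignored: a missing card also returns at once
    except subprocess.TimeoutExpired:
        pass

    notify(True)
    try:
        proc.wait(timeout=max_wait)
        return "released"
    except subprocess.TimeoutExpired:
        # Do not leave a hung probe behind; it would keep the card busy.
        proc.kill()
        proc.wait()
        return "stuck"
    finally:
        notify(False)


def monitor(cmd=GPG_PROBE, interval=1.0, rounds=None, **probe_args):
    """Yield one outcome per probe; stop after `rounds` probes or on "error"."""
    done = 0
    while rounds is None or done < rounds:
        outcome = probe_once(cmd, **probe_args)
        yield outcome
        if outcome == "error":
            return
        done += 1
        if rounds is None or done < rounds:
            time.sleep(interval)


if __name__ == "__main__":
    def show(waiting):
        print("YubiKey is waiting for a touch" if waiting else "touch wait ended",
              file=sys.stderr)

    for result in monitor(on_change=show):
        if result == "error":
            sys.exit("could not start the probe command")
```

"released" only means the probe stopped blocking; as the post notes for sudo, a touch and a timeout cannot be told apart this way.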

Tests fail under sbuild

This is an issue I ran into while packaging yubikey-manager in Debian: the tests fail when run under sbuild:

[...]
running build_ext
Run tests sequentially
0:00:00 load avg: 6.90 [1/1] test
test test crashed -- Traceback (most recent call last):
  File "/usr/lib/python3.6/test/libregrtest/runtest.py", line 157, in runtest_inner
    clear_caches()
  File "/usr/lib/python3.6/test/libregrtest/refleak.py", line 200, in clear_caches
    stream.flush()
ValueError: underlying buffer has been detached

test failed

1 test failed:
    test

Total duration: 39 ms
Tests result: FAILURE
E: pybuild pybuild:336: test: plugin distutils failed with: exit code=2: python3.6 setup.py test 
dh_auto_test: pybuild --test -i python{version} -p 3.6 returned exit code 13
make: *** [debian/rules:3: build] Error 25
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2

I worked around it for now by disabling the tests during the package build, but this is less than ideal.

fido2 module not found

I'm using Ubuntu 18.04 and followed the PPA installation instructions. However, the ykman command does not work; it only throws the exception that the fido2 module is not found.

$ ykman --version
Traceback (most recent call last):
  File "/usr/bin/ykman", line 11, in <module>
    load_entry_point('yubikey-manager==0.7.1', 'console_scripts', 'ykman')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 480, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2693, in load_entry_point
    return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2324, in load
    return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2330, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/ykman/cli/__main__.py", line 35, in <module>
    from ..descriptor import (get_descriptors, list_devices, open_device,
  File "/usr/lib/python3/dist-packages/ykman/descriptor.py", line 33, in <module>
    from .driver_fido import open_devices as open_fido
  File "/usr/lib/python3/dist-packages/ykman/driver_fido.py", line 32, in <module>
    from fido2.hid import CtapHidDevice, CTAPHID
ModuleNotFoundError: No module named 'fido2'

$ python --version
Python 2.7.15rc1
$ sudo apt install python-fido2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
python-fido2 is already the newest version (0.3.0~ppa1~bionic1).
0 upgraded, 0 newly installed, 0 to remove and 46 not upgraded.

yubikey-manager-0.7.0: tests fail due to missing test/util.py

The source tarball (https://github.com/Yubico/yubikey-manager/releases/download/yubikey-manager-0.7.0/yubikey-manager-0.7.0.tar.gz) is missing test/util.py which leads to the following test failure:

$ touch test/__init__.py

$ python setup.py test
running test
running egg_info
writing top-level names to yubikey_manager.egg-info/top_level.txt
writing yubikey_manager.egg-info/PKG-INFO
writing entry points to yubikey_manager.egg-info/entry_points.txt
writing requirements to yubikey_manager.egg-info/requires.txt
writing dependency_links to yubikey_manager.egg-info/dependency_links.txt
reading manifest file 'yubikey_manager.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'ChangeLog'
warning: no files found matching 'resources/*'
writing manifest file 'yubikey_manager.egg-info/SOURCES.txt'
running build_ext
test_credential_data_make_key (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_only_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_period_and_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_period_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_wierd_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_derive_key (test.test_oath.TestOathFunctions) ... ok
test_parse_uri (test.test_oath.TestOathFunctions) ... ok
test_parse_uri_issuer (test.test_oath.TestOathFunctions) ... ok
test_with_as_closes_driver (test.test_device.TestDevice) ... ok
test_with_as_reraises_exception (test.test_device.TestDevice) ... ok
test_with_closes_driver (test.test_device.TestDevice) ... ok
test_with_reraises_exception (test.test_device.TestDevice) ... ok
test_cli_config (unittest.loader._FailedTest) ... ERROR
test_cli_misc (unittest.loader._FailedTest) ... ERROR
test_piv (unittest.loader._FailedTest) ... ERROR
util (unittest.loader._FailedTest) ... ERROR
test_cli_oath (unittest.loader._FailedTest) ... ERROR
test_cli_openpgp (unittest.loader._FailedTest) ... ERROR
test_cli_otp (unittest.loader._FailedTest) ... ERROR
test_de_layout (test.test_scancodes.TestScanMap) ... ok
test_us_layout (test.test_scancodes.TestScanMap) ... ok
test_util (unittest.loader._FailedTest) ... ERROR
test_generate_random_management_key (test.test_piv.TestPivFunctions) ... ok
test_external_libs (unittest.loader._FailedTest) ... ERROR

======================================================================
ERROR: test_cli_config (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_cli_config
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_cli_config.py", line 2, in <module>
    from .util import (DestructiveYubikeyTestCase, ykman_cli, can_write_config)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_cli_misc (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_cli_misc
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_cli_misc.py", line 1, in <module>
    from .util import (DestructiveYubikeyTestCase, ykman_cli)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_piv (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_piv
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_piv.py", line 11, in <module>
    from .util import (
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: util (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: util
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_cli_oath (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_cli_oath
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_cli_oath.py", line 3, in <module>
    from .util import (DestructiveYubikeyTestCase, missing_mode, ykman_cli)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_cli_openpgp (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_cli_openpgp
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_cli_openpgp.py", line 3, in <module>
    from .util import (DestructiveYubikeyTestCase, missing_mode, ykman_cli)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_cli_otp (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_cli_otp
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/test_cli_otp.py", line 32, in <module>
    from .util import (DestructiveYubikeyTestCase, missing_mode, ykman_cli)
  File "/tmp/yubikey-manager-0.7.0/test/on_yubikey/util.py", line 9, in <module>
    import test.util
ImportError: No module named 'test.util'


======================================================================
ERROR: test_util (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_util
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/test_util.py", line 7, in <module>
    from .util import open_file
ImportError: No module named 'test.util'


======================================================================
ERROR: test_external_libs (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: test_external_libs
Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/loader.py", line 153, in loadTestsFromName
    module = __import__(module_name)
  File "/tmp/yubikey-manager-0.7.0/test/test_external_libs.py", line 3, in <module>
    from test.util import ykman_cli
ImportError: No module named 'test.util'


----------------------------------------------------------------------
Ran 25 tests in 0.018s

FAILED (errors=9)
Test failed: <unittest.runner.TextTestResult run=25 errors=9 failures=0>
error: Test failed: <unittest.runner.TextTestResult run=25 errors=9 failures=0>

Adding the file from the git repo fixes the issue:

$ cat yubikey-manager-0.7.0-fix-tests.patch 
diff --git b/test/util.py a/test/util.py
new file mode 100644
index 0000000..0551d06
--- /dev/null
+++ a/test/util.py
@@ -0,0 +1,18 @@
+from click.testing import CliRunner
+from ykman.cli.__main__ import cli
+import os
+
+
+PKG_DIR = os.path.dirname(os.path.abspath(__file__))
+
+
+def open_file(*relative_path):
+    return open(os.path.join(PKG_DIR, 'files', *relative_path), 'rb')
+
+
+def ykman_cli(*argv, **kwargs):
+    runner = CliRunner()
+    result = runner.invoke(cli, list(argv), obj={}, **kwargs)
+    if result.exit_code != 0:
+        raise result.exception
+    return result.output
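Review bot: in ykman_cli, `raise result.exception` throws away `result.output`, so when a CLI test fails the report shows only the exception and not what the command printed; consider attaching the captured output to the failure. Separately, open_file returns an open handle from a bare `open(...)` call, so every caller has to remember to close it; a short docstring saying it is meant to be used in a `with` block would make that explicit. The header also reads `diff --git b/test/util.py a/test/util.py` with the a/ and b/ prefixes swapped, which `patch -p1` tolerates but is worth regenerating.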

$ patch -p1 < yubikey-manager-0.7.0-fix-tests.patch 
patching file test/util.py

$ python setup.py test
running test
running egg_info
writing yubikey_manager.egg-info/PKG-INFO
writing dependency_links to yubikey_manager.egg-info/dependency_links.txt
writing entry points to yubikey_manager.egg-info/entry_points.txt
writing requirements to yubikey_manager.egg-info/requires.txt
writing top-level names to yubikey_manager.egg-info/top_level.txt
reading manifest file 'yubikey_manager.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'ChangeLog'
warning: no files found matching 'resources/*'
writing manifest file 'yubikey_manager.egg-info/SOURCES.txt'
running build_ext
test_credential_data_make_key (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_only_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_period_and_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_period_and_name (test.test_oath.TestOathFunctions) ... ok
test_credential_parse_wierd_issuer_and_name (test.test_oath.TestOathFunctions) ... ok
test_derive_key (test.test_oath.TestOathFunctions) ... ok
test_parse_uri (test.test_oath.TestOathFunctions) ... ok
test_parse_uri_issuer (test.test_oath.TestOathFunctions) ... ok
test_with_as_closes_driver (test.test_device.TestDevice) ... ok
test_with_as_reraises_exception (test.test_device.TestDevice) ... ok
test_with_closes_driver (test.test_device.TestDevice) ... ok
test_with_reraises_exception (test.test_device.TestDevice) ... ok
test_set_lock_code (test.on_yubikey.test_cli_config.TestConfigLockCode) ... skipped 'Device can not write config'
test_disable_all (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_and_enable (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_fido2 (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_oath (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_openpgp (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_otp (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_piv (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_u2f (test.on_yubikey.test_cli_config.TestConfigNFC) ... skipped 'Device can not write config'
test_disable_all (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_and_enable (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_fido2 (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_oath (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_openpgp (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_otp (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_piv (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_disable_u2f (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_mode_command (test.on_yubikey.test_cli_config.TestConfigUSB) ... skipped 'Device can not write config'
test_ykman_info (test.on_yubikey.test_cli_misc.TestYkmanInfo) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_delete_certificate_requires_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_csr_works (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_key_requires_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_self_signed_certificate_requires_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_self_signed_certificate_slot_9a_works (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_self_signed_certificate_slot_9c_works (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_import_certificate_requires_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_import_key_requires_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_read_certificate_does_not_require_authentication (test.on_yubikey.test_piv.KeyManagement) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_authenticate_twice_does_not_throw (test.on_yubikey.test_piv.ManagementKeyReadOnly) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_reset_resets_has_stored_key_flag (test.on_yubikey.test_piv.ManagementKeyReadOnly) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_reset_while_verified_throws_nice_ValueError (test.on_yubikey.test_piv.ManagementKeyReadOnly) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_mgm_key_does_not_change_key_if_not_authenticated (test.on_yubikey.test_piv.ManagementKeyReadOnly) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_stored_mgm_key_does_not_destroy_key_if_pin_not_verified (test.on_yubikey.test_piv.ManagementKeyReadOnly) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_mgm_key_changes_mgm_key (test.on_yubikey.test_piv.ManagementKeyReadWrite) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_stored_mgm_key_succeeds_if_pin_is_verified (test.on_yubikey.test_piv.ManagementKeyReadWrite) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_stored_random_mgm_key_succeeds_if_pin_is_verified (test.on_yubikey.test_piv.ManagementKeyReadWrite) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_sign_with_pin_policy_always_requires_pin_every_time (test.on_yubikey.test_piv.Operations) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_sign_with_pin_policy_never_does_not_require_pin (test.on_yubikey.test_piv.Operations) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_sign_with_pin_policy_once_requires_pin_once_per_session (test.on_yubikey.test_piv.Operations) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_pin_retries_requires_pin_and_mgm_key (test.on_yubikey.test_piv.UnblockPin) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_set_pin_retries_sets_pin_and_puk_tries (test.on_yubikey.test_piv.UnblockPin) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_unblock_pin_requires_no_previous_authentication (test.on_yubikey.test_piv.UnblockPin) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_unblock_pin_resets_pin_and_retries (test.on_yubikey.test_piv.UnblockPin) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_unblock_pin_with_wrong_puk_throws_ValueError (test.on_yubikey.test_piv.UnblockPin) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_credential (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_credential_prompt (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_credential_with_space (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_uri_hotp (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_uri_totp (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_add_uri_totp_prompt (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_code (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_code_query (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_delete (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_hidden_cred (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_hotp_code (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_hotp_steam_code (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_info (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_oath_reset (test.on_yubikey.test_cli_oath.TestOATH) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_openpgp_info (test.on_yubikey.test_cli_openpgp.TestOpenPGP) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_openpgp_reset (test.on_yubikey.test_cli_openpgp.TestOpenPGP) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_calculate_hex (test.on_yubikey.test_cli_otp.TestSlotCalculate) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_calculate_totp (test.on_yubikey.test_cli_otp.TestSlotCalculate) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_access_code_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_delete_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_invalid_public_id (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_update_settings_enter_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_chalresp_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_chalresp_slot_2_force_fails_without_key (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_chalresp_slot_2_generated (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_chalresp_slot_2_generated_fails_if_also_given (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_chalresp_slot_2_prompt (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_hotp_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_hotp_slot_2_prompt (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2 (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_generate_id_conflicts_private_id (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_generate_key_conflicts_key (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_generated_all (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_generated_private_id (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_generated_secret_key (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_options (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_prompt (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_serial_id_conflicts_public_id (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_program_otp_slot_2_serial_public_id (test.on_yubikey.test_cli_otp.TestSlotProgramming) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_de_scancodes (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_pw (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_pw_no_length (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_pw_too_long (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_generate_zero_length (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_overwrite_prompt (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_provide_valid_pw (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_provide_valid_pw_prompt (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_too_long (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_unsupported_chars (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_us_scancodes (test.on_yubikey.test_cli_otp.TestSlotStaticPassword) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_otp_info (test.on_yubikey.test_cli_otp.TestSlotStatus) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_swap_slots (test.on_yubikey.test_cli_otp.TestSlotStatus) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_de_layout (test.test_scancodes.TestScanMap) ... ok
test_us_layout (test.test_scancodes.TestScanMap) ... ok
test_bytes2int (test.test_util.TestUtilityFunctions) ... ok
test_form_factor_from_code (test.test_util.TestUtilityFunctions) ... ok
test_format_code (test.test_util.TestUtilityFunctions) ... ok
test_generate_static_pw (test.test_util.TestUtilityFunctions) ... ok
test_hmac_shorten_key (test.test_util.TestUtilityFunctions) ... ok
test_is_pkcs12 (test.test_util.TestUtilityFunctions) ... ok
test_modhex_decode (test.test_util.TestUtilityFunctions) ... ok
test_modhex_encode (test.test_util.TestUtilityFunctions) ... ok
test_parse_tlvs (test.test_util.TestUtilityFunctions) ... ok
test_parse_truncated (test.test_util.TestUtilityFunctions) ... ok
test_time_challenge (test.test_util.TestUtilityFunctions) ... ok
test_tlv (test.test_util.TestUtilityFunctions) ... ok
test_generate_random_management_key (test.test_piv.TestPivFunctions) ... ok
test_ykman_version (test.test_external_libs.TestExternalLibraries) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'
test_ykman_version_not_found (test.test_external_libs.TestExternalLibraries) ... skipped 'DESTRUCTIVE_TEST_YUBIKEY_SERIAL == None'

----------------------------------------------------------------------
Ran 126 tests in 0.037s

OK (skipped=98)

Updating yubikey-manager affects yubioath-desktop

Under Arch (4.15.14-1-ARCH), I run yubikey-manager 0.4.6 and yubioath-desktop without problems.

When I update yubikey-manager to 0.5.0 or 0.6.0, yubioath-desktop shows "No YubiKey detected". Console output is:

Got library name:  "/usr/lib/qt/qml/io/thp/pyotherside/libpyothersideplugin.so"
"PyOtherSide error: Traceback (most recent call last):\n\n  File \"qrc:///py/yubikey.py\", line 11, in <module>\n    from ykman.util import (\n\nImportError: cannot import name 'derive_key'\n"
qml: Cannot import module: yubikey (Traceback (most recent call last):

  File "qrc:///py/yubikey.py", line 11, in <module>
    from ykman.util import (

ImportError: cannot import name 'derive_key'
)

Can't paste into static password configuration

I was trying to sync my static password while moving from an older yubikey to a new one, and it's very annoying that I cannot paste a password in the 'Configure static password' dialog.

I also can't just use my old Yubikey to type it in, because Yubikey Manager won't work with multiple connected keys.

It sucks having to retype a 48 character password.

No handlers could be found for logger "ykman.driver_otp"

It looks like there's a logging config step missing for:

❯ ykman -v
No handlers could be found for logger "ykman.driver_otp"
YubiKey Manager (ykman) version: 0.6.0
Libraries:
    libykpers not found!
    libu2f-host 1.1.4
    libusb 1.0.21

~
❯ ykman oath list
No handlers could be found for logger "ykman.driver_otp"
github
google

Support --json output

A simple option like --json or --yaml would be nice for many of the outputs.

Examples include ykman oath list --json and ykman oath code --json

I would also support ykman oath code 'name of token' --raw to just output the raw code.

Support for remembering OATH passwords

yubioath supports -R to remember a password so you don't have to enter it every time.

$ yubioath -h
[...]
  -R, --remember     Remember any entered access key for later use.

It would be great to have such functionality here too.

CCIDDriver.read_serial() raises struct.error if a YubiKey has its read-serial# API call disabled

Steps to reproduce (I used a YubiKey NEO):

  1. Start the YubiKey Personalization Tool.
  2. Plug YubiKey in.
  3. Go to Settings and disable the Serial # Visibility API call.
  4. Go to Update Settings and Update Config Slot 1.
  5. Verify that the Serial Number is no longer displayed on the right side of the Personalization Tool.
  6. Start a tool which uses the most recent version of the ykman library, such as YubiKey Authenticator 4.3.4 or YubiKey Manager 0.5.1. The tool fails to get past the Connecting to YubiKey... message.

With debug logging enabled, this traceback is produced:

Traceback (most recent call last):
  File "qrc:///py/yubikey.py", line 124, in refresh
    else TRANSPORT.CCID)
  File "C:\Program Files (x86)\Yubico\Yubico Authenticator\pymodules\ykman\descriptor.py", line 90, in open_device
    dev = YubiKey(self, drv)
  File "C:\Program Files (x86)\Yubico\Yubico Authenticator\pymodules\ykman\device.py", line 217, in __init__
    serial = driver.read_serial()
  File "C:\Program Files (x86)\Yubico\Yubico Authenticator\pymodules\ykman\driver_ccid.py", line 125, in read_serial
    return struct.unpack('>I', serial)[0]
struct.error: unpack requires a buffer of 4 bytes

It looks like this commit removed the highlighted line here which probably should have remained in... placing it back fixes both the Authenticator and Manager tools for me.

`ykman piv generate-csr` seems to generate certificate signing requests with wrong signatures

I generated a key on my Yubikey using ykman as follows:

ykman piv generate-key 9a client.key

Then, I generated a certificate signing request in order to obtain a valid certificate from a CA:

ykman piv generate-csr 9a client.key client.csr -s "my-subject"

When I try to sign the certificate signing request, I obtain the following error from OpenSSL:
Signature did not match the certificate request

I use the following command for OpenSSL:

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt

The tool yubico-piv-tool seems to work just fine:

yubico-piv-tool -a generate -s 9a -o client.key
yubico-piv-tool -a verify -a request -S "/CN=my-subject" -s 9a -o client.csr -i client.key

Now OpenSSL is able to correctly sign the certificate request.

ykman doesn't install on OpenBSD (6.3)

I would like to gather all issues with getting Yubikey Manager to run on OpenBSD with the goal of providing a port (package) for ykman.

  1. pyscard doesn't compile on OpenBSD. Resolved: installing port pcsc-lite and the rest of deps from native OpenBSD packages resolves all issues.
  2. ykman crashes when a YubiKey is plugged in (but yubikey-personalization works). pcscd must be running.
  3. FIDO: pyu2f doesn't support OpenBSD, see https://github.com/google/pyu2f/blob/master/pyu2f/hid/__init__.py#L46
  4. CCID (oath, piv, ...): Fails to connect to device. open_reader doesn't return any device.
  5. OTP: Works! 🎉

feat: a little more documentation please

G'day guys,

This is great btw! I'm thinking about writing a browser extension that utilises this to fill TOTPs. I could just use ykman oath code, retrieve codes for all services and then filter, but I'd rather just ask for one. The CLI usage implies I should be able to do this, but I can't for the life of me work out how and I can't find any examples:

Usage: ykman oath code [OPTIONS] [QUERY]

If the following is produced:

› ykman oath code
Amazon Web Services:johnsmith@acme       123456
Amazon Web Services:johnsmith@emca       654321

What's the appropriate [QUERY] to just return one?

Can't set slot access codes

Hey :)

I've got a script that I use to nuke/rebuild my yubikey whenever the need arises. I'm trying to port it over to using ykman, but I don't seem to be able to find a way to set the access code for a slot (i.e. the equivalent of adding -oaccess=foo when programming a slot with ykpersonalize).

Is this something that could be added?

Thanks!
Chris

ykman piv generate-csr signature errors

On a whim I thought I would see if I could use my yubikey to store a cert with a valid signature, and am using Let's Encrypt for certificate issuance. However, I ran into an issue with verification of the CSR signature when generating with ykman; this issue is not present on yubico-piv-tool:
certbot --csr csr.pem certonly

...
An unexpected error occurred:
The request message was malformed :: Error creating new cert :: invalid signature on CSR
...

While I cannot reproduce this signature failure with openssl, the certificates did look different between the tools, so I thought I would follow up here, before reaching out to the Let's Encrypt folks.

Analysis:
yubico-piv-tool -a verify -a request-certificate -s 9e -S /CN=example.com; openssl req -text -in csr.pem:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:54:80:dc:e7:b5:eb:a8:a3:bb:f8:2e:12:b9:cf:
                    73:06:db:bb:a5:44:4d:46:f7:d0:6d:d1:c2:e2:5c:
                    52:01:f9:b0:1c:23:1e:07:f2:d9:34:e1:e4:c5:f0:
                    b2:e2:ac:f0:21:34:b3:2d:86:47:15:d3:81:65:14:
                    cd:75:fc:af:ab
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:1e:70:74:e9:ec:05:54:44:7c:fa:85:2f:cd:c6:
         03:e6:ee:21:a7:3c:dc:83:e0:95:51:09:61:8f:f9:37:d6:2d:
         02:20:68:a6:9b:72:18:2c:54:14:80:89:a9:ae:d7:5d:7e:94:
         79:e3:6e:9c:7f:0c:54:b3:7c:59:2f:39:af:a1:90:40
-----BEGIN CERTIFICATE REQUEST-----
MIHPMHgCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARUgNznteuoo7v4LhK5z3MG27ulRE1G99Bt0cLiXFIB+bAcIx4H
8tk04eTF8LLirPAhNLMthkcV04FlFM11/K+roAAwCgYIKoZIzj0EAwIDRwAwRAIg
HnB06ewFVER8+oUvzcYD5u4hpzzcg+CVUQlhj/k31i0CIGimm3IYLFQUgImprtdd
fpR5426cfwxUs3xZLzmvoZBA
-----END CERTIFICATE REQUEST-----

ykman piv generate-csr 9a pub.pem - -P $PIN -s example.com | openssl req -text -in /dev/stdin:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:54:80:dc:e7:b5:eb:a8:a3:bb:f8:2e:12:b9:cf:
                    73:06:db:bb:a5:44:4d:46:f7:d0:6d:d1:c2:e2:5c:
                    52:01:f9:b0:1c:23:1e:07:f2:d9:34:e1:e4:c5:f0:
                    b2:e2:ac:f0:21:34:b3:2d:86:47:15:d3:81:65:14:
                    cd:75:fc:af:ab
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:86:98:a9:15:74:24:05:d9:e7:13:a1:02:2c:
         46:a5:16:aa:83:7c:f9:47:8d:f6:67:bf:4b:c5:e8:ad:38:ad:
         f9:02:21:00:da:bd:76:d4:b0:20:19:63:51:26:b2:11:3d:7a:
         39:0a:f0:50:46:9a:c8:1a:7f:90:c4:d8:b8:17:39:5b:4e:bd
-----BEGIN CERTIFICATE REQUEST-----
MIHjMIGJAgEAMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEVIDc57XrqKO7+C4Suc9zBtu7pURNRvfQbdHC4lxSAfmwHCMe
B/LZNOHkxfCy4qzwITSzLYZHFdOBZRTNdfyvq6ARMA8GCSqGSIb3DQEJDjECMAAw
CgYIKoZIzj0EAwIDSQAwRgIhAIaYqRV0JAXZ5xOhAixGpRaqg3z5R432Z79Lxeit
OK35AiEA2r121LAgGWNRJrIRPXo5CvBQRprIGn+QxNi4FzlbTr0=
-----END CERTIFICATE REQUEST-----
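
The "looked different" observation in the issue above can be pinned down by reading the attributes field straight out of the DER of both requests. This is an added example, not part of the original issue or of the ykman code base; the function names are illustrative, and the only inputs are the two CSRs exactly as posted.

```python
import base64
# Both requests exactly as posted in the issue above.
CSR_PIV_TOOL = """-----BEGIN CERTIFICATE REQUEST-----
MIHPMHgCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARUgNznteuoo7v4LhK5z3MG27ulRE1G99Bt0cLiXFIB+bAcIx4H
8tk04eTF8LLirPAhNLMthkcV04FlFM11/K+roAAwCgYIKoZIzj0EAwIDRwAwRAIg
HnB06ewFVER8+oUvzcYD5u4hpzzcg+CVUQlhj/k31i0CIGimm3IYLFQUgImprtdd
fpR5426cfwxUs3xZLzmvoZBA
-----END CERTIFICATE REQUEST-----"""
CSR_YKMAN = """-----BEGIN CERTIFICATE REQUEST-----
MIHjMIGJAgEAMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEVIDc57XrqKO7+C4Suc9zBtu7pURNRvfQbdHC4lxSAfmwHCMe
B/LZNOHkxfCy4qzwITSzLYZHFdOBZRTNdfyvq6ARMA8GCSqGSIb3DQEJDjECMAAw
CgYIKoZIzj0EAwIDSQAwRgIhAIaYqRV0JAXZ5xOhAixGpRaqg3z5R432Z79Lxeit
OK35AiEA2r121LAgGWNRJrIRPXo5CvBQRprIGn+QxNi4FzlbTr0=
-----END CERTIFICATE REQUEST-----"""

def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(data):
    """Dotted form of a DER OID (assumes a one-byte first octet, true here)."""
    arcs, n = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_csr(pem):
    """Return subject, SPKI and attribute list of a PKCS#10 request."""
    tag, outer, _ = read_tlv(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(outer)[0][1])  # CertificationRequestInfo
    # Layout: version, subject, subjectPKInfo, [0] attributes
    if len(fields) != 4 or fields[3][0] != 0xA0:
        raise ValueError("unexpected CertificationRequestInfo layout")
    attrs = []
    for _, attr in children(fields[3][1]):       # each Attribute SEQUENCE
        (_, oid), (_, values) = children(attr)   # type OID, values SET
        attrs.append((decode_oid(oid), values.hex()))
    return {"subject": fields[1][1], "spki": fields[2][1], "attributes": attrs}

if __name__ == "__main__":
    for name, pem in (("yubico-piv-tool", CSR_PIV_TOOL), ("ykman", CSR_YKMAN)):
        print(name, parse_csr(pem)["attributes"])
```

Both requests carry the same subject and public key; the ykman one adds a PKCS#9 extensionRequest attribute (OID 1.2.840.113549.1.9.14) whose extension list is an empty SEQUENCE, which is what the bare "Requested Extensions:" line in its openssl dump reflects.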

YubiKey stuck in "busy" when using gpg

From @TomAtYubico:

When using other features such as OpenPGP there is a message stating that the YubiKey is busy which is correct. In this example below, I quit gpg and removed the YubiKey. Upon re-insert the YubiKey Manager still reports that the YubiKey is busy.

To be sure that GPG is not running I opened the task manager, killed all GPG processes. Removed and re-inserted the YubiKey. The interface is still locked with the message YubiKey busy.

The only way to "unlock it" is to restart the YubiKey Manager.

(Windows)

Copying between slots

Is there a way to program an OTP credential in one slot and then copy it to the other slot?

I'd like to have the same credential in both slots so that both short press and long press work.

REPL mode

Currently using this on a low-resource system (Raspberry Pi), where each ykman invocation takes double-digit seconds to run, as it loads up all the relevant libraries and such. Would rock if I could launch a REPL and run the commands in sequence instead of paying the load price w/ each invocation.

Set U2F mode only, now can't see device

After reading instructions in #20 about how to set the yubikey modes to disable OTP, I set mine to only be in u2f mode. That command succeeded, but I soon realized my key was no longer visible for logging into macOS. I have tried to use ykman to restore ccid mode, but I always get the following error:

[] ~ $ ykman mode u+c
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

This occurs even if I wake the key first by touching it.

I am using the nano C version of Yubikey on a 2016 MacBook Pro running latest macOS.

Help!

ykman fails to connect to YubiKey when OATH code is being generated with the yubico-authenticator

Version information

macOS Sierra 10.12.6

$ ykman --version
YubiKey Manager (ykman) version: 0.4.5
Libraries:
    libykpers 1.18.0
    libu2f-host 1.1.4
    libusb 1.0.21

$ ykman info
Device name: YubiKey 4
Serial number: 4039699
Firmware version: 4.2.7
Enabled connection(s): OTP+U2F+CCID

Device capabilities:
    OTP:	Enabled
    U2F:	Enabled
    CCID:	Enabled
    OPGP:	Enabled
    PIV:	Enabled
    OATH:	Enabled

Steps to reproduce

  • In yubico-authenticator, right-click on one of the slots and select "Generate code".
  • Verify that yubico-authenticator prompts "Touch your YubiKey to generate the code.".
  • In a terminal, run ykman oath code (or ykman oath list).
  • Verify that ykman is waiting. (doesn't return instantly)
  • Touch your YubiKey in response to the original yubico-authenticator request.
  • Verify that yubico-authenticator successfully generates an OATH code.
  • Observe that ykman fails with the following:
$ ykman oath code
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

Interestingly, if you use ykman itself to generate the OATH codes, (by running ykman oath code <slot name>) both operations succeed.

Could not find device while inserted

Hi,

I'm using a YubiKey NEO, and after mistakenly clicking a USB something selection in gnubbyd (a Chrome plugin), the key is no longer recognized as HID; it keeps searching for a YubiKey driver, and is recognized as an unknown device named “Yubico WinUSB gnubby(gnubby1)”.

yubikey-manager does not recognize it either.
Is there a solution for this situation? How can I make it HID again?

`ykman list` breaks OATH driver for seconds after program exits

  • ykman version: 0.5.0
  • Operating system and version: Arch Linux, kernel 4.14.8
  • YubiKey model and version: NEO 3.4.9

Steps to reproduce

Run ykman list && ykman oath info - see end of post for output

Expected result

The program prints some information such as the OATH applet version of the YubiKey.

Actual results

The program crashes while trying to connect to the YubiKey.

Other info

  • The issue appears with:
    • One YubiKey NEO plugged in
    • Two YubiKey NEO plugged in
    • One YubiKey NEO and one YubiKey 4 plugged in - but not if I swap the ports they're plugged into...
  • The issue does not appear with one YubiKey 4 plugged in.
  • The issue does not appear from repeated ykman oath info commands.
  • The issue remains for 2-3 seconds after ykman list exits:
    • Fails: ykman list && sleep 1 && ykman --device 4549848 oath info
    • Fails: ykman list && sleep 2 && ykman --device 4549848 oath info
    • Succeeds: ykman list && sleep 3 && ykman --device 4549848 oath info
  • Use case: In a script, in a loop over the serial numbers returned by ykman list.

Program output

With one YubiKey NEO plugged in:

$ ykman --log-level DEBUG list && ykman --log-level DEBUG oath info
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.Descriptor.open_device:86] transports: 0x4, self.mode.transports: 0x7
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:141] Opening driver for serial: None, pid: PID.NEO_OTP_U2F_CCID
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 1 of 3
2017-12-27T22:06:55+0100 DEBUG [ykman.driver_ccid.open_devices:243] Failed to connect to reader Yubico Yubikey NEO OTP+U2F+CCID 00 00
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ykman/driver_ccid.py", line 236, in open_devices
    conn.connect()
  File "/usr/lib/python3.6/site-packages/smartcard/CardConnectionDecorator.py", line 54, in connect
    self.component.connect(protocol, mode, disposition)
  File "/usr/lib/python3.6/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 123, in connect
    SCardGetErrorMessage(hresult))
smartcard.Exceptions.NoCardException: ('Unable to connect to card or no card in reader', 'Unable to connect: No smart card inserted.')
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.100000 s
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 2 of 3
2017-12-27T22:06:55+0100 DEBUG [ykman.driver_ccid.open_devices:243] Failed to connect to reader Yubico Yubikey NEO OTP+U2F+CCID 00 00
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ykman/driver_ccid.py", line 236, in open_devices
    conn.connect()
  File "/usr/lib/python3.6/site-packages/smartcard/CardConnectionDecorator.py", line 54, in connect
    self.component.connect(protocol, mode, disposition)
  File "/usr/lib/python3.6/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 123, in connect
    SCardGetErrorMessage(hresult))
smartcard.Exceptions.NoCardException: ('Unable to connect to card or no card in reader', 'Unable to connect: No smart card inserted.')
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.200000 s
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 3 of 3
2017-12-27T22:06:55+0100 DEBUG [ykman.driver_ccid.open_devices:243] Failed to connect to reader Yubico Yubikey NEO OTP+U2F+CCID 00 00
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ykman/driver_ccid.py", line 236, in open_devices
    conn.connect()
  File "/usr/lib/python3.6/site-packages/smartcard/CardConnectionDecorator.py", line 54, in connect
    self.component.connect(protocol, mode, disposition)
  File "/usr/lib/python3.6/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 123, in connect
    SCardGetErrorMessage(hresult))
smartcard.Exceptions.NoCardException: ('Unable to connect to card or no card in reader', 'Unable to connect: No smart card inserted.')
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.300000 s
2017-12-27T22:06:55+0100 DEBUG [ykman.descriptor.open_driver:163] No driver found for serial: None, pid: PID.NEO_OTP_U2F_CCID
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

ykman oath returns 'Failed connecting to the YubiKey'

Killing gpg's scdaemon seems to restore functionality:

$ ykman oath list
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.
$ killall scdaemon
$ ykman oath list
test

I'm not sure exactly what triggers the failure, but often after signing something using gpg and an OpenPGP key stored in the yubikey, ykman begins to fail again.

This is on an Ubuntu Xenial system (gpg2 2.1.11) with a YubiKey 4 (FW 4.3.7).

When things are working, running 'oath list' causes scdaemon to exit with SIGKILL:

read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
select(7, NULL, [6], NULL, NULL)        = 1 (out [6])
sendto(6, "\0\0\0\0\22\0\0\0", 8, MSG_NOSIGNAL, NULL, 0) = 8
select(7, [6], NULL, NULL, NULL)        = 1 (in [6])
read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8} <unfinished ...>
+++ killed by SIGKILL +++

When things are not working, strace says scdaemon is looping doing this:

pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000})   = 1 (out [6], left {0, 999})
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000})   = 1 (out [6], left {0, 999})

Even when things are working it is kind of useless, because requesting a TOTP value causes scdaemon to exit and then requires PIN re-entry on the gpg2 side.

Can't ykman access the yubikey without disrupting scdaemon?

Not able to set initial PIN with PIV?

I plugged in a new Yubikey 4C and attempted to use it for PIV. I didn’t see an option for creating a new pin, so I tried using change-pin, and pressing return without entering any numbers for the current pin, then using an 8-digit number for the new pin. Here’s the interaction:

$ ykman piv change-pin
Enter your current PIN: 
Enter your new PIN: 
Repeat for confirmation: 
Usage: ykman piv change-pin [OPTIONS]

Error: Changing the PIN failed.
$ 

test/util.py is not shipped

Trying to run py.test on release tarball gives me:

==================================== ERRORS ====================================
____________ ERROR collecting test/test_cli_commands_on_yubikey.py _____________
test/test_cli_commands_on_yubikey.py:6: in <module>
    from ykman.util import (
E   ImportError: cannot import name 'is_cve201715361_vulnerable_firmware_version'
_________________ ERROR collecting test/test_external_libs.py __________________
test/test_external_libs.py:3: in <module>
    from test.util import ykman_cli
E   ImportError: No module named 'test.util'

Prompt decrypt certificate import when cert not encrypted

Try to import a certificate which is not encrypted and I can read out using openssl.

openssl x509 -in mycert.pem -text -noout

What happens next is I get prompted for a password to decrypt the certificate. When I give it no password it fails and asks for a correct password. Since I don't have a valid password it calls out the error and asks for the password.

I don't think the code below will ever pass you to parse_certificate if your cert is not encrypted and doesn't require a password?

while True:
    if password is not None:
        password = password.encode()
    try:
        cert = parse_certificate(data, password)
    except (ValueError, TypeError):
        if password is None:
            password = click.prompt(
                'Enter password to decrypt certificate',
                default='', hide_input=True,
                show_default=False)
            continue
        else:
            password = None
            click.echo('Wrong password.')
        continue
    break
