Comments (4)
Thanks for the report!
Most of this is by design, but I can understand that it can appear confusing.
The way YubiKey Manager and YubiKey PIV Manager implement "Use PIN as Management Key" is slightly different.
PIV Manager derives the management key from the PIN (this is described here). In this scheme the PUK is blocked, because if it was allowed to reset the PIN, the management key would be lost.
YubiKey Manager, and ykman, on the other hand instead generate a random management key and store it on the device in a slot protected by the PIN. This offers some security benefits, as well as allowing us to keep the PUK functionality enabled. Unlocking the PIN with the PUK does not affect the management key; it's still stored on the device protected by the PIN.
YubiKey Manager is backwards compatible with devices initialized with the older YubiKey PIV Manager tool, and can recognize that the PUK is blocked in those cases. However, it is not possible to know if the PUK is blocked in the general case (the only way to know is to try to use it), which is why it's not normally shown in the GUI.
It is strongly recommended to always change the default PUK, regardless of whether you are using "Use PIN as Management Key" or not. Maybe this could be emphasized more in the GUI and documentation.
from yubikey-manager-qt.
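The difference between the two schemes, as an added example that is not code from yubikey-manager-qt or from this thread: a small Python model of a card under the PIN-derived scheme (PIV Manager) and under the stored, PIN-protected scheme (ykman), showing why a PUK-driven PIN reset orphans the management key only in the first. The PBKDF2 parameters, the default PUK and the PIN values are my assumptions and constructed sample values, not details stated on this page.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PUK = "12345678"  # factory-default PUK, used here as a constructed sample value


@dataclass
class PivDevice:
    """Toy card model: PIN, PUK, the management key the card checks, and an optional PIN-protected copy."""
    pin: str
    puk: str
    management_key: bytes
    pin_protected_object: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    def read_protected(self, pin: str) -> Optional[bytes]:
        return self.pin_protected_object if pin == self.pin else None
    def authenticate(self, key: bytes) -> bool:
        return key == self.management_key
    def reset_pin_with_puk(self, puk: str, new_pin: str) -> bool:
        if puk != self.puk:
            return False
        self.pin = new_pin
        return True


def derive_management_key(pin: str, salt: bytes) -> bytes:
    # Assumed legacy derivation (PBKDF2-HMAC-SHA1, 10000 rounds, 24-byte 3DES key);
    # the thread only says the key is derived from the PIN, not how.
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, 10000, 24)


def init_device(scheme: str, pin: str, puk: str = DEFAULT_PUK) -> PivDevice:
    if scheme == "derived":  # PIV Manager style: nothing stored, key recomputed from the PIN
        dev = PivDevice(pin, puk, b"")
        dev.management_key = derive_management_key(pin, dev.salt)
        return dev
    key = os.urandom(24)     # ykman style: random key kept on the card behind the PIN
    return PivDevice(pin, puk, key, pin_protected_object=key)


def authenticate_with_pin(dev: PivDevice, pin: str, scheme: str) -> bool:
    """What the host tool can do when the user supplies only the PIN."""
    key = derive_management_key(pin, dev.salt) if scheme == "derived" else dev.read_protected(pin)
    return key is not None and dev.authenticate(key)


def survives_puk_reset(scheme: str, old_pin: str = "123456", new_pin: str = "654321") -> bool:
    """Can the management key still be used after the PUK has reset the PIN?"""
    dev = init_device(scheme, old_pin)
    assert authenticate_with_pin(dev, old_pin, scheme)  # both schemes work before the reset
    dev.reset_pin_with_puk(DEFAULT_PUK, new_pin)
    return authenticate_with_pin(dev, new_pin, scheme)
```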
Thank you for the quick reply and the detailed explanation.
Unfortunately, the new approach does not fit into our previous processes, as we deliberately did not want to set a PUK. If the PIN was entered wrong three times, the Yubikey had to be reinitialized. Therefore, we must now set a random PUK so that it is not possible to try the PIN any number of times with the default PUK. Maybe there is a way to implement the feature of a not usable PUK in any way.
One more question. You say that you can't check if the PUK is blocked or not. If you enter the PUK incorrectly three times, the GUI will not indicate that the PUK is blocked. If you then enter the PIN incorrectly three times, it will immediately indicate that both the PIN and the PUK are blocked. Therefore there should be a mechanism to check the status of the PUK. Otherwise the GUI might not show this, right?
It is still possible to block the PUK, just enter the wrong one 3 times. The GUI will tell you after the last attempt that the PUK is now blocked. However, there is no way to tell that the PUK is blocked without trying to use it, which means that we can't show that information directly when entering the PIV view in the GUI, since it would require us to try to use the PUK in the background.
Closing this. Feel free to contact Yubico Support, since they might have more bandwidth to walk you through some of this if needed.