Yubico / yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager-qt/
BSD 2-Clause "Simplified" License

FIDO2 reset "not allowed" #300

Closed by brianjcohen 3 years ago

brianjcohen commented 3 years ago

I am finding I am unable to reset the FIDO2 application on my YubiKey 5 NFC (firmware 5.4.3).

Steps to reproduce:

  1. On Manjaro Linux.
  2. Run yubikey-manager-qt
  3. Click Applications > FIDO2
  4. Click "Reset FIDO"
  5. Follow steps to confirm, remove / reinsert key, touch key

Expected:

FIDO application should be reset.

Actual:

Error "not allowed" appears in the application window. FIDO application is not reset.

I can see in the source the error is coming from here: https://github.com/Yubico/yubikey-manager-qt/blob/e5468fe1b5863028b7a8387ebcad92b868e38b70/ykman-gui/py/yubikey.py#L453

According to the FIDO CTAP documentation, this NOT_ALLOWED error would be thrown if the request comes "after 10 seconds of powering up" (unsure what that means):

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorReset

Any help would be greatly appreciated.

brianjcohen commented 3 years ago

Okay, I found the solution to my own problem. By running ykman-gui --log-level DEBUG, I could see Python stack traces related to the application being unable to connect to pcscd.

I started the service:

sudo systemctl start pcscd

And now I was able to reset FIDO.

fdennis commented 3 years ago

Yes, pcscd needs to be running. Glad you solved it!