Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

`ykman list -s` fails to display keys' serial numbers #594

Open lacombar opened 7 months ago

lacombar commented 7 months ago

Steps to reproduce

Run: ykman list -s

Expected result

Serial from the yubikey being displayed. There is no other documented way to list the serial numbers.

Other info

The devices are listed via https://github.com/Yubico/python-fido2. The HIDIOCGRAWUNIQ ioctl does not return anything.

Here is the diagnostics from the two keys on the system:


Detected YubiKeys over HID FIDO:
  CtapYubiKeyDevice(pid=0120, fingerprint='/dev/hidraw5'):
    CTAP device version:      5.0.2
    CTAPHID protocol version: 2
    Capabilities:             5
    Management:              
      Raw Info: <hidden>
      DeviceInfo:
        config:     
          enabled_capabilities:      
            USB: U2F|FIDO2: 0x202

          auto_eject_timeout:         0
          challenge_response_timeout: 15
          device_flags:               0

        serial:      None
        version:     5.0.2
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202

        is_locked:   False
        is_fips:     False
        is_sky:      True

      Name: Security Key by Yubico

    Ctap2Info:
      versions:                        
        U2F_V2
        FIDO_2_0

      extensions:                      
        hmac-secret

      aaguid:                           <hidden>
      options:                         
        rk:        True
        up:        True
        plat:      False
        clientPin: False

      max_msg_size:                     1200
      pin_uv_protocols:                
        1

      max_creds_in_list:                None
      max_cred_id_length:               None
      transports:                      

      algorithms:                       None
      max_large_blob:                   None
      force_pin_change:                 False
      min_pin_length:                   4
      firmware_version:                 None
      max_cred_blob_length:             None
      max_rpids_for_min_pin:            0
      preferred_platform_uv_attempts:   None
      uv_modality:                      None
      certifications:                   None
      remaining_disc_creds:             None
      vendor_prototype_config_commands: None

    PIN: Not configured

  CtapYubiKeyDevice(pid=0402, fingerprint='/dev/hidraw1'):
    CTAP device version:      5.4.3
    CTAPHID protocol version: 2
    Capabilities:             5
    Management:
      Raw Info: <hidden>
      DeviceInfo:
        config:
          enabled_capabilities:
            USB: U2F|FIDO2: 0x202
            NFC: U2F|FIDO2: 0x206

          auto_eject_timeout:         0
          challenge_response_timeout: 15
          device_flags:               0

        serial:      None
        version:     5.4.3
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202
          NFC: U2F|FIDO2: 0x206

        is_locked:   False
        is_fips:     False
        is_sky:      True

      Name: Security Key NFC

    Ctap2Info:
      versions:                        
        U2F_V2
        FIDO_2_0
        FIDO_2_1_PRE

      extensions:                      
        credProtect
        hmac-secret

      aaguid:                           <hidden>
      options:                         
        rk:                    True
        up:                    True
        plat:                  False
        clientPin:             False
        credentialMgmtPreview: True

      max_msg_size:                     1200
      pin_uv_protocols:                
        2
        1

      max_creds_in_list:                8
      max_cred_id_length:               128
      transports:                      
        nfc
        usb

      algorithms:                      
        alg:  -7
        type: public-key
        alg:  -8
        type: public-key

      max_large_blob:                   None
      force_pin_change:                 False
      min_pin_length:                   4
      firmware_version:                 328707
      max_cred_blob_length:             None
      max_rpids_for_min_pin:            0
      preferred_platform_uv_attempts:   None
      uv_modality:                      None
      certifications:                   None
      remaining_disc_creds:             None
      vendor_prototype_config_commands: None

    PIN: Not configured

emlun commented 7 months ago

You can see in the output: serial: None. This is because the Security Key series does not have serial numbers.

lacombar commented 7 months ago

How can ykman be used with multiple keys with no serial numbers?

ERROR: Multiple YubiKeys detected. Use --device SERIAL to specify which one to use.

lacombar commented 7 months ago

Also, currently ykman list -s does not output anything if the key has no serial number, at least, it should emit a message about a given key having no serial number.

~/% ykman list -s
~/%

dainnilsson commented 7 months ago

ykman list will list all keys, including those without serial number. ykman list -s does what the --help output states: "output only serial numbers, one per line (devices without serial will be omitted)".

ykman commands that act on a single device use the serial number of the YubiKey to determine which device to target, and cannot be used on devices without a serial number if more than one is present. If you need to perform some action on multiple keys (batch programming, etc.) then scripting can be used to iterate over connected devices.
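The scripted iteration dainnilsson describes, as an added example that is not part of ykman or of this thread. The `inventory()` function assumes ykman 5.x is installed and that `ykman.device.list_all_devices()` yields `(YkmanDevice, DeviceInfo)` pairs with a `fingerprint` attribute on the device and `serial`, `version` and `form_factor` on the info; everything else is plain Python over a constructed record set (two serial-less keys modelled on the diagnostics above plus one hypothetical key with a made-up serial), so it runs without a YubiKey attached. `select_target()` reproduces the single-device rule stated above: one connected key is used as-is, otherwise a serial is required, which is why a Security Key can only be targeted when it is the sole device present.

```python
"""Inventory every connected YubiKey, including ones without a serial number.

Added example; not ykman's own code. inventory() assumes ykman >= 5 is
installed (ykman.device.list_all_devices); the rest is plain Python over
constructed records and runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class KeyRecord:
    fingerprint: str        # transport path such as /dev/hidraw5; not stable across replugs
    serial: Optional[int]   # None on the Security Key series (see emlun's reply above)
    version: str
    form_factor: str


def summarize(records: Sequence[KeyRecord]) -> Tuple[List[KeyRecord], List[KeyRecord]]:
    """Split connected keys into those addressable by serial and those that are not.

    The second list is exactly the set of devices `ykman list -s` omits.
    """
    with_serial = [r for r in records if r.serial is not None]
    without_serial = [r for r in records if r.serial is None]
    return with_serial, without_serial


def select_target(records: Sequence[KeyRecord], serial: Optional[int] = None) -> KeyRecord:
    """Apply ykman's single-device rule to a list of connected keys.

    One connected key is used as-is. With several, a serial is required and
    must match exactly one key, so a serial-less key can only be targeted when
    it is the sole device attached.
    """
    if serial is not None:
        matches = [r for r in records if r.serial == serial]
        if len(matches) != 1:
            raise LookupError(f"no unique YubiKey with serial {serial}")
        return matches[0]
    if len(records) == 1:
        return records[0]
    if not records:
        raise LookupError("No YubiKey detected")
    raise LookupError("Multiple YubiKeys detected. Use --device SERIAL to specify which one to use.")


def describe(record: KeyRecord) -> str:
    """One line per key; says 'no serial' instead of printing nothing."""
    serial = "no serial" if record.serial is None else f"serial {record.serial}"
    return f"{record.form_factor} v{record.version}, {serial}, at {record.fingerprint}"


def inventory() -> List[KeyRecord]:
    """Enumerate attached YubiKeys over all transports via ykman's library API.

    Assumption: ykman's list_all_devices() yields (YkmanDevice, DeviceInfo)
    pairs. This per-device loop is where a batch action would be placed.
    """
    from ykman.device import list_all_devices  # assumed installed; see docstring

    records = []
    for dev, info in list_all_devices():
        records.append(KeyRecord(
            fingerprint=str(dev.fingerprint),
            serial=info.serial,              # None for the Security Key series
            version=str(info.version),
            form_factor=str(info.form_factor),
        ))
    return records


# Constructed sample: the two serial-less keys from the diagnostics above plus
# one hypothetical standard YubiKey with a made-up serial number.
SAMPLE = [
    KeyRecord("/dev/hidraw5", None, "5.0.2", "Keychain (USB-A)"),
    KeyRecord("/dev/hidraw1", None, "5.4.3", "Keychain (USB-A)"),
    KeyRecord("/dev/hidraw7", 12345678, "5.4.3", "Keychain (USB-C)"),
]


if __name__ == "__main__":
    try:
        keys = inventory()
    except ImportError:
        keys = SAMPLE  # ykman not installed: show the constructed sample instead
    for rec in keys:
        print(describe(rec))
```

Run it with ykman installed to list real devices; without it the constructed sample is printed. The `fingerprint` it records is the FIDO HID path the diagnostics show, so, as dainnilsson notes below, it identifies only one of the three device nodes a YubiKey presents and changes when the key is replugged.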

lacombar commented 7 months ago

1) Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.

2) Can a serial number be programmed into a key? [I'd assume not]

3) If not, how can I reasonably expect prior to purchasing whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.

4) Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification with the key without having to resort to invoking the Python gods?

dainnilsson commented 7 months ago
  1) Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.

It looks like you're trying to use the command for something it was not intended to do, so I fully understand that you find the UX poor for that task.

  2) Can a serial number be programmed into a key? [I'd assume not]

No, devices which do not have serial numbers cannot have them programmed later.

  3) If not, how can I reasonably expect prior to purchasing whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.

The Security Key series, with the exception of the "Security Key Enterprise Edition", does not have serial numbers. All standard YubiKey models have serial numbers.

  4) Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification with the key without having to resort to invoking the Python gods?

It's something we may consider for future releases, if there is sufficient demand. However, it would also need equivalent device paths for the OTP and CCID transports in addition to FIDO, as these typically show up as 3 different devices.