Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

Yubikey 4 stuck in CCID mode #600

Closed mi6e4ka closed 8 months ago

mi6e4ka commented 8 months ago

Steps to reproduce

Set YubiKey mode to CCID using ykman.

Expected result

PIV, OpenPGP, etc. work.

Actual results and logs

It is impossible to use the key and change the operating mode; the buttons in YubiKey Manager are gray.

mi6e4ka@Air-Mihail ~ % ykman info         
Device type: YubiKey 4
Serial number: 699 (redacted)
Firmware version: 4.3.7
Enabled USB interfaces: CCID

Applications
Yubico OTP      Disabled
FIDO U2F        Not available
FIDO2           Not available
OATH            Not available
PIV             Not available
OpenPGP         Not available
YubiHSM Auth    Not available
mi6e4ka@Air-Mihail ~ % ykman config mode FIDO
ERROR: Invalid mode!
mi6e4ka@Air-Mihail ~ % ykman config mode 0   
ERROR: Invalid mode!
mi6e4ka@Air-Mihail ~ % ykman --diagnose
ykman:            5.3.0
Python:           3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)]
Platform:         darwin
Arch:             x86_64
System date:      2024-02-27
Running as admin: False
Detected PC/SC readers:
  Yubico Yubikey 4 CCID: Success

Detected YubiKeys over PC/SC:
  ScardYubiKeyDevice(pid=0404, fingerprint='Yubico Yubikey 4 CCID'):
    Management:  
      Raw Info: 0c0101050204006ab455030104
      DeviceInfo:
        config:     
          enabled_capabilities:      
            USB: : 0x4

          auto_eject_timeout:         0
          challenge_response_timeout: 0
          device_flags:               0

        serial:      6992981
        version:     4.3.7
        form_factor: Unknown
        supported_capabilities:
          USB: OTP: 0x5

        is_locked:   False
        is_fips:     False
        is_sky:      False

      Name: YubiKey 4

    PIV:          PIV not accessible ApplicationNotAvailableError()
    OATH:         OATH not accessible ApplicationNotAvailableError()
    OpenPGP:      OpenPGP not accessible ApplicationNotAvailableError()
    YubiHSM Auth: YubiHSM Auth not accessible ApplicationNotAvailableError()

Detected YubiKeys over HID OTP:

Detected YubiKeys over HID FIDO:

End of diagnostics

Other info

Also does not work on Windows.

dainnilsson commented 8 months ago

Can you try running ykman -l debug config mode otp+ccid+fido --force and provide the output?

mi6e4ka commented 8 months ago

> Can you try running ykman -l debug config mode otp+ccid+fido --force and provide the output?

Here is the output:

INFO 17:59:18.465 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 17:59:18.466 [ykman.logging.set_log_level:64] 
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 17:59:18.466 [ykman._cli.__main__.cli:276] System info:
  ykman:            5.3.0
  Python:           3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)]
  Platform:         darwin
  Arch:             x86_64
  System date:      2024-02-27
  Running as admin: False

DEBUG 17:59:18.508 [ykman.device.add:165] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0404, fingerprint='Yubico Yubikey 4 CCID')
DEBUG 17:59:18.514 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 17:59:18.517 [yubikit.management.__init__:452] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
DEBUG 17:59:18.519 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=6992981, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|4: 5>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 17:59:18.521 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 4>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=6992981, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|4: 5>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 17:59:18.535 [ykman.device.add:176] Resolved device 6992981
DEBUG 17:59:18.548 [yubikit.management.__init__:452] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
ERROR 17:59:18.563 [ykman._cli.__main__.main:437] Invalid mode!
Traceback (most recent call last):
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/yubikit/management.py", line 289, in __init__
    self.code = _MODES.index(interfaces)
                ^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: <USB_INTERFACE: 0> is not in list

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/ykman/_cli/__main__.py", line 421, in main
    cli(obj={})
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opt/python-click/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/ykman/_cli/config.py", line 608, in mode
    my_mode = Mode(usb_enabled.usb_interfaces)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/ykman/5.3.0/libexec/lib/python3.12/site-packages/yubikit/management.py", line 292, in __init__
    raise ValueError("Invalid mode!")
ValueError: Invalid mode!

dainnilsson commented 8 months ago

Where does this YubiKey come from? Based on the diagnostics output, it doesn't look like a standard (sold to end-users) device, but it could be a custom configuration, which is something that can be done for large batches of devices for specific deployments.

Did any of the applications you expect to work (PIV, OpenPGP, etc) work previously on this key?

You should still be able to get it "un-stuck", but there is a problem in ykman where it is now failing to read the current mode. We'll fix this for the next version, but in the meantime the following command should put it back into OTP mode:

ykman apdu -a management 161100:00000000
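
The mismatch visible in the diagnostics can be reproduced offline. The following is an added example, not part of the thread and not ykman's own code: it decodes the Raw Info bytes from the issue and shows that the enabled capability 0x4 maps to no known USB interface, which is the empty value the mode lookup rejected. The tag numbers, flag values and mode table are assumptions modelled on yubikit.management.

```python
# Added example, not ykman's code. RAW_INFO is copied from the issue; tag numbers,
# flag values and the mode table are assumptions modelled on yubikit.management.
RAW_INFO = "0c0101050204006ab455030104"

TAG_USB_SUPPORTED, TAG_SERIAL, TAG_USB_ENABLED = 0x01, 0x02, 0x03
OTP, FIDO, CCID = 0x01, 0x02, 0x04  # USB interface flags
# Capability bits -> USB interface that carries them.
CAP_TO_IFACE = {0x01: OTP, 0x02: FIDO, 0x200: FIDO,
                0x08: CCID, 0x10: CCID, 0x20: CCID, 0x100: CCID}
# Index in this list is the one-byte legacy mode code.
MODES = [OTP, CCID, OTP | CCID, FIDO, OTP | FIDO, FIDO | CCID, OTP | FIDO | CCID]


def parse_info(hex_str):
    """Return {tag: int value} from a length-prefixed list of TLVs."""
    data = bytes.fromhex(hex_str)
    if not data or data[0] != len(data) - 1:
        raise ValueError("length prefix does not match payload")
    fields, pos = {}, 1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        fields[tag] = int.from_bytes(value, "big")
        pos += 2 + length
    return fields


def interfaces(capabilities):
    """OR together the interfaces of every *known* capability bit."""
    result = 0
    for bit, iface in CAP_TO_IFACE.items():
        if capabilities & bit:
            result |= iface
    return result


def mode_code(capabilities):
    """Legacy mode code, or None when no known interface is enabled."""
    iface = interfaces(capabilities)
    return MODES.index(iface) if iface in MODES else None


if __name__ == "__main__":
    info = parse_info(RAW_INFO)
    print(info[TAG_SERIAL], info[TAG_USB_SUPPORTED], mode_code(info[TAG_USB_ENABLED]))
```

Returning None instead of raising lets a caller still offer a mode change when the current mode cannot be expressed, which is the situation the reporter's key was in.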

mi6e4ka commented 8 months ago

> Where does this YubiKey come from? Based on the diagnostics output, it doesn't look like a standard (sold to end-users) device, but it could be a custom configuration, which is something that can be done for large batches of devices for specific deployments.
>
> Did any of the applications you expect to work (PIV, OpenPGP, etc) work previously on this key?
>
> You should still be able to get it "un-stuck", but there is a problem in ykman where it is now failing to read the current mode. We'll fix this for the next version, but in the meantime the following command should put it back into OTP mode:
>
> ykman apdu -a management 161100:00000000

Yes, it used to work with AUTO mode and this happened only after I turned on the CCID interface. If you can configure the configuration, is it possible to return it to its normal state, or does this YubiKey remain in OTP-only mode forever?

P.S. Thanks for the command, I'll try to return to OTP mode later.

dainnilsson commented 8 months ago

I'm not sure what you mean by "AUTO mode", but I have done some more investigation and can conclude that this is indeed a non-standard YubiKey which only supports the (Yubico) OTP application.

mi6e4ka commented 8 months ago

> I'm not sure what you mean by "AUTO mode"

Sorry, autocorrect, I mean "OTP mode".