Closed jtyr closed 8 years ago
This is intended behavior. As long as the default management key is being used, the yubikey-piv-manager will consider the device "uninitialized", and prompt for initialization, which includes setting a PIN.
I stumbled into a similar issue; however, I want to use the "PIN as PIV management key" feature. I cannot seem to figure out how I need to initialize the PIV module with yubico-piv-tool in order to be able to start yubikey-piv-manager without wanting to reinitialize.
Thus far I execute the following.
yubico-piv-tool -a verify -P 00000000
yubico-piv-tool -a verify -P 00000000
yubico-piv-tool -a verify -P 00000000
yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
yubico-piv-tool -a reset
yubico-piv-tool -a change-pin -P 123456 -N $NEWPIN
What is the command that I need to issue using yubico-piv-tool to initialize the Management Key as stated in the docs?
When choosing to use a Management Key derived from the PIN, the following takes place:
1. A random 8-byte SALT value is generated and stored on the YubiKey.
2. The derived Management Key is calculated as PBKDF2(PIN, SALT, 24, 10000).
The PBKDF2 function (described in RFC 2898) is run using the PIN (encoded using UTF-8) as the password, for 10000 rounds, to produce a 24 byte key, which is used as the management key. Whenever the user changes the PIN this process is repeated, using a new SALT and the new PIN.
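The derivation quoted from the docs above, written out as an added example (not code from yubikey-piv-manager or from any commenter in this thread). It assumes HMAC-SHA1 as the PBKDF2 PRF, which is the RFC 2898 default; the function names and the sample PIN and salt are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import secrets

SALT_LEN = 8      # "random 8-byte SALT"
KEY_LEN = 24      # "to produce a 24 byte key"
ROUNDS = 10000    # "for 10000 rounds"


def derive_management_key(pin: str, salt: bytes) -> bytes:
    """Compute PBKDF2(PIN, SALT, 24, 10000) with the PIN encoded as UTF-8."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    pin_bytes = pin.encode("utf-8")
    if not 6 <= len(pin_bytes) <= 8:
        raise ValueError("a PIV PIN is 6 to 8 bytes long")
    # Assumption: HMAC-SHA1 is the PRF (the default in RFC 2898).
    return hashlib.pbkdf2_hmac("sha1", pin_bytes, salt, ROUNDS, KEY_LEN)


def new_salt_and_key(pin: str) -> tuple[bytes, bytes]:
    """Run at setup and again on every PIN change: fresh salt, new key."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt, derive_management_key(pin, salt)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    sample_salt = bytes.fromhex("0011223344556677")
    key = derive_management_key("654321", sample_salt)
    print("key for stored salt :", key.hex())

    # Same PIN with a new salt yields an unrelated key, so a PIN change
    # must also write the new salt and the new management key to the device.
    salt2, key2 = new_salt_and_key("654321")
    print("key after re-salting:", key2.hex(), "differs:", key != key2)
```

The management key is a deterministic function of the PIN and the stored salt, so the PIN's strength bounds the strength of the derived key.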
@skuep You need to not only change the PIN from the default, but also change the management key from the default. You can do that with YubiKey Manager like so:
$ ykman piv change-pin
$ ykman piv change-management-key -p
I have initialized the PIV module via yubico-piv-tool:
When I start yubikey-piv-manager, it's asking me to enter a new PIN even though the PIN was already successfully initialized.