Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

Requires new PIN when initialized with yubico-piv-tool #4

Closed jtyr closed 8 years ago

jtyr commented 8 years ago

I have initialized the PIV module via yubico-piv-tool:

# Lock the PIN/PUK:
$ for N in $(seq 3); do yubico-piv-tool -a verify-pin -P xxx; yubico-piv-tool -a change-puk -P xxx -N xxx; done
Pin verification failed, 2 tries left before pin is blocked.
Failed verifying puk code, now 2 tries left before blocked.
Pin verification failed, 1 tries left before pin is blocked.
Failed verifying puk code, now 1 tries left before blocked.
Pin code blocked, use unblock-pin action to unblock.
The puk code is blocked, you will have to reinitialize the applet.
# Reset the PIV application:
$ yubico-piv-tool -a reset
Successfully reset the applet.
# Set PIN and PUK:
$ yubico-piv-tool -a change-pin -P 123456 -N $PIN
Successfully changed the pin code.
$ yubico-piv-tool -a change-puk -P 12345678 -N $PUK
Successfully changed the puk code.
# Verify the PIN:
$ yubico-piv-tool -a verify-pin -P $PIN
Successfully verified PIN.

When I start yubikey-piv-manager, it's asking me to enter new PIN even though the PIN was already successfully initialized.

dainnilsson commented 8 years ago

This is intended behavior. As long as the default management key is being used, the yubikey-piv-manager will consider the device "uninitialized", and prompt for initialization, which includes setting a PIN.

skuep commented 6 years ago

I stumbled into a similar issue; however, I want to use the "PIN as PIV management key" feature. I cannot seem to figure out how I need to initialize the PIV module with yubico-piv-tool in order to be able to start yubikey-piv-manager without it wanting to reinitialize. Thus far I execute the following.

 # Block the PIN with three failed verifications (wrong PIN on purpose):
 yubico-piv-tool -a verify -P 00000000
 yubico-piv-tool -a verify -P 00000000
 yubico-piv-tool -a verify -P 00000000
 # Block the PUK with three failed unblock attempts (wrong PUK on purpose):
 yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
 yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
 yubico-piv-tool -a unblock-pin -P 00000000 -N 00000000
 # With PIN and PUK blocked, reset the PIV applet to factory defaults:
 yubico-piv-tool -a reset
 # Replace the default PIN (123456) with a new one:
 yubico-piv-tool -a change-pin -P 123456 -N $NEWPIN

What is the command that I need to issue using yubico-piv-tool to initialize the Management Key as stated in the docs?

When choosing to use a Management Key derived from the PIN, the following takes place:

1. A random 8-byte SALT value is generated and stored on the YubiKey.

2. The derived Management Key is calculated as PBKDF2(PIN, SALT, 24, 10000).

The PBKDF2 function (described in RFC 2898) is run using the PIN (encoded using UTF-8) as the password, for 10000 rounds, to produce a 24 byte key, which is used as the management key. Whenever the user changes the PIN this process is repeated, using a new SALT and the new PIN.
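The derivation quoted above, worked through as an added example; this is not code from the thread or from Yubico's tools. It implements PBKDF2(PIN, SALT, 24, 10000) with the PIN UTF-8 encoded, shows that a PIN change with a fresh salt yields a different key, and checks that the result is not the well-known PIV default management key (0x01..0x08 repeated three times, a standard PIV value not quoted on this page). The quoted text does not name the PBKDF2 pseudo-random function; SHA-1 is assumed here, and the salt and PINs are constructed sample values.

```python
import hashlib
import os

PBKDF2_ITERATIONS = 10000  # rounds, as stated in the quoted docs
MGMT_KEY_LEN = 24          # 24-byte (3DES) management key, as stated
SALT_LEN = 8               # 8-byte salt stored on the YubiKey, as stated
PRF = "sha1"               # ASSUMPTION: the page does not name the PRF

# Standard PIV default management key (known public value, not from the page).
DEFAULT_MGMT_KEY = bytes(range(1, 9)) * 3


def derive_management_key(pin: str, salt: bytes, prf: str = PRF) -> bytes:
    """PBKDF2(PIN, SALT, 24, 10000) with the PIN encoded as UTF-8."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes, got {len(salt)}")
    return hashlib.pbkdf2_hmac(
        prf, pin.encode("utf-8"), salt, PBKDF2_ITERATIONS, MGMT_KEY_LEN
    )


def is_default_management_key(key: bytes) -> bool:
    """yubikey-piv-manager treats a device still using this key as uninitialized."""
    return key == DEFAULT_MGMT_KEY


def change_pin(new_pin: str) -> tuple[bytes, bytes]:
    """Model of a PIN change: a new random salt is generated and the
    management key is re-derived from the new PIN and that salt.
    Returns (salt, derived_key)."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_management_key(new_pin, salt)


def unlock_with_pin(pin: str, stored_salt: bytes, stored_key: bytes) -> bool:
    """Model of management-key authentication: only the correct PIN
    re-derives the key that was derived at the last PIN change."""
    return derive_management_key(pin, stored_salt) == stored_key


# Constructed sample values (not real device data).
SAMPLE_SALT = bytes.fromhex("0001020304050607")
SAMPLE_PIN = "123456"

if __name__ == "__main__":
    key = derive_management_key(SAMPLE_PIN, SAMPLE_SALT)
    print("derived key:", key.hex(), "len:", len(key))
    print("is default key:", is_default_management_key(key))
    salt, rotated = change_pin("654321")
    print("after PIN change, new salt:", salt.hex())
    print("old PIN still unlocks:", unlock_with_pin(SAMPLE_PIN, salt, rotated))
    print("new PIN unlocks:", unlock_with_pin("654321", salt, rotated))
```

The point for this thread: the management key is a pure function of PIN and salt, so changing only the PIN with yubico-piv-tool does nothing to the management key on the device; the stored salt and derived key have to be written by the tool that implements this feature, which is why the manager still sees the default key and prompts to initialize.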

emlun commented 6 years ago

@skuep You need to not only change the PIN from the default, but also change the management key from the default. You can do that with YubiKey Manager like so:

$ ykman piv change-pin
$ ykman piv change-management-key -p