Closed sylvainpelissier closed 10 months ago
It is fixed, but ykman sets the SHORT_TICKET flag, which implies only half of the password is sent. Is this happening with a YubiKey too? To me it is quite strange.
For the static password mode, the full programmed password is returned. I think this option is used only for Yubico OTP: https://developers.yubico.com/yubikey-personalization/Manuals/ykpersonalize.1.html
From the ykpersonalize webpage:
short-ticket | Limit the length of the static string to max 16 digits. This flag only makes sense with the -ostatic-ticket option. When -oshort-ticket is used without -ostatic-ticket it will program the YubiKey in "scan-code mode", in this mode the key sends the contents of fixed, uid and key as raw keyboard scancodes. For example, by using the fixed string h:8b080f0f122c9a12150f079e in this mode it will send Hello World! on a qwerty keyboard. This mode sends raw scan codes, so output will differ between keyboard layouts.
and YKMAN sets the SHORT_TICKET flag by default: https://github.com/Yubico/yubikey-manager/blob/51a7ae438c923189788a1e31d3de18d452131942/yubikit/yubiotp.py#L474
self._update_flags(CFGFLAG.SHORT_TICKET, True)
It does not set STATIC_TICKET, so I guess it is used as raw scancode mode.
When you do $ ykman otp static --length 24 --generate 1, does it return 24 chars or 12 on a YubiKey?
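Added example (not part of the thread, ykman or ykpersonalize): a decoder for the scan-code mode described in the quoted manual text, checked against its h:8b080f0f122c9a12150f079e sample. It assumes the high bit of each byte means Shift and the low seven bits are a USB HID keyboard usage ID; the function names and the partial AZERTY table are constructed for illustration.

```python
SHIFT = 0x80  # assumed: high bit of a scan-code-mode byte means Shift is held

def us_qwerty():
    """Map USB HID keyboard usage IDs to (plain, shifted) characters."""
    keys = {0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " ")}
    for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
        keys[0x04 + i] = (ch, ch.upper())
    for i, pair in enumerate(zip("1234567890", "!@#$%^&*()")):
        keys[0x1E + i] = pair
    for i, pair in enumerate(zip("-=[]\\", "_+{}|")):
        keys[0x2D + i] = pair
    for i, pair in enumerate(zip(";'`,./", ":\"~<>?")):
        keys[0x33 + i] = pair
    return keys

# Constructed partial override: only the two keys in the sample string that a
# French AZERTY layout maps differently from US QWERTY.
AZERTY_OVERRIDES = {0x1A: ("z", "Z"), 0x1E: ("&", "1")}

def decode_scancodes(fixed, overrides=None):
    """Return the text a host would type for a ykpersonalize 'h:' fixed string."""
    layout = us_qwerty()
    layout.update(overrides or {})
    raw = bytes.fromhex(fixed[2:] if fixed.startswith("h:") else fixed)
    typed = []
    for byte in raw:
        usage, shifted = byte & 0x7F, bool(byte & SHIFT)
        if usage not in layout:
            raise ValueError(f"no key mapped for scan code 0x{byte:02x}")
        typed.append(layout[usage][shifted])
    return "".join(typed)

if __name__ == "__main__":
    sample = "h:8b080f0f122c9a12150f079e"  # fixed string quoted from the man page
    print(repr(decode_scancodes(sample)))                    # US QWERTY host
    print(repr(decode_scancodes(sample, AZERTY_OVERRIDES)))  # AZERTY host
```

The second call shows why a scan-code-mode static password can fail to match on a host with a different keyboard layout.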
It returns a 24-character password when pressing the YubiKey. Tested on my YubiKey 5C NFC.
Fixed in Release 5.8
It seems for static password the length is limited to 8 characters:
Then pressing the button gives only
bbbbbbbb
The same happens with password generation: