Getting error message "Please unplug your YubiKey"

[adrienlacombe]

Hi, Thank you for your work first of all. I have succesfully setup KeePassXC on Windows with YubiKey Challenge-Response and then use the same db on a Pixel 4 running Android stock, this is working fine with Keepass2Android. However, with the same db, this time on a Pixel 4 running GrapheneOS (build RQ1A.210205.004), I am getting the error "Please unplug your YubiKey" while trying to open the db using Keepass2Android. Please let me know if you need any other info. Thank you vm Adrien

[pp3345]

Hi Adrien,

are you familiar with the adb tool? If yes, please run adb logcat and then try to unlock your database. A more elaborate error description should show up in the log. Please attach the log here then.

[adrienlacombe]

Hi @pp3345, thank you for the quick reply. Yes I am, but, both the USB cable to run adb and the YubiKey use the USB-C port of my phone. Should I then first get the error then logcat? Thank you vm

[pp3345]

Ah, sorry, I didn't think about that. I guess your approach should work, if not, you could alternatively run adb via the network (attach the phone via USB, run adb tcpip 5555, unplug your phone, then adb connect <ip address>:5555).

[adrienlacombe]

Thank you, actually, we can debug over wifi now it seems! Here are the logs @pp3345 log.log

[adrienlacombe]

Just found this, not sure it applies 100% though.

https://github.com/GrapheneOS/os_issue_tracker/issues/465

[pp3345]

I think the issue you linked is unrelated as it refers to FIDO authentication (not the thing ykDroid implements). It's still possible that this is an issue with your ROM, I am not entirely sure what's going on though. Please try the following build and see if it works: https://dev.pp3345.net/ykdroid-eddea6a8-debug+-19.apk

Please attach a new log here in any case, working or not. Note that you will need to uninstall ykDroid before Android will allow you to install a debug build.

[adrienlacombe]

Hi, really sorry for the late reply. So, interesting, the version of the app you gave me works fine :) I uninstall and tried again with version from F-Droid and back with the same error again... what should I do? Thank you!

[pp3345]

Can you create a new log with the working build and attach it here?

[adrienlacombe]

adblogs.log Here you go, thank you! There are a lot of failed attempts before the succesful one which is line 3236 I believe.

[adrienlacombe]

Hi @pp3345, should I use the working build then? Thank you

[mottech20]

I had a similar issue.
First make sure that Yubikey Authenticator app is not handling the device when it is connected and ykDroid handles the challenge-response. Initially it would show a dialog asking if you want Yubikey Authenticator to handle OTP+FIDO+CCID. If you answered yes and marked the checkbox to always open it with that app, you have to reset it (I don't know how...).
Also, make sure the correct slot is chosen for Challenge-Response. For this, insert/ touch your Yubikey after you choose the OTP file. This shows a dialog which allows you to pick the slot.

[mottech20]

Also, it's best to OTP auxiliary file right beside the DB file. And make sure you clear the app's data so there are no previously cached / local copies of the DB or aux file with the same name.

[mottech20]

The above comments were for the Keepass2Android app. Sorry I thought I was commenting on that repo.

[mdonoughe]

Maybe this helps somebody out. I was getting the same error because my challenge response is on slot 2. I always forget to change it when I get a new device.