str4d / age-plugin-yubikey

YubiKey plugin for age
Apache License 2.0
569 stars 25 forks

How do I unblock my key after several failed generate attempts? #148

Open antifuchs opened 1 year ago

antifuchs commented 1 year ago

Environment

What were you trying to do

I tried generating a key on a blank YubiKey 5C Nano.

What happened

I failed multiple times to correctly identify what the plugin was asking me to do (namely, enter the PIN 123456), locking myself out:

:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (1 try remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --list-all
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]

In the attempts above, I failed to remember that it's not asking me for the PIN of the GPG PIV app, but asking me to enter the default PIN. Oops.

So - how do I get it out of this state? I tried factory-resetting it with gpg --card-edit, which didn't work (and in retrospect can't do anything either, since they're different apps on the key).

antifuchs commented 1 year ago

I'm pretty sure this has happened to me at least once before, on a 4c nano - and I managed to recover from it? But I made no notes nor public bug reports that I can find, so .. help /:

antifuchs commented 1 year ago

And just like that, I remembered: you use the yubikey-manager, and with that, reset the PIV app:

:;    ykman piv info
PIV version:              5.4.3
PIN tries remaining:      0/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

:;    ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
    PIN:    123456
    PUK:    12345678
    Management Key: 010203040506070801020304050607080102030405060708

str4d commented 1 year ago

Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

antifuchs commented 1 year ago

That's a great point! One more thing that I noticed is that ykman seems to be able to detect that the default PINs are in place:

$ ykman piv info
PIV version:              5.4.3
PIN tries remaining:      3/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

If it's possible for age-plugin-yubikey to see that too, I'd suggest changing the --generate logic to not even prompt for the default PIN and only ask for the new PIN instead.

alan-strohm commented 5 months ago

> Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

In case others find this, the way I got my three more attempts is via

ykman piv access unblock-pin
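An added pre-flight check for the situation in this thread, written for this page and not part of age-plugin-yubikey or ykman: it parses `ykman piv info` output (a constructed sample in the format quoted above) and reports whether the PIN is blocked, in which case `ykman piv access unblock-pin` with the remembered PIN is worth trying (the plugin sets the PUK to the PIN) before a full `ykman piv reset`. `piv_info_advice` is an assumed helper that runs the same check against a real key.

```shell
#!/bin/sh
# Pre-flight check before `age-plugin-yubikey --generate` (added example,
# not plugin or ykman code). Reads `ykman piv info` text and classifies it.

# Constructed sample, copied in shape from the locked-out key in this issue.
SAMPLE_LOCKED='PIV version:              5.4.3
PIN tries remaining:      0/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available'

# pin_tries_left INFO_TEXT -> prints the number of PIN attempts remaining.
pin_tries_left() {
    printf '%s\n' "$1" | sed -n 's/^PIN tries remaining:[[:space:]]*\([0-9]*\)\/.*/\1/p'
}

# uses_default_pin INFO_TEXT -> exit 0 if ykman flagged the factory PIN.
uses_default_pin() {
    printf '%s\n' "$1" | grep -q '^WARNING: Using default PIN!'
}

# recovery_advice INFO_TEXT -> prints one of: unblock, default-pin, ok, unknown
recovery_advice() {
    left=$(pin_tries_left "$1")
    if [ -z "$left" ]; then
        echo "unknown"
        return 1
    fi
    if [ "$left" -eq 0 ]; then
        # PIN blocked. A plugin-initialised key has PUK == PIN, so
        # `ykman piv access unblock-pin` with the remembered PIN gives the
        # three extra tries str4d mentions; `ykman piv reset` is the fallback.
        echo "unblock"
    elif uses_default_pin "$1"; then
        # Fresh key: the --generate prompt wants 123456, not a GPG/PIV PIN.
        echo "default-pin"
    else
        echo "ok"
    fi
}

# piv_info_advice: assumed helper for a real key (requires ykman on PATH).
piv_info_advice() {
    recovery_advice "$(ykman piv info)"
}
```

`recovery_advice "$SAMPLE_LOCKED"` prints `unblock` for the sample above.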