Yubikey not available #66

Open
FONDSMATIVE opened this issue Jan 28, 2021 · 8 comments

@FONDSMATIVE

Hi Patrick,

thanks again for your great efforts!
What happens is: "Yubikey not available or timed out waiting for button press"

I am looping over the yubikey-luks-open script until the encrypted drive is open and afterwards I would love to run some other (backup) scripts.
We are running into that part that makes some problems I guess:

```sh
R="$(printf %s "$P1" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
if [ "$DBG" = "1" ]; then echo "Yubikey response: $R"; fi

if [ -z "$R" ]; then
    echo "Yubikey not available or timed out waiting for button press"
    exit 1
fi
```

On the one hand it seems like there is no value for "$R", but otherwise setting DBG=1 echoes the "Yubikey response: $R" correctly.

Could it be that there should be some implementation of sleep or wait?
Many thanks again!
FONDSMATIVE


P.S.:

Part of the 'looping script'

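```bash
n=5 # max 5 tries
c=0

# _mntd, _yubikey, _mnt and _uuid are set elsewhere in the script.
# The original condition ended in `|| true`, which always succeeds,
# so the until loop would stop before running its body.
until grep -qs "${_mntd}" /proc/mounts
do
    # Runs in the foreground, so no `wait $!` is needed afterwards.
    ${_yubikey}

    if grep -qs "${_mntd}" /proc/mounts; then
        sudo ${_mnt} --uuid "${_uuid}" "${_mntd}" &> /dev/null
        exit 0
    else
        echo "SOMETHING WENT WRONG.."
        echo "TRY AGAIN..."
    fi

    (( c+=1 ))

    if (( c < n ))
    then
        continue
    else
        # Print before leaving the loop; after `break` this was unreachable.
        echo "SOMETHING WENT WRONG... SORRY"
        break
    fi
done
```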

@gergap

gergap commented Oct 16, 2022

I'm having the same problem, but actually it is caused by the underlying ykchalresp tool.

```
$> echo test | ykchalresp -2 -i-
Yubikey core error: timeout
```

I'm on Debian 11 (bullseye).

@gergap

gergap commented Oct 16, 2022

In verbose mode I see this:

```
$> echo test | ykchalresp -2 -i- -v
Firmware version 5.1.2
Sending 5 bytes HMAC challenge to slot 2
Yubikey core error: timeout
```

The LED is lighting up on the Yubikey, so it can reach it. This indicates it is not a permission problem.
I already reinstalled the yubikey tools, but this didn't help either.

Version info:

```
$> ykchalresp -V
1.20.0
```

@gergap

gergap commented Oct 16, 2022

Just built the tool from source with debug info:

```
Firmware version 5.1.2
Sending 5 bytes HMAC challenge to slot 2
YK_DEBUG: Write 5 bytes to YubiKey :
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
          yk_write_to_key: 74 65 73 74 0a 00 00 80
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
          yk_write_to_key: 00 38 e3 f6 00 00 00 89
YK_DEBUG: Read 20 bytes from YubiKey :
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
   yk_wait_for_key_status: 00 05 01 02 03 0f 05 00
Yubikey core error: timeout
```

It receives data, but obviously not the expected. I don't know this protocol. Maybe somebody with more insight can help here.

@gergap

gergap commented Oct 16, 2022

I was just using the wrong Yubikey, I have more than one.
The one with the issue was just not configured for challenge/response, stupid me.

@falense

falense commented Sep 17, 2023

I had this issue. I had configured the ChallengeResponse to keyslot 1 instead of keyslot 2. Adding it to keyslot 2 seems to have fixed the issue.

@3rett

3rett commented Feb 19, 2024

> I was just using the wrong Yubikey, I have more than one. The one with the issue was just not configured for challenge/response, stupid me.

What do you mean by this? Wrong type?

I am trying this on a brand new Debian 12 and am getting..

Yubikey not available or timed out waiting for button press

However, ykman shows this..

```
root@0af1:~# ykman info
Device type: Security Key NFC
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO
NFC transport is enabled.

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Not available   Not available
FIDO U2F        Enabled         Enabled
OATH            Not available   Not available
YubiHSM Auth    Not available   Not available
OpenPGP         Not available   Not available
PIV             Not available   Not available
```

It is the 'Security' line, but I think all you need is FIDO2.

@3rett

3rett commented Feb 19, 2024

I found this..

> YubiKey Personalization Tool. The tool works with any YubiKey (except the Security Key).

I'm assuming since this method requires YubiKey Personalization Tool config that the 'security' key is not supported. I just don't see that explicitly mentioned anywhere.

@Vincent43
Contributor

Yes, this functionality requires a multi-protocol YubiKey (v4 or v5). A Security Key won't work.
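
A diagnostic sketch for the failure causes reported in this thread (added example, not part of the thread or of the yubikey-luks project): it reads `ykman info` to see whether the key has an OTP application at all, and keeps the `ykchalresp` error text instead of discarding it with `2>/dev/null || true`. The function names and cause labels are assumptions made for this example; `SECURITY_KEY_INFO` is an excerpt of the `ykman info` output posted above.

```sh
#!/bin/sh
# Excerpt of the `ykman info` output posted in this thread (Security Key NFC).
SECURITY_KEY_INFO='Device type: Security Key NFC
Applications USB NFC
FIDO2 Enabled Enabled
OTP Not available Not available'

# Read `ykman info` text on stdin and print the USB state of the OTP
# application: enabled, disabled, not-available, or unknown (no OTP row).
otp_usb_state() {
    awk '
        /^Applications/ { in_table = 1; next }
        in_table && $1 == "OTP" {
            state = ($2 == "Not") ? "not-available" : tolower($2)
            print state
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# classify_failure INFO_TEXT STDERR_TEXT -> hypothetical cause label on stdout.
classify_failure() {
    case "$(printf '%s\n' "$1" | otp_usb_state)" in
        not-available) echo "device-has-no-otp"; return 0 ;;
        disabled)      echo "otp-disabled"; return 0 ;;
    esac
    case "$2" in
        # Seen in the thread for an unconfigured key and for the wrong slot.
        *timeout*) echo "slot-unconfigured-or-no-touch" ;;
        *)         echo "no-device-or-other" ;;
    esac
}

# Live use (needs a key plugged in): try the slot and explain a failure on
# stderr. The response is never printed, since it serves as key material.
try_slot() {
    slot="${YUBIKEY_LUKS_SLOT:-2}"
    err=$(mktemp) || return 1
    resp=$(printf %s "$1" | ykchalresp -"$slot" -i- 2>"$err")
    if [ -n "$resp" ]; then rm -f "$err"; return 0; fi
    classify_failure "$(ykman info 2>/dev/null)" "$(cat "$err")" >&2
    rm -f "$err"
    return 1
}
```

Only `try_slot` touches hardware; the two parsing functions can be exercised on saved command output.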
