How do I unblock my key after several failed generate attempts? #148

Open
antifuchs opened this issue May 27, 2023 · 5 comments
Comments

@antifuchs

Environment

  • OS: macOS 13.3.1
  • age-plugin-yubikey version: 0.4.0

What were you trying to do

I tried generating a key on a blank yubikey 5c nano.

What happened

I failed multiple times to correctly identify what the plugin was asking me to do (namely, enter the pin 123456), locking myself out:

:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (1 try remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]
:;    age-plugin-yubikey --list-all
:;    age-plugin-yubikey --generate --pin-policy once --touch-policy cached
🎲 Generating key...

Enter PIN for YubiKey with serial 15748267 (default is 123456): [hidden]
Error: Invalid PIN (0 tries remaining before it is blocked)

[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report              ]

In the attempts above, I failed to remember that it's not asking me for the PIN for the GPG PIV app, but asks me to enter the default PIN. Oops.

So - how do I get it out of this state? I tried factory-resetting it with gpg --card-edit, which didn't work (and in retrospect can't do anything either, since they're different apps on the key).

@antifuchs
Author

antifuchs commented May 27, 2023

I'm pretty sure this has happened to me at least once before, on a 4c nano - and I managed to recover from it? But I made no notes nor public bug reports that I can find, so .. help /:

@antifuchs
Author

And just like that, I remembered: You use the yubikey-manager, and with that, reset the PIV app:

:;    ykman piv info
PIV version:              5.4.3
PIN tries remaining:      0/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

:;    ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
	PIN:	123456
	PUK:	12345678
	Management Key:	010203040506070801020304050607080102030405060708

@str4d str4d reopened this May 28, 2023
@str4d
Owner

str4d commented May 28, 2023

Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

@antifuchs
Author

That's a great point! One more thing that I noticed is that ykman seems to be able to detect that the default PINs are in place:

$ ykman piv info
PIV version:              5.4.3
PIN tries remaining:      3/3
Management key algorithm: 3
WARNING: Using default PIN!
WARNING: Using default Management key!
CHUID: No data available
CCC:   No data available

If it's possible for age-plugin-yubikey to see that too, I'd suggest changing the --generate logic to not even prompt for the default PIN and only ask for the new PIN instead.

@alan-strohm

> Reopening this because we should give some guidance in the error message when we detect there are no PIN attempts remaining. In particular, for a YubiKey configured for this plugin, a user has three more attempts to remember and recover, because their PUK gets set to their PIN.

In case others find this, the way I got my three more attempts is via

ykman piv access unblock-pin
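As an added example (not part of this issue, age-plugin-yubikey or ykman): a POSIX shell function that parses the `ykman piv info` text quoted above and reports whether the PIN is blocked, whether the default PIN is still in place, and which recovery path applies (`ykman piv access unblock-pin` with the PUK, which the plugin sets equal to the PIN, versus a full `ykman piv reset`). It assumes only the output format shown in this thread; the sample input is constructed, so it runs without a YubiKey.

```shell
#!/bin/sh
# Added example, not code from age-plugin-yubikey or ykman.
# Reads `ykman piv info` output on stdin, prints one status line and returns:
#   0 = ok, 1 = PIN blocked, 2 = default PIN still set, 3 = unparseable input
piv_pin_status() {
    info=$(cat)
    # Pull "remaining total" out of the "PIN tries remaining: N/M" line.
    tries=$(printf '%s\n' "$info" |
        sed -n 's/^PIN tries remaining:[[:space:]]*\([0-9]*\)\/\([0-9]*\).*/\1 \2/p')
    set -- $tries
    remaining=${1:-}
    total=${2:-}
    if [ -z "$remaining" ]; then
        echo "unknown: no 'PIN tries remaining' line found"
        return 3
    fi
    if [ "$remaining" -eq 0 ]; then
        # Blocked: unblock-pin needs the PUK (age-plugin-yubikey sets PUK = PIN);
        # `ykman piv reset` is the fallback but wipes all PIV data.
        echo "pin-blocked: 0/$total tries left; run 'ykman piv access unblock-pin' with the PUK, or 'ykman piv reset' to wipe PIV"
        return 1
    fi
    if printf '%s\n' "$info" | grep -q '^WARNING: Using default PIN!'; then
        echo "default-pin: $remaining/$total tries left, default PIN 123456 still set; change it before use"
        return 2
    fi
    echo "ok: $remaining/$total tries left"
    return 0
}

# Constructed sample matching the blocked-key output quoted in this issue.
SAMPLE_BLOCKED='PIV version:              5.4.3
PIN tries remaining:      0/3
Management key algorithm: 3
WARNING: Using default PIN!'
printf '%s\n' "$SAMPLE_BLOCKED" | piv_pin_status || true
# On a real key: ykman piv info | piv_pin_status
```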
