"Yubikey core error: Timeout" with HMAC challenge-response #89

New Issue

Closed

opened 2025-01-19 01:11:44 +08:00 by elaralia · 7 comments

elaralia commented 2025-01-19 01:11:44 +08:00 (Migrated from github.com)

Copy Link

Hi! This is kind of two issues, but both cause the same problem.

When I try to add a HMAC challenge-response slot using ykpersonalize, although it says "successful", there is still nothing programmed to the slot. If I take -oserial-api-visible out of the command, it fails with Yubikey core error: write error.

ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig fails to actually change the otp slots:

Using yubikey-personalization-gui results in the same thing, although it reads successful write. My udev rules are all updated correctly. It may be worth noting that trying to write with this used to fail:

However this wasn't a massive issue, as I could still write it with
ykman otp chalresp -t -g 2, which would work fine, and can be interacted with through ykman otp calculate:

But using it as a HMAC key gives Yubikey core error: Timeout. I think this may be to do with not having the correct configuration through ykman, because I think that the -oserial-api-visible is needed for it to work with this:

Hi! This is kind of two issues, but both cause the same problem. When I try to add a HMAC challenge-response slot using ykpersonalize, although it says "successful", there is still nothing programmed to the slot. If I take `-oserial-api-visible` out of the command, it fails with `Yubikey core error: write error`. `ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig` fails to actually change the otp slots:  Using `yubikey-personalization-gui` results in the same thing, although it reads successful write. My udev rules are all updated correctly. It may be worth noting that trying to write with this used to fail:   However this wasn't a massive issue, as I could still write it with `ykman otp chalresp -t -g 2`, which would work fine, and can be interacted with through `ykman otp calculate`:  But using it as a HMAC key gives `Yubikey core error: Timeout`. I think this may be to do with not having the correct configuration through ykman, because I think that the `-oserial-api-visible` is needed for it to work with this: 

pmnlla commented 2025-01-19 11:02:16 +08:00 (Migrated from github.com)

Copy Link

@qcoral 👀

@qcoral 👀

elaralia commented 2025-01-20 00:59:26 +08:00 (Migrated from github.com)

Copy Link

Maybe related that ykman otp delete seems to always act as if it fails, although it still deleted the slot:

Maybe related that `ykman otp delete` seems to always act as if it fails, although it still deleted the slot: 

polhenarejos commented 2025-01-20 01:22:18 +08:00 (Migrated from github.com)

Copy Link

Please provide:

• Board you are using
• Version of OS
• Version of client software

(Offtopic: may I ask you the software console/terminal? It looks nice)

Please provide: - Board you are using - Version of OS - Version of client software (Offtopic: may I ask you the software console/terminal? It looks nice)

elaralia commented 2025-01-20 02:19:50 +08:00 (Migrated from github.com)

Copy Link

• The board is a raspberry pi pico (just the regular 2040)
• OS is arch linux with 6.6.72 kernel
• Both yubikey-manager and yubikey-personalization are latest versions
  • ykman version 1:5.5.1-3
  • yubikey-personalization version 1.20.0-4
  • yubikey-personalization-gui version 3.1.25-3
• The version on the pico is 6.2, from last wednesday

I also now have the error Yubikey core error: write error after reinstalling on the pico to double check it was fully updated, although I was also getting this error yesterday after updating then. I no longer remember what I did to fix it, might have just restarted:

The terminal is foot, with fish running on Hyprland. I didn't do much, it's from these dotfiles. Definitely very pretty :)

- The board is a raspberry pi pico (just the regular 2040) - OS is arch linux with 6.6.72 kernel - Both `yubikey-manager` and `yubikey-personalization` are latest versions - ykman version `1:5.5.1-3` - yubikey-personalization version `1.20.0-4` - yubikey-personalization-gui version `3.1.25-3` - The version on the pico is `6.2`, from last wednesday I also now have the error `Yubikey core error: write error` after reinstalling on the pico to double check it was fully updated, although I was also getting this error yesterday after updating then. I no longer remember what I did to fix it, might have just restarted:  The terminal is foot, with fish running on Hyprland. I didn't do much, it's from [these dotfiles.](https://github.com/end-4/dots-hyprland/tree/main) Definitely very pretty :)

polhenarejos commented 2025-01-20 03:02:50 +08:00 (Migrated from github.com)

Copy Link

I fixed the deletion problem but I do not see the problem with chalresp.

First, personalization tools are no longer maintained, so I'll not give support for them since they are discontinued.

If you do:

ykman otp chalresp -t -g 2
ykman otp calculate -T -d 6 2 12345678

doesn't work?

I fixed the deletion problem but I do not see the problem with chalresp. First, personalization tools are no longer maintained, so I'll not give support for them since they are discontinued. If you do: ``` ykman otp chalresp -t -g 2 ykman otp calculate -T -d 6 2 12345678 ``` doesn't work?

elaralia commented 2025-01-20 16:05:21 +08:00 (Migrated from github.com)

Copy Link

ykman otp calculate works fine, it's only when used with ykchalresp, although I don't know if that is part of ykman or yuibkey-personalize:

`ykman otp calculate` works fine, it's only when used with `ykchalresp`, although I don't know if that is part of `ykman` or `yuibkey-personalize`: 

elaralia commented 2025-01-23 02:38:09 +08:00 (Migrated from github.com)

Copy Link

I've adjusted the code I was using it for to use ykman, but it isn't a drop in replacment; it has a much larger file size when packaged as an ELF binary (due to being in python), meaning my initramfs is larger than prefered. It does work properly with ykman however, so I'll close this issue and maybe support for ykchalresp could be added in the future at some point?

This is an awesome project btw, really interesting to go through!

I've adjusted the code I was using it for to use ykman, but it isn't a drop in replacment; it has a much larger file size when packaged as an ELF binary (due to being in python), meaning my initramfs is larger than prefered. It does work properly with ykman however, so I'll close this issue and maybe support for ykchalresp could be added in the future at some point? This is an awesome project btw, really interesting to go through!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

development

nightly-development

nightly-main

v7.4

v7.2

v7.0-eddsa

v7.0

v6.6

v6.4-eddsa1

v6.4

v6.2

v6.0-eddsa1

v6.0

v5.12-eddsa1

v5.12

nightly-stable

v5.10

v5.8-eddsa1

v5.8

v5.6-eddsa1

v5.6

v5.4

v3.0

v2.10

v2.8

v2.6

v2.4

v2.2

v2.0

v1.2

v1.0

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

dearsky

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dearsky/pico-fido#89