ykman list -s fails to display keys serial numbers #594

Open
lacombar opened this issue Jan 24, 2024 · 6 comments

Comments

@lacombar

lacombar commented Jan 24, 2024

  • YubiKey Manager (ykman) version: master as of e5a4f22
  • How was it installed?: cloned via git
  • Operating system and version: 6.6.7-200.fc39.x86_64
  • YubiKey model and version: Security Key by Yubico (5.0.2) [FIDO] / Security Key NFC (5.4.3) [FIDO]
  • Bug description summary:
    ykman list -s does not work.

Steps to reproduce

Run: ykman list -s

Expected result

Serial from the yubikey being displayed. There is no other documented way to list the serial numbers.

Other info

The devices are listed via https://github.com/Yubico/python-fido2. The HIDIOCGRAWUNIQ ioctl does not return anything.

Here are the diagnostics from the two keys on the system:

Detected YubiKeys over HID FIDO:
  CtapYubiKeyDevice(pid=0120, fingerprint='/dev/hidraw5'):
    CTAP device version:      5.0.2
    CTAPHID protocol version: 2
    Capabilities:             5
    Management:              
      Raw Info: <hidden>
      DeviceInfo:
        config:     
          enabled_capabilities:      
            USB: U2F|FIDO2: 0x202

          auto_eject_timeout:         0
          challenge_response_timeout: 15
          device_flags:               0

        serial:      None
        version:     5.0.2
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202

        is_locked:   False
        is_fips:     False
        is_sky:      True

      Name: Security Key by Yubico

    Ctap2Info:
      versions:                        
        U2F_V2
        FIDO_2_0

      extensions:                      
        hmac-secret

      aaguid:                           <hidden>
      options:                         
        rk:        True
        up:        True
        plat:      False
        clientPin: False

      max_msg_size:                     1200
      pin_uv_protocols:                
        1

      max_creds_in_list:                None
      max_cred_id_length:               None
      transports:                      

      algorithms:                       None
      max_large_blob:                   None
      force_pin_change:                 False
      min_pin_length:                   4
      firmware_version:                 None
      max_cred_blob_length:             None
      max_rpids_for_min_pin:            0
      preferred_platform_uv_attempts:   None
      uv_modality:                      None
      certifications:                   None
      remaining_disc_creds:             None
      vendor_prototype_config_commands: None

    PIN: Not configured

  CtapYubiKeyDevice(pid=0402, fingerprint='/dev/hidraw1'):
    CTAP device version:      5.4.3
    CTAPHID protocol version: 2
    Capabilities:             5
    Management:
      Raw Info: <hidden>
      DeviceInfo:
        config:
          enabled_capabilities:
            USB: U2F|FIDO2: 0x202
            NFC: U2F|FIDO2: 0x206
          
          auto_eject_timeout:         0
          challenge_response_timeout: 15
          device_flags:               0

        serial:      None
        version:     5.4.3
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: U2F|FIDO2: 0x202
          NFC: U2F|FIDO2: 0x206
        
        is_locked:   False
        is_fips:     False
        is_sky:      True
      
      Name: Security Key NFC
    
    Ctap2Info:
      versions:                        
        U2F_V2
        FIDO_2_0
        FIDO_2_1_PRE

      extensions:                      
        credProtect
        hmac-secret

      aaguid:                           <hidden>
      options:                         
        rk:                    True
        up:                    True
        plat:                  False
        clientPin:             False
        credentialMgmtPreview: True

      max_msg_size:                     1200
      pin_uv_protocols:                
        2
        1

      max_creds_in_list:                8
      max_cred_id_length:               128
      transports:                      
        nfc
        usb

      algorithms:                      
        alg:  -7
        type: public-key
        alg:  -8
        type: public-key

      max_large_blob:                   None
      force_pin_change:                 False
      min_pin_length:                   4
      firmware_version:                 328707
      max_cred_blob_length:             None
      max_rpids_for_min_pin:            0
      preferred_platform_uv_attempts:   None
      uv_modality:                      None
      certifications:                   None
      remaining_disc_creds:             None
      vendor_prototype_config_commands: None

    PIN: Not configured
@emlun
Member

emlun commented Jan 24, 2024

You can see in the output: serial: None. This is because the Security Key series does not have serial numbers.

@lacombar
Author

lacombar commented Jan 24, 2024

How can ykman be used with multiple keys with no serial numbers?

ERROR: Multiple YubiKeys detected. Use --device SERIAL to specify which one to use.

@lacombar
Author

lacombar commented Jan 24, 2024

Also, currently ykman list -s does not output anything if the key has no serial number; at the least, it should emit a message about a given key having no serial number.

~/% ykman list -s
~/%

@dainnilsson
Member

ykman list will list all keys, including those without serial number. ykman list -s does what the --help output states: "output only serial numbers, one per line (devices without serial will be omitted)".

ykman commands that act on a single device use the serial number of the YubiKey to determine which device to target, and cannot be used on devices without a serial number if more than one is present. If you need to perform some action on multiple keys (batch programming, etc.) then scripting can be used to iterate over connected devices.
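The comment above points at scripting as the way to iterate over connected devices, and the earlier comment asks for `ykman list -s` to at least say which keys have no serial. The following is an added example, not code from ykman or python-fido2: a small wrapper that parses the plain `ykman list` output (which, unlike `-s`, includes keys without a serial), reports the serial status of every key, and builds `ykman --device SERIAL ...` command lines only for the keys that can actually be targeted. It assumes the line format `Model (version) [IFACE+IFACE] Serial: N` with the ` Serial: N` suffix absent for serial-less keys; the sample output and the serial `12345678` are constructed for the example.

```python
"""Wrapper around `ykman list` that reports every connected YubiKey and
flags the ones without a serial number (which `ykman list -s` omits).

Added example, not part of ykman. Assumption: `ykman list` prints one line
per device in the form
    "YubiKey 5 NFC (5.4.3) [OTP+FIDO+CCID] Serial: 12345678"
and leaves off the " Serial: N" suffix when the key has no serial.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Assumed line format of `ykman list`; the Serial suffix is optional.
LINE_RE = re.compile(
    r"^(?P<model>.+?) \((?P<version>[^)]+)\) \[(?P<interfaces>[^\]]+)\]"
    r"(?: Serial: (?P<serial>\d+))?\s*$"
)


@dataclass
class Device:
    model: str
    version: str
    interfaces: List[str]
    serial: Optional[int]  # None for Security Key series devices


def parse_ykman_list(output: str) -> List[Device]:
    """Parse the text of `ykman list` into Device records."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ykman list line: {line!r}")
        serial = m.group("serial")
        devices.append(
            Device(
                model=m.group("model"),
                version=m.group("version"),
                interfaces=m.group("interfaces").split("+"),
                serial=int(serial) if serial else None,
            )
        )
    return devices


def report(devices: List[Device]) -> List[str]:
    """One line per device that always states whether a serial exists."""
    lines = []
    for d in devices:
        if d.serial is None:
            lines.append(
                f"{d.model} ({d.version}): no serial number; "
                "cannot be selected with --device"
            )
        else:
            lines.append(f"{d.model} ({d.version}): serial {d.serial}")
    return lines


def targetable_serials(devices: List[Device]) -> List[int]:
    """Serials of the keys that single-device ykman commands can address."""
    return [d.serial for d in devices if d.serial is not None]


def per_device_commands(devices: List[Device], args: List[str]) -> List[List[str]]:
    """Build `ykman --device SERIAL <args>` argv lists for each addressable key."""
    return [["ykman", "--device", str(s)] + list(args) for s in targetable_serials(devices)]


# Constructed sample output (not captured from a real system).
SAMPLE_OUTPUT = """\
YubiKey 5 NFC (5.4.3) [OTP+FIDO+CCID] Serial: 12345678
Security Key by Yubico (5.0.2) [FIDO]
Security Key NFC (5.4.3) [FIDO]
"""


def run_ykman_list() -> str:
    """Run the real `ykman list` and return its stdout (needs ykman installed)."""
    return subprocess.run(
        ["ykman", "list"], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    # Pass --live to query real hardware; otherwise the constructed sample is used.
    text = run_ykman_list() if "--live" in sys.argv else SAMPLE_OUTPUT
    devs = parse_ykman_list(text)
    for line in report(devs):
        print(line)
    for argv in per_device_commands(devs, ["info"]):
        print("would run:", " ".join(argv))
```

Run with `--live` to read real devices; without it the constructed sample shows the two Security Key series devices from this issue being reported as serial-less while only the standard YubiKey gets a `--device` command.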

@lacombar
Author

  1. Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.

  2. Can a serial number be programmed into a key? [I'd assume not]

  3. If not, how can I reasonably know, prior to purchasing, whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.

  4. Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification of the key without having to resort to invoking the Python gods?

@dainnilsson
Member

dainnilsson commented Jan 25, 2024

  1. Just because something behaves as documented does not imply the behavior is providing a very good UX. In this case, it's rather poor to have no output at all.

It looks like you're trying to use the command for something it was not intended to do, so I fully understand that you find the UX poor for that task.

  2. Can a serial number be programmed into a key? [I'd assume not]

No, devices which do not have serial numbers cannot have them programmed later.

  3. If not, how can I reasonably know, prior to purchasing, whether a key will have a serial number or not? So far, out of 3 keys, only 1 has a serial number.

The Security Key series, with the exception of the "Security Key Enterprise Edition", does not have serial numbers. All standard YubiKey models have serial numbers.

  4. Even if using the HID device node is not stable, why not at least provide this method to be able to use ykman as a backup identification of the key without having to resort to invoking the Python gods?

It's something we may consider for future releases, if there is sufficient demand. However, it would also need equivalent device paths for the OTP and CCID transports in addition to FIDO, as these typically show up as 3 different devices.
