Misleading “failed authentication with the application”

[acdha]

The Yubico PIV Manager desktop app works flawlessly with my Yubikey 4 on a macOS High Sierra system to generate keys but doesn't have a way to set things like touch policies.

I tried yubico-piv-tool version 1.5.0 from Homebrew and some commands (e.g. verify-pin) work but e.g. generate always returns “failed authentication with the application”.

[klali]

What this might be is that Yubico PIV Manager generates a derived management key based on the pin when initializing the key, yubico-piv-tool doesn't support that.

We're working on replacing the tooling (specifically Yubico PIV Manager) with YubiKey Manager (https://developers.yubico.com/yubikey-manager/). There is command line support in YubiKey Manager to deal with almost everything yubico-piv-tool supports and it also supports management key derivation. The documentation is quite lacking still but the subcommand to look at is ykman piv help.

[acdha]

That appears to be correct (except that it's ykman piv --help) as this worked:

ykman piv generate-key 9e -

Thanks!

[celesteking]

your software is a fucking nightmare

[a-dma]

I'll close this since the issue has been resolved and the root problem is know.

I'll ignore the last bit of constructive feedback...

[jursed]

@klali Sorry for the OT - is yubico-piv-manager now fully replaced by ykman piv, as of ykman 3.0.0?

(More generally, where could one find info on the current state of CLI tooling, i.e. what's actively maintained and what's deprecated? I sympathize with celesteking because the nomenclature is indeed confusing: yk*, yubico*, yubikey*...)

[klali]

Yes, yubikey-piv-manager says at it's top "Note: This project is deprecated and is no longer being maintained. Use YubiKey Manager (GUI, CLI) to configure a YubiKey device."

Any project of ours that is deprecated should have a note like that and ideally point to something that is maintained. I agree that the nomenclature and tooling is confused, the yubikey-manager project is an effort to clean up tooling and make that into one tool for configuring the YubiKey.

[DConcord]

I can't find mention anywhere prominently that yubikey-piv-manager is depricated. Numerous guides continue to offer it, and no alternative, it such as this one: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html

Then the documentation for the tool doesn't mention at all that it is deprecated:
https://developers.yubico.com/yubico-piv-tool/

the download page then doesn't mention it's deprecated either, and there is a release from just 3 months ago:
https://developers.yubico.com/yubico-piv-tool/Releases/

Github... no mention:
https://github.com/Yubico/yubico-piv-tool

So if it is mentioned anywhere... It certainly isn't prominent

[a-dma]

I'm afraid you're confusing yubico-piv-tool (this repository), with PIV Manager which as stated is clearly marked as deprecated.

[timfallmk]

It's worth stating for those that google this that there is still no mention of this tool being deprecated. Nowhere is it "clearly marked".

[brechtm]

I'll ignore the last bit of constructive feedback...

I agree that that comment was unhelpful, but I do understand where that was coming from. Please read #158 (comment) to see why this is still a problem in 2022. I personally don't think the Yubico software is problematic, but the documentation is not up to par (at least not for PIV SSH auth).

[xdubx]

greetings after 10 mins of try and does not understand https://developers.yubico.com/SSH/ :)