Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID #318

Closed
GregoryOrciuch opened this issue Nov 22, 2018 · 19 comments
Closed

PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID #318

GregoryOrciuch opened this issue Nov 22, 2018 · 19 comments
Assignees
@emlun
Labels
fedora

Comments

@GregoryOrciuch
Copy link

  • Yubico Authenticator version: 4.3.3 (yubioath-desktop-4.3.3-2.fc29.x86_64)
  • Operating system and version: Fedora 29
  • YubiKey model and version: yubikey 4
  • Bug description summary: Stuck on connecting to the device, it wont connectd.

I just upgraded from Fedora 28 to Fedora 29. Looks like the yubioath-desktop has been upgraded too.
And now stopped to work

yubioath-desktop --log-level DEBUG

qrc:/qml/SetPassword.qml:23:5: QML ColumnLayout: Detected anchors on an item that is managed by a layout. This is undefined behavior; use Layout.alignment instead.
qrc:/qml/SettingsDialog.qml:20:5: QML ColumnLayout: Detected anchors on an item that is managed by a layout. This is undefined behavior; use Layout.alignment instead.
qrc:/qml/AddCredentialSlot.qml:14:5: QML ColumnLayout: Detected anchors on an item that is managed by a layout. This is undefined behavior; use Layout.alignment instead.
qrc:/qml/AddCredential.qml:15:5: QML ColumnLayout: Detected anchors on an item that is managed by a layout. This is undefined behavior; use Layout.alignment instead.
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.Descriptor.open_device:86] transports: 0x4, self.mode.transports: 0x7
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:141] Opening driver for serial: None, pid: PID.YK4_OTP_U2F_CCID
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 1 of 10
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_ccid.CCIDDriver object at 0x7f0e4f0d41d0> serial: 5409549, pid: PID.YK4_OTP_CCID
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:156] PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.100000 s
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 2 of 10
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_ccid.CCIDDriver object at 0x7f0e4f0d41d0> serial: 5409549, pid: PID.YK4_OTP_CCID
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:156] PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.200000 s
2018-11-22T13:21:44+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 3 of 10
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_ccid.CCIDDriver object at 0x7f0e4f0d41d0> serial: 5409549, pid: PID.YK4_OTP_CCID
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:156] PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.300000 s
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 4 of 10
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_ccid.CCIDDriver object at 0x7f0e4f0d41d0> serial: 5409549, pid: PID.YK4_OTP_CCID
2018-11-22T13:21:45+0100 DEBUG [ykman.descriptor.open_driver:156] PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID
2018

any ideas ?
@emlun
Copy link
Member

emlun commented Nov 22, 2018

Thanks for reporting! What version of python3-yubikey-manager do you have installed?

@GregoryOrciuch
Copy link
Author

@emlun here it is (most likely default for fedora 29 now):
Name : python3-yubikey-manager
Version : 0.6.0
Release : 4.fc29
comes from: yubikey-manager-0.6.0-4.fc29.src.rpm

@GregoryOrciuch
Copy link
Author

GregoryOrciuch commented Nov 22, 2018
edited by emlun

more info:

ykman -l DEBUG info

2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.Descriptor.open_device:86] transports: 0x7, self.mode.transports: 0x7
2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.open_driver:141] Opening driver for serial: None, pid: PID.YK4_OTP_U2F_CCID
2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.open_driver:143] Attempt 1 of 10
2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_ccid.CCIDDriver object at 0x7f8555f4aeb8> serial: 5409549, pid: PID.YK4_OTP_CCID
2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.open_driver:156] PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID
2018-11-22T15:01:26+0100 DEBUG [ykman.driver_otp.open_devices:413] Success in opening key at position 0
2018-11-22T15:01:26+0100 DEBUG [ykman.descriptor.open_driver:148] Found driver: <ykman.driver_otp.OTPDriver object at 0x7f8557b9c470> serial: 5409549, pid: PID.YK4_OTP_U2F_CCID
Device type: YubiKey 4
Serial number: 5409549
Firmware version: 4.3.4
Enabled connection(s): OTP+U2F+CCID

Device capabilities:
    OTP:        Enabled
    U2F:        Enabled
    CCID:       Enabled
    OPGP:       Enabled
    PIV:        Enabled
    OATH:       Enabled

ykman --version

YubiKey Manager (ykman) version: 0.6.0
Libraries:
    libykpers 1.19.0
    libu2f-host 1.1.6
    libusb 1.0.22

@GregoryOrciuch
Copy link
Author

GregoryOrciuch commented Nov 22, 2018
edited

I found that the F29 using some old version of yubikey-manager which is 0.6.0.

Upgraded the ykman commandline tools via pip:
pip install yubikey-manager

which is now:
YubiKey Manager (ykman) version: 1.0.1
Libraries:
libykpers 1.19.0
libusb 1.0.22

Then I'm able to use ykman commandline with my yk4
using command ykman oath code which is generating fine.

To wrap-up, fedora rpm's are old. they yubi auth gui is also old.The default builds are for debian or just sources. Fedora not well supported.

@emlun
Copy link
Member

emlun commented Nov 22, 2018

Ok, thanks! We'll look into it.

@emlun emlun self-assigned this Nov 22, 2018
@emlun
Copy link
Member

emlun commented Nov 22, 2018

Oh, I didn't see your last two comments until now. Yeah, my knee-jerk reaction to this is that it looks like a packaging issue, but I think yubioath-desktop 4.3.3 should work with ykman 0.6.0. We'll need to look a little closer to see what's gone wrong here.

@ardevd ardevd mentioned this issue Dec 1, 2018
Closed
@emlun
Copy link
Member

emlun commented Dec 3, 2018

Well, this turned out to be a bit of a rabbit hole...

  1. The error is manifested here. This line says PID does not match. Want: PID.YK4_OTP_U2F_CCID, got: PID.YK4_OTP_CCID... https://github.com/Yubico/yubikey-manager/blob/yubikey-manager-0.6.0/ykman/descriptor.py#L155
  2. The PID printed earlier in the same function looks correct... https://github.com/Yubico/yubikey-manager/blob/yubikey-manager-0.6.0/ykman/descriptor.py#L140
  3. ...so this means that the PID is identified incorrectly in the CCIDDriver constructor. https://github.com/Yubico/yubikey-manager/blob/yubikey-manager-0.6.0/ykman/driver_ccid.py#L102
  4. That constructor gets its name parameter from here... https://github.com/Yubico/yubikey-manager/blob/yubikey-manager-0.6.0/ykman/driver_ccid.py#L249
  5. ...which in turn reads it from the reader returned by _list_readers(). https://github.com/Yubico/yubikey-manager/blob/yubikey-manager-0.6.0/ykman/driver_ccid.py#L231
  6. System.readers() is defined in pyscard https://pyscard.sourceforge.io/epydoc/index.html
  7. and calling that function today (python-pyscard 1.9.7 and pcsclite 1.8.24) returns a PCSCReader with the name Yubico YubiKey OTP+FIDO+CCID 00 00, whereas yubikey-manager-0.6.0 expects this to be OTP+U2F+CCID instead of OTP+FIDO+CCID.

So I can only assume that the underlying smartcard drivers have changed the names associated with the YubiKey device definitions.

I don't know what the proper solution to this would be, but I have identified some workarounds:

  • Option 1: Disable the FIDO/U2F transport on the YubiKey: ykman mode o+c. This sidesteps this confusion by making sure the reader name doesn't contain FIDO.
  • Option 2: Upgrade yubikey-manager to version 0.6.1, which has updated its internals to they agree with the reader names returned by pyscard. (0.7.0 or later won't work, though, due to backwards-incompatible changes)

@dainnilsson @dagheyman any additional thoughts?

@sparklespdx
Copy link

sparklespdx commented Dec 3, 2018 via email

@dagheyman
Copy link

Are the RPMs maintained by anyone associated with the project?

No, they are maintained by third parties. I would suggest filing a bug with the packaging directly. My recommendation would be to package yubioath-desktop 4.3.4 together with yubikey-manager 1.0.1. That is the combination we currently have in the Ubuntu PPA.

@GregoryOrciuch
Copy link
Author

Hi,

I just submitted a bug to fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1655888

@kaueraal kaueraal mentioned this issue Dec 9, 2018
Closed
@dagheyman dagheyman mentioned this issue Jan 3, 2019
Closed
@gbcox
Copy link

gbcox commented Jan 3, 2019

I'm currently working on updating yubikey-manager and yubioath-desktop for Fedora 28 and 29. Right now I'm waiting on a dependency - python-fido2 to become available in the Fedora repositories. Once that is complete, I can build and make it available in the updates-testing repository - then production. Here is the link for the python-fido2 updates: https://bodhi.fedoraproject.org/updates/?search=fido2

Updates on the process can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1655888

@emlun emlun mentioned this issue Jan 7, 2019
Closed
@GregoryOrciuch
Copy link
Author

fyi, this is progressing, soon to have updated packages on fedora 28 and 29.

"yubioath-desktop-4.3.5-3.gitd1187b6.fc29 has been submitted as an update to Fedora 29."/28

@andyneff
Copy link

@GregoryOrciuch Can the same be said for yubikey-manager?

@GregoryOrciuch
Copy link
Author

@andyneff yeap, "yubikey-manager-2.0.0-3.gite17b3de.fc29 has been submitted as an update to Fedora 29"/28

@gbcox
Copy link

gbcox commented Jan 10, 2019

Please test yubikey-manager and yubioath-desktop and leave the testing feedback here:
Thanks!

https://bodhi.fedoraproject.org/updates/FEDORA-2019-81120ce3e7 - F28 yubioath-desktop
https://bodhi.fedoraproject.org/updates/FEDORA-2019-e092df3ac0 - F29 yubioath-desktop
https://bodhi.fedoraproject.org/updates/FEDORA-2019-06cc6bf13e - F28 yubikey-manager
https://bodhi.fedoraproject.org/updates/FEDORA-2019-97a3cd5943 - F29 yubikey-manager

@andyneff
Copy link

andyneff commented Jan 10, 2019
edited

Old

dnf install yubikey-manager

for version 0.6.0-4, fails (as expected) for ykman piv info

New

dnf install https://kojipkgs.fedoraproject.org//packages/yubikey-manager/2.0.0/3.gite17b3de.fc29/noarch/python3-yubikey-manager-2.0.0-3.gite17b3de.fc29.noarch.rpm https://kojipkgs.fedoraproject.org//packages/yubikey-manager/2.0.0/3.gite17b3de.fc29/noarch/yubikey-manager-2.0.0-3.gite17b3de.fc29.noarch.rpm

Beautiful success with 2.0.0 for ykman piv info!!!

Tested using Fedora 29

@OlliC
Copy link

OlliC commented Jan 12, 2019

Works for me too now with this new packages on Fedora 29 with Yubikey 4 and Yubikey 5 NFC with all modes enabled (OTP+FIDO+CCID). Thanks

@cedws
Copy link

cedws commented Jan 12, 2019

I had to restart the pcscd service (sudo systemctl restart pcscd), but that RPM works great.

@dagheyman
Copy link

Closing this, glad the packages are working on fedora now. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emlun emlun

Labels
fedora
Milestone
No milestone
Development

No branches or pull requests
8 participants
@sparklespdx @emlun @GregoryOrciuch @gbcox @OlliC @andyneff @dagheyman @cedws