Yubico Forum
https://forum.yubico.com/

[RESOLVED] Locked Admin PIN
https://forum.yubico.com/viewtopic.php?f=35&t=2193

Author:  enculturation [ Tue Feb 02, 2016 5:00 pm ]
Post subject:  [RESOLVED] Locked Admin PIN

I hate to admit this on a public forum, but I have managed to lock my admin pin. I can’t change or reset, when I do I get a card error. All of the information I’ve found online is written for the NEO.

Can someone help, or is this key a goner? Thanks!

Author:  ChrisHalos [ Tue Feb 02, 2016 8:07 pm ]
Post subject:  Re: Locked Admin PIN

Assuming you're referring to OpenPGP, the NEO instructions work for the YubiKey 4 as well:

https://developers.yubico.com/ykneo-ope ... pplet.html

You can skip the Prerequisites section when you're using the YubiKey 4. If you receive any errors running the commands manually, try the script option listed at the bottom of the instructions. You can start by checking what is locked (you may need to terminate the gpg-agent and scdaemon processes first):

gpg2 --card-status
Application ID ...: D2760001240102010006042126520000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04212652
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

When you check the "PIN retry counter", the first number is the remaining PIN entries, the second number is irrelevant, and the third number is the remaining Admin PIN entries. In my case, I haven't locked out the PIN or the Admin PIN (both counters are still showing "3"), so I need to lock both out before I can reset the applet:

gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>

At this point, you should be able to remove and re-insert the YubiKey 4, terminate the gpg-agent and scdaemon processes, and run "gpg2 --card-status" again to confirm the PIN retry counter is now at "3 0 3" again as expected. To better understand what the reset commands are:

scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 (Guess the PIN wrong one time - use this until the response is "D[0000] 69 83")
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 (Guess the Admin PIN wrong one time - use this until the response is "D[0000] 69 83")
scd apdu 00 e6 00 00 (terminate the card, correct response is "D[0000] 90 00")
scd apdu 00 44 00 00 (reactivate the card, correct response is "D[0000] 90 00")

Again, if you receive any errors, try following the script option located at the bottom of https://developers.yubico.com/ykneo-ope ... pplet.html

Example: On Windows 10, I create a text document (.txt) in my Documents folder called "ResetApplet.txt" (C:\Users\Chris\Documents\ResetApplet.txt), and paste the contents for the script (you will have to remove any leading spaces if you copy directly from the instructions):

/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.

I then open Command Prompt, change directory to my Documents folder ("cd C:\Users\Chris\Documents") and run the command:

C:\Users\Chris\Documents>gpg-connect-agent -r ResetApplet.txt
S SERIALNO D2760001240102010006042126520000 0
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 83 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 83 i.
OK
D[0000] 90 00 ..
OK
D[0000] 90 00 ..
OK
Card has been successfully reset.
>
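
As an added illustration (not part of the post or of Yubico's tools): a small Python decoder for the gpg-connect-agent transcript above that names each APDU and status word, checks that the session ended in a completed reset, and parses the PIN retry counter line from gpg2 --card-status. The sample transcript is constructed to mirror the session in the post.

```python
import re

# OpenPGP card APDU headers (CLA INS P1 P2) used by the reset procedure on the page.
APDU_NAMES = {
    ("00", "20", "00", "81"): "VERIFY user PIN (PW1)",
    ("00", "20", "00", "83"): "VERIFY admin PIN (PW3)",
    ("00", "e6", "00", "00"): "TERMINATE DF",
    ("00", "44", "00", "00"): "ACTIVATE FILE",
}
# ISO 7816-4 status words that appear in the transcript.
STATUS_WORDS = {
    "6982": "security status not satisfied (wrong PIN, retry counter decremented)",
    "6983": "authentication method blocked (retry counter exhausted)",
    "9000": "success",
}
# Constructed sample: the interactive gpg-connect-agent session from the post above.
SAMPLE_TRANSCRIPT = "\n".join(
    ["> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40", "D[0000] 69 82 i.", "OK"] * 3
    + ["> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40", "D[0000] 69 83 i.", "OK"]
    + ["> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40", "D[0000] 69 82 i.", "OK"] * 3
    + ["> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40", "D[0000] 69 83 i.", "OK"]
    + ["> scd apdu 00 e6 00 00", "D[0000] 90 00 ..", "OK",
       "> scd apdu 00 44 00 00", "D[0000] 90 00 ..", "OK"]
)

def parse_retry_counter(card_status: str):
    """Return (PW1, reset code, PW3) retries from gpg2 --card-status output."""
    m = re.search(r"PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status)
    if not m:
        raise ValueError("no PIN retry counter line found")
    return tuple(int(x) for x in m.groups())

def decode_transcript(lines):
    """Pair each 'scd apdu' command with the D[...] response that follows it."""
    events, pending = [], None
    for line in lines:
        line = line.strip().lstrip("> ")
        if line.startswith("scd apdu"):
            hdr = tuple(x.lower() for x in line.split()[2:6])
            pending = APDU_NAMES.get(hdr, "unknown APDU " + " ".join(hdr))
        elif line.startswith("D[") and pending is not None:
            sw = "".join(line.split()[1:3]).lower()
            events.append((pending, sw, STATUS_WORDS.get(sw, "unknown status word")))
            pending = None
    return events

def reset_completed(events):
    """True only if both PINs reached 6983 and TERMINATE DF then ACTIVATE FILE returned 9000."""
    blocked = {n for n, sw, _ in events if sw == "6983" and n.startswith("VERIFY")}
    tail = [(n, sw) for n, sw, _ in events if not n.startswith("VERIFY")]
    return len(blocked) == 2 and tail == [("TERMINATE DF", "9000"), ("ACTIVATE FILE", "9000")]
```

Feeding it the output of your own session shows at a glance whether a "69 83" was reached on both slots before the terminate/activate pair, which is the point at which the applet reset actually happens.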

Author:  enculturation [ Tue Feb 02, 2016 9:08 pm ]
Post subject:  Re: [RESOLVED] Locked Admin PIN

I appreciate it. I ran into an error message even after running the script. However, it was fixed by rebooting and restarting the daemons.

Author:  axel [ Fri May 13, 2016 4:35 pm ]
Post subject:  Re: [RESOLVED] Locked Admin PIN

Hello!

I have a similar problem, but this solution does not work. I managed to exhaust admin pin retries during botched key migration. Then I ran the gpg-agent script, and it did not reset the admin pin counter as seen.

Also the max key lengths were reset to 2048 and as this is a YubiKey 4 it should support 4096 (and I believe it did when I started the procedure).

Attachment: yubikey.png (problem screenshot)

Author:  ChrisHalos [ Fri May 13, 2016 8:16 pm ]
Post subject:  Re: [RESOLVED] Locked Admin PIN

Hello Axel -

I'm confused, your key IS reset. With a YubiKey 4 you should see 3 0 3 for the PIN retry counter.

1st number - PIN retries remaining
2nd number - Reset Code retries remaining (there is no reset code by default, you have to set one if you want one, so you should see 0 here)
3rd number - Admin PIN retries remaining

Also, you will see 2048R 2048R 2048R for the Key attributes on a new key, because that's the default. When you load 4096 subkeys there you will see 4096R 4096R 4096R instead.

Author:  axel [ Sat May 14, 2016 11:20 pm ]
Post subject:  Re: [RESOLVED] Locked Admin PIN

Now I get it, I'm an idiot! Thanks!

Author:  techwg [ Tue Sep 26, 2017 1:30 pm ]
Post subject:  Re: [RESOLVED] Locked Admin PIN

Is all of that still required to reset? Isn't there a factory reset or something in OpenPGP or something that the PIV manager tool can reset?
