Yubico Forum

PostPosted: Tue Feb 02, 2016 5:00 pm 

Joined: Tue Feb 02, 2016 4:54 pm
Posts: 2
I hate to admit this on a public forum, but I have managed to lock my admin pin. I can’t change or reset, when I do I get a card error. All of the information I’ve found online is written for the NEO.

Can someone help, or is this key a goner? Thanks!


Last edited by enculturation on Tue Feb 02, 2016 9:06 pm, edited 1 time in total.


 Post subject: Re: Locked Admin PIN
PostPosted: Tue Feb 02, 2016 8:07 pm 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Assuming you're referring to OpenPGP, the NEO instructions work for the YubiKey 4 as well:

https://developers.yubico.com/ykneo-ope ... pplet.html

You can skip the Prerequisites section when you're using the YubiKey 4. If you receive any errors running the commands manually, try the script option listed at the bottom of the instructions. You can start by checking what is locked (you may need to terminate the gpg-agent and scdaemon processes first):

gpg2 --card-status
Application ID ...: D2760001240102010006042126520000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04212652
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

When you check the "PIN retry counter", the first number is the remaining PIN entries, the second number is irrelevant, and the third number is the remaining Admin PIN entries. In my case, I haven't locked out the PIN or the Admin PIN (both counters are still showing "3"), so I need to lock both out before I can reset the applet:

gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>

At this point, you should be able to remove and re-insert the YubiKey 4, terminate the gpg-agent and scdaemon processes, and run "gpg2 --card-status" again to confirm the PIN retry counter is now at "3 0 3" again as expected. To better understand what the reset commands are:

scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 (Guess the PIN wrong one time - use this until the response is "D[0000] 69 83")
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 (Guess the Admin PIN wrong one time - use this until the response is "D[0000] 69 83")
scd apdu 00 e6 00 00 (terminate the card, correct response is "D[0000] 90 00")
scd apdu 00 44 00 00 (reactivate the card, correct response is "D[0000] 90 00")

Again, if you receive any errors, try following the script option located at the bottom of https://developers.yubico.com/ykneo-ope ... pplet.html

Example: On Windows 10, I create a text document (.txt) in my Documents folder called "ResetApplet.txt" (C:\Users\Chris\Documents\ResetApplet.txt), and paste the contents for the script (you will have to remove any leading spaces if you copy directly from the instructions):

/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.

I then open Command Prompt, change directory to my Documents folder ("cd C:\Users\Chris\Documents") and run the command:

C:\Users\Chris\Documents>gpg-connect-agent -r ResetApplet.txt
S SERIALNO D2760001240102010006042126520000 0
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 83 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 82 i.
OK
D[0000] 69 83 i.
OK
D[0000] 90 00 ..
OK
D[0000] 90 00 ..
OK
Card has been successfully reset.
>


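The walk-through above reads the `gpg-connect-agent --hex` transcript by eye: `69 82` for a rejected PIN, `69 83` once the counter is exhausted, `90 00` for the terminate and activate steps. The following script is an added example for this thread, not Yubico's or GnuPG's code. It pairs each `scd apdu` command with the `D[0000] ..` response that follows, names the instruction and the status word, and checks that the transcript really drove both retry counters to "blocked" before TERMINATE DF and ACTIVATE FILE ran. The instruction and status-word names come from the OpenPGP card and ISO 7816-4 specifications; the `63Cx` form (remaining tries in the low nibble) is how later card versions answer a wrong PIN and is not shown in this thread. The sample transcript at the bottom is constructed to mirror the interactive session posted above.

```python
"""Decode a gpg-connect-agent --hex transcript of the OpenPGP applet reset."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ISO 7816-4 status words that appear during the reset.
STATUS_WORDS: Dict[str, str] = {
    "9000": "success",
    "6982": "security status not satisfied (PIN rejected)",
    "6983": "authentication method blocked (retry counter exhausted)",
    "6700": "wrong length",
}
# Instruction bytes used by the reset sequence.
INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
# VERIFY P2 selects the password being checked (OpenPGP card PW1 / PW3).
PIN_NAMES = {0x81: "PW1 (user PIN)", 0x82: "PW1 (user PIN)", 0x83: "PW3 (Admin PIN)"}

CMD_RE = re.compile(r"^>\s*scd apdu\s+((?:[0-9a-fA-F]{2}\s*)+)$")
RESP_RE = re.compile(r"^D\[[0-9a-fA-F]{4}\]\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+)")


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    def describe(self) -> str:
        name = INS_NAMES.get(self.ins, "INS %02X" % self.ins)
        if self.ins == 0x20:
            target = PIN_NAMES.get(self.p2, "P2 %02X" % self.p2)
            return "%s %s, %d-byte candidate" % (name, target, len(self.data))
        return name


@dataclass
class Step:
    apdu: Apdu
    sw: str  # status word as four upper-case hex digits

    def meaning(self) -> str:
        if self.sw.startswith("63C"):  # later card versions report tries left this way
            return "verification failed, %d tries left" % int(self.sw[3], 16)
        return STATUS_WORDS.get(self.sw, "unknown status word")


def parse_apdu(hex_bytes: str) -> Apdu:
    """Split 'CLA INS P1 P2 [Lc data]' into its fields, checking Lc against the data."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 4:
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc byte does not match the data length")
    return Apdu(cla, ins, p1, p2, data)


def parse_transcript(text: str) -> List[Step]:
    """Pair every '> scd apdu ...' line with the next 'D[....] ..' response line."""
    steps: List[Step] = []
    pending: Optional[Apdu] = None
    for line in text.splitlines():
        line = line.strip()
        m = CMD_RE.match(line)
        if m:
            pending = parse_apdu(m.group(1))
            continue
        m = RESP_RE.match(line)
        if m and pending is not None:
            resp = bytes.fromhex(m.group(1).replace(" ", ""))
            steps.append(Step(pending, resp[-2:].hex().upper()))  # last two bytes = SW1 SW2
            pending = None
    return steps


def check_reset(steps: List[Step]) -> Tuple[bool, List[str]]:
    """True only if PW1 and PW3 both reached 6983 and TERMINATE DF then ACTIVATE FILE returned 9000."""
    findings: List[str] = []
    blocked = {0x81: False, 0x83: False}
    terminated = activated = False
    for s in steps:
        a = s.apdu
        if a.ins == 0x20 and a.p2 in blocked:
            if s.sw == "6983":
                blocked[a.p2] = True
            elif s.sw == "9000":
                findings.append("VERIFY for %s succeeded; that counter was not decremented" % PIN_NAMES[a.p2])
        elif a.ins == 0xE6:
            if not all(blocked.values()):
                findings.append("TERMINATE DF sent before both retry counters reported 6983")
            terminated = s.sw == "9000"
        elif a.ins == 0x44:
            if not terminated:
                findings.append("ACTIVATE FILE sent without a successful TERMINATE DF")
            activated = s.sw == "9000"
    for p2, done in blocked.items():
        if not done:
            findings.append("%s never reached 6983 (still not blocked)" % PIN_NAMES[p2])
    return (terminated and activated and not findings), findings


# Constructed transcript mirroring the interactive session posted above.
SAMPLE_TRANSCRIPT = (
    "> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40\nD[0000] 69 82 i.\nOK\n" * 3
    + "> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40\nD[0000] 69 83 i.\nOK\n"
    + "> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40\nD[0000] 69 82 i.\nOK\n" * 3
    + "> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40\nD[0000] 69 83 i.\nOK\n"
    + "> scd apdu 00 e6 00 00\nD[0000] 90 00 ..\nOK\n"
    + "> scd apdu 00 44 00 00\nD[0000] 90 00 ..\nOK\n"
)

if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE_TRANSCRIPT)
    for step in parsed:
        print("%-40s -> %s %s" % (step.apdu.describe(), step.sw, step.meaning()))
    print(check_reset(parsed))
```

Running it on a saved transcript (`python decode.py < session.txt` after swapping `SAMPLE_TRANSCRIPT` for `sys.stdin.read()`) tells you at a glance whether the terminate step was issued too early, which is the usual reason the counters still show the old values afterwards.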
PostPosted: Tue Feb 02, 2016 9:08 pm 

Joined: Tue Feb 02, 2016 4:54 pm
Posts: 2
I appreciate it. I ran into an error message even after running the script. However, it was fixed by rebooting and restarting the daemons.


PostPosted: Fri May 13, 2016 4:35 pm 

Joined: Fri May 13, 2016 4:27 pm
Posts: 3
Hello!

I have a similar problem, but this solution does not work. I managed to exhaust the admin PIN retries during a botched key migration. Then I ran the gpg-agent script, and it did not reset the admin PIN counter, as seen.

Also, the max key lengths were reset to 2048, and as this is a YubiKey 4 it should support 4096 (and I believe it did when I started the procedure).


Attachments: yubikey.png (problem screenshot)
PostPosted: Fri May 13, 2016 8:16 pm 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Hello Axel -

I'm confused; your key IS reset. With a YubiKey 4 you should see 3 0 3 for the PIN retry counter.

1st number - PIN retries remaining
2nd number - Reset Code retries remaining (there is no reset code by default, you have to set one if you want one, so you should see 0 here)
3rd number - Admin PIN retries remaining

Also, you will see 2048R 2048R 2048R for the Key attributes on a new key, because that's the default. When you load 4096 subkeys there you will see 4096R 4096R 4096R instead.


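Both the walk-through earlier in the thread and the reply above interpret the `PIN retry counter` line of `gpg2 --card-status` by hand. The script below is an added example for this thread, not Yubico's or GnuPG's code. It parses the key/value lines gpg prints, splits the three counters and labels them as the reply above does (PIN, Reset Code, Admin PIN), flags any counter that has reached zero, and notes whether the key attributes are still the `2048R` default. The sample output is constructed to match the one posted in this thread, with a second copy altered to show what a locked Admin PIN looks like; the "3 0 3" baseline used by `looks_reset` is the YubiKey 4 default stated above.

```python
"""Parse `gpg2 --card-status` output and explain the PIN retry counters."""
from typing import Dict, List

# Order of the three numbers on the "PIN retry counter" line, as explained in the thread.
COUNTER_NAMES = ("PIN (PW1)", "Reset Code", "Admin PIN (PW3)")
KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")


def parse_card_status(text: str) -> Dict[str, str]:
    """Turn 'Serial number ....: 04212652' style lines into {'Serial number': '04212652'}."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.rstrip(" .").strip()  # drop the dotted padding gpg uses for alignment
        if key:
            fields[key] = value.strip()
    return fields


def retry_counters(fields: Dict[str, str]) -> Dict[str, int]:
    """Map the three counters to their names; raises if the line is missing or malformed."""
    raw = fields.get("PIN retry counter", "")
    parts = raw.split()
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected PIN retry counter line: %r" % raw)
    return dict(zip(COUNTER_NAMES, (int(p) for p in parts)))


def assess(fields: Dict[str, str]) -> List[str]:
    """Human-readable notes: blocked counters, unset Reset Code, default key attributes, empty slots."""
    notes: List[str] = []
    for name, left in retry_counters(fields).items():
        if name == "Reset Code" and left == 0:
            notes.append("Reset Code: not configured (0 is the default)")
        elif left == 0:
            notes.append("%s: BLOCKED (0 retries left)" % name)
        else:
            notes.append("%s: %d retries left" % (name, left))
    attrs = fields.get("Key attributes", "")
    if attrs.split() == ["2048R"] * 3:
        notes.append("Key attributes: factory default 2048R (changes once larger keys are loaded)")
    elif attrs:
        notes.append("Key attributes: %s" % attrs)
    for slot in KEY_SLOTS:
        if fields.get(slot) == "[none]":
            notes.append("%s: empty" % slot)
    return notes


def looks_reset(fields: Dict[str, str]) -> bool:
    """True when the counters read 3 0 3 and no keys are loaded: the post-reset state described above."""
    c = retry_counters(fields)
    keys_empty = all(fields.get(slot) == "[none]" for slot in KEY_SLOTS)
    return (c["PIN (PW1)"], c["Reset Code"], c["Admin PIN (PW3)"]) == (3, 0, 3) and keys_empty


# Constructed to match the card-status output posted earlier in the thread.
SAMPLE_STATUS = """\
Application ID ...: D2760001240102010006042126520000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04212652
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
"""
# Constructed variant: same card after the Admin PIN retry counter was exhausted.
SAMPLE_LOCKED = SAMPLE_STATUS.replace("PIN retry counter : 3 0 3", "PIN retry counter : 3 0 0")

if __name__ == "__main__":
    for label, text in (("fresh", SAMPLE_STATUS), ("locked", SAMPLE_LOCKED)):
        fields = parse_card_status(text)
        print("%s: looks_reset=%s" % (label, looks_reset(fields)))
        for note in assess(fields):
            print("  " + note)
```

Feeding it real output (`gpg2 --card-status | python status.py` with `SAMPLE_STATUS` replaced by `sys.stdin.read()`) answers the question raised in this thread directly: a middle "0" means no Reset Code is set, not that anything is locked, and only a 0 in the first or third position is a blocked PIN.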
PostPosted: Sat May 14, 2016 11:20 pm 

Joined: Fri May 13, 2016 4:27 pm
Posts: 3
Now I get it, I'm an idiot! Thanks!


PostPosted: Tue Sep 26, 2017 1:30 pm 

Joined: Sun Sep 24, 2017 3:10 pm
Posts: 11
Is all of that still required to reset? Isn't there a factory reset or something in OpenPGP, or something that the PIV manager tool can reset?

