Yubico Forum

PostPosted: Fri Dec 05, 2014 1:31 am 

Joined: Fri Nov 21, 2014 1:50 am
Posts: 5
I have a VM set up for provisioning Yubikey NEO-n that are all in CCID-only mode (-m81:15:60). During the provisioning process, the token was removed from the VM (logically) due to the timeout previously specified by ykpersonalize auto-eject timer of 60 seconds.

The issue is that the final command executed was

yubico-piv-tool -v -a set-mgm-key -k <keyvalue>

which outputted its success message, but seems to have not completely committed the key change. The result is that the default 010203... key as well as the key specified in the command both result in "Failed authentication with the applet." At this point, no privileged operation can be performed (verifying pin, changing puk, resetting applet) since the management keys supplied appear not to match that expected by the token.

My question is: is my token hosed? Is there a method to hard reset the token? I don't care about the content of it at this point, just the reuse of the hardware.


Last edited by asym on Mon Dec 08, 2014 8:27 pm, edited 1 time in total.


PostPosted: Fri Dec 05, 2014 8:58 pm 

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
EDIT: Argh, I should read better...

Did you try locking up the applet by using bogus pins first before trying a reset?

Code:
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a reset


Not sure if the reset command requires the management key or not.

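The lock-then-reset sequence above as a script, added here as an illustration and not posted by anyone in the thread. It assumes only that yubico-piv-tool exits non-zero when a PIN or PUK is rejected and that the target token is the only card attached; the tool path, the bogus values and the attempt count are placeholders that can be overridden from the environment. It also refuses to continue if a "bogus" value is actually accepted, so a token whose credentials are still known is not wiped by mistake.

```shell
#!/bin/sh
# Added example (not from the thread): block the PIN, then the PUK, then reset the
# PIV applet, using the tool's exit status instead of a fixed number of pasted commands.
# Assumption: yubico-piv-tool returns non-zero when a PIN/PUK is rejected.
PIV_TOOL="${PIV_TOOL:-yubico-piv-tool}"   # placeholder: path to the tool
BOGUS_PIN="${BOGUS_PIN:-4711}"            # deliberately wrong PIN, as in the thread
BOGUS_PUK="${BOGUS_PUK:-67567}"           # deliberately wrong PUK, as in the thread
ATTEMPTS="${ATTEMPTS:-4}"                 # the thread uses four tries per counter

# exhaust N CMD...: run CMD N times, expecting every run to be rejected.
# Returns 0 when all N runs failed (retry counter exhausted) and 1 if any run
# succeeded, which means the "bogus" value was valid and nothing should be reset.
exhaust() {
  n="$1"; shift
  i=0
  while [ "$i" -lt "$n" ]; do
    if "$@" >/dev/null 2>&1; then
      echo "attempt $((i + 1)): credential accepted, aborting (token not locked)" >&2
      return 1
    fi
    i=$((i + 1))
  done
  return 0
}

# block_and_reset: lock the PIN, lock the PUK, then reset the applet.
# None of these three actions needs the management key (as the thread concludes).
block_and_reset() {
  exhaust "$ATTEMPTS" "$PIV_TOOL" -a verify-pin -P "$BOGUS_PIN" || return 1
  exhaust "$ATTEMPTS" "$PIV_TOOL" -a change-puk -P "$BOGUS_PUK" -N "$BOGUS_PUK" || return 1
  "$PIV_TOOL" -a reset
}

# Only touch a token when explicitly asked; otherwise the file just defines the functions.
if [ "${PIV_RUN:-0}" = "1" ]; then
  block_and_reset
fi
```

Run it with `PIV_RUN=1 sh reset-piv.sh` against the locked-out token; a non-zero exit before the reset step means one of the bogus values was accepted and the applet was left untouched.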
PostPosted: Sat Dec 06, 2014 2:10 am 

Joined: Fri Nov 21, 2014 1:50 am
Posts: 5
Yeah, the yubico-piv-tool implicitly invokes the default management key if none is provided. You'll get a feel for just how many operations require the symmetric key once you change it and try to manage the token after the fact.

After tinkering with the token some more, it appears completely locked out of the CCID mode since it can't authenticate with the applet. The reset instructions from the manual all direct the user to lock the PIN/PUK, which I can't even get to. All other modes work as intended, and I can even still manage CCID reader timeouts, but unfortunately, I'm still stuck trying to recover the use of the hardware itself.

As an aside, if people are recovering from this just using the documented PIN/PUK blocking, it sounds like they're not even resetting the management key from the published default value, which is more than a little alarming if they're using them in security-relevant applications.


PostPosted: Mon Dec 08, 2014 11:04 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello,

Asym, good post. Please use the latest version of the PIV-TOOLS (https://developers.yubico.com/yubico-piv-tool/); the problem you described should be fixed.

Let me know the outcome please.

Tom.



PostPosted: Mon Dec 08, 2014 8:26 pm 

Joined: Fri Nov 21, 2014 1:50 am
Posts: 5
Running version 0.1.2 of yubico-piv-tool did the trick. If I were to venture a guess, it appears that the verify-pin and change-puk operations were modified not to require the passing of the management key since all attempts to validate the key (default or my supposedly newly installed one) for other privileged operations still failed. This let me block the PIN and PUK and successfully reset the applet. Thanks for the expedient resolution.

Any word on the turnaround window between version updates for this tool and its updated formula on homebrew by any chance?

Also, verbose mode for verify-pin now outputs twice to CLI, but change-puk seems fine :)

