Newbie: Can update Smartcard PIN, but not Admin PIN or Name

Hello, I’m just getting started trying to use a Yubico 5 security key with GPG on an Ubuntu 22.04 system, and found something odd that’s probably user error.

When I use gpg --card-edit then admin and passwd, I can change the Yubico key’s PIN from the default to my own. However, when I try to execute name to change the name of the card, it immediately says, “Bad PIN” but never asked me to enter my PIN. If I try admin and passwd and 3 to change the admin PIN, I get the same result: “Bad PIN” but no chance to enter any PIN.

Any ideas what I’m doing wrong? Thanks for any help or advice.

-Kevin

Did you try to use the option -v to get more information?

Maybe @bernhard has another idea. Else you could try to contact the community on the mailing list for gnupg because I think there are more people who have experience with Yubikeys.

Hi Kevin,
as @cklassen wrote: try to get more information by using one or many -v arguments (there are some more options to get even more debug output) and then ask on gnupg-users@. Also give the precise model of the hardware token you are using (if it isn’t in the output).

One possibility, I think, could be to reset the hardware token.

Best,
Bernhard

Hi Kevin!
On Ubuntu you’ll probably have a fairly old version of gpg. We only recently improved the error messages in smartcard context which will not be in their version yet.

It was the case that “Bad PIN” was kind of a catchall message for different issues, most notably “PIN blocked”.

So that means your Admin-PIN is blocked. The Admin-PIN is needed for a name change of the Yubikey, too. Looks like you have to factory-reset the card and start from scratch.

You have to be extra careful not to mix up the different PINs, it is very easy to do that …
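
Added example, not part of the thread and not GnuPG's own code: since older gpg versions report a blocked PIN as “Bad PIN”, the retry counters that `gpg --card-status` prints are the direct way to tell the two apart. It assumes the plain-text `PIN retry counter : U R A` line (user PIN, reset code, Admin PIN); the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Interpret the "PIN retry counter" line of `gpg --card-status`.
# Assumed order of the three numbers: user PIN, reset code, Admin PIN.

# Constructed sample (not output from the card in this thread):
# the user PIN still has 3 tries, the Admin PIN has none left.
SAMPLE_BLOCKED='Name of cardholder: [not set]
PIN retry counter : 3 0 0
Signature counter : 0'

# Print "user reset admin" from card-status text on stdin.
# Exits non-zero if no well-formed counter line is present.
pin_counters() {
    awk -F: '
        /^PIN retry counter/ && $2 ~ /^ *[0-9]+ +[0-9]+ +[0-9]+ *$/ {
            split($2, c, " ")
            print c[1], c[2], c[3]
            found = 1
        }
        END { exit !found }'
}

# Explain the counters read from stdin.
# Returns 0 if the Admin PIN is usable, 1 if it is blocked,
# 2 if the counter line could not be found.
describe_pins() {
    counters=$(pin_counters) || { echo "no PIN retry counter line found"; return 2; }
    # Split "U R A" into $1 $2 $3 (local to this function).
    set -- $counters
    echo "user PIN: $1 tries left, reset code: $2, Admin PIN: $3 tries left"
    if [ "$1" -eq 0 ]; then
        echo "user PIN is blocked"
    fi
    if [ "$3" -eq 0 ]; then
        # Matches the symptom in this thread: no PIN prompt, just "Bad PIN".
        echo "Admin PIN is blocked: name and Admin PIN changes will fail"
        return 1
    fi
    return 0
}

# Demo on the constructed sample; '|| true' keeps the script's exit status clean.
printf '%s\n' "$SAMPLE_BLOCKED" | describe_pins || true
```

With a card attached, run `gpg --card-status | describe_pins` after sourcing the functions.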

@eebb, @bernhard and cklassen (can only mention 2 users in a post?!), thanks so much for responding. I will follow up on this topic on gnu-users, but for completeness in this thread, I’ll also post this information here.

Here’s the output of dmesg when the Yubico 5 NFC token is plugged into the USB port:

[516421.362467] usb 3-4: new full-speed USB device number 14 using xhci_hcd
[516421.523850] usb 3-4: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.27
[516421.523854] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[516421.523856] usb 3-4: Product: YubiKey OTP+FIDO+CCID
[516421.523857] usb 3-4: Manufacturer: Yubico
[516421.527405] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb3/3-4/3-4:1.0/0003:1050:0407.0007/input/input20
[516421.590777] hid-generic 0003:1050:0407.0007: input,hidraw4: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-4/input0
[516421.591403] hid-generic 0003:1050:0407.0008: hiddev1,hidraw5: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-4/input1
[516421.822471] usb 3-12.2: new full-speed USB device number 15 using xhci_hcd
[516421.906492] usb 3-12.2: device descriptor read/64, error -71
[516422.106498] usb 3-12.2: device descriptor read/64, error -71
[516422.294486] usb 3-12.2: new full-speed USB device number 16 using xhci_hcd
[516422.374513] usb 3-12.2: device descriptor read/64, error -71
[516422.566515] usb 3-12.2: device descriptor read/64, error -71
[516422.675234] usb 3-12-port2: attempt power cycle
[516423.282518] usb 3-12.2: new full-speed USB device number 17 using xhci_hcd
[516423.282624] usb 3-12.2: Device not responding to setup address.
[516423.494643] usb 3-12.2: Device not responding to setup address.
[516423.706527] usb 3-12.2: device not accepting address 17, error -71
[516423.786529] usb 3-12.2: new full-speed USB device number 18 using xhci_hcd
[516423.786652] usb 3-12.2: Device not responding to setup address.
[516423.994656] usb 3-12.2: Device not responding to setup address.
[516424.202540] usb 3-12.2: device not accepting address 18, error -71
[516424.203303] usb 3-12-port2: unable to enumerate USB device
kevin@kevin-desktop:~$

Using gpg --card-edit --verbose --verbose only resulted in showing the OpenPGP card no. when the passwd command was entered; no other diagnostic data was shown. Here’s the version information:

kevin@kevin-desktop:~$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/kevin/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
kevin@kevin-desktop:~$

Thanks again for your responses. I’ll repost this on the gnupg-users group.

-Kevin