Unable to generate OTP token using ykman
treydock opened this issue · comments
- YubiKey Manager (ykman) version: 3.1.2
- How was it installed?: brew
- Operating system and version: Mac OS X 10.15.7
- YubiKey model and version: YubiKey 5C NFC
- Bug description summary:
I am attempting to generate an OTP token that I can then set in an environment variable to be used by Duo through SSH. I'm unable to generate the token.
$ ykman otp calculate 1 $(openssl rand 16 -hex)
Usage: ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]
Try 'ykman otp calculate -h' for help.
Error: Failed to calculate challenge.
Steps to reproduce
I ran the command above and get the error.
Expected result
I would expect some kind of OTP token to be printed in a way that I could use.
Actual results and logs
Error:
$ ykman otp calculate 1 $(openssl rand 16 -hex)
Usage: ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]
Try 'ykman otp calculate -h' for help.
Error: Failed to calculate challenge.
Other info
I saw a few other issues that pointed to maybe using ykchalresp but that fails in a different way:
$ ykchalresp -1 -6 $(openssl rand 16 -hex)
Yubikey core error: timeout
I know the yubikey is working because I can use it for other apps and when I touch the key in terminal a bunch of random letters are pasted into my terminal.
It seems like you've programmed slot 1 with a YubiOTP credential, for example using the ykman otp yubiotp command, and you're trying to get ykman otp calculate to generate a YubiOTP (like vvcccciicfvuuivcvfngkdnlelrguefdnhnrbnnfgvnn), correct?
That is unfortunately not what the ykman otp calculate command does, it only works with a "challenge-response" credential programmed using ykman otp chalresp.
I don't think there is a way to programmatically get a YubiOTP from the YubiKey, @dainnilsson please correct me if there is.
It turns out using ykman might not be needed at all with how Yubikey works. If I touch the Yubikey with my terminal in focus, the token is dumped to the terminal. I for some reason thought there was some process involved in pulling a token from the key using ykman. I ended up using this wrapper script with SSH to read the token and submit so I can use the Yubikey with Duo:
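#!/bin/bash
# Prompt, then read the OTP the YubiKey types, without echoing it
echo "TOUCH Yubikey:"
read -rs token
# Hand the OTP to ssh through the environment
export DUO_PASSCODE="$token"
# Quote "$@" so arguments containing spaces reach ssh intact
ssh "$@"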
I think I misunderstood what was needed to get my end result, so going to close this issue.
Also you are correct that slot 1 was YubiOTP, I had configured with YubiKey Manager to work with some services we use that require an OTP token.
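A stricter take on the wrapper script above, as an added example that is not from the thread or the ykman project: it checks that the typed input has the shape of a YubiOTP like the one quoted earlier before handing it to ssh, and sets DUO_PASSCODE for the ssh process only. It assumes the default 44-character layout (12-character public ID plus 32-character one-time part); the function names are hypothetical.

```bash
# Added example. Assumes the default YubiOTP layout: 44 modhex characters,
# of which the first 12 are the static public ID. Function names are made up.

# Succeed only if $1 is exactly 44 characters from the modhex alphabet.
is_yubiotp() {
    case "$1" in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#1}" -eq 44 ]
}

# Translate modhex to ordinary hex (c=0, b=1, d=2, ... u=e, v=f).
modhex_to_hex() {
    printf '%s' "$1" | tr 'cbdefghijklnrtuv' '0123456789abcdef'
}

# The public ID is static per key, so it can be logged; the rest must not be.
otp_public_id() {
    printf '%s' "$1" | cut -c1-12
}

# Read one OTP typed by the key (echo off), validate it, then run ssh.
ssh_with_otp() {
    printf 'TOUCH Yubikey: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r token
    stty echo 2>/dev/null
    printf '\n' >&2
    if ! is_yubiotp "$token"; then
        echo "input is not a 44-character modhex OTP; nothing sent" >&2
        return 1
    fi
    echo "using key with public ID $(otp_public_id "$token")" >&2
    # Variable is set for this ssh process only, not exported into the shell.
    DUO_PASSCODE="$token" ssh "$@"
}
```

Call it as ssh_with_otp followed by the usual ssh arguments; a mistyped password or stray keystrokes are rejected locally instead of being sent as the passcode.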
Glad it worked out!
I for some reason thought there was some process involved in pulling a token from the key using ykman.
There is for the OATH-TOTP and "challenge-response" functions, but not for YubiOTP. Maybe that's the point of confusion. 🙂