Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.

Home Page: https://developers.yubico.com/yubikey-manager/

Unable to generate OTP token using ykman

treydock opened this issue · comments

  • YubiKey Manager (ykman) version: 3.1.2
  • How was it installed?: brew
  • Operating system and version: Mac OS X 10.15.7
  • YubiKey model and version: YubiKey 5C NFC
  • Bug description summary:

I am attempting to generate an OTP token that I can then set in an environment variable to be used by Duo through SSH. I'm unable to generate the token.

$ ykman otp calculate 1 $(openssl rand 16 -hex)
Usage: ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]
Try 'ykman otp calculate -h' for help.

Error: Failed to calculate challenge.

Steps to reproduce

I ran the command above and get the error.

Expected result

I would expect some kind of OTP token to be printed in a way that I could use.

Actual results and logs

Error:

$ ykman otp calculate 1 $(openssl rand 16 -hex)
Usage: ykman otp calculate [OPTIONS] [1|2] [CHALLENGE]
Try 'ykman otp calculate -h' for help.

Error: Failed to calculate challenge.

Other info

I saw a few other issues that pointed to maybe using ykchalresp but that fails in a different way:

$ ykchalresp -1 -6  $(openssl rand 16 -hex)
Yubikey core error: timeout

I know the yubikey is working because I can use it for other apps and when I touch the key in terminal a bunch of random letters are pasted into my terminal.

It seems like you've programmed slot 1 with a YubiOTP credential, for example using the ykman otp yubiotp command, and you're trying to get ykman otp calculate to generate a YubiOTP (like vvcccciicfvuuivcvfngkdnlelrguefdnhnrbnnfgvnn), correct?

That is unfortunately not what the ykman otp calculate command does; it only works with a "challenge-response" credential programmed using ykman otp chalresp.

I don't think there is a way to programmatically get a YubiOTP from the YubiKey, @dainnilsson please correct me if there is.

It turns out using ykman might not be needed at all with how YubiKey works. If I touch the YubiKey with my terminal in focus, the token is dumped to the terminal. I for some reason thought there was some process involved in pulling a token from the key using ykman. I ended up using this wrapper script with SSH to read the token and submit so I can use the YubiKey with Duo:

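#!/bin/bash

# Prompt, then read the OTP the YubiKey types on touch (-s: no echo, -r: keep backslashes).
echo "TOUCH Yubikey:"
read -rs token

# Expose the token to ssh as DUO_PASSCODE.
export DUO_PASSCODE="$token"

# Quote "$@" so arguments containing spaces reach ssh intact.
ssh "$@"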

I think I misunderstood what was needed to get my end result, so going to close this issue.

Also you are correct that slot 1 was YubiOTP; I had configured it with YubiKey Manager to work with some services we use that require an OTP token.

Glad it worked out!

> I for some reason thought there was some process involved in pulling a token from the key using ykman.

There is for the OATH-TOTP and "challenge-response" functions, but not for YubiOTP. Maybe that's the point of confusion. 🙂
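
A hardened take on the wrapper script from the thread, as an added example (not code from the issue or from Yubico): it checks that the typed string looks like a YubiOTP and, optionally, that it came from the expected key, before handing it to ssh. The 44-character layout (12-character public ID plus 32 ModHex characters), the function names and EXPECTED_ID are assumptions of this example.

```shell
#!/bin/bash
# Added example: validate a touch-emitted YubiOTP before passing it to ssh.

MODHEX='cbdefghijklnrtuv'   # ModHex alphabet used in YubiOTP output

# Succeeds only for a 44-character, ModHex-only string
# (assumed layout: 12-char public ID + 32-char encrypted part).
is_yubiotp() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    return 0
}

# Prints the public ID (first 12 characters), which identifies the key.
otp_public_id() {
    printf '%s\n' "$1" | cut -c1-12
}

# Decodes ModHex to ordinary hex, e.g. to compare against a key inventory.
modhex_to_hex() {
    printf '%s\n' "$1" | tr "$MODHEX" '0123456789abcdef'
}

# EXPECTED_ID (hypothetical setting): public ID of the key you expect to be used.
run_ssh_with_otp() {
    printf 'TOUCH YubiKey: ' >&2
    IFS= read -rs token; echo >&2
    if ! is_yubiotp "$token"; then
        echo 'Input is not a YubiOTP; refusing to send it.' >&2
        return 1
    fi
    if [ -n "${EXPECTED_ID:-}" ] && [ "$(otp_public_id "$token")" != "$EXPECTED_ID" ]; then
        echo 'OTP came from an unexpected key.' >&2
        return 1
    fi
    # Scope the passcode to the ssh process instead of exporting it shell-wide.
    DUO_PASSCODE="$token" ssh "$@"
}

# Only prompt when ssh arguments were given.
if [ "$#" -gt 0 ]; then run_ssh_with_otp "$@"; fi
```

Rejecting input that is not ModHex keeps a mistyped password or stray paste from being sent as DUO_PASSCODE.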