Unable to re-enable U2F on yubikey 4.3.7 #647

Open
jrozner opened this issue Dec 29, 2024 · 7 comments

Comments

@jrozner

jrozner commented Dec 29, 2024

  • YubiKey Manager (ykman) version: 5.5.1
  • How was it installed?: homebrew
  • Operating system and version: mac
  • YubiKey model and version: yubikey 4 (4.3.7)
  • Bug description summary:

I purchased a used yubikey 4 that had CCID and FIDO disabled on it (only OTP enabled). I've been able to re-enable CCID but FIDO doesn't seem to work. This makes it impossible to use the Yubikey verification page.

Steps to reproduce

ykman --log-level DEBUG config mode OTP+FIDO+CCID

Expected result

U2F should be enabled with FIDO not available.

Actual results and logs

Device type: YubiKey 4
Serial number: 9085789
Firmware version: 4.3.7
Enabled USB interfaces: OTP, CCID

Applications
Yubico OTP  	Enabled
FIDO U2F    	Disabled
FIDO2       	Not available
OATH        	Enabled
PIV         	Enabled
OpenPGP     	Enabled
YubiHSM Auth	Not available


@dainnilsson
Member

Can you provide the output of running the config mode command with DEBUG logging?

@jrozner
Author

jrozner commented Dec 30, 2024

ykman --log-level DEBUG config mode OTP+FIDO+CCID
INFO 02:09:41.236 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 02:09:41.236 [ykman.logging.set_log_level:64]
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 02:09:41.236 [ykman._cli.__main__.cli:355] System info:
  ykman:            5.5.1
  Python:           3.12.8 (main, Dec  3 2024, 18:42:41) [Clang 16.0.0 (clang-1600.0.26.4)]
  Platform:         darwin
  Arch:             arm64
  System date:      2024-12-30
  Running as admin: False

DEBUG 02:09:41.251 [ykman.device.add:165] Add device for <class 'yubikit.core.smartcard.SmartCardConnection'>: ScardYubiKeyDevice(pid=0405, fingerprint='Yubico Yubikey 4 OTP+CCID')
DEBUG 02:09:41.254 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 02:09:41.254 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 02:09:41.255 [yubikit.management.__init__:559] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
DEBUG 02:09:41.255 [yubikit.management.read_device_info:587] Reading DeviceInfo page: 0
DEBUG 02:09:41.256 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=False), serial=9085789, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP|196: 255>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 02:09:41.256 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|OATH|PIV|OPENPGP|196: 253>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=False), serial=9085789, version=Version(major=4, minor=3, patch=7), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP|196: 255>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 02:09:41.269 [ykman.device.add:176] Resolved device 9085789
DEBUG 02:09:41.270 [ykman.device.add:165] Add device for <class 'yubikit.core.otp.OtpConnection'>: OtpYubiKeyDevice(pid=0405, fingerprint='4295067370')
DEBUG 02:09:41.273 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 02:09:41.274 [yubikit.management.__init__:559] Management session initialized for connection=ScardSmartCardConnection, version=4.3.7
hi
Set mode of YubiKey to OTP+FIDO+CCID? [y/N]: y
DEBUG 02:09:42.611 [yubikit.management.set_mode:642] Set mode: OTP+FIDO+CCID, chalresp_timeout: 0, auto_eject_timeout: None
INFO 02:09:42.622 [yubikit.management.set_mode:687] Mode configuration written
INFO 02:09:42.622 [ykman._cli.config.mode:712] USB mode updated
Mode set! You must remove and re-insert your YubiKey for this change to take effect.

I tried running this with sudo as well just to be sure but saw no difference. I unplugged the device and plugged it back in then ran ykman info and this is the result:

ykman info
Device type: YubiKey 4
Serial number: 9085789
Firmware version: 4.3.7
Enabled USB interfaces: OTP, CCID

Applications
Yubico OTP  	Enabled
FIDO U2F    	Disabled
FIDO2       	Not available
OATH        	Enabled
PIV         	Enabled
OpenPGP     	Enabled
YubiHSM Auth	Not available

@dainnilsson
Member

Hmm. I'm still not entirely sure what is happening, could you provide the output of running ykman --diagnose with the YubiKey inserted?

@jrozner
Author

jrozner commented Jan 7, 2025

ykman:            5.5.1
Python:           3.12.8 (main, Dec  3 2024, 18:42:41) [Clang 16.0.0 (clang-1600.0.26.4)]
Platform:         darwin
Arch:             arm64
System date:      2025-01-07
Running as admin: False
Detected PC/SC readers:
  Yubico Yubikey 4 OTP+CCID: Success

Detected YubiKeys over PC/SC:
  ScardYubiKeyDevice(pid=0405, fingerprint='Yubico Yubikey 4 OTP+CCID'):
    Management:
      Raw Info: 0c0101ff0204008aa35d03013d
      DeviceInfo:
        config:
          enabled_capabilities:
            USB: OTP|OATH|PIV|OPENPGP: 0xfd

          auto_eject_timeout:         0
          challenge_response_timeout: 0
          device_flags:               0
          nfc_restricted:             False

        serial:         9085789
        version:        4.3.7
        form_factor:    Unknown
        supported_capabilities:
          USB: OTP|U2F|OATH|PIV|OPENPGP: 0xff

        is_locked:      False
        is_fips:        False
        is_sky:         False
        part_number:    None
        fips_capable:   : 0x0
        fips_approved:  : 0x0
        pin_complexity: False
        reset_blocked:  : 0x0
        fps_version:    None
        stm_version:    None

      Name: YubiKey 4

    PIV:
      PIV version:              4.3.7
      PIN tries remaining:      3
      Management key algorithm: TDES
      CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb341005655806e5ceb774ef7ae28f799926c3350832303330303130313e00fe00
      CCC:   No data available
      Slot 9A (AUTHENTICATION):
        Private key type: EMPTY
        Public key type:  ECCP256
        Subject DN:       CN=yubico
        Issuer DN:        CN=yubico
        Serial:           6e:a5:34:3e:4d:5f:67:ee:9f:f1:ed:f0:80:62:d7:83:78:d3:ad:b7
        Fingerprint:      58b09130e364b6b11b76140fa92b7dc7706aaa9dd448ca38e06afb2388fef40d
        Not before:       2024-12-29T09:46:10+00:00
        Not after:        2025-12-29T09:46:10+00:00

    OATH:
      Oath version:       4.3.7
      Password protected: False

    OpenPGP:
      OpenPGP version:            2.1
      Application version:        4.3.7
      PIN tries remaining:        3
      Reset code tries remaining: 0
      Admin PIN tries remaining:  3
      Require PIN for signature:  Once
      KDF enabled:                False
      Touch policies:
        Signature key:      Off
        Encryption key:     Off
        Authentication key: Off

    YubiHSM Auth: YubiHSM Auth not accessible ApplicationNotAvailableError()

Detected YubiKeys over HID OTP:
  OtpYubiKeyDevice(pid=0405, fingerprint='4294983866'): OTP connection failure: OSError('Failed to open device for communication: -536870174')

Detected YubiKeys over HID FIDO:

End of diagnostics

@dainnilsson
Member

I don't see anything wrong in the commands you're sending but for some reason the key doesn't seem to be switching config. Try this command instead, then try unplugging and re-inserting, followed by a new ykman info:

ykman apdu -a management 161100:06000000

Please also provide the output of running the command.

After running the above command unplug the YubiKey and re-insert it, then try ykman info again.

@jrozner
Author

jrozner commented Jan 9, 2025

Doesn't seem to change anything. Is this a bug in the firmware or is the device itself broken?

➜ % ykman apdu -a management 161100:06000000
SELECT AID: A0 00 00 05 27 47 11 17
RECV (SW=9000):
56 69 72 74 75 61 6C 20 6D 67 72 20 2D 20 46 57   Virtual mgr - FW
20 76 65 72 73 69 6F 6E 20 34 2E 33 2E 37          version 4.3.7

SEND: 00 16 11 00 -- 06 00 00 00
RECV (SW=9000)
➜ % ykman info
Device type: YubiKey 4
Serial number: 9085789
Firmware version: 4.3.7
Enabled USB interfaces: OTP, CCID

Applications
Yubico OTP      Enabled
FIDO U2F        Disabled
FIDO2           Not available
OATH            Enabled
PIV             Enabled
OpenPGP         Enabled
YubiHSM Auth    Not available

@dainnilsson
Member

I'm not aware of any known bugs that would cause this behavior. It's possible that there is an issue with the device itself, or the initial programming of the device. It is possible that the key was part of a custom order which may include non-standard device programming. Sometimes this includes permanently disabling one or more protocols. However, I do find it strange that FIDO U2F is showing up as "Disabled" instead of "Not available" in that case.

I'm sorry, but I'm out of ideas at this point. For whatever reason, I don't think FIDO is functioning on this key.
