Misleading “failed authentication with the application” #153
What this might be is that Yubico PIV Manager generates a derived management key based on the pin when initializing the key, yubico-piv-tool doesn't support that. We're working on replacing the tooling (specifically Yubico PIV Manager) with YubiKey Manager (https://developers.yubico.com/yubikey-manager/). There is command line support in YubiKey Manager to deal with almost everything yubico-piv-tool supports and it also supports management key derivation. The documentation is quite lacking still but the subcommand to look at is |
That appears to be correct (except that it's
Thanks! |
your software is a fucking nightmare |
I'll close this since the issue has been resolved and the root problem is known. I'll ignore the last bit of constructive feedback... |
@klali Sorry for the OT - is (More generally, where could one find info on the current state of CLI tooling, i.e. what's actively maintained and what's deprecated? I sympathize with celesteking because the nomenclature is indeed confusing: |
Yes, yubikey-piv-manager says at its top "Note: This project is deprecated and is no longer being maintained. Use YubiKey Manager (GUI, CLI) to configure a YubiKey device." Any project of ours that is deprecated should have a note like that and ideally point to something that is maintained. I agree that the nomenclature and tooling is confused, the yubikey-manager project is an effort to clean up tooling and make that into one tool for configuring the YubiKey. |
I can't find mention anywhere prominently that yubikey-piv-manager is deprecated. Numerous guides continue to offer it, and no alternative, such as this one: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html Then the documentation for the tool doesn't mention at all that it is deprecated: the download page then doesn't mention it's deprecated either, and there is a release from just 3 months ago: GitHub... no mention: So if it is mentioned anywhere... It certainly isn't prominent. |
I'm afraid you're confusing yubico-piv-tool (this repository), with PIV Manager which as stated is clearly marked as deprecated. |
It's worth stating for those that google this that there is still no mention of this tool being deprecated. Nowhere is it "clearly marked". |
I agree that that comment was unhelpful, but I do understand where that was coming from. Please read #158 (comment) to see why this is still a problem in 2022. I personally don't think the Yubico software is problematic, but the documentation is not up to par (at least not for PIV SSH auth). |
Greetings after 10 mins of trying and not understanding https://developers.yubico.com/SSH/ :) |
This is the highest rated Google search for "Failed authentication", so two notes to folks who might find this in the future.
|
Here is a working example for key piv as ssh: https://gist.github.com/xdubx/54a735c5a6c934331c0753157540fbe7 |
The Yubico PIV Manager desktop app works flawlessly with my Yubikey 4 on a macOS High Sierra system to generate keys but doesn't have a way to set things like touch policies.
I tried `yubico-piv-tool` version 1.5.0 from Homebrew and some commands (e.g. `verify-pin`) work but e.g. `generate` always returns “failed authentication with the application”.
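
A toy model of the explanation given in the thread, added here as an illustration and not code from Yubico or from any commenter: a card initialised with a PIN-derived management key still accepts the PIN, but rejects the default management key a tool falls back to. The `ToyPivCard` class, the PBKDF2 parameters and the PIN and salt values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Factory-default PIV management key, used by a tool when none is supplied.
DEFAULT_KEY = bytes.fromhex("010203040506070801020304050607080102030405060708")


def derive_key(pin: str, salt: bytes) -> bytes:
    # Assumed derivation parameters (not given in the thread):
    # PBKDF2-HMAC-SHA1, 10000 iterations, 24-byte key, per-device salt.
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, 10000, 24)


class ToyPivCard:
    """Constructed model: PIN and management key are separate credentials.

    A real card proves key possession by challenge-response; the direct
    comparison here is a simplification.
    """

    def __init__(self, pin: str, mgmt_key: bytes):
        self._pin, self._mgmt_key = pin, mgmt_key

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(pin.encode(), self._pin.encode())

    def generate(self, slot: str, mgmt_key: bytes = DEFAULT_KEY) -> str:
        # Key generation is gated on the management key, not on the PIN.
        if not hmac.compare_digest(mgmt_key, self._mgmt_key):
            raise PermissionError("failed authentication with the application")
        return f"key generated in slot {slot}"


def demo() -> dict:
    # Constructed sample PIN and salt.
    pin, salt = "123456", bytes.fromhex("00112233445566778899aabbccddeeff")
    card = ToyPivCard(pin, derive_key(pin, salt))  # initialised with a PIN-derived key
    result = {"verify_pin": card.verify_pin(pin)}
    try:
        card.generate("9a")  # no key supplied, so the default key is tried
        result["generate_default"] = "ok"
    except PermissionError as exc:
        result["generate_default"] = str(exc)
    result["generate_derived"] = card.generate("9a", derive_key(pin, salt))
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```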