Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OS X - 10.9 Maveriks; Personalization Tool presents error when a YubiKey is plugged in. #25

Open
Yubi-David opened this issue Oct 25, 2013 · 59 comments

Comments

@Yubi-David
Copy link

When running the Personalization tool on OS X 10.9 - Mavericks, it is not able to program any YubiKey plugged into the host Machine. In the upper right corner, where the tool displays if a YubiKey is inserted, it is instead reporting and error message when a YubiKey is plugged in.

@klali
Copy link
Member

klali commented Jan 7, 2014

Unable to reproduce.

What error message is it?

@Yubi-David
Copy link
Author

Error message is "Unknown error occurred"

Link to Salesforce case reporting issue: https://eu1.salesforce.com/500D000000VrwBA

@jacobian
Copy link

jacobian commented Mar 1, 2014

The problem appears to be permissions-related. Running the tool as root works:

$ sudo /Applications/YubiKey\ Personalization\ Tool.app/Contents/MacOS/YubiKey\ Personalization\ Tool

@klali
Copy link
Member

klali commented Mar 12, 2014

this is probably a library error: Yubico/yubikey-personalization#34
for me it works fine when running both 10.8 and 10.9, both standard account and admin account.
@jacobian anything else permissions related on your computer? what error message do you get, just "No YubiKey inserted" or "Unknown error occurred"?

/klas

@zgiles
Copy link

zgiles commented Mar 23, 2014

I found the same problem. It worked with the sudo command above..

@johntdyer
Copy link

any update here?

@zgiles
Copy link

zgiles commented Jun 13, 2014

Still need sudo AFAIK

@johntdyer
Copy link

@zgiles - yea thats pretty clear but I am wondering the plan is to resolve it ?

@klali
Copy link
Member

klali commented Jun 16, 2014

The problem with this issue has been reliably reproducing it.
So if you have this error, answering these questions might help:

  • What type of user account is the account running the tool? (and other circumstances around this)
  • What error message is displayed?
  • If you right click the Yubico logo and show diagnostics, is there an error message there?
  • Get the CLI tools from http://opensource.yubico.com/yubikey-personalization/releases.html
    • Does ykinfo -a work? what's the output?

/klas

@andres-ortiz
Copy link

I'v got the same problem on mac osx 10.10

On the right i can see a red message "Unknow error occured" when my yubikey is plugged
the diagnostic message is "USB Error: kIOReturnSuccess"

@n2aws
Copy link

n2aws commented Dec 3, 2014

OS: Mavericks 10.10.1
What type of user account is the account running the tool? (and other circumstances around this)
Admin account
What error message is displayed?
See the dropbox link to 2 screenshots below.
If you right click the Yubico logo and show diagnostics, is there an error message there?
See the dropbox link to 2 screenshots below.
Get the CLI tools from http://opensource.yubico.com/yubikey-personalization/releases.html
Does ykinfo -a work? what's the output?
$ ./ykinfo -a
USB error: kIOReturnSuccess
jpalmer-mbp:bin jpalmer$ sudo ./ykinfo -a
Password:
serial: 3036758
serial_hex: 2e5656
serial_modhex: dughgh
version: 3.3.0
touch_level: 1285
programming_sequence: 1
slot1_status: 1
slot2_status: 0
vendor_id: 1050
product_id: 116

@n2aws
Copy link

n2aws commented Dec 3, 2014

@gavinsimpson
Copy link

I have the same problem on Linux (Fedora 22 using the binaries from Fedora's pkg repo). If I run yubikey-personalization-gui as a normal user I see "Unknown error occurred" in red in the top right. All the details of the inserted Yubikey etc that should be located in the right-hand-side panel is all shown as N/A.

screenshot from 2015-10-03 16-20-22

Right clicking on the Yubico logo and displaying detailed diagnostics shows the following log:

2015-10-03T16:05:05; App_version: 3.1.20; Lib_version: 1.17.1; QT_version: 4.8.6; OS_version: Linux; Word_size: 64
2015-10-03T16:05:06; USB Error: Access denied (insufficient permissions)
....

with repeated USB Error: Access denied (insufficient permissions) entries as the app continues to poll.

I'm unable to run the GUI as root or via sudo as the following errors occur:

$ su -c "yubikey-personalization-gui" 
Password: 
Qt: Session management error: None of the authentication protocols specified are supported
QInotifyFileSystemWatcherEngine::addPaths: inotify_add_watch failed: No such file or directory
QFileSystemWatcher: failed to add paths: /root/.config/ibus/bus
Bus::open: Can not get ibus-daemon's address. 
IBusInputContext::createInputContext: no connection to ibus-daemon 
X Error: BadAccess (attempt to access private resource denied) 10
  Extension:    130 (MIT-SHM)
  Minor opcode: 1 (X_ShmAttach)
  Resource id:  0x140
X Error: BadShmSeg (invalid shared segment parameter) 128
  Extension:    130 (MIT-SHM)
  Minor opcode: 5 (X_ShmCreatePixmap)
  Resource id:  0xd6
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
  Major opcode: 62 (X_CopyArea)
  Resource id:  0x2200015
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
  Major opcode: 62 (X_CopyArea)
  Resource id:  0x2200015

Running ykinfo as a normal users produces the same error about insufficient permissions:

$ ykinfo -a
USB error: Access denied (insufficient permissions)

but running the same things via sudo I get:

$ sudo ykinfo -a
serial: 2601396
serial_hex: 27b1b4
serial_modhex: dinbnf
version: 2.4.2
touch_level: 2307
programming_sequence: 3
slot1_status: 1
slot2_status: 1
vendor_id: 1050
product_id: 10

The version of the GUI I'm using is:

Installed Packages
Name        : yubikey-personalization-gui
Arch        : x86_64
Epoch       : 0
Version     : 3.1.20
Release     : 1.fc22
Size        : 1.0 M
Repo        : @System
From repo   : fedora
Summary     : GUI for Yubikey personalization
URL         : http://opensource.yubico.com/yubikey-personalization-gui/
License     : BSD
Description : Yubico's YubiKey can be re-programmed with a new AES key. This is a graphical
            : tool that makes this an easy task.

@omnidan
Copy link

omnidan commented Oct 22, 2015

Same issue here, but even running with sudo does not fix it for me (OS X 10.11):

> sudo ykinfo -a
Yubikey core error: no yubikey present

The personalization tool shows "No YubiKey inserted" when ran normally and does not run at all with sudo.

EDIT: Seems like my Yubikey isn't supposed to work with it - https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/#toggle-id-10

@MikeWeller
Copy link

I have this problem on El Capitan. Pretty frustrating to plug in the new toy and it doesn't work with the software. Running through sudo is not ideal and isn't documented anywhere from what I could see.

edit: I originally said "Yosemite" but meant "El Capitan"

@kevinSuttle
Copy link

What @MikeWeller said.

@shawnb70
Copy link

Same issue with 10.10.5 and Yubikey neo. The command line personalization tools work fine when run with sudo, but give USB error messages as above when run as an unprivileged user.

@TomK
Copy link

TomK commented Oct 29, 2015

New replacement keys arrived this week, but now i'm also having a problem with the personalisation tools. It shows "No YubiKey inserted". Although this time I am able to use the key (on Github and Google) with the default configuration. I've been unable to launch as root however, so can't confirm that.

@SueHeim
Copy link

SueHeim commented Oct 29, 2015

Hi @TomK,
Are the new replacement keys you received related to the GitHub replacement keys? If so, those are U2F-only keys and cannot be configured. Meaning, they will not be recognized by the YubiKey Personalization Tool (see https://www.yubico.com/faq/why-doesnt-the-yubikey-personalization-tool-recognize-my-security-key/). The Security Key can be used with GitHub and Gmail (as you've seen) as well as Dropbox, and any other service that uses the U2F protocol.

Does that help with your issue? If not, please ignore me...

@TomK
Copy link

TomK commented Oct 29, 2015

@SueHeim Thank you, that resolves my problem. The previous "broken(?)" keys were configurable with the personalization tool, so I wrongly assumed these new ones would be too. My mistake. They work fine as U2F keys. Thanks!

@SueHeim
Copy link

SueHeim commented Oct 29, 2015

@TomK, glad to help you with your issue! Note that we are still offering a 20% discount on all YubiKeys for GitHub users. Just go to our store (https://www.yubico.com/store/) and sign in with your GitHub account. You can buy keys that can be configured, and that are also U2F (both the YubiKey NEO and YubiKey Edge are U2F-certified).

@voidzero
Copy link

Meh. The "unknown error occurred" should be replaced by an error that makes more sense. In this case, it's a known error: "permission denied".

Secondly such a problem can be mitigated properly by using an udev ruleset. Is any such ruleset available from somewhere? The sudo recommendation is a poor workaround. The Yubikey is to enhance security. Another good security practice is "don't get used to using sudo."

Yubico, C'mon. Fix this properly, please.

@klali
Copy link
Member

klali commented Nov 16, 2015

@voidzero this issue is about problems on OS X. For linux udev rules are included with the library package yubikey-personalization that is a dependency of this software and should be installed with it.

@voidzero
Copy link

I would still like it if the 'unknown error' could be changed to something more descriptive, but other than that you're right: what I said about Linux rules is irrelevant so I stand corrected on that. Apologies.

@gavinsimpson
Copy link

@klali Re:

this issue is about problems on OS X

Should I start a new issue for Linux as I'm seeing the same permissions issues on sveral Fedora 22 machines as I mentioned above. (And I do have ykpers [what fedora calls yubikey-personalization] installed with udev rules.)

@klali
Copy link
Member

klali commented Nov 16, 2015

@gavinsimpson please do. if the ykpersonalize tool fails as well please open the issue on https://github.com/Yubico/yubikey-personalization instead.

@scottpineapple
Copy link

Same error here of "2015-12-18T18:25:31; USB Error: kIOReturnSuccess"

Running Mac OS X 10.11.

sudo ykinfo -a shows:
"...
version: 4.1.10
touch_level: 527
programming_sequence: 3
slot1_status: 1
slot2_status: 1
vendor_id: 1050
product_id: 403"

Running tool as sudo does not resolve issue. :(

@ocsi01
Copy link

ocsi01 commented Jan 5, 2016

Same like @ScottyKnows

Touching the yubikey gives me the OTP string.

sudo ./ykinfo -a
serial: xxxxxxxx
serial_hex: xxxxx
serial_modhex: xxxx
version: 2.5.1
touch_level: 1793
programming_sequence: 1
slot1_status: 1
slot2_status: 0
vendor_id: 1050
product_id: 10

Personalizations tool UI and Authenticator UI on Mac is not working. ('unknown error' , "No Yubikey Found")

@danielgriggs
Copy link

Found what's causing it, I am surprised that YubiCo has been unable to reproduce it ever.

https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys

@klali
Copy link
Member

klali commented Sep 28, 2016

@danielgriggs that has been discussed in Yubico/yubikey-personalization#34 and people have reported mixed success. I'm very happy to hear that that solution worked for you and would be happy for more feedback if that helps for others.

@shish
Copy link

shish commented Oct 8, 2016

Just upgraded to OSX Sierra - now I'm also getting "unknown error" in the GUI when run as normal user, and "Illegal instruction: 4" when run with sudo :(

@crahan
Copy link

crahan commented Oct 20, 2016

Experiencing the same issue since upgrading to Sierra for my Neo-n. No issues with my Yubikey 4 though. That displays fine in the personalisation tool.

@rwlodkowski
Copy link

Got the same problem as @shish . Any ETA to fix this issue?

macOS 10.12 (16A323)
screen shot 2016-10-29 at 01 18 28

@ur5us
Copy link

ur5us commented Dec 22, 2016

In case it helps debugging, sometimes plugging in multiple times results in the Yubikey being recognized for probably 1 – 2 seconds but then I get "Unknown error occured" again so it's still unusable on macOS 10.12.1.

@bisko
Copy link

bisko commented Dec 23, 2016

I just noticed something else that can cause the kIOReturnExclusiveAccess error in the Diagnostics screen, which you can access by Right-clicking the yubico logo on the bottom right.

If you're running a keyboard altering tool, like Karabiner ( old KeyRemap4MacBook or the newer version Karabiner-Elements ) it may be causing the Secure Keyboard Entry protection or something similar to it to activate, which blocks access to the YubiKey.

Try to stop all possible external tools you may have installed and see if the YubiKey will get recognized.

UPDATE: It seems that there is no need to quit Karabiner-Elements. You just have to untick the YubiKey in "Modify events from this device" under the Devices tab. I think it needs to be done for each key if there are multiple keys.

@ur5us
Copy link

ur5us commented Dec 23, 2016

@bisko Thanks so much, that does solve the problem for me on macOS 10.12.1/2. I am using Karabiner-Elements and after turning it off the personalization tool recognizes the YubiKey 👍

@bisko
Copy link

bisko commented Dec 23, 2016

@ur5us I posted an update above. It's an easier fix than having to quit Karabiner-Elements :)

@ur5us
Copy link

ur5us commented Dec 23, 2016

@bisko Awesomesauce!

@magiconair
Copy link

@bisko I can confirm that this works.

@rwlodkowski
Copy link

rwlodkowski commented Dec 27, 2016

@bisko Yep. Same here. When the Karabiner-Elements is running YubiKey can't be recognised, when it's stoped YoubiKey is recognised properly. Same is true with just unticking your YubiKey under 'devices' section of Karabiner-Elements. Thanks!

@tiffehr
Copy link

tiffehr commented Apr 15, 2017

I just ran into this, with a brand new 4Nano AND an old 1st-generation Yubikey Standard. I'm on a all-but-fresh Mac OS Sierra (10.12.4 (16E195)) install and a fresh Personalization Tools (3.1.24) install. I see USB Error: kIOReturnExclusiveAccess, with occasional flickers of a connected Yubikey that immediately flash back to "Unknown error occurred"::"kIOReturnExclusiveAccess".

Karabiner is disabled in full.
iTerm/Terminal allow unsecure keyboard entry.
My user is root; sudo works but makes no difference with finding either Yubikey.

Rather than quitting Karabiner, simply toggling off its awareness of either Yubikey solved it. Both popped back up. Still frustrating, that some background process locks them down even if Karabiner is fully disabled.

@hofesh
Copy link

hofesh commented Sep 8, 2017

@bisko you're a life saver. Tried everything, can't believe this was the issue.

@therealklanni
Copy link

I just bought the blue Yubikey (i.e. not NEO or 4), and I'm unable to use it at all. I'm seeing "No YubiKey inserted" in the app (installed from App Store). Also tried ykpers (1.18.0), but I get Yubikey core error: no yubikey present even with sudo. I tried turning off "Secure Keyboard Input" in Terminal, rebooted, but the YubiKey is still not recognized by the personalization tool (either GUI or CLI).

Running ioreg -p IOUSB -l -w 0 outputs:

Security Key by Yubico@14200000  <class AppleUSBDevice, id 0x10000074c, registered, matched, active, busy 0 (14 ms), retain 14>
        {
          "sessionID" = 328984826792
          "iManufacturer" = 1
          "bNumConfigurations" = 1
          "idProduct" = 288
          "bcdDevice" = 1075
          "Bus Power Available" = 250
          "USB Address" = 15
          "bMaxPacketSize0" = 64
          "iProduct" = 2
          "iSerialNumber" = 0
          "bDeviceClass" = 0
          "Built-In" = No
          "locationID" = 337641472
          "bDeviceSubClass" = 0
          "bcdUSB" = 512
          "USB Product Name" = "Security Key by Yubico"
          "PortNum" = 2
          "non-removable" = "no"
          "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
          "bDeviceProtocol" = 0
          "IOUserClientClass" = "IOUSBDeviceUserClientV2"
          "IOPowerManagement" = {"DevicePowerState"=0,"CurrentPowerState"=3,"CapabilityFlags"=65536,"MaxPowerState"=4,"DriverPowerState"=3}
          "kUSBCurrentConfiguration" = 1
          "Device Speed" = 1
          "USB Vendor Name" = "Yubico"
          "idVendor" = 4176
          "IOGeneralInterest" = "IOCommand is not serializable"
          "IOClassNameOverride" = "IOUSBDevice"
        }

macOS Sierra 10.12.6 (16G29)

tl;dr — I tried everything I've seen suggested here and on the forums, but YubiKey is not recognized by the Personalization Tool. I actually purchased 3 of these and the result is the same with all units.

I'm very disappointed, but hopeful.

@therealklanni
Copy link

therealklanni commented Sep 30, 2017

:sigh: just found this on the website after more digging. It should really be made much more clear (on the product page and on the page for the Personalization Tool) that this key cannot be personalized. Looks like I'll be returning the ones I bought.

The YubiKey Personalization Tool is used to program YubiKeys such as YubiKey 4 and YubiKey NEO, which offer other protocols in addition to U2F. The FIDO U2F Security Key by Yubico is a U2F-only device that cannot be programmed.

@sbmarcos
Copy link

I'm having this exact same issue in High Sierra (10.13.5)

@raamdev
Copy link

raamdev commented Apr 15, 2019

I just experienced the "Unknown error occurred" on macOS 10.14.4 using a Yubikey 5C. After reading @bisko's comment about Karabiner and Secure Keyboard Entry protection, I remembered having problems with Secure Keyboard Entry protection and TextExpander v6.5 / 1Password.

Sure enough, switching to TextExpander and closing the window (Command-W), then re-inserting my Yubikey solved the problem with the YubiKey Personalization Tool being unable to read the key.

I've added the Yubikey Personalization Tool to the app exclusion list for TextExpander (TextExpander → Preferences → Expansion → Default is to expand snippet groups in: all applications, except...). I wasn't able to reproduce the original issue, so I'm not sure if this helps solves the problem, but I thought I'd note here that TextExpander / 1Password may also cause these issues with Secure Keyboard Entry protection.

@LaurentFough
Copy link

LaurentFough commented Sep 11, 2019

This is still alive, but thanks to some of the comments here, I was able to quickly discern which app was causing the interference.

All components of my Yubico/yubikey install are up-to-date.

Initially, I suspected: KeyCue, or Typinator (or Rocket: floating emoji panel) as those were the only type of keypress event monitoring apps that are running on my machine.

Secure Keyboard Entry is always active — disabling it had no effect.
^^Re-enabled, “because: security”.

Eventually turned out to be Rambox.
Specifically, you’ll have to go open:

System Preferences ➞ Security & Privacy ➞ Automation ➞ Rambox ➞ uncheck “System Events”

Just an FYI, in-case anyone comes across this still.

@livsnjutare
Copy link

System Preferences ➞ Security & Privacy ➞ Privacy ➞ Input Monitoring ➞ check the "YubiKey Personalization Tool".

https://support.apple.com/guide/mac-help/change-privacy-preferences-on-mac-mh32356/mac

@goodc0re
Copy link

I am having the same issue on macOS Mojave.
It is also causing KeePassXC not to recognize the YubiKeys.

I am not using any keyboard altering tools like Karabiner and I never had Secure Keyboard Entry activated in Terminal.

#94

keepassxreboot/keepassxc#3970

@goodc0re
Copy link

I am pretty sure I could identify the problem!

When I have the keybase application running (keybase.io), then the yubikey is not being recognized by applications unless the application is being run as root.

ykinfo -a will result in an error while sudo ykinfo -a will show the normal output

When I use activity monitor to close all keybase related processes, even without a reboot, the Yubikey App as well as other apps like KeepassXC will recognize the Yubikey again!

@jmvazquez
Copy link

When I have the keybase application running (keybase.io), then the yubikey is not being recognized by applications unless the application is being run as root.

It looks like it's when any application listed there has Input Monitoring privileges and is also running. I had Amazon Workspaces open while trying to configure my Yubikey and it kept failing until I closed Workspaces.

@codrinbucur
Copy link

codrinbucur commented Mar 29, 2020

I am having the same exact problem as soon as I applied the MacOS security patch and updated to Mojave 10.14.6.

yubikey-personalization-gui Version 3.1.25 does not detect any of my Yubikeys.

System Preferences ➞ Security & Privacy ➞ Privacy ➞ Input Monitoring doesn't exist on Mojave

Anyone found a solution to this?

Thanks!

@imifos
Copy link

imifos commented Apr 22, 2020

On Catalina, adding the Pers. Tool to "Security & Privacy, Privacy, Input Monitoring" did the trick.

@MatthewVance
Copy link

@codrinbucur I recently ran into a similar issue on MacOS Catalina (10.15.4) and found a work around. I'm not sure this will help you on Mojave, but I wanted to share in case it does and also capture this for others on Catalina who may still have issues even with "Input Monitoring" granted.

My setup and issue are slightly different so I'll explain that first and then explain the workaround.

The personalization GUI tool (version 3.1.25, library version 1.18.1) didn't recognize my ~10 year old Yubikey or newer Yubikey 5. The newer Yubikey Manager (version 1.1.4) detected my Yubikey 5 but not the old model. Both apps had been granted "Input Monitoring" permissions in System Preferences.

Oddly, I also noticed the Yubikey Manager ran into a permission issue when trying to access the OTP interface (it was enabled and I tried disabling/re-enabling it) even though all the other features appeared to work once "Input Monitoring" was granted.

Being the paranoid security person I am (and many other Yubikey users likely are), my day-to-day account is a Standard rather than Admin user. An earlier comment mentioned needing sudo so I decided to switch over to my admin account and try the GUI again. Once I launched the GUI apps while logged in as a MacOS admin user, everything worked as expected.

@Javabien
Copy link

Javabien commented Jun 2, 2020

In my case, I just upgraded to the latest version (3.1.25) ... I don't really know if it helped, but then I had to allow the app:
System PreferencesSecurity & PrivacyPrivacyInput MonitoringYubiKey Personalization Tool
image

@Zenexer
Copy link

Zenexer commented Jun 30, 2020

Javabien's solution worked for me. The issue was that YubiKey Personalization Tool lacked the Input Monitoring permission. I probably wouldn't have denied this permission if asked, so I'm not sure what happened.

@softcoder
Copy link

The same fix works in Pop-Os Linux (based on ubuntu), must run sudo in front

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests