Aller au contenu

How to reset your Yubikey when you locked your PIN

This article is a short reminder of the procedure to follow to reset a Yubikey to its factory defaults and thus reset the user and admin PIN when you locked them after too many unsuccessful tries using GPG/SSH.

gpg --card-status
Application ID ...: D2760001240102010006090289860000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 09992652
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

This procedure should be used only if you don't have a PUK code to use, which is the simple and non-destructive way to recover from a locked PIN situation.

Using a PUK code (non-destructive)

Using a PUK code, you can use the passwd command in gpg to clear the PIN lock counters.

$ gpg --card-edit --expert

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
fetch          fetch the key specified in the card URL
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code

gpg/card> passwd
gpg: OpenPGP card no. XXXXXXXXXXXXXXXXXX detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2

Reset your Yubikey to factory defaults (destructive)

So you locked your GPG (user/admin) PIN counters?

PIN retry counter : 0 0 3
                    ^   ^
     user PIN counter   admin PIN counter

Warning

Reseting your Yubikey to its factory defaults means that you will loose everything stored on it, so you'll have to setup your GPG/SSH again!

The procedure is about sending hexadecimal commands through the gpg-agent:

$ gpg-connect-agent --hex

> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>

Then unplug/replug your Yubikey + restart your gpg-agent daemon:

$ pkill gpg-agent && pkill scdaemon
$ gpg-agent --card-status

[...]
PIN retry counter : 3 0 3
[...]