
I am using Yubikey 5 NFC security tokens with firmware 5.4.3 to start my FDE Ubuntu 24.04 system successfully, i.e. I get asked for the FIDO2 PIN on system start, enter it, touch my key and after a few more seconds I've got a running system.

Now I bought a few additional Yubikey 5 NFC tokens with firmware 5.7.1 and cannot get them running. I am asked for the Yubikey PIN twice (if I enter the correct one; if not, I receive a corresponding error message immediately), but the fact that my Yubikey is unlocked gets completely ignored.

During my search for a solution I found this bug report: https://github.com/systemd/systemd/issues/36235 - the steps listed there (with a few minor modifications) do not completely work for me either:

 1. export SYSTEMD_LOG_LEVEL=debug
 2. dd if=/dev/zero of=test bs=8M count=10
 3. cryptsetup luksFormat test
 4. systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes --fido2-with-user-presence=yes test
    # steps 1-4 work without any errors
 5. (sudo) systemd-cryptsetup attach test test - fido2-device=auto

Step 5 does not work; I get asked twice for the PIN and the subsequent user presence confirmation, but then nothing happens.

To rule out the possibility that my new systems simply do not register those Yubikeys correctly anymore, I even deleted the FIDO2 slot on a working system, reregistered my old key to make sure it still works and then tried it using the new Yubikey (fw 5.7.1) which failed.

One difference between firmwares 5.4.3 and 5.7.1 that I am aware of is the availability of the user verification feature, and I thought that maybe I have to set an additional parameter, but so far I have failed to find a solution (and also to find a corresponding bug report).

Can anybody help? Thanks in advance!

Apollo13

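The five steps in the question, turned into a scripted reproduction that captures the debug log to a file and caps the attach with a timeout, as an added example that is not part of the original post. It assumes root, a LUKS-capable cryptsetup, a systemd new enough for `systemd-cryptenroll --unlock-key-file=` (Ubuntu 24.04 ships systemd 255, which has it), an attached FIDO2 token, and that `SYSTEMD_LOG_LEVEL=debug` applies to the attach command rather than being exported for the whole session. The "pin-uv" mode adds `--fido2-with-user-verification=yes`, which is a real systemd-cryptenroll flag, purely so the user-verification hypothesis from the question can be tried side by side with the original flag set; nothing here claims it resolves the 5.7.1 behaviour. The passphrase and file names are constructed scratch values.

```shell
#!/bin/sh
# Reproduction harness for the format -> enroll -> attach steps above.
# Added example; needs root, cryptsetup, systemd-cryptenroll,
# systemd-cryptsetup and a FIDO2 token. Hardware is only touched when
# REPRO_RUN=1 is set, so the file can be sourced safely.
set -u

# systemd-cryptenroll flag sets. "pin-up" is what the post used;
# "pin-uv" additionally asks for user verification (assumption: this is
# the parameter the poster suspects the 5.7.1 firmware wants).
enroll_args() {
    case "$1" in
        pin-up) printf '%s' '--fido2-device=auto --fido2-with-client-pin=yes --fido2-with-user-presence=yes' ;;
        pin-uv) printf '%s' '--fido2-device=auto --fido2-with-client-pin=yes --fido2-with-user-presence=yes --fido2-with-user-verification=yes' ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Create a scratch LUKS image, enroll the token with the chosen flag
# set, attach it with debug logging and print the path of the log.
# timeout(1) bounds the attach because the reported failure is a hang.
run_repro() {
    mode=$1
    flags=$(enroll_args "$mode") || return 1
    work=$(mktemp -d)
    img=$work/test.img
    keyfile=$work/pass.key
    log=$work/attach-$mode.log

    dd if=/dev/zero of="$img" bs=8M count=10 status=none
    # Constructed scratch passphrase so luksFormat and the enrollment's
    # unlock step need no interactive input besides the token PIN/touch.
    printf 'scratch-passphrase' > "$keyfile"
    cryptsetup luksFormat --batch-mode --key-file "$keyfile" "$img"
    # shellcheck disable=SC2086  # $flags is intentionally word-split
    systemd-cryptenroll --unlock-key-file="$keyfile" $flags "$img"

    # Attach with debug output captured; 120 s comfortably covers two
    # PIN prompts plus a touch, so hitting the limit is the hang itself.
    SYSTEMD_LOG_LEVEL=debug timeout 120 \
        systemd-cryptsetup attach test "$img" - fido2-device=auto 2>"$log"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "attach succeeded ($mode)" >&2
        systemd-cryptsetup detach test
    elif [ "$rc" -eq 124 ]; then
        echo "attach timed out after 120 s ($mode); see $log" >&2
    else
        echo "attach failed with exit $rc ($mode); see $log" >&2
    fi
    echo "$log"
}

# Usage: sudo REPRO_RUN=1 sh repro.sh pin-up   (or pin-uv)
if [ "${REPRO_RUN:-0}" = 1 ]; then
    run_repro "${1:-pin-up}"
fi
```

Run it once per mode and diff the two logs; the lines around the second PIN prompt are the ones worth attaching to the systemd issue, since the debug level shows which CTAP request systemd-cryptsetup is waiting on when it stalls.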