Yubikey OTP failure #302

New Issue

Closed

opened 2025-10-09 16:21:23 +03:00 by OVERLORD · 9 comments

OVERLORD commented 2025-10-09 16:21:23 +03:00

Owner

Copy Link

Originally created by @pquantin on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.5-d7adce97
• Web-vault version: v2024.6.2c
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Alpine)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.47.1
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: ADMIN_TOKEN, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials,ssh-key-vault-item,ssh-agent,extension-refresh",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "trace",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 30,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "96472",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

1.32.5-d7adce97

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx on Synology NAS

Host/Server Operating System

NAS/SAN

Operating System Version

NAS Synology 7.2.2

Clients

Web Vault

Client Version

No response

Steps To Reproduce

Try to use Yubikey OTP for 2nd step authentication.

Expected Result

Yubikey OTP succeeds.

Actual Result

The Vaultwarden logs shows an error regarding an invalid padding. This used to work in the past (the Yubikey is registered in my account and was working fine the last time I tried it some time ago). Moreover the Yubikey works fine with https://demo.yubico.com/otp/verify

Logs

[2024-12-08 20:54:50.702][error][ERROR] Failed to verify Yubikey against OTP server.
[CAUSE] DecodeError(
    InvalidPadding,
)
[2024-12-08 20:54:50.705][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

No response

Additional Context

No response

Originally created by @pquantin on GitHub. ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.5-d7adce97 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Environment settings overridden: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.47.1 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ADMIN_TOKEN, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://************************", "domain_origin": "*****://************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials,ssh-key-vault-item,ssh-agent,extension-refresh", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "trace", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 30, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "96472", "yubico_secret_key": "***", "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.32.5-d7adce97 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx on Synology NAS ### Host/Server Operating System NAS/SAN ### Operating System Version NAS Synology 7.2.2 ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce Try to use Yubikey OTP for 2nd step authentication. ### Expected Result Yubikey OTP succeeds. ### Actual Result The Vaultwarden logs shows an error regarding an invalid padding. This used to work in the past (the Yubikey is registered in my account and was working fine the last time I tried it some time ago). Moreover the Yubikey works fine with https://demo.yubico.com/otp/verify ### Logs ```text [2024-12-08 20:54:50.702][error][ERROR] Failed to verify Yubikey against OTP server. [CAUSE] DecodeError( InvalidPadding, ) [2024-12-08 20:54:50.705][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_

OVERLORD added the bug label 2025-10-09 16:21:23 +03:00

OVERLORD closed this issue 2025-10-09 16:21:25 +03:00

OVERLORD commented 2025-10-09 16:21:26 +03:00

Author

Owner

Copy Link

@pquantin commented on GitHub:

I tried doing that before filling the issue and I get the same error. This is a Yubikey 5C NFC. No idea how to move forward, especially as it was working fine before.

@pquantin commented on GitHub: I tried doing that before filling the issue and I get the same error. This is a Yubikey 5C NFC. No idea how to move forward, especially as it was working fine before.

OVERLORD commented 2025-10-09 16:21:26 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

I'm using the same version

@BlackDex commented on GitHub: I'm using the same version

OVERLORD commented 2025-10-09 16:21:26 +03:00

Author

Owner

Copy Link

@pquantin commented on GitHub:

Any extra info I could provide to move forward? I guess it could be related to #5248 but I do not have anymore the previous docker image to test against.

@pquantin commented on GitHub: Any extra info I could provide to move forward? I guess it could be related to #5248 but I do not have anymore the previous docker image to test against.

OVERLORD commented 2025-10-09 16:21:27 +03:00

Author

Owner

Copy Link

@pquantin commented on GitHub:

Some extra info: reverting to 1.32.5 tag works fine. But using 1.32.5-d7adce97 (latest testing image) fails with the error previously mentioned.

@pquantin commented on GitHub: Some extra info: reverting to 1.32.5 tag works fine. But using 1.32.5-d7adce97 (latest testing image) fails with the error previously mentioned.

OVERLORD commented 2025-10-09 16:21:29 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Seems to work just fine for me using a YubiKey-5C via USB-C on my Laptop.
Same via my Android Phone.

Try to remove the key and add it again and see if that helps.

@BlackDex commented on GitHub: Seems to work just fine for me using a YubiKey-5C via USB-C on my Laptop. Same via my Android Phone. Try to remove the key and add it again and see if that helps.

OVERLORD commented 2025-10-09 16:21:31 +03:00

Author

Owner

Copy Link

@axi92 commented on GitHub:

I had the same issue, I did not find anything in the changelog. But thanks to the issue I was able to fix it by adding a '=' at the end =)

@axi92 commented on GitHub: I had the same issue, I did not find anything in the changelog. But thanks to the issue I was able to fix it by adding a '=' at the end =)

OVERLORD commented 2025-10-09 16:21:31 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Cool. Great that it worked.
Most of the time those extra = padding chars are not that big of an issue. But that is mostly for ASCII data.
Since these keys are binary it could cause weird issues if not padded correctly.

Assuming or fixing it automatically could also cause strange issues sometimes.

@BlackDex commented on GitHub: Cool. Great that it worked. Most of the time those extra `=` padding chars are not that big of an issue. But that is mostly for ASCII data. Since these keys are binary it could cause weird issues if not padded correctly. Assuming or fixing it automatically could also cause strange issues sometimes.

OVERLORD commented 2025-10-09 16:21:33 +03:00

Author

Owner

Copy Link

@pquantin commented on GitHub:

Thanks a lot, that helped. BTW great work and dedication for this project, this is greatly appreciated 👍

@pquantin commented on GitHub: Thanks a lot, that helped. BTW great work and dedication for this project, this is greatly appreciated 👍

OVERLORD commented 2025-10-09 16:21:34 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

I think you need to add one or two = signs to your YUBICO_SECRET_KEY value.
It might be it's stripped somehow or not added for some reason.

@BlackDex commented on GitHub: I think you need to add one or two `=` signs to your `YUBICO_SECRET_KEY` value. It might be it's stripped somehow or not added for some reason.

OVERLORD referenced this issue 2025-10-09 18:29:31 +03:00

[PR #302] [MERGED] implement TTLs for icon cache #3757

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#302