Critical Error During Fido2 Update Linux (Debian 12 and Kali)

Greetings Nitrokey Team,
Here is the error message I got after the following command

nitropy fido2 update

Traceback (most recent call last):
  File "/root/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/update.py", line 71, in update
    client = find(serial)
  File "/root/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/fido2/__init__.py", line 33, in find
    raise NoSoloFoundError("no Nitrokey FIDO2 found")
pynitrokey.exceptions.NoSoloFoundError: no Nitrokey FIDO2 found
1885 DEBUG root print: If you are on Linux, are your udev rules up to date?
1885 DEBUG root print: For more, see:
1885 DEBUG root print: Getting Started - Nitrokey Documentation

Kindly help

And what Nitrokey product do you have?

What is the output of lsusb?

Apologies.
Clay Logic Nitrokey 3A Mini/3A NFC/3C NFC

Also, I followed the guide for installing UDEV rules but to no avail.

I highly appreciate any further support.

The nitropy tool combines commands for different products sold by Nitrokey. For updating a Nitrokey 3, the subcommand nk3 is used instead of fido2.

https://docs.nitrokey.com/nitrokeys/nitrokey3/firmware-update

Many thanks for the quick reply.
As far as I remember, I inquired about a FIDO2 update because of the following test results:

[5/5] fido2 FIDO2 FAILURE FIDO2 pin is set, but not provided (use the --pin argument)

It got even worse:

339 INFO pynitrokey.cli.trussed.test uname: uname_result(system='Linux', node='kali-raspberry-pi5', release='6.6.74+rpt-rpi-2712', version='#1 SMP PREEMPT Kali 1:6.6.74-1+rpt2+0kali9 (2025-02-12)', machine='aarch64')
346 INFO pynitrokey.cli.trussed.test Found 0 CTAPHID devices:
346 DEBUG root print: Critical error:
346 DEBUG root print: No connected NK3 devices found
346 DEBUG root listing all connected devices:
347 DEBUG root :: 'Nitrokey FIDO2' keys
347 DEBUG root :: 'Nitrokey Start' keys:
359 DEBUG root :: 'NK3' keys
365 DEBUG root :: 'NKPK' keys
367 DEBUG root print:

I may need to send it back to manufacturers.

I tried to update, however, I did so with an installed usbguard.
I am also using a RP 5 device.

Seems like the udev rules are not in place and the Nitrokey does not get detected. I would try updating from a more popular distribution like Debian or Ubuntu.

What are you trying to achieve with the firmware update? Are you interested in a new feature? Trying to fix a bug? There is no need to install every new firmware release for everyday use.

Greetings and apologies for the delayed response, I was away from my devices.
As for your question, kindly note the following:

  • I would love to enable full FIDO2 features, as they were unnoticed by the Nitrokey 3A test.
  • I would love to utilize better encryption and security on my Raspberry Pi 5 device, while incorporating Kali Linux by generating keys from the Nitrokey (for various uses, from logging to SSH, PGP keys, etc.)
  • In addition, I would like to encrypt my Home Internet WIFI connection by utilizing these tools.

I did notice that Nitrokey 3 is also compatible with pfsense, but I would like to leave that for later and focus on the current task.
Here is a somewhat similar tutorial for Yubikey:

Configuring Yubikeys for SSH Authentication | Kali Linux Documentation

Furthermore, is 2FA possible with a Nitrokey for logging into my Home Internet Network?
What other possibilities are there for providing better Home Internet Network security by combining a NitroKey 3A and a Raspberry Pi 5 device with Kali Linux OS?

Many thanks for the keen interest in the topic, as I highly believe that trial and error is an integral part of acquiring knowledge and becoming a better learner overall.

The error message shown in the nitropy nk3 test just shows that you need to set and provide a PIN. FIDO2 is enabled from the get-go.

You can test it with https://webauthn.io/

In the FAQ you can find general use cases for your Nitrokey.

Well, a PIN has been provided and it has been changed more than a single time.

My guess is that it could be an admin PIN error. (not the general one)

Or maybe it is the Raspberry Pi 5 with the Kali Linux OS.

Let me delve deeper into the issue, and I will keep the community posted.

Meanwhile, I highly appreciate any informative suggestions by you or any other experienced user.

Thanks and Regards

There are multiple PINs on a Nitrokey 3. For FIDO2, there is only one.

Before being able to use the key, it should be recognizable by nitropy. I am unsure in what state the Nitrokey is right now.

The first step would be to have nitropy list show the device.

On your Debian 12 system, did you install the udev rules?

2 Likes
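The three causes raised in the thread so far (device not seen at all, USBGuard in the way, udev rules missing) can be told apart from sysfs. The following is an added example, not part of any post and not Nitrokey's own tooling; the vendor ID 20a0 for Clay Logic and the assumption that an installed rules file references that ID are not stated on the page.

```shell
#!/bin/sh
# Added example: classify why nitropy reports "Found 0 CTAPHID devices".
NK_VENDOR="20a0"   # Clay Logic / Nitrokey USB vendor ID (assumption, not on the page)

# nk_usb_state [SYSFS_ROOT] [RULES_DIR...]
# Prints one of: absent | blocked | no-udev-rule | ok
# With no arguments it inspects the live system.
nk_usb_state() {
    sysfs="${1:-/sys}"
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then
        set -- /etc/udev/rules.d /usr/lib/udev/rules.d /lib/udev/rules.d
    fi

    # Look for any enumerated USB device carrying the vendor ID.
    found=""
    for vfile in "$sysfs"/bus/usb/devices/*/idVendor; do
        [ -r "$vfile" ] || continue
        [ "$(cat "$vfile")" = "$NK_VENDOR" ] || continue
        found="${vfile%/idVendor}"
        break
    done
    if [ -z "$found" ]; then echo absent; return 0; fi

    # USBGuard blocks a device by leaving the kernel 'authorized' flag at 0,
    # so the device enumerates but no HID interface is ever bound.
    if [ "$(cat "$found/authorized" 2>/dev/null)" = "0" ]; then
        echo blocked; return 0
    fi

    # Device is present and authorized: is there a rule granting access to it?
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        if grep -qsi "idVendor.*$NK_VENDOR" "$dir"/*.rules; then
            echo ok; return 0
        fi
    done
    echo no-udev-rule
}
```

A result of `blocked` points at USBGuard policy rather than udev; `ok` with nitropy still failing means the rules are present and the problem lies elsewhere.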

Hello, I lost access to my other account, so I will reply from my GitHub’s.

Thanks for the clarification. Basics come first.

I ended up factory resetting everything, including the FIDO2, NK3, Stored Secrets, etc.
Went more carefully through the basics again and now all is working well.

I will update regarding the Kali Linux compatibility.
As far as I understood later:

  • libnitrokey package is available for Kali Linux.
  • SSH keys generated on a separate device, if done with a Nitrokey device, are a way safer way to access your Raspberry Pi device.

Still learning a lot, but I am eager to hear someone else’s experience with Nitrokeys, Raspberry Pi and Kali Linux.

Glad to hear. Regarding SSH keys, do you mean generated on a Linux box and then copied to the Nitrokey or generated on the device?

I treat some Nitrokey GPG keys as ephemeral and change them from time to time and use automation to configure devices with the current list of authorized keys.

If you plan on keeping a backup, make sure to test it, or have two SSH keys to authenticate with so that you do not lock yourself out.

1 Like

SSH keys on Debian 12 generated with a Nitrokey to access the other device, indeed.

Works just fine.

I need to take a further look at the backup SSH Keys.
Do you use Terminal for the automation or any other automation tool?

The backup process can be somewhat complicated. It is important to test the recovery. The key-to-card process deletes the key on your Linux system. As there are three keys, you should copy them all with their public keys. Consider doing a paper backup just in case.

Having two Nitrokeys and one from a different vendor could be a smart choice. I recommend following the 3-2-1 backup strategy: three backups, two different types of media, and one external backup.

Depending on your use case, consider also having a backup of your PINs in 2 different password safes.

ECC keys are small enough to stamp them on steel (protection against fire).


Typically I buy devices 3 times when they are critical: one for primary use, one as a backup, and one for development or testing procedures (such as firmware updates and restorations).

These are best practices for professional use and may be excessive for personal use, but why risk making mistakes when others have already found solutions?

For automation, I primarily use Ansible or shell scripts to set up my local sandboxes.
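The advice above about rotating token-backed keys through automation while keeping a second key to avoid lockout can be combined in one shell function. This is an added example, not the poster's script; the function name, the key-list file format (one public key per line) and the minimum of two keys are assumptions.

```shell
#!/bin/sh
# Added example: rebuild authorized_keys from the current list of token-backed keys.
MIN_KEYS=2   # assumption: one primary token plus at least one backup

# sync_authorized_keys KEYLIST TARGET
# Installs the valid keys from KEYLIST as TARGET and prints how many were written.
# Refuses to touch TARGET when fewer than MIN_KEYS distinct keys remain.
sync_authorized_keys() {
    keylist="$1"; target="$2"
    [ -r "$keylist" ] || { echo "cannot read $keylist" >&2; return 1; }
    # Temp file beside the target so the final rename stays on one filesystem.
    tmp="$(mktemp "$target.XXXXXX")" || return 1

    # Keep well-formed public key lines only; drop comments, blanks and
    # repeated key blobs (same type + base64, whatever the comment says).
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+={0,2}( |$)' "$keylist" \
        | awk '!seen[$1 " " $2]++' > "$tmp"

    count="$(awk 'END { print NR }' "$tmp")"
    if [ "$count" -lt "$MIN_KEYS" ]; then
        echo "refusing: only $count valid key(s), need $MIN_KEYS" >&2
        rm -f "$tmp"
        return 1
    fi

    chmod 600 "$tmp"
    mv -f "$tmp" "$target"   # atomic rename: sshd never reads a half-written file
    echo "$count"
}
```

Run it on the target host with the key list fetched from wherever the current set is maintained; a non-zero exit leaves the existing authorized_keys untouched.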