Can't configure the challenge-response with onlykey-cli

I would like to use my OnlyKey as a replacement for my two YubiKeys. I use the challenge-response to unlock my KeePassXC database. I can’t set my OnlyKey. I followed this tutorial:

I generate my key:

$ openssl rand -hex 20

I configure my yubikey with my two key:

ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig -a{MYKEY}
Firmware version 5.2.4 Touch level 1281 Program sequence 1
Configuration data to be written to key configuration 1:

fixed: m:
uid: n/a
key: h:182513a847928f253b363983d4d8b269b1ddecb1
acc_code: h:000000000000
ticket_flags: CHAL_RESP
extended_flags: SERIAL_API_VISIBLE

Commit? (y/n) [n]: y

And now, I configure my OnlyKey (it is in config mode):

onlykey-cli setkey 130 9 {MYKEY}

But I have no feedback from the command line. In the tutorial, this is returned:

Successfully set ECC Key

When I test my OnlyKey in KeePassXC, I can’t open my db, unlike with my two YubiKeys.

Does anyone have an idea?

Is your yubikey personalization tool app set to hmac-sha1 variable input?

So in the onlykey-cli app you typed setkey 130 9 yourcodehere?
If so, what you need to do is this: type setkey 130 9, then when “Password/Key:” shows, type your challenge response code in with no spaces. (It worked for me with my 2x YubiKeys and OnlyKey.)

(Unrelated, but you can’t set a challenge response for keepass with keechallenge, as it uses fixed code.)

Yes, I set hmac-sha1 variable input in my YubiKey. I think it’s -ohmac-lt64 as a parameter to pass to ykpersonalize. But I can test afterwards with the yubikey personalization tool app.

I tested 2 solutions to program with onlykey-cli. In interactive mode:

$ onlykey-cli
OnlyKey CLI v1.2.4
Control-D to exit.
OnlyKey> setkey 130 9
Type Control-T to toggle password visible.
Password/Key: ********************

and with cli:

$ onlykey-cli setkey 130 9 MYKEY

But these two commands do not return the tutorial confirmation:

Successfully set ECC Key

I also tested with onlykey-app:
Advanced > Add private key

Slot: HMAC 1 (130)
Key: MYKEY with 20 bytes hex

And I have this error:

ECC Key must be 64 characters.

I use this version:

$ onlykey-cli version
OnlyKey CLI v1.2.4

$ onlykey-cli fwversion

Holeoe, thank you for your answer, I hope to succeed.

I think either my key is wrong. I do:

$ openssl rand -hex 20

And I write this key (an example):


Thanks for your help

One quick note: have you turned off the 2FA on your accounts linked to the only keys, or kept at least one of your keys with the old data until you get the new one working and added to your accounts?

The first of your two solutions is how I managed to set it on the onlykey-cli command line app.

I believe the command -ohmac-lt64 for the ykpersonalize command line app sets it to fixed 64 byte input (which I believe the OnlyKey doesn’t support; please correct me if I am wrong, and I can’t find the command for variable input on yubico). I used the yubikey personalization tool app, the non command line version (as I found it a lot easier, as it was difficult to get all the information needed to use the command line app).

On the yubikey personalization tool app, click on the tab challenge response, then select the slot, then select require user input and then select variable input, then click on the generate button and then click write configuration. Copy the code down and then write it to the OnlyKey without the spaces.

If you do test it with the onlykey app (setting the challenge response) with the tab advanced, add private key, hmacsha1, slot and then the key, let me know, as I didn’t realise the app allowed to set it this way.
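
An added example, not part of any post in this thread and not OnlyKey or Yubico code: a Python check that a key copied with spaces is the 20 bytes that `openssl rand -hex 20` produces, plus a reference HMAC-SHA1 response to compare against what each token returns for the same challenge. The function names, the sample key and challenge, and the zero-padding used to stand in for a fixed 64-byte input are assumptions made for illustration.

```python
import hashlib
import hmac
import string

HMAC_SHA1_KEY_BYTES = 20   # what `openssl rand -hex 20` produces (40 hex chars)
FIXED_INPUT_BYTES = 64     # "fixed 64 byte input" as mentioned in the thread


def normalize_key(text: str) -> bytes:
    """Strip spaces/newlines from a copied key and check it is 20 bytes of hex."""
    compact = "".join(text.split())
    if any(c not in string.hexdigits for c in compact):
        raise ValueError("key contains non-hex characters")
    if len(compact) != 2 * HMAC_SHA1_KEY_BYTES:
        raise ValueError(
            f"expected {2 * HMAC_SHA1_KEY_BYTES} hex characters, got {len(compact)}")
    return bytes.fromhex(compact)


def response(key: bytes, challenge: bytes) -> str:
    """Reference HMAC-SHA1 (RFC 2104) response for a given key and challenge."""
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def pad_fixed(challenge: bytes) -> bytes:
    """Assumed stand-in for a fixed-length input: zero-pad to 64 bytes."""
    if len(challenge) > FIXED_INPUT_BYTES:
        raise ValueError("challenge longer than 64 bytes")
    return challenge.ljust(FIXED_INPUT_BYTES, b"\x00")


if __name__ == "__main__":
    # Constructed sample key, written with spaces the way a GUI may display it.
    shown = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13"
    key = normalize_key(shown)
    challenge = b"constructed-sample-challenge"
    print("key to type  :", key.hex())
    # Same key, different input handling: the two responses do not match,
    # so tokens configured for different input modes cannot open the same db.
    print("variable     :", response(key, challenge))
    print("fixed 64 byte:", response(key, pad_fixed(challenge)))
```

A 64-character hex string, the length the app's ECC error asks for, is rejected by `normalize_key` because it is 32 bytes rather than the 20 used for this HMAC slot.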