diff --git a/ChangeLog b/ChangeLog
index 5ad3a1c..76bc4b8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-01-30  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp.c (cmd_external_authenticate): Fix off-by-one error.
+
+	* tool/gnuk_token.py (gnuk_token.cmd_external_authenticate): Add
+	KEYNO to the arguments.
+
+	* tool/upgrade_by_passwd.py (main): Explicitly say it's KEYNO.
+
 2013-01-28  Niibe Yutaka  <gniibe@fsij.org>
 
 	* src/openpgp-do.c (gpg_pw_get_retry_counter): New.
diff --git a/src/openpgp.c b/src/openpgp.c
index eb63e86..af686a9 100644
--- a/src/openpgp.c
+++ b/src/openpgp.c
@@ -1002,7 +1002,7 @@ cmd_external_authenticate (void)
 
   DEBUG_INFO (" - EXTERNAL AUTHENTICATE\r\n");
 
-  if (keyno > 4)
+  if (keyno >= 4)
     {
       GPG_CONDITION_NOT_SATISFIED ();
       return;
diff --git a/tool/gnuk_token.py b/tool/gnuk_token.py
index f60e6aa..2de473f 100644
--- a/tool/gnuk_token.py
+++ b/tool/gnuk_token.py
@@ -432,14 +432,14 @@ class gnuk_token(object):
             raise ValueError("%02x%02x" % (sw[0], sw[1]))
         return self.cmd_get_response(sw[1])
 
-    def cmd_external_authenticate(self, signed):
-        cmd_data = iso7816_compose(0x82, 0x00, 0x00, signed[0:128], cls=0x10)
+    def cmd_external_authenticate(self, keyno, signed):
+        cmd_data = iso7816_compose(0x82, 0x00, keyno, signed[0:128], cls=0x10)
         sw = self.icc_send_cmd(cmd_data)
         if len(sw) != 2:
             raise ValueError(sw)
         if not (sw[0] == 0x90 and sw[1] == 0x00):
             raise ValueError("%02x%02x" % (sw[0], sw[1]))
-        cmd_data = iso7816_compose(0x82, 0x00, 0x00, signed[128:])
+        cmd_data = iso7816_compose(0x82, 0x00, keyno, signed[128:])
         sw = self.icc_send_cmd(cmd_data)
         if len(sw) != 2:
             raise ValueError(sw)
diff --git a/tool/upgrade_by_passwd.py b/tool/upgrade_by_passwd.py
index 92c9e8d..4ef0f0f 100755
--- a/tool/upgrade_by_passwd.py
+++ b/tool/upgrade_by_passwd.py
@@ -45,14 +45,15 @@ def main(passwd, data_regnual, data_upgrade):
 
     gnuk = get_gnuk_device()
     gnuk.cmd_verify(BY_ADMIN, passwd)
-    gnuk.cmd_write_binary(1, rsa_raw_pubkey, False)
+    keyno = 0
+    gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
 
     gnuk.cmd_select_openpgp()
     challenge = gnuk.cmd_get_challenge()
     digestinfo = binascii.unhexlify(SHA256_OID_PREFIX) + challenge
     signed = rsa.compute_signature(rsa_key, digestinfo)
     signed_bytes = rsa.integer_to_bytes_256(signed)
-    gnuk.cmd_external_authenticate(signed_bytes)
+    gnuk.cmd_external_authenticate(keyno, signed_bytes)
     gnuk.stop_gnuk()
     mem_info = gnuk.mem_info()
     print "%08x:%08x" % mem_info