Sunday, July 01, 2018

Re: State of Yubikey/U2F support on OpenBSD

Hello Rickard,

On Sun, Jul 1, 2018 at 12:30 PM, Rickard von Essen
<rickard.von.essen@gmail.com> wrote:
> Hi Eric,
>
> Thanks for replying. If I can sort out most ykman issues I'll create a port
> for it, which hopefully will make it easier for more people to use
> YubiKeys with OpenBSD.
>
>> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
>> works fine with it for me, IIRC you can even make it work with GPG
>> without pcscd, but I'd need to verify again.
>
> I have several YubiKey NEO and 4 Nano, but none of them works with
> CCID; they fail to connect. I'm very interested to see which versions
> of ykman and its dependencies you have installed.
>
> I can run OTP commands and "ykman list"
>

I do not use ykman, so I cannot speak about ykman.
ykpers and ykclient were already packaged and worked fine for my use.


> $ ykman list
> YubiKey 4 [OTP+FIDO+CCID] Serial: 5977032
>
> But when I try to list oaths it doesn't connect:
>
> $ ykman -l DEBUG oath list
>
> 2018-07-01T11:43:43+0200 INFO [ykman.logging_setup.setup:59]
> Initialized logging for ykman version: 0.7.1-dev
> 2018-07-01T11:43:43+0200 DEBUG
> [ykman.descriptor.Descriptor.open_device:75] transports: 0x4,
> self.mode.transports: 0x7
> 2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.open_device:80]
> Opening driver for serial: None, type: YUBIKEY.YK4, mode:
> OTP+FIDO+CCID
> [...]
> 2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:82]
> Attempt 10 of 10
> 2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:101]
> Sleeping for 1.000000 s
> 2018-07-01T11:43:48+0200 DEBUG [ykman.descriptor.open_device:103] No
> matching device found
> Usage: ykman [OPTIONS] COMMAND [ARGS]...
>
> Error: Failed connecting to the YubiKey.
>
> These are the versions I have:
>
> $ ykman version
>
> YubiKey Manager (ykman) version: 0.7.1-dev
> Libraries:
> libykpers 1.18.1
> libusb 1.0.21
>
> $ pkg_info pcscd
>
> Information for inst:pcsc-lite-1.8.22p1
> [...]

Do you run pcscd while running your attempts?

Try shutting it down when you want direct access to the yubikey?
pcscd gets a hold of the USB device and AFAIR I cannot use ykpers or
ykclient while pcscd is running, so I'd expect the same with ykman.

HTH,
Eric.

>
> $ pip3.6 show yubikey-manager
>
> Name: yubikey-manager
> Version: 0.7.1.dev0
> Summary: Tool for managing your YubiKey configuration.
> Home-page: https://github.com/Yubico/yubikey-manager
> Author: Dain Nilsson
> Author-email: dain@yubico.com
> License: BSD 2 clause
> Location: /home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg
> Requires: six, pyscard, pyusb, click, cryptography, pyopenssl, fido2
>
> $ pip3.6 show pyscard six pyusb click cryptography pyOpenSSL fido2
>
> Name: pyscard
> Version: 1.9.7
> Summary: Smartcard module for Python.
> Home-page: https://github.com/LudovicRousseau/pyscard
> Author: Ludovic Rousseau
> Author-email: ludovic.rousseau@free.fr
> License: UNKNOWN
> Location: /home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg
> Requires:
> ---
> Name: six
> Version: 1.11.0
> Summary: Python 2 and 3 compatibility utilities
> Home-page: http://pypi.python.org/pypi/six/
> Author: Benjamin Peterson
> Author-email: benjamin@python.org
> License: MIT
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: pyusb
> Version: 1.0.2
> Summary: Python USB access module
> Home-page: http://walac.github.io/pyusb
> Author: Wander Lairson Costa
> Author-email: wander.lairson@gmail.com
> License: BSD
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: click
> Version: 6.7
> Summary: A simple wrapper around optparse for powerful command line utilities.
> Home-page: http://github.com/mitsuhiko/click
> Author: Armin Ronacher
> Author-email: armin.ronacher@active-4.com
> License: UNKNOWN
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: cryptography
> Version: 2.2.2
> Summary: cryptography is a package which provides cryptographic
> recipes and primitives to Python developers.
> Home-page: https://github.com/pyca/cryptography
> Author: The cryptography developers
> Author-email: cryptography-dev@python.org
> License: BSD or Apache License, Version 2.0
> Location: /usr/local/lib/python3.6/site-packages
> Requires: idna, asn1crypto, six, cffi
> ---
> Name: pyOpenSSL
> Version: 18.0.0
> Summary: Python wrapper module around the OpenSSL library
> Home-page: https://pyopenssl.org/
> Author: Hynek Schlawack
> Author-email: hs@ox.cx
> License: Apache License, Version 2.0
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires: six, cryptography
> ---
> Name: fido2
> Version: 0.3.0
> Summary: Python based FIDO 2.0 library
> Home-page: https://github.com/Yubico/python-fido2
> Author: Dain Nilsson
> Author-email: dain@yubico.com
> License: UNKNOWN
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires: six, cryptography
>
> // Rickard
> On Sat, 30 Jun 2018 at 12:32, Eric Augé <eau+obsd@unix4fun.net> wrote:
>>
>> Hello Rickard,
>>
>> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
>> works fine with it for me, IIRC you can even make it work with GPG
>> without pcscd, but I'd need to verify again.
>> B) same, chromium crashes, I started investigating but lack the
>> knowledge in chromium and I am a bit lost, there are several tickets
>> open on chromium side as you mentioned.
>> C) I have not tried.
>>
>> HTH,
>> Eric.
>>
>> On Fri, Jun 29, 2018 at 11:41 AM, Rickard von Essen
>> <rickard.von.essen@gmail.com> wrote:
>> >
>> > I've been experimenting with switching over one of my laptops to OpenBSD, but
>> > there is one main problem stopping me from switching: the support for Yubikeys
>> > and U2F.
>> >
>> > I'm trying to gather a list of things that currently don't work, and maybe find
>> > some collaborators to investigate and maybe fix the issues. So if you are
>> > interested in working on any of these or have further information, please post on
>> > this thread.
>> >
>> > A) Yubikey-manager (ykman) is the new Yubikey CLI. I got it to install, but only
>> > one out of three transports (protocols) works. OTP works. CCID fails connecting
>> > to the Yubikey via pcscd; further investigation needed (this is hopefully not too
>> > hard to fix). FIDO doesn't work since the pyu2f library doesn't support OpenBSD;
>> > this is probably not too hard to fix. I'm tracking these in [1].
>> >
>> > B) Chromium (v 65.0.3325.181) crashes when U2F auth is requested and a key is
>> > inserted, see [2]. I haven't yet debugged this, but fixing this probably
>> > requires a fair amount of knowledge about Chromium's internals.
>> >
>> > C) Firefox (v 59.0.2) doesn't officially support U2F but has a config option to
>> > enable this [3][4]. Unfortunately this doesn't work on OpenBSD (but it does on macOS,
>> > for example). (Firefox 60 is supposed to support the new FIDO2 standard, which might
>> > improve U2F support too.)
>> >
>> > [1] https://github.com/Yubico/yubikey-manager/issues/124
>> > [2] https://bugs.chromium.org/p/chromium/issues/detail?id=451248
>> > [3] https://discourse.mozilla.org/t/u2f-standard-to-firefox/23301/2
>> > [4] https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
>> >
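A small probe for the CCID path that the thread above is arguing about, added here as an example and not code from the thread, from ykman or from Yubico. It goes through pcscd with pyscard (the PC/SC binding ykman itself depends on) and sends the same first step ykman's `oath list` needs: a SELECT of the Yubico OATH applet. The point is to separate "pcscd is not answering or holds no reader" from "the card answered but has no OATH applet", which the `No matching device found` retry loop in the log does not distinguish. The AID and status words are the standard values; the reader names and the exact pyscard exception on an unreachable pcscd vary by platform, so those are assumptions handled generically. The two pure helpers run without hardware or pyscard installed.

```python
"""Probe a YubiKey's CCID (smart-card) interface through pcscd with pyscard.

Added example, not code from the thread, ykman or Yubico. Assumes pyscard and
a running pcscd for the live probe; select_apdu() and classify_sw() are pure
and can be checked offline.
"""

# Yubico OATH applet AID (RID A0 00 00 05 27 + PIX 21 01), the applet that
# "ykman oath list" talks to.
OATH_AID = bytes.fromhex("a0000005272101")

# ISO 7816-4 status words a SELECT commonly returns.
SW_OK = 0x9000
SW_APPLET_NOT_FOUND = 0x6A82


def select_apdu(aid: bytes) -> list:
    """Build SELECT-by-name: CLA=00 INS=A4 P1=04 P2=00 Lc=len(aid) data=aid."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID length out of range")
    return [0x00, 0xA4, 0x04, 0x00, len(aid), *aid]


def classify_sw(sw1: int, sw2: int) -> str:
    """Turn the (SW1, SW2) pair into a diagnosis string."""
    sw = (sw1 << 8) | sw2
    if sw == SW_OK:
        return "applet-selected"
    if sw == SW_APPLET_NOT_FOUND:
        # CCID transport works; this key simply has no OATH applet available.
        return "applet-absent"
    if sw1 == 0x6A:
        return "wrong-parameters"
    return "unexpected-sw-%04x" % sw


def probe_oath_via_pcscd() -> dict:
    """Enumerate PC/SC readers and SELECT the OATH applet on each.

    Returns a dict keyed by reader name. When pyscard is missing, pcscd is
    unreachable, or no reader is exposed, the dict carries an "_error" entry
    instead of raising, because on OpenBSD "no readers" most often means
    pcscd is not running (or is holding the device for another client).
    """
    try:
        from smartcard.System import readers
        from smartcard.Exceptions import NoCardException, CardConnectionException
    except ImportError:
        return {"_error": "pyscard not installed"}
    try:
        found = readers()
    except Exception as exc:  # pyscard raises when it cannot reach pcscd
        return {"_error": "pcscd unreachable: %s" % exc}
    if not found:
        return {"_error": "no PC/SC readers: is pcscd running?"}
    results = {}
    for reader in found:
        try:
            conn = reader.createConnection()
            conn.connect()
            _data, sw1, sw2 = conn.transmit(select_apdu(OATH_AID))
            results[str(reader)] = classify_sw(sw1, sw2)
        except (NoCardException, CardConnectionException) as exc:
            results[str(reader)] = "connect-failed: %s" % exc
    return results


if __name__ == "__main__":
    for name, verdict in probe_oath_via_pcscd().items():
        print("%s: %s" % (name, verdict))
```

Run it once with pcscd stopped and once with it started: an `_error` result in the first case and `applet-selected` in the second confirms the card path itself is fine and that any remaining `ykman` failure is on the USB side, which is where Eric's suggestion about pcscd holding the device applies.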
