Tuesday, March 03, 2026

Re: YubiKey and FIDO, how do you do it?

On 2026/03/03 19:55, Mikolaj Kucharski wrote:
> On Tue, Mar 03, 2026 at 03:35:43PM +0000, Stuart Henderson wrote:
> > On 2026/03/03 11:31, Mikolaj Kucharski wrote:
> > > Hi.
> > >
> > > I am not sure whether the following command should work:
> > >
> > > $ ykman fido info
> > > WARNING: No OTP HID backend available. OTP protocols will not function.
> >
> > that warning is unrelated to fido, just the OTP commands
> >
> > > and it's stuck like that. I have pcscd running. Not sure what I
> > > missed.
> >
> > did you follow the package message? it doesn't really work properly on
> > OpenBSD but for me it's ok for *one* command after connecting, then I
> > need to re-plug.
> >
> > suggest using another OS to do management of this, OpenBSD doesn't
> > really support userland access to USB devices.
> >
>
> Do you mean below message?
>
> > For "ykman fido", make sure pcscd is running, and if commands stall,
> > try removing and reconnecting your YubiKey (likely to happen after
> > each command).

yes

**if commands stall, try removing and reconnecting your YubiKey**

> I did start /usr/local/sbin/pcscd -f -d and also via rc.d(8), and it's
> stuck in both ways and from the debug logs I don't see any clues.
>
> Do you mean to configure the YubiKey or even to use it on OpenBSD?
>
> --
> Regards,
> Mikolaj
>

$ pkg_info yubikey-manager
Information for http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/yubikey-manager-5.8.0.tgz

Comment:
library and CLI tool (ykman) for configuring a YubiKey

Description:
The YubiKey Manager can configure FIDO2, OTP and PIV functionality on
a YubiKey. It works with any currently supported YubiKey. You can also
use the tool to check the type and firmware of a YubiKey. In addition,
you can use the extended settings to specify other features, such as to
configure 3-second long touch.

Maintainer: The OpenBSD ports mailing-list <ports@openbsd.org>

WWW: https://developers.yubico.com/yubikey-manager/

Install notice:
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.

"ykman otp" is not functional as there is no suitable HID backend; some OTP
operations can be done with the old yubikey-personalization CLI tool and the
Qt-based yubikey-personalization-gui package.

For "ykman fido", make sure pcscd is running, and if commands stall,
try removing and reconnecting your YubiKey (likely to happen after each
command).
