Hello Rickard,

On Sun, Jul 1, 2018 at 12:30 PM, Rickard von Essen
<rickard.von.es...@gmail.com> wrote:
> Hi Eric,
>
> Thanks for replying. If I can sort out most ykman issues I'll create a port
> for it, which hopefully will make it easier for more people to use
> YubiKeys with OpenBSD.
>
>> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
>> works fine with it for me, IIRC you can even make it work with GPG
>> without pcscd, but I'd need to verify again.
>
> I have several YubiKey NEO and 4 Nano, but neither of them works with
> CCID, they fail to connect. I'm very interested to see which versions
> you have installed of ykman and dependencies.
>
> I can run OTP commands and "ykman list"
>

I do not use ykman, so I cannot speak about ykman. ykpers and ykclient
were already packaged and worked fine for my use.

> $ ykman list
> YubiKey 4 [OTP+FIDO+CCID] Serial: 5977032
>
> But when I try to list oaths it doesn't connect:
>
> $ ykman -l DEBUG oath list
>
> 2018-07-01T11:43:43+0200 INFO [ykman.logging_setup.setup:59]
> Initialized logging for ykman version: 0.7.1-dev
> 2018-07-01T11:43:43+0200 DEBUG
> [ykman.descriptor.Descriptor.open_device:75] transports: 0x4,
> self.mode.transports: 0x7
> 2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.open_device:80]
> Opening driver for serial: None, type: YUBIKEY.YK4, mode:
> OTP+FIDO+CCID
> [...]
> 2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:82]
> Attempt 10 of 10
> 2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:101]
> Sleeping for 1.000000 s
> 2018-07-01T11:43:48+0200 DEBUG [ykman.descriptor.open_device:103] No
> matching device found
> Usage: ykman [OPTIONS] COMMAND [ARGS]...
>
> Error: Failed connecting to the YubiKey.
>
> These are the versions I have:
>
> $ ykman version
>
> YubiKey Manager (ykman) version: 0.7.1-dev
> Libraries:
> libykpers 1.18.1
> libusb 1.0.21
>
> $ pkg_info pcscd
>
> Information for inst:pcsc-lite-1.8.22p1
> [...]

Do you run pcscd while running your attempts?
Try shutting it down when you want direct access to the yubikey?
pcscd gets a hold of the USB device and AFAIR I cannot use ykpers or
ykclient while pcscd is running, so I'd expect the same with ykman.

HTH,
Eric.

>
> $ pip3.6 show yubikey-manager
>
> Name: yubikey-manager
> Version: 0.7.1.dev0
> Summary: Tool for managing your YubiKey configuration.
> Home-page: https://github.com/Yubico/yubikey-manager
> Author: Dain Nilsson
> Author-email: d...@yubico.com
> License: BSD 2 clause
> Location:
> /home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg
> Requires: six, pyscard, pyusb, click, cryptography, pyopenssl, fido2
>
> $ pip3.6 show pyscard six pyusb click cryptography pyOpenSSL fido2
>
> Name: pyscard
> Version: 1.9.7
> Summary: Smartcard module for Python.
> Home-page: https://github.com/LudovicRousseau/pyscard
> Author: Ludovic Rousseau
> Author-email: ludovic.rouss...@free.fr
> License: UNKNOWN
> Location:
> /home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg
> Requires:
> ---
> Name: six
> Version: 1.11.0
> Summary: Python 2 and 3 compatibility utilities
> Home-page: http://pypi.python.org/pypi/six/
> Author: Benjamin Peterson
> Author-email: benja...@python.org
> License: MIT
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: pyusb
> Version: 1.0.2
> Summary: Python USB access module
> Home-page: http://walac.github.io/pyusb
> Author: Wander Lairson Costa
> Author-email: wander.lair...@gmail.com
> License: BSD
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: click
> Version: 6.7
> Summary: A simple wrapper around optparse for powerful command line utilities.
> Home-page: http://github.com/mitsuhiko/click
> Author: Armin Ronacher
> Author-email: armin.ronac...@active-4.com
> License: UNKNOWN
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires:
> ---
> Name: cryptography
> Version: 2.2.2
> Summary: cryptography is a package which provides cryptographic
> recipes and primitives to Python developers.
> Home-page: https://github.com/pyca/cryptography
> Author: The cryptography developers
> Author-email: cryptography-...@python.org
> License: BSD or Apache License, Version 2.0
> Location: /usr/local/lib/python3.6/site-packages
> Requires: idna, asn1crypto, six, cffi
> ---
> Name: pyOpenSSL
> Version: 18.0.0
> Summary: Python wrapper module around the OpenSSL library
> Home-page: https://pyopenssl.org/
> Author: Hynek Schlawack
> Author-email: h...@ox.cx
> License: Apache License, Version 2.0
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires: six, cryptography
> ---
> Name: fido2
> Version: 0.3.0
> Summary: Python based FIDO 2.0 library
> Home-page: https://github.com/Yubico/python-fido2
> Author: Dain Nilsson
> Author-email: d...@yubico.com
> License: UNKNOWN
> Location: /home/rickard/.local/lib/python3.6/site-packages
> Requires: six, cryptography
>
> // Rickard
> On Sat, 30 Jun 2018 at 12:32, Eric Augé <eau+o...@unix4fun.net> wrote:
>>
>> Hello Rickard,
>>
>> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
>> works fine with it for me, IIRC you can even make it work with GPG
>> without pcscd, but I'd need to verify again.
>> B) same, chromium crashes, I started investigating but lack the
>> knowledge in chromium and I am a bit lost, there are several tickets
>> open on chromium side as you mentioned.
>> C) I have not tried.
>>
>> HTH,
>> Eric.
>>
>> On Fri, Jun 29, 2018 at 11:41 AM, Rickard von Essen
>> <rickard.von.es...@gmail.com> wrote:
>> >
>> > I've been experimenting with switching over one of my laptops to
>> > OpenBSD, but there is one main problem stopping me from switching.
>> > The support for Yubikeys and U2F.
>> >
>> > I'm trying to gather a list of things that currently don't work. And
>> > maybe find some collaborators to investigate and maybe fix the
>> > issues. So if you are interested to work on any of these or have
>> > further information please post on this thread.
>> >
>> > A) Yubikey-manager (ykman) is the new Yubikey CLI. I got it to
>> > install but only one out of three transports (protocols) works. OTP
>> > works. CCID fails connecting to the Yubikey via pcscd, further
>> > investigation needed (this is hopefully not too hard to fix). FIDO
>> > doesn't work since the pyu2f library doesn't support OpenBSD, this
>> > is probably not too hard to fix. I'm tracking these in [1].
>> >
>> > B) Chromium (v 65.0.3325.181) crashes when U2F auth is requested and
>> > a key is inserted, see [2]. I haven't yet debugged this, but fixing
>> > this probably requires a fair amount of knowledge about Chromium's
>> > internals.
>> >
>> > C) Firefox (v 59.0.2) doesn't officially support U2F but has a
>> > config option to enable this [3][4]. Unfortunately this doesn't work
>> > on OpenBSD (but macOS for example). (Firefox 60 is supposed to
>> > support the new FIDO2 standard this might improve on U2F support
>> > too.)
>> >
>> > [1] https://github.com/Yubico/yubikey-manager/issues/124
>> > [2] https://bugs.chromium.org/p/chromium/issues/detail?id=451248
>> > [3] https://discourse.mozilla.org/t/u2f-standard-to-firefox/23301/2
>> > [4] https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
>> >
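
A small triage of the ykman debug output quoted in this thread, as an added example that is not part of the original messages or of ykman: it decodes the two transport bitmasks and reports whether the failed open points at the key's mode or at host-side access. The flag values (OTP 0x1, FIDO 0x2, CCID 0x4) and the names `decode` and `triage` are assumptions of this example.

```python
import re

# Transport flag values: an assumption taken from ykman's transport bit flags,
# consistent with the log reporting mode OTP+FIDO+CCID as 0x7.
TRANSPORTS = {0x1: "OTP", 0x2: "FIDO", 0x4: "CCID"}

# Constructed sample: debug lines from the thread, with mail wrapping undone.
SAMPLE_LOG = """\
2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x4, self.mode.transports: 0x7
2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.open_device:80] Opening driver for serial: None, type: YUBIKEY.YK4, mode: OTP+FIDO+CCID
2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2018-07-01T11:43:48+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found
"""

MASKS = re.compile(r"transports: (0x[0-9a-fA-F]+), self\.mode\.transports: (0x[0-9a-fA-F]+)")
ATTEMPT = re.compile(r"Attempt (\d+) of (\d+)")


def decode(mask):
    """Return the transport names set in a bitmask, lowest bit first."""
    return [name for bit, name in sorted(TRANSPORTS.items()) if mask & bit]


def triage(log):
    """Summarise what ykman asked for, what the key offers, and the outcome."""
    out = {"requested": [], "enabled": [], "attempts": None, "failed": False}
    for line in log.splitlines():
        m = MASKS.search(line)
        if m:
            out["requested"] = decode(int(m.group(1), 16))
            out["enabled"] = decode(int(m.group(2), 16))
        m = ATTEMPT.search(line)
        if m:
            out["attempts"] = (int(m.group(1)), int(m.group(2)))
        if "No matching device found" in line:
            out["failed"] = True
    missing = [t for t in out["requested"] if t not in out["enabled"]]
    if not out["failed"]:
        out["verdict"] = "no failure logged"
    elif missing:
        # The key's mode does not expose the transport the command needs.
        out["verdict"] = "mode lacks " + "+".join(missing)
    else:
        # Transport is enabled on the key, so look at the host side
        # (for CCID: pcscd and the reader driver).
        out["verdict"] = "host-side " + "+".join(out["requested"]) + " access"
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```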