Hi Eric,

Thanks for replying. If I can sort out most ykman issues I'll create a port for it, which hopefully will make it easier for more people to use YubiKeys with OpenBSD.

> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
> works fine with it for me, IIRC you can even make it work with GPG
> without pcscd, but I'd need to verify again.

I have several YubiKey NEO and 4 Nano, but neither of them works with CCID; they fail to connect. I'm very interested to see which versions you have installed of ykman and dependencies.

I can run OTP commands and "ykman list":

$ ykman list
YubiKey 4 [OTP+FIDO+CCID] Serial: 5977032

But when I try to list oaths it doesn't connect:

$ ykman -l DEBUG oath list
2018-07-01T11:43:43+0200 INFO [ykman.logging_setup.setup:59] Initialized logging for ykman version: 0.7.1-dev
2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x4, self.mode.transports: 0x7
2018-07-01T11:43:43+0200 DEBUG [ykman.descriptor.open_device:80] Opening driver for serial: None, type: YUBIKEY.YK4, mode: OTP+FIDO+CCID
[...]
2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2018-07-01T11:43:47+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 1.000000 s
2018-07-01T11:43:48+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.

These are the versions I have:

$ ykman version
YubiKey Manager (ykman) version: 0.7.1-dev
Libraries:
    libykpers 1.18.1
    libusb 1.0.21

$ pkg_info pcscd
Information for inst:pcsc-lite-1.8.22p1
[...]

$ pip3.6 show yubikey-manager
Name: yubikey-manager
Version: 0.7.1.dev0
Summary: Tool for managing your YubiKey configuration.
Home-page: https://github.com/Yubico/yubikey-manager
Author: Dain Nilsson
Author-email: d...@yubico.com
License: BSD 2 clause
Location: /home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg
Requires: six, pyscard, pyusb, click, cryptography, pyopenssl, fido2

$ pip3.6 show pyscard six pyusb click cryptography pyOpenSSL fido2
Name: pyscard
Version: 1.9.7
Summary: Smartcard module for Python.
Home-page: https://github.com/LudovicRousseau/pyscard
Author: Ludovic Rousseau
Author-email: ludovic.rouss...@free.fr
License: UNKNOWN
Location: /home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg
Requires:
---
Name: six
Version: 1.11.0
Summary: Python 2 and 3 compatibility utilities
Home-page: http://pypi.python.org/pypi/six/
Author: Benjamin Peterson
Author-email: benja...@python.org
License: MIT
Location: /home/rickard/.local/lib/python3.6/site-packages
Requires:
---
Name: pyusb
Version: 1.0.2
Summary: Python USB access module
Home-page: http://walac.github.io/pyusb
Author: Wander Lairson Costa
Author-email: wander.lair...@gmail.com
License: BSD
Location: /home/rickard/.local/lib/python3.6/site-packages
Requires:
---
Name: click
Version: 6.7
Summary: A simple wrapper around optparse for powerful command line utilities.
Home-page: http://github.com/mitsuhiko/click
Author: Armin Ronacher
Author-email: armin.ronac...@active-4.com
License: UNKNOWN
Location: /home/rickard/.local/lib/python3.6/site-packages
Requires:
---
Name: cryptography
Version: 2.2.2
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
Author-email: cryptography-...@python.org
License: BSD or Apache License, Version 2.0
Location: /usr/local/lib/python3.6/site-packages
Requires: idna, asn1crypto, six, cffi
---
Name: pyOpenSSL
Version: 18.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: Hynek Schlawack
Author-email: h...@ox.cx
License: Apache License, Version 2.0
Location: /home/rickard/.local/lib/python3.6/site-packages
Requires: six, cryptography
---
Name: fido2
Version: 0.3.0
Summary: Python based FIDO 2.0 library
Home-page: https://github.com/Yubico/python-fido2
Author: Dain Nilsson
Author-email: d...@yubico.com
License: UNKNOWN
Location: /home/rickard/.local/lib/python3.6/site-packages
Requires: six, cryptography

// Rickard

On Sat, 30 Jun 2018 at 12:32, Eric Augé <eau+o...@unix4fun.net> wrote:
>
> Hello Rickard,
>
> A) CCID worked out of the box with a yubikey 4, with pcscd and gpg
> works fine with it for me, IIRC you can even make it work with GPG
> without pcscd, but I'd need to verify again.
> B) same, chromium crashes, I started investigating but lack the
> knowledge in chromium and I am a bit lost, there are several tickets
> open on chromium side as you mentioned.
> C) I have not tried.
>
> HTH,
> Eric.
>
> On Fri, Jun 29, 2018 at 11:41 AM, Rickard von Essen
> <rickard.von.es...@gmail.com> wrote:
> >
> > I've been experimenting with switching over one of my laptops to OpenBSD,
> > but there is one main problem stopping me from switching. The support for
> > Yubikeys and U2F.
> >
> > I'm trying to gather a list of things that currently don't work. And maybe
> > find some collaborators to investigate and maybe fix the issues. So if you
> > are interested to work on any of these or have further information please
> > post on this thread.
> >
> > A) Yubikey-manager (ykman) is the new Yubikey CLI. I got it to install but
> > only one out of three transports (protocols) works. OTP works. CCID fails
> > connecting to the Yubikey via pcscd, further investigation needed (this is
> > hopefully not too hard to fix). FIDO doesn't work since the pyu2f library
> > doesn't support OpenBSD, this is probably not too hard to fix. I'm tracking
> > these in [1].
> >
> > B) Chromium (v 65.0.3325.181) crashes when U2F auth is requested and a key
> > is inserted, see [2]. I haven't yet debugged this, but fixing this probably
> > requires a fair amount of knowledge about Chromium's internals.
> >
> > C) Firefox (v 59.0.2) doesn't officially support U2F but has a config
> > option to enable this [3][4]. Unfortunately this doesn't work on OpenBSD
> > (but it does on macOS, for example). (Firefox 60 is supposed to support the
> > new FIDO2 standard; this might improve on U2F support too.)
> >
> > [1] https://github.com/Yubico/yubikey-manager/issues/124
> > [2] https://bugs.chromium.org/p/chromium/issues/detail?id=451248
> > [3] https://discourse.mozilla.org/t/u2f-standard-to-firefox/23301/2
> > [4] https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
> >