On Sat, May 23, 2020 at 11:39:33AM +0000, Armands Stiegra wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, May 23, 2020 11:06 AM, Stuart Henderson <[email protected]> wrote:
> 
> > On 2020/05/23 09:41, Armands Stiegra wrote:
> >
> > > Hello, dear OpenBSD developers,
> > > Humbly asking for your help, as I am unable to figure out how to fix
> > > the error below and if it is a known problem. It seems to me that
> > > yubikey-manager fido functionality is not working on a fresh install
> > > of OpenBSD 6.7.
> >
> > ykman requires python-fido2 to do this; python-fido2 has not implemented
> > this functionality on OpenBSD.
> 
> Thank you for your quick explanation.
> 
> Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to 
> use a resident key?
> 
> $ ssh-keygen -t ed25519-sk -O resident
> Generating public/private ed25519-sk key pair.
> You may need to touch your authenticator to authorize key generation.
> Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
> Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
> The key fingerprint is:
> ...
> 
> $ ssh-keygen -Kvvv
> debug3: start_helper: started pid=12899
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal"
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=12899
> Enter PIN for authenticator:
> debug3: start_helper: started pid=7343
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal", have-pin
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=7343
> No keys to download
> 
> This line suggests that PIN is not set:
> 
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> 
> Kind regards
> Armands Stiegra
> 

You might try using a virtualenv with cloning python-fido2 vs installing
from pypi/ports.

$ python3 -m venv fido2
$ . fido2/bin/activate
$ pip install git+https://github.com/Yubico/python-fido2.git
$ pip install yubikey-manager

Beyond that, YMMV. I don't have any Yubikey 5s to verify that functionality.

Lucas
