Yubikey-manager 4 moved away from using libykpersonalize and uses HID to program yubikeys instead. There is currently no FreeBSD support for HID in the package, which means that OTP (and other) subcommands fail:

    WARNING: No OTP HID backend available. OTP protocols will not function.
    Error: No YubiKey found with the given interface(s)

There are various possible solutions:

1. Implement and upstream HID support for FreeBSD - I tried, but didn't succeed (there seems to be ongoing work to support hidraw, but we're not there yet)
2. Re-import python code that makes use of libykpersonalize (probably over a patch in the port)
3. Document that this simply won't work and people should use ykpersonalize instead
(Adding @emaste, as he is (at least once was) a yubikey and/or fido key user)

After analyzing the situation, I implemented OTP HID support for FreeBSD and also fixed FIDO2 support. You can find the pull requests here:

https://github.com/Yubico/python-fido2/pull/139
https://github.com/Yubico/yubikey-manager/pull/504

These patches work both for uhid(4) and the new hidraw(4) driver.

Depending on the configuration of the yubikey, it might attach as a keyboard (as this is one of its primary functions), which might make it unavailable to yubikey-manager. I usually do this as a workaround:

    usbconfig ugen0.3 power_off
    usbconfig ugen0.3 add_quirk UQ_KBD_IGNORE
    usbconfig ugen0.3 power_on

So once the port is modified, adding something like this to pkg-message (or a better fix to address the problem) would be a good idea.
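The workaround in the comment above hard-codes ugen0.3, and the ugen bus.address pair depends on where the key is plugged in. The following is an added example, not part of the original comment or the port: shell functions that find the YubiKey in `usbconfig list` output and print the same three commands for it. The function names, the assumed layout of the list lines and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the UQ_KBD_IGNORE workaround commands for whichever
# ugen device the YubiKey currently is, instead of hard-coding ugen0.3.
# Assumption: `usbconfig list` prints lines shaped like
#   ugenB.D: <description> at usbusB, ...
# and the YubiKey's description contains "Yubico" or "YubiKey".

# Read `usbconfig list` output on stdin; print one ugenB.D name per YubiKey.
yubikey_ugens() {
    awk -F': ' '/^ugen[0-9]+\.[0-9]+: </ && tolower($0) ~ /yubi(co|key)/ { print $1 }'
}

# Read `usbconfig list` output on stdin; print the three workaround commands
# for every YubiKey found. Nothing is executed, so the output can be reviewed
# before it is run as root. Returns 1 when no YubiKey is listed.
kbd_ignore_commands() {
    devs=$(yubikey_ugens)
    if [ -z "$devs" ]; then
        echo "no YubiKey found in usbconfig list output" >&2
        return 1
    fi
    for dev in $devs; do
        printf 'usbconfig %s power_off\n' "$dev"
        printf 'usbconfig %s add_quirk UQ_KBD_IGNORE\n' "$dev"
        printf 'usbconfig %s power_on\n' "$dev"
    done
}

# Constructed sample of `usbconfig list` output (not captured from a real host).
SAMPLE_LIST='ugen0.1: <Intel XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen0.2: <Generic USB Keyboard> at usbus0, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen0.3: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)'

# Demo on the constructed sample; on a FreeBSD host use:
#   usbconfig list | kbd_ignore_commands
printf '%s\n' "$SAMPLE_LIST" | kbd_ignore_commands
```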
The python-fido2 changes were merged upstream, I prepared bug #264281 to update security/py-fido2. https://github.com/Yubico/yubikey-manager/pull/504 is ready to land, I'll ideally wait until it is merged before preparing a patch to the port (which I'll then attach to this PR).
Created attachment 234262
Patch to allow using yubikey-manager with OTP HID again

As the pull request was merged to upstream's "next" branch[0], I prepared a patch to the port, suitable to be applied using `git am`.

[0] https://github.com/Yubico/yubikey-manager/commit/ecd7897b3f02054
It would be good to have this in the ports tree before 2022Q3 is tagged, that's within the next 2-3 weeks (which would make it about six weeks after reporting the problem and about four weeks after providing a fix), which sounds fair to me.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=95299192d7e94b6fcb1e345c36d85ad989f6c42d

commit 95299192d7e94b6fcb1e345c36d85ad989f6c42d
Author:     Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2022-05-27 13:13:56 +0000
Commit:     Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2022-06-23 15:20:24 +0000

    security/py-yubikey-manager: Add OTP HID support for FreeBSD

    This makes yubikey-manager usable on FreeBSD again. FreeBSD support was broken since reliance on libusb and libykpersonalize was dropped upstream in 4.0.0.

    This supports the classic uhid(4) driver and the more modern hidraw(4) driver.

    See: https://github.com/Yubico/yubikey-manager/pull/504

    As I had to redo the patch after the update to 4.0.9, I took the chance to add unit test support (`make test`).

    A future change could remove the dependency on ykpersonalize.

    PR:             263916
    Approved by:    egypcio (maintainer timeout, about 4 weeks)

 security/py-yubikey-manager/Makefile               |   9 +-
 .../files/patch-README.adoc (new)                  |  47 ++++
 .../files/patch-ykman_hid_____init____.py (new)    |  12 +
 .../files/patch-ykman_hid_freebsd.py (new)         | 301 +++++++++++++++++++++
 security/py-yubikey-manager/pkg-message (new)      |  34 +++
 5 files changed, 401 insertions(+), 2 deletions(-)