Bug 263916 - security/py-yubikey-manager: Many subcommands fail due to lack of HID support
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Vinícius Zavam
Reported: 2022-05-11 10:53 UTC by Michael Gmelin
Modified: 2022-05-27 13:22 UTC
bugzilla: maintainer-feedback? (egypcio)


Attachments
Patch to allow using yubikey-manager with OTP HID again (17.67 KB, patch)
2022-05-27 13:22 UTC, Michael Gmelin
grembo: maintainer-approval?

Description Michael Gmelin freebsd_committer 2022-05-11 10:53:26 UTC
Yubikey-manager 4 moved away from using libykpersonalize and uses HID to program yubikeys instead. There is currently no FreeBSD support for HID in the package, which means that OTP (and other) subcommands fail:

  WARNING: No OTP HID backend available. OTP protocols will not function.
  Error: No YubiKey found with the given interface(s)

There are various possible solutions:

  1. Implement and upstream HID support for FreeBSD - I tried, but didn't succeed (there seems to be ongoing work to support hidraw, but we're not there yet)
  2. Re-import python code that makes use of libykpersonalize (probably over a patch in the port)
  3. Document that this simply won't work and people should use ykpersonalize instead
Comment 1 Michael Gmelin freebsd_committer 2022-05-14 20:59:25 UTC
(Adding @emaste, as he is (at least once was) a yubikey and/or fido key user)

After analyzing the situation, I implemented OTP HID support for FreeBSD and also fixed FIDO2 support. You can find the pull requests here:

  https://github.com/Yubico/python-fido2/pull/139
  https://github.com/Yubico/yubikey-manager/pull/504

These patches work both for uhid(4) and the new hidraw(4) driver.

Depending on the configuration of the yubikey, it might attach as
a keyboard (as this is one of its primary functions), which might make
it unavailable to yubikey-manager.

I usually do this as a workaround:

  usbconfig ugen0.3 power_off
  usbconfig ugen0.3 add_quirk UQ_KBD_IGNORE
  usbconfig ugen0.3 power_on

So once the port is modified, adding something like this to pkg-message
(or a better fix to address the problem) would be a good idea.
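
The workaround above names ugen0.3, which differs from machine to machine. As an added example (not part of the original comment, the port, or upstream), this dry-run helper reads a `usbconfig list` style listing and prints the same three commands for each device it finds; the sample listing is constructed, and matching on "Yubi" in the device description is an assumption.

```shell
#!/bin/sh
# Print (do not run) the keyboard-ignore workaround for every YubiKey
# found in a usbconfig device listing read from stdin.
yk_quirk_cmds() {
    # Listing lines look like: ugenB.A: <description> at usbusB, ...
    # Assumption: the description between <> contains "Yubi" or "yubi".
    sed -n 's/^\(ugen[0-9][0-9]*\.[0-9][0-9]*\): <[^>]*[Yy]ubi[^>]*>.*/\1/p' |
    while read -r dev; do
        printf 'usbconfig %s power_off\n' "$dev"
        printf 'usbconfig %s add_quirk UQ_KBD_IGNORE\n' "$dev"
        printf 'usbconfig %s power_on\n' "$dev"
    done
}

# Constructed sample listing (not captured from a real machine).
sample_listing() {
    cat <<'EOF'
ugen0.1: <Intel XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen0.2: <Logitech USB Receiver> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (98mA)
ugen0.3: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)
EOF
}

# Dry run against the sample; on a real system: usbconfig list | yk_quirk_cmds
sample_listing | yk_quirk_cmds
```

Review the printed commands before running them as root; nothing is changed on the system by the helper itself.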
Comment 2 Michael Gmelin freebsd_committer 2022-05-27 12:41:34 UTC
The python-fido2 changes were merged upstream; I prepared bug #264281 to update security/py-fido2.

https://github.com/Yubico/yubikey-manager/pull/504 is ready to land; I'll ideally wait until it is merged before preparing a patch to the port (which I'll then attach to this PR).
Comment 3 Michael Gmelin freebsd_committer 2022-05-27 13:22:55 UTC
Created attachment 234262 [details]
Patch to allow using yubikey-manager with OTP HID again

As the pull request was merged to upstream's "next" branch[0], I prepared a patch to the port, suitable to be applied using `git am`.

[0] https://github.com/Yubico/yubikey-manager/commit/ecd7897b3f02054