Yubikey-manager 4 moved away from using libykpersonalize and uses HID to program yubikeys instead. There is currently no FreeBSD support for HID in the package, which means that OTP (and other) subcommands fail:
WARNING: No OTP HID backend available. OTP protocols will not function.
Error: No YubiKey found with the given interface(s)
There are various possible solutions:
1. Implement and upstream HID support for FreeBSD - I tried, but didn't succeed (there seems to be ongoing work to support hidraw, but we're not there yet)
2. Re-import python code that makes use of libykpersonalize (probably over a patch in the port)
3. Document that this simply won't work and people should use ykpersonalize instead
(Adding @emaste, as he is (at least once was) a yubikey and/or fido key user)
After analyzing the situation, I implemented OTP HID support for FreeBSD and also fixed FIDO2 support. You can find the pull requests here:
These patches work both for uhid(4) and the new hidraw(4) driver.
Depending on the configuration of the yubikey, it might attach as
a keyboard (as this is one of its primary functions), which might make
it unavailable to yubikey-manager.
I usually do this as a workaround:
usbconfig ugen0.3 power_off
usbconfig ugen0.3 add_quirk UQ_KBD_IGNORE
usbconfig ugen0.3 power_on
So once the port is modified, adding something like this to pkg-message
(or a better fix to address the problem) would be a good idea.
The python-fido2 changes were merged upstream, I prepared bug #264281 to update security/py-fido2.
https://github.com/Yubico/yubikey-manager/pull/504 is ready to land, I'll ideally wait until it is merged before preparing a patch to the port (which I'll then attach to this PR).
Created attachment 234262 [details]
Patch to allow using yubikey-manager with OTP HID again
As the pull request was merged to upstreams "next" branch, I prepared a patch to the port, suitable to be applied using `git am`.