263916 – security/py-yubikey-manager: Many subcommands fail due to lack of HID support

Bug 263916 - security/py-yubikey-manager: Many subcommands fail due to lack of HID support

Summary: security/py-yubikey-manager: Many subcommands fail due to lack of HID support

Status:	New

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Vinícius Zavam

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-05-11 10:53 UTC by Michael Gmelin
Modified:	2022-05-27 13:22 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (egypcio)

Attachments
Patch to allow using yubikey-manager with OTP HID again (17.67 KB, patch) 2022-05-27 13:22 UTC, Michael Gmelin	grembo: maintainer-approval?	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Gmelin freebsd_committer

2022-05-11 10:53:26 UTC

Yubikey-manager 4 moved away from using libykpersonalize and uses HID to program yubikeys instead. There is currently no FreeBSD support for HID in the package, which means that OTP (and other) subcommands fail:

  WARNING: No OTP HID backend available. OTP protocols will not function.
  Error: No YubiKey found with the given interface(s)

There are various possible solutions:

  1. Implement and upstream HID support for FreeBSD - I tried, but didn't succeed (there seems to be ongoing work to support hidraw, but we're not there yet)
  2. Re-import python code that makes use of libykpersonalize (probably over a patch in the port)
  3. Document that this simply won't work and people should use ykpersonalize instead

Comment 1 Michael Gmelin freebsd_committer

2022-05-14 20:59:25 UTC

(Adding @emaste, as he is (at least once was) a yubikey and/or fido key user)

After analyzing the situation, I implemented OTP HID support for FreeBSD and also fixed FIDO2 support. You can find the pull requests here:

  https://github.com/Yubico/python-fido2/pull/139
  https://github.com/Yubico/yubikey-manager/pull/504

These patches work both for uhid(4) and the new hidraw(4) driver.

Depending on the configuration of the yubikey, it might attach as
a keyboard (as this is one of its primary functions), which might make
it unavailable to yubikey-manager.

I usually do this as a workaround:

  usbconfig ugen0.3 power_off
  usbconfig ugen0.3 add_quirk UQ_KBD_IGNORE
  usbconfig ugen0.3 power_on

So once the port is modified, adding something like this to pkg-message
(or a better fix to address the problem) would be a good idea.

Comment 2 Michael Gmelin freebsd_committer

2022-05-27 12:41:34 UTC

The python-fido2 changes were merged upstream, I prepared bug #264281 to update security/py-fido2.

https://github.com/Yubico/yubikey-manager/pull/504 is ready to land, I'll ideally wait until it is merged before preparing a patch to the port (which I'll then attach to this PR).

Comment 3 Michael Gmelin freebsd_committer

2022-05-27 13:22:55 UTC

Created attachment 234262 [details]
Patch to allow using yubikey-manager with OTP HID again

As the pull request was merged to upstreams "next" branch[0], I prepared a patch to the port, suitable to be applied using `git am`.

[0]https://github.com/Yubico/yubikey-manager/commit/ecd7897b3f02054