Stuart Henderson <[email protected]> wrote: > On 2019/12/19 18:35, Reyk Floeter wrote: > > On Thu, Dec 19, 2019 at 12:18:28PM -0600, Lucas Raab wrote: > > > Hello, > > > > > > Updated py-fido2 below and has been tested with a Yubikey 4 and > > > security/yubico/yubikey-manager. Note, either chmod the USB devices or > > > run ykman with doas after the recent USB device permissions changes. > > > > > > > py-fido2 needs to be updated to use fido(4) instead of probing uhid > > devices (/dev/fido/X instead of /dev/uhidX). Fido is 0666 so you > > don't need > > > > This: > > https://github.com/Yubico/python-fido2/blob/master/fido2/_pyu2f/openbsd.py > > > > Like that: > > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libfido2/src/hid_openbsd.c.diff?r1=1.1&r2=1.2&f=h > > That won't help for ykman, it accesses the non-fido(4) devices too, > either itself (via libusb) for the yubikey side of things or via pcscd > for the smartcard side of things.
Yes, things will need to adapt. I'm going to keep repeating this: Providing raw usb access to userland applications is not acceptable. I predict they will adapt, and it will take some time. libusb is an unacceptable model.
