On Thu, Dec 19, 2019 at 12:50:04PM -0700, Theo de Raadt wrote:
> Stuart Henderson <[email protected]> wrote:
>
> > On 2019/12/19 18:35, Reyk Floeter wrote:
> > > On Thu, Dec 19, 2019 at 12:18:28PM -0600, Lucas Raab wrote:
> > > > Hello,
> > > >
> > > > Updated py-fido2 below and has been tested with a Yubikey 4 and
> > > > security/yubico/yubikey-manager. Note, either chmod the USB devices or
> > > > run ykman with doas after the recent USB device permissions changes.
> > > >
> > >
> > > py-fido2 needs to be updated to use fido(4) instead of probing uhid
> > > devices (/dev/fido/X instead of /dev/uhidX). Fido is 0666 so you
> > > don't need
> > >
> > > This:
> > > https://github.com/Yubico/python-fido2/blob/master/fido2/_pyu2f/openbsd.py
> > >
> > > Like that:
> > > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libfido2/src/hid_openbsd.c.diff?r1=1.1&r2=1.2&f=h
> >
> > That won't help for ykman, it accesses the non-fido(4) devices too,
> > either itself (via libusb) for the yubikey side of things or via pcscd
> > for the smartcard side of things.
>
> Yes, things will need to adapt.
>
> I'm going to keep repeating this: Providing raw usb access to userland
> applications is not acceptable.
>
> I predict they will adapt, and it will take some time.
>
> libusb is an unacceptable model.

What is then the path forward for ports such as these? If writing drivers is the new fiat, what is the balance between keeping ports up to date/supported and getting drivers into the tree?
