Re: ykman fido list Exception: Unsupported platform: openbsd6
On 2020/05/23 23:23, Stuart Henderson wrote: > On 2020/05/23 13:52, Armands Stiegra wrote: > > On Saturday, May 23, 2020 12:36 PM, Lucas Raab > > wrote: > > > $ pip install git+https://github.com/Yubico/python-fido2.git > > Interesting, worr had a diff committed there adding OpenBSD support. > Even with hangs that seems somewhat useful so I've updated the port in > -current to pull that in. The hangs seem pretty consistent: I am able > to get it to do one operation, then it hangs and I need to unplug/replug. ...and that is fixed with this diff from patrick@: Index: uhidev.c === RCS file: /cvs/src/sys/dev/usb/uhidev.c,v retrieving revision 1.79 diff -u -p -r1.79 uhidev.c --- uhidev.c22 Feb 2020 14:01:34 - 1.79 +++ uhidev.c24 May 2020 15:16:00 - @@ -521,6 +521,7 @@ uhidev_open(struct uhidev *scd) error = EIO; goto out1; } + usbd_clear_endpoint_stall(sc->sc_ipipe); DPRINTF(("uhidev_open: sc->sc_ipipe=%p\n", sc->sc_ipipe)); @@ -547,6 +548,8 @@ uhidev_open(struct uhidev *scd) error = EIO; goto out2; } + usbd_clear_endpoint_stall(sc->sc_opipe); + DPRINTF(("uhidev_open: sc->sc_opipe=%p\n", sc->sc_opipe)); sc->sc_oxfer = usbd_alloc_xfer(sc->sc_udev);
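Review bot: in the first hunk (@@ -521), the result of usbd_clear_endpoint_stall(sc->sc_ipipe) is discarded, although the pipe-open failure immediately above it sets error = EIO and jumps to out1. If the clear can fail, handle it the same way; if a failure is harmless here, say so in a comment so the unchecked call does not look like an oversight.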
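Review bot: in the second hunk (@@ -547), nothing says why a pipe that has only just been opened needs its stall condition cleared. A one-line comment above usbd_clear_endpoint_stall(sc->sc_opipe) naming the device state it guards against (the thread describes a hang after the first operation until the key is replugged) would keep the call from being removed later as redundant; the same comment applies to the sc_ipipe call.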
Re: ykman fido list Exception: Unsupported platform: openbsd6
‐‐‐ Original Message ‐‐‐
On Saturday, May 23, 2020 10:23 PM, Stuart Henderson wrote:

> The git version of yubikey-manager doesn't seem necessary to get this to
> work so I haven't updated the port of that.

I am sorry, it was my mistake. I meant "git version of python-fido2".
Thank you very much.

Kind regards
Armands Stiegra
Re: ykman fido list Exception: Unsupported platform: openbsd6
On 2020/05/23 13:52, Armands Stiegra wrote:
> On Saturday, May 23, 2020 12:36 PM, Lucas Raab
> wrote:
> > $ pip install git+https://github.com/Yubico/python-fido2.git

Interesting, worr had a diff committed there adding OpenBSD support.
Even with hangs that seems somewhat useful so I've updated the port in
-current to pull that in. The hangs seem pretty consistent: I am able
to get it to do one operation, then it hangs and I need to unplug/replug.

> I was able to set FIDO PIN and store a resident SSH key.
>
> From what I tested, I can report that
>
> (fido2) stiegra$ ykman fido
>
> commands work using Git version of yubikey-manager, although not perfectly -
> they are hanging a bit, but remove/reinsert of yubikey helps.

The git version of yubikey-manager doesn't seem necessary to get this to
work so I haven't updated the port of that.

> (fido2) stiegra$ ykman fido reset
>
> does not work, but that is probably expected:
>
> (fido2) stiegra$ ykman fido reset
> WARNING! This will delete all FIDO credentials, including FIDO U2F
> credentials, and restore factory settings. Proceed? [y/N]: y
> Remove and re-insert your YubiKey to perform the reset...
> Usage: ykman fido reset [OPTIONS]
> Try 'ykman fido reset -h' for help.
>
> Error: Reset failed.

I'm not sure what to expect to work and not work with these really.
Re: ykman fido list Exception: Unsupported platform: openbsd6
‐‐‐ Original Message ‐‐‐
On Saturday, May 23, 2020 12:36 PM, Lucas Raab wrote:

> On Sat, May 23, 2020 at 11:39:33AM +, Armands Stiegra wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Saturday, May 23, 2020 11:06 AM, Stuart Henderson s...@spacehopper.org
> > wrote:
> >
> > > On 2020/05/23 09:41, Armands Stiegra wrote:
> > >
> > > > Hello, dear OpenBSD developers,
> > > > Humbly asking for your help, as I am unable to figure out, how to fix
> > > > the error below and if it is a known problem. It seems to me that
> > > > yubikey-manager fido functionality is not working on a fresh install
> > > > of OpenBSD 6.7.
> > >
> > > ykman requires python-fido2 to do this; python-fido2 has not implemented
> > > this functionality on OpenBSD.
> >
> > Thank you for your quick explanation.
> > Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to
> > use a resident key?
> > $ ssh-keygen -t ed25519-sk -O resident
> > Generating public/private ed25519-sk key pair.
> > You may need to touch your authenticator to authorize key generation.
> > Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
> > Enter passphrase (empty for no passphrase):
> > Enter same passphrase again:
> > Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
> > Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
> > The key fingerprint is:
> > ...
> > $ ssh-keygen -Kvvv
> > debug3: start_helper: started pid=12899
> > debug3: ssh_msg_send: type 5
> > debug3: ssh_msg_recv entering
> > debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> > debug1: sshsk_load_resident: provider "internal"
> > debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> > debug1: read_rks: get metadata for /dev/fido/0 failed:
> > FIDO_ERR_INVALID_ARGUMENT
> > debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> > debug1: ssh-sk-helper: reply len 4
> > debug3: ssh_msg_send: type 5
> > debug3: reap_helper: pid=12899
> > Enter PIN for authenticator:
> > debug3: start_helper: started pid=7343
> > debug3: ssh_msg_send: type 5
> > debug3: ssh_msg_recv entering
> > debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> > debug1: sshsk_load_resident: provider "internal", have-pin
> > debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> > debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> > debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> > debug1: ssh-sk-helper: reply len 4
> > debug3: ssh_msg_send: type 5
> > debug3: reap_helper: pid=7343
> > No keys to download
> > This line suggests that PIN is not set:
> > debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> > Kind regards
> > Armands Stiegra
>
> You might try using a virtualenv with cloning python-fido2 vs installing
> from pypi/ports.
>
> $ python3 -m venv fido2
> $ . fido2/bin/activate
> $ pip install git+https://github.com/Yubico/python-fido2.git
> $ pip install yubikey-manager
>
> Beyond that, YMMV. I don't have any Yubikey 5s to verify that functionality
>
> Lucas

Thanks Lucas and Stuart for your help and great idea, it actually worked. I am happy.
I was able to set FIDO PIN and store a resident SSH key.

From what I tested, I can report that

(fido2) stiegra$ ykman fido

commands work using Git version of yubikey-manager, although not perfectly -
they are hanging a bit, but remove/reinsert of yubikey helps.

Only

(fido2) stiegra$ ykman fido reset

does not work, but that is probably expected:

(fido2) stiegra$ ykman fido reset
WARNING! This will delete all FIDO credentials, including FIDO U2F
credentials, and restore factory settings. Proceed? [y/N]: y
Remove and re-insert your YubiKey to perform the reset...
Usage: ykman fido reset [OPTIONS]
Try 'ykman fido reset -h' for help.

Error: Reset failed.

Kind regards
Armands Stiegra
Re: ykman fido list Exception: Unsupported platform: openbsd6
‐‐‐ Original Message ‐‐‐
On Saturday, May 23, 2020 11:06 AM, Stuart Henderson wrote:

> On 2020/05/23 09:41, Armands Stiegra wrote:
>
> > Hello, dear OpenBSD developers,
> > Humbly asking for your help, as I am unable to figure out, how to fix
> > the error below and if it is a known problem. It seems to me that
> > yubikey-manager fido functionality is not working on a fresh install
> > of OpenBSD 6.7.
>
> ykman requires python-fido2 to do this; python-fido2 has not implemented
> this functionality on OpenBSD.

Thank you for your quick explanation.

Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to
use a resident key?

$ ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
The key fingerprint is:
...

$ ssh-keygen -Kvvv
debug3: start_helper: started pid=12899
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal"
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=12899
Enter PIN for authenticator:
debug3: start_helper: started pid=7343
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=7343
No keys to download

This line suggests that PIN is not set:

debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET

Kind regards
Armands Stiegra
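The reading of the debug log in the message above (two ssh-sk-helper runs, the second made with a PIN and reporting FIDO_ERR_PIN_NOT_SET), as an added example that is not part of the original thread: a small Python parser that splits `ssh-keygen -Kvvv` output into helper runs and reports, per device, the error from the run that had a PIN. The function names are this example's own, and the sample is an excerpt of the log quoted above.

```python
import re

# Excerpt of the `ssh-keygen -Kvvv` output quoted in the message above.
SAMPLE = """\
debug3: start_helper: started pid=12899
debug1: sshsk_load_resident: provider "internal"
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
debug3: reap_helper: pid=12899
Enter PIN for authenticator:
debug3: start_helper: started pid=7343
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
debug3: reap_helper: pid=7343
No keys to download
"""

START = re.compile(r"start_helper: started pid=(\d+)")
LOAD = re.compile(r'sshsk_load_resident: provider "[^"]*"(, have-pin)?')
FAIL = re.compile(r"read_rks: get metadata for (\S+) failed:\s+(FIDO_ERR_\w+)")


def helper_attempts(log):
    """Return one record per ssh-sk-helper run found in the debug log."""
    attempts = []
    for line in log.splitlines():
        if m := START.search(line):
            attempts.append({"pid": int(m.group(1)), "have_pin": False, "failures": []})
        elif attempts and (m := LOAD.search(line)):
            attempts[-1]["have_pin"] = m.group(1) is not None
        elif attempts and (m := FAIL.search(line)):
            attempts[-1]["failures"].append((m.group(1), m.group(2)))
    return attempts


def diagnose(log):
    """Map each device to its error, preferring the run that was given a PIN."""
    result = {}
    for attempt in helper_attempts(log):
        for dev, err in attempt["failures"]:
            # In the log above the PIN-less run comes first; a run with a PIN supersedes it.
            if attempt["have_pin"] or dev not in result:
                result[dev] = err
    return result


if __name__ == "__main__":
    for dev, err in diagnose(SAMPLE).items():
        print(f"{dev}: {err}")
```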
Re: ykman fido list Exception: Unsupported platform: openbsd6
On Sat, May 23, 2020 at 11:39:33AM +, Armands Stiegra wrote:
> ‐‐‐ Original Message ‐‐‐
> On Saturday, May 23, 2020 11:06 AM, Stuart Henderson
> wrote:
>
> > On 2020/05/23 09:41, Armands Stiegra wrote:
> >
> > > Hello, dear OpenBSD developers,
> > > Humbly asking for your help, as I am unable to figure out, how to fix
> > > the error below and if it is a known problem. It seems to me that
> > > yubikey-manager fido functionality is not working on a fresh install
> > > of OpenBSD 6.7.
> >
> > ykman requires python-fido2 to do this; python-fido2 has not implemented
> > this functionality on OpenBSD.
>
> Thank you for your quick explanation.
>
> Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to
> use a resident key?
>
> $ ssh-keygen -t ed25519-sk -O resident
> Generating public/private ed25519-sk key pair.
> You may need to touch your authenticator to authorize key generation.
> Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
> Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
> The key fingerprint is:
> ...
>
> $ ssh-keygen -Kvvv
> debug3: start_helper: started pid=12899
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal"
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed:
> FIDO_ERR_INVALID_ARGUMENT
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=12899
> Enter PIN for authenticator:
> debug3: start_helper: started pid=7343
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal", have-pin
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=7343
> No keys to download
>
> This line suggests that PIN is not set:
>
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
>
> Kind regards
> Armands Stiegra
>

You might try using a virtualenv with cloning python-fido2 vs installing
from pypi/ports.

$ python3 -m venv fido2
$ . fido2/bin/activate
$ pip install git+https://github.com/Yubico/python-fido2.git
$ pip install yubikey-manager

Beyond that, YMMV. I don't have any Yubikey 5s to verify that functionality

Lucas
Re: ykman fido list Exception: Unsupported platform: openbsd6
On 2020/05/23 09:41, Armands Stiegra wrote:
> Hello, dear OpenBSD developers,
>
> Humbly asking for your help, as I am unable to figure out, how to fix
> the error below and if it is a known problem. It seems to me that
> yubikey-manager fido functionality is not working on a fresh install
> of OpenBSD 6.7.

ykman requires python-fido2 to do this; python-fido2 has not implemented
this functionality on OpenBSD.