ykman fido list Exception: Unsupported platform: openbsd6


Armands Stiegra
Hello, dear OpenBSD developers,

Humbly asking for your help, as I am unable to figure out how to fix the error below and if it is a known problem. It seems to me that yubikey-manager fido functionality is not working on a fresh install of OpenBSD 6.7.

$ uname -a
OpenBSD stiegra.my.domain 6.7 GENERIC.MP#1 amd64

$ ykman -v
YubiKey Manager (ykman) version: 3.1.1
Libraries:
    libykpers 1.20.0
    libusb 1.0.23

$ ykman list
YubiKey 5 Nano [OTP+FIDO+CCID] Serial: 11117521

$ ykman fido info
Traceback (most recent call last):
  File "/usr/local/bin/ykman", line 11, in <module>
    load_entry_point('yubikey-manager==3.1.1', 'console_scripts', 'ykman')()
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 273, in main
    cli(obj={})
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/fido.py", line 87, in info
    controller = ctx.obj['controller']
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/util.py", line 127, in __getitem__
    self.resolve()
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/util.py", line 124, in resolve
    self._objects[k] = f()
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 194, in resolve_device
    dev = _run_cmd_for_single(ctx, subcmd.name, transports, reader)
  File "/usr/local/lib/python3.7/site-packages/ykman/cli/__main__.py", line 132, in _run_cmd_for_single
    return descriptor.open_device(transports)
  File "/usr/local/lib/python3.7/site-packages/ykman/descriptor.py", line 96, in open_device
    for drv in _list_drivers(transports):
  File "/usr/local/lib/python3.7/site-packages/ykman/descriptor.py", line 164, in _list_drivers
    for dev in open_fido():
  File "/usr/local/lib/python3.7/site-packages/ykman/driver_fido.py", line 97, in open_devices
    for dev in CtapHidDevice.list_devices(descriptor_filter):
  File "/usr/local/lib/python3.7/site-packages/fido2/hid.py", line 135, in list_devices
    for d in hidtransport.hid.Enumerate():
  File "/usr/local/lib/python3.7/site-packages/fido2/_pyu2f/__init__.py", line 29, in Enumerate
    return InternalPlatformSwitch('Enumerate')
  File "/usr/local/lib/python3.7/site-packages/fido2/_pyu2f/__init__.py", line 55, in InternalPlatformSwitch
    raise Exception('Unsupported platform: ' + sys.platform)
Exception: Unsupported platform: openbsd6

Thanks in advance.

Kind regards
Armands Stiegra


Re: ykman fido list Exception: Unsupported platform: openbsd6

Stuart Henderson
On 2020/05/23 09:41, Armands Stiegra wrote:
> Hello, dear OpenBSD developers,
>
> Humbly asking for your help, as I am unable to figure out, how to fix
> the error below and if it is a known problem. It seems to me that
> yubikey-manager fido functionality is not working on a fresh install
> of OpenBSD 6.7.

ykman requires python-fido2 to do this; python-fido2 has not implemented
this functionality on OpenBSD.


Re: ykman fido list Exception: Unsupported platform: openbsd6

Armands Stiegra
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, May 23, 2020 11:06 AM, Stuart Henderson <[hidden email]> wrote:

> On 2020/05/23 09:41, Armands Stiegra wrote:
>
> > Hello, dear OpenBSD developers,
> > Humbly asking for your help, as I am unable to figure out, how to fix
> > the error below and if it is a known problem. It seems to me that
> > yubikey-manager fido functionality is not working on a fresh install
> > of OpenBSD 6.7.
>
> ykman requires python-fido2 to do this; python-fido2 has not implemented
> this functionality on OpenBSD.

Thank you for your quick explanation.

Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to use a resident key?

$ ssh-keygen -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
The key fingerprint is:
...

$ ssh-keygen -Kvvv
debug3: start_helper: started pid=12899
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal"
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=12899
Enter PIN for authenticator:
debug3: start_helper: started pid=7343
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
debug1: ssh-sk-helper: reply len 4
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=7343
No keys to download

This line suggests that PIN is not set:

debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET

Kind regards
Armands Stiegra
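
The reading of the `ssh-keygen -Kvvv` output in the message above, done mechanically. This is an added example, not part of the original post and not OpenSSH code: it splits the debug log into one record per ssh-sk-helper run and reports whether the run that had a PIN failed with FIDO_ERR_PIN_NOT_SET. The function names and the trimmed sample log are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the debug lines quoted in the message above.
SAMPLE_LOG = """\
debug3: start_helper: started pid=12899
debug1: sshsk_load_resident: provider "internal"
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
debug3: reap_helper: pid=12899
Enter PIN for authenticator:
debug3: start_helper: started pid=7343
debug1: sshsk_load_resident: provider "internal", have-pin
debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
debug3: reap_helper: pid=7343
No keys to download
"""

START = re.compile(r"start_helper: started pid=(\d+)")
PROVIDER = re.compile(r'sshsk_load_resident: provider "([^"]*)"(, have-pin)?')
FAILED = re.compile(r"read_rks: get metadata for (\S+) failed: (FIDO_ERR_\w+)")

def parse_attempts(log: str) -> List[Dict]:
    """Return one record per helper run: pid, whether a PIN was supplied, device, error."""
    attempts: List[Dict] = []
    for line in log.splitlines():
        if m := START.search(line):
            attempts.append({"pid": int(m.group(1)), "have_pin": False,
                             "device": None, "error": None})
        elif not attempts:
            continue  # nothing to attach to before the first helper starts
        elif m := PROVIDER.search(line):
            attempts[-1]["have_pin"] = m.group(2) is not None
        elif m := FAILED.search(line):
            attempts[-1]["device"], attempts[-1]["error"] = m.groups()
    return attempts

def diagnose(attempts: List[Dict]) -> str:
    """Summarise the runs; only errors from a run that had a PIN are conclusive."""
    if not any(a["have_pin"] for a in attempts):
        return "no attempt was made with a PIN"
    errors = {a["error"] for a in attempts if a["have_pin"] and a["error"]}
    if "FIDO_ERR_PIN_NOT_SET" in errors:
        return "no FIDO2 PIN is set on the authenticator"
    named = sorted(errors)
    return "PIN attempt failed: " + ", ".join(named) if named else "no read_rks failure logged"
```
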


Re: ykman fido list Exception: Unsupported platform: openbsd6

Lucas Raab
On Sat, May 23, 2020 at 11:39:33AM +0000, Armands Stiegra wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, May 23, 2020 11:06 AM, Stuart Henderson <[hidden email]> wrote:
>
> > On 2020/05/23 09:41, Armands Stiegra wrote:
> >
> > > Hello, dear OpenBSD developers,
> > > Humbly asking for your help, as I am unable to figure out, how to fix
> > > the error below and if it is a known problem. It seems to me that
> > > yubikey-manager fido functionality is not working on a fresh install
> > > of OpenBSD 6.7.
> >
> > ykman requires python-fido2 to do this; python-fido2 has not implemented
> > this functionality on OpenBSD.
>
> Thank you for your quick explanation.
>
> Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to use a resident key?
>
> $ ssh-keygen -t ed25519-sk -O resident
> Generating public/private ed25519-sk key pair.
> You may need to touch your authenticator to authorize key generation.
> Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
> Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
> The key fingerprint is:
> ...
>
> $ ssh-keygen -Kvvv
> debug3: start_helper: started pid=12899
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal"
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=12899
> Enter PIN for authenticator:
> debug3: start_helper: started pid=7343
> debug3: ssh_msg_send: type 5
> debug3: ssh_msg_recv entering
> debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> debug1: sshsk_load_resident: provider "internal", have-pin
> debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> debug1: ssh-sk-helper: reply len 4
> debug3: ssh_msg_send: type 5
> debug3: reap_helper: pid=7343
> No keys to download
>
> This line suggests that PIN is not set:
>
> debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
>
> Kind regards
> Armands Stiegra
>

You might try using a virtualenv with cloning python-fido2 vs installing
from pypi/ports.

$ python3 -m venv fido2
$ . fido2/bin/activate
$ pip install git+https://github.com/Yubico/python-fido2.git
$ pip install yubikey-manager

Beyond that, YMMV. I don't have any Yubikey 5s to verify that functionality

Lucas


Re: ykman fido list Exception: Unsupported platform: openbsd6

Armands Stiegra
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, May 23, 2020 12:36 PM, Lucas Raab <[hidden email]> wrote:

> On Sat, May 23, 2020 at 11:39:33AM +0000, Armands Stiegra wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Saturday, May 23, 2020 11:06 AM, Stuart Henderson [hidden email] wrote:
> >
> > > On 2020/05/23 09:41, Armands Stiegra wrote:
> > >
> > > > Hello, dear OpenBSD developers,
> > > > Humbly asking for your help, as I am unable to figure out, how to fix
> > > > the error below and if it is a known problem. It seems to me that
> > > > yubikey-manager fido functionality is not working on a fresh install
> > > > of OpenBSD 6.7.
> > >
> > > ykman requires python-fido2 to do this; python-fido2 has not implemented
> > > this functionality on OpenBSD.
> >
> > Thank you for your quick explanation.
> > Is there currently any other way to set FIDO PIN on a Yubikey on OpenBSD to use a resident key?
> > $ ssh-keygen -t ed25519-sk -O resident
> > Generating public/private ed25519-sk key pair.
> > You may need to touch your authenticator to authorize key generation.
> > Enter file in which to save the key (/home/stiegra/.ssh/id_ed25519_sk):
> > Enter passphrase (empty for no passphrase):
> > Enter same passphrase again:
> > Your identification has been saved in /home/stiegra/.ssh/id_ed25519_sk
> > Your public key has been saved in /home/stiegra/.ssh/id_ed25519_sk.pub
> > The key fingerprint is:
> > ...
> > $ ssh-keygen -Kvvv
> > debug3: start_helper: started pid=12899
> > debug3: ssh_msg_send: type 5
> > debug3: ssh_msg_recv entering
> > debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> > debug1: sshsk_load_resident: provider "internal"
> > debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> > debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_INVALID_ARGUMENT
> > debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> > debug1: ssh-sk-helper: reply len 4
> > debug3: ssh_msg_send: type 5
> > debug3: reap_helper: pid=12899
> > Enter PIN for authenticator:
> > debug3: start_helper: started pid=7343
> > debug3: ssh_msg_send: type 5
> > debug3: ssh_msg_recv entering
> > debug1: start_helper: starting /usr/libexec/ssh-sk-helper
> > debug1: sshsk_load_resident: provider "internal", have-pin
> > debug1: ssh_sk_load_resident_keys: trying /dev/fido/0
> > debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> > debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/fido/0
> > debug1: ssh-sk-helper: reply len 4
> > debug3: ssh_msg_send: type 5
> > debug3: reap_helper: pid=7343
> > No keys to download
> > This line suggests that PIN is not set:
> > debug1: read_rks: get metadata for /dev/fido/0 failed: FIDO_ERR_PIN_NOT_SET
> > Kind regards
> > Armands Stiegra
>
> You might try using a virtualenv with cloning python-fido2 vs installing
> from pypi/ports.
>
> $ python3 -m venv fido2
> $ . fido2/bin/activate
> $ pip install git+https://github.com/Yubico/python-fido2.git
> $ pip install yubikey-manager
>
> Beyond that, YMMV. I don't have any Yubikey 5s to verify that functionality
>
> Lucas

Thanks Lucas and Stuart for your help and great idea, it actually worked. I am happy.

I was able to set FIDO PIN and store a resident SSH key.

From what I tested, I can report that

(fido2) stiegra$ ykman fido

commands work using Git version of yubikey-manager, although not perfectly - they are hanging a bit, but remove/reinsert of yubikey helps.

Only

(fido2) stiegra$ ykman fido reset

does not work, but that is probably expected:

(fido2) stiegra$ ykman fido reset
WARNING! This will delete all FIDO credentials, including FIDO U2F credentials, and restore factory settings. Proceed? [y/N]: y
Remove and re-insert your YubiKey to perform the reset...
Usage: ykman fido reset [OPTIONS]
Try 'ykman fido reset -h' for help.

Error: Reset failed.

Kind regards
Armands Stiegra


Re: ykman fido list Exception: Unsupported platform: openbsd6

Stuart Henderson
On 2020/05/23 13:52, Armands Stiegra wrote:
> On Saturday, May 23, 2020 12:36 PM, Lucas Raab <[hidden email]> wrote:
> > $ pip install git+https://github.com/Yubico/python-fido2.git

Interesting, worr had a diff committed there adding OpenBSD support.
Even with hangs that seems somewhat useful so I've updated the port in
-current to pull that in. The hangs seem pretty consistent: I am able
to get it to do one operation, then it hangs and I need to unplug/replug.

> I was able to set FIDO PIN and store a resident SSH key.
>
> From what I tested, I can report that
>
> (fido2) stiegra$ ykman fido
>
> commands work using Git version of yubikey-manager, although not perfectly - they are hanging a bit, but remove/reinsert of yubikey helps.

The git version of yubikey-manager doesn't seem necessary to get this to
work so I haven't updated the port of that.

> (fido2) stiegra$ ykman fido reset
>
> does not work, but that is probably expected:
>
> (fido2) stiegra$ ykman fido reset
> WARNING! This will delete all FIDO credentials, including FIDO U2F credentials, and restore factory settings. Proceed? [y/N]: y
> Remove and re-insert your YubiKey to perform the reset...
> Usage: ykman fido reset [OPTIONS]
> Try 'ykman fido reset -h' for help.
>
> Error: Reset failed.

I'm not sure what to expect to work and not work with these really.


Re: ykman fido list Exception: Unsupported platform: openbsd6

Armands Stiegra
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, May 23, 2020 10:23 PM, Stuart Henderson <[hidden email]> wrote:

> The git version of yubikey-manager doesn't seem necessary to get this to
> work so I haven't updated the port of that.

I am sorry, it was my mistake. I meant "git version of python-fido2". Thank you very much.

Kind regards
Armands Stiegra


Re: ykman fido list Exception: Unsupported platform: openbsd6

Stuart Henderson
On 2020/05/23 23:23, Stuart Henderson wrote:
> On 2020/05/23 13:52, Armands Stiegra wrote:
> > On Saturday, May 23, 2020 12:36 PM, Lucas Raab <[hidden email]> wrote:
> > > $ pip install git+https://github.com/Yubico/python-fido2.git
>
> Interesting, worr had a diff committed there adding OpenBSD support.
> Even with hangs that seems somewhat useful so I've updated the port in
> -current to pull that in. The hangs seem pretty consistent: I am able
> to get it to do one operation, then it hangs and I need to unplug/replug.

...and that is fixed with this diff from patrick@:

Index: uhidev.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/uhidev.c,v
retrieving revision 1.79
diff -u -p -r1.79 uhidev.c
--- uhidev.c 22 Feb 2020 14:01:34 -0000 1.79
+++ uhidev.c 24 May 2020 15:16:00 -0000
@@ -521,6 +521,7 @@ uhidev_open(struct uhidev *scd)
  error = EIO;
  goto out1;
  }
+ usbd_clear_endpoint_stall(sc->sc_ipipe);
 
  DPRINTF(("uhidev_open: sc->sc_ipipe=%p\n", sc->sc_ipipe));
 
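Review bot: the return value of usbd_clear_endpoint_stall(sc->sc_ipipe) is dropped, although the block directly above it treats a failure as fatal with error = EIO and goto out1. Either check the result and take the same out1 path, or add a one-line comment saying why a failed clear can be ignored at this point.
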
@@ -547,6 +548,8 @@ uhidev_open(struct uhidev *scd)
  error = EIO;
  goto out2;
  }
+ usbd_clear_endpoint_stall(sc->sc_opipe);
+
  DPRINTF(("uhidev_open: sc->sc_opipe=%p\n", sc->sc_opipe));
 
  sc->sc_oxfer = usbd_alloc_xfer(sc->sc_udev);
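
Review bot: the usbd_clear_endpoint_stall(sc->sc_opipe) call carries no comment explaining why the stall is cleared unconditionally in uhidev_open(); a short comment above it, and above the matching sc_ipipe call, recording the hang it fixes would keep it from being dropped later as redundant. Its result is also unchecked before usbd_alloc_xfer() runs, so a failure here goes unnoticed where the preceding error path would have gone to out2.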