Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

ykman doesn't install on OpenBSD (6.3) #124

Closed rickard-von-essen closed 4 years ago

rickard-von-essen commented 6 years ago

I would like to gather all issues with getting Yubikey Manager to run on OpenBSD with the goal of providing a port (package) for ykman.

  1. pyscard doesn't compile on OpenBSD. Resolved: installing port pcsc-lite and the rest of deps from native OpenBSD packages resolves all issues.
  2. ykman crashes when a YubiKey is plugged in (but yubikey-personalization works). pcscd must be running.
  3. FIDO: pyu2f doesn't support OpenBSD, see https://github.com/google/pyu2f/blob/master/pyu2f/hid/__init__.py#L46
  4. CCID (oath, piv, ...): Fails to connect to device. open_reader doesn't return any device.
  5. OTP: Works! 🎉

rickard-von-essen commented 6 years ago

pyscard uses PCSC-lite, which states that it supports OpenBSD.

rickard-von-essen commented 6 years ago

$ ykman
Usage: ykman [OPTIONS] COMMAND [ARGS]...

  Configure your YubiKey via the command line.

Options:
  -v, --version
  -d, --device SERIAL
  -l, --log-level [DEBUG|INFO|WARNING|ERROR|CRITICAL]
                                  Enable logging at given verbosity level
  --log-file FILE                 Write logs to the given FILE instead of
                                  standard error; ignored unless --log-level
                                  is also set
  -h, --help                      Show this message and exit.

Commands:
  config   Enable/Disable applications.
  fido     Manage FIDO applications.
  info     Show general information.
  list     List connected YubiKeys.
  mode     Manage connection modes (USB Interfaces).
  oath     Manage OATH application.
  openpgp  Manage OpenPGP application.
  otp      Manage OTP Application.
  piv      Manage PIV application.
$ ykman -v
YubiKey Manager (ykman) version: 0.7.0
Libraries:
    libykpers 1.18.1
    libusb 1.0.21
$ pkg_info pcsc-lite
Information for inst:pcsc-lite-1.8.22p1

Comment:
resource manager for PC/SC

Description:
PC/SC architecture for most Unix type operating systems.
It allows easy porting of Windows smartcard software to other
operating systems. It supports many types of serial, PCMCIA, and
USB smartcard readers and cryptographic tokens.

Maintainer: David Coppa <dcoppa@openbsd.org>

WWW: http://pcsclite.alioth.debian.org/pcsclite.html

$ pip3.6 show pyscard
Name: pyscard
Version: 1.9.7
Summary: Smartcard module for Python.
Home-page: https://github.com/LudovicRousseau/pyscard
Author: Ludovic Rousseau
Author-email: ludovic.rousseau@free.fr
License: UNKNOWN
Location: /home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg
Requires: 
$ ykman info # No YubiKey present
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: No YubiKey detected!
$ ykman info # YubiKey present
Traceback (most recent call last):
  File "/home/rickard/.local/bin/ykman", line 11, in <module>
    load_entry_point('yubikey-manager==0.7.0', 'console_scripts', 'ykman')()
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/cli/__main__.py", line 211, in main
    cli(obj={})
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 1063, in invoke
    Command.invoke(self, ctx)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/cli/util.py", line 77, in inner
    f(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/cli/__main__.py", line 154, in cli
    dev = _run_cmd_for_single(ctx, subcmd.name, transports)
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/cli/__main__.py", line 115, in _run_cmd_for_single
    return descriptor.open_device(transports)
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/descriptor.py", line 88, in open_device
    for drv in _list_drivers(transports):
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/descriptor.py", line 140, in _list_drivers
    for dev in open_ccid():
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/driver_ccid.py", line 266, in open_devices
    readers = _list_readers()
  File "/home/rickard/.local/lib/python3.6/site-packages/ykman/driver_ccid.py", line 256, in _list_readers
    return System.readers()
  File "/home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg/smartcard/System.py", line 42, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg/smartcard/pcsc/PCSCReader.py", line 108, in readers
    hcontext = PCSCContext().getContext()
  File "/home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg/smartcard/pcsc/PCSCContext.py", line 53, in __init__
    PCSCContext.instance = PCSCContext.__PCSCContextSingleton()
  File "/home/rickard/.local/lib/python3.6/site-packages/pyscard-1.9.7-py3.6-openbsd-6.3-amd64.egg/smartcard/pcsc/PCSCContext.py", line 40, in __init__
    raise EstablishContextException(hresult)
smartcard.pcsc.PCSCExceptions.EstablishContextException: 'Failure to establish context: Service not available.'

rickard-von-essen commented 6 years ago

The same happens when using 7e71d5c

rickard-von-essen commented 6 years ago

Maybe someone can have a look at the stack trace and give me a hint on what to look into further?

dagheyman commented 6 years ago

Is there a pcscd daemon running?

rickard-von-essen commented 6 years ago

@dagheyman Yes! That was it! Works g one after starting pcscd.

I'll open a PR with added instructions for OpenBSD, after that I'll see if I can submit a port for pyscard and yubikey-manager.

Regardless of that, I think this should be handled with an error message hinting the user at possible solutions. "Error connecting to pcscd, is the service running?" etc.

dagheyman commented 6 years ago

Cool, thanks for the work on this!

> Regardless of that, I think this should be handled with an error message hinting the user at possible solutions. "Error connecting to pcscd, is the service running?" etc.

Fair point, I'll try to look into that.

rickard-von-essen commented 6 years ago

Good news: OTP works! 🎉 Bad news: FIDO and CCID don't, I'll dig some more.

rickard-von-essen commented 6 years ago

With CCID Transport:

2018-06-26T13:37:20+0200 INFO [ykman.logging_setup.setup:59] Initialized logging for ykman version: 0.7.1-dev
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x4, self.mode.transports: 0x7
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.open_device:80] Opening driver for serial: None, type: YUBIKEY.NEO, mode: OTP+FIDO+CCID
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 1 of 10
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.100000 s
[...]
2018-06-26T13:37:24+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2018-06-26T13:37:24+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 1.000000 s
2018-06-26T13:37:25+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found

This might just be that I haven't configured /etc/ccid/reader.conf...

rickard-von-essen commented 6 years ago

With FIDO Transport:

Traceback (most recent call last):
  File "/home/rickard/.local/bin/ykman", line 11, in <module>
    load_entry_point('yubikey-manager==0.7.1.dev0', 'console_scripts', 'ykman')()
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/cli/__main__.py", line 212, in main
    cli(obj={})
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 1063, in invoke
    Command.invoke(self, ctx)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/cli/util.py", line 77, in inner
    f(*args, **kwargs)
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/cli/__main__.py", line 154, in cli
    dev = _run_cmd_for_single(ctx, subcmd.name, transports)
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/cli/__main__.py", line 115, in _run_cmd_for_single
    return descriptor.open_device(transports)
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/descriptor.py", line 84, in open_device
    for drv in _list_drivers(transports):
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/descriptor.py", line 146, in _list_drivers
    for dev in open_fido():
  File "/home/rickard/.local/lib/python3.6/site-packages/yubikey_manager-0.7.1.dev0-py3.6.egg/ykman/driver_fido.py", line 86, in open_devices
    for dev in CtapHidDevice.list_devices(descriptor_filter):
  File "/home/rickard/.local/lib/python3.6/site-packages/fido2/hid.py", line 121, in list_devices
    for d in hidtransport.hid.Enumerate():
  File "/home/rickard/.local/lib/python3.6/site-packages/fido2/pyu2f/__init__.py", line 29, in Enumerate
    return InternalPlatformSwitch('Enumerate')
  File "/home/rickard/.local/lib/python3.6/site-packages/fido2/pyu2f/__init__.py", line 52, in InternalPlatformSwitch
    raise Exception('Unsupported platform: ' + sys.platform)
Exception: Unsupported platform: openbsd6

pyu2f doesn't support OpenBSD, see https://github.com/google/pyu2f/blob/master/pyu2f/hid/__init__.py#L46

I'll look into this last.

rickard-von-essen commented 6 years ago

Just one quick update: CCID fails because pcscd doesn't detect the YubiKey. Will continue to investigate that in more detail.

dagheyman commented 6 years ago

Do you have a port of libccid installed? If yes, what version? Support for YubiKey 4 was added in 1.4.20.

rickard-von-essen commented 6 years ago

Yeah, realized yesterday that I needed the ccid package and everything except FIDO works. I'll write some instructions for the README. When I have some spare time I'll see if I can write BSD support in py-u2f.

Could device scanning be done with libusb?

dagheyman commented 6 years ago

> Could device scanning be done with libusb?

Yes, pyusb typically uses libusb as a backend.

dagheyman commented 4 years ago

The tool seems to be uploaded to OpenBSD ports now (https://github.com/openbsd/ports/tree/04e8d1d98266c4fb884e5e29d70d94e702aaf862/security/yubico/yubikey-manager), closing the issue.
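
A triage helper for the three failure signatures that came up in this thread, added here as an example; it is not part of ykman or of the original discussion. The function names and cause labels are hypothetical, and the transport bit values are assumed to be OTP=0x1, FIDO=0x2, CCID=0x4, which is consistent with the 0x4 and 0x7 values in the CCID log above.

```python
import re

# Assumed ykman transport bit flags; consistent with the log in this thread
# (CCID-only request = 0x4, mode OTP+FIDO+CCID = 0x7).
TRANSPORTS = {0x1: "OTP", 0x2: "FIDO", 0x4: "CCID"}

def decode_transports(mask):
    """Turn a bitmask such as 0x7 into ['OTP', 'FIDO', 'CCID']."""
    return [name for bit, name in sorted(TRANSPORTS.items()) if mask & bit]

def triage(output):
    """Map captured ykman output to a cause, a user hint and retry details."""
    m = re.search(r"transports: (0x[0-9a-fA-F]+), self\.mode", output)
    requested = decode_transports(int(m.group(1), 16)) if m else []
    tries = re.findall(r"Attempt (\d+) of \d+", output)
    attempts = max((int(n) for n in tries), default=0)
    platform = re.search(r"Unsupported platform: (\S+)", output)
    if "EstablishContextException" in output:
        # PC/SC context could not be created: the daemon is not reachable.
        cause = "pcscd-not-running"
        hint = "Error connecting to pcscd, is the service running?"
    elif platform:
        cause = "fido-hid-unsupported"
        hint = "pyu2f does not support platform %s; FIDO is unavailable." % platform.group(1)
    elif "No matching device found" in output and "CCID" in requested:
        # Daemon is up but lists no reader for the key.
        cause = "ccid-reader-not-detected"
        hint = "pcscd does not see the YubiKey; is the ccid package installed?"
    else:
        cause, hint = "unknown", ""
    return {"cause": cause, "hint": hint, "requested": requested, "attempts": attempts}

# Samples abridged from the output quoted in this thread.
PCSCD_DOWN = ("smartcard.pcsc.PCSCExceptions.EstablishContextException: "
              "'Failure to establish context: Service not available.'")
CCID_LOG = """\
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x4, self.mode.transports: 0x7
2018-06-26T13:37:20+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 1 of 10
2018-06-26T13:37:24+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2018-06-26T13:37:25+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found
"""
FIDO_TRACE = "Exception: Unsupported platform: openbsd6"

if __name__ == "__main__":
    for sample in (PCSCD_DOWN, CCID_LOG, FIDO_TRACE):
        print(triage(sample))
```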