Open ohz10 opened 2 years ago
Can you try running ykman --diagnose info, as both root and unprivileged user? Maybe that could help determine what the problem is.
On another note you could also try using sudo -E, as that should preserve environment variables (including DISPLAY) for the sudo-ed command.
FYI, there's no sudo on OpenBSD by default anymore (and I won't be installing it). I can use doas and I believe I can preserve environment variables - but one at a time, not the entire user environment. Do you happen to have a list of what might be needed besides DISPLAY?
I'll try ykman --diagnose info when I get home tonight.
As usual, things are just different on OpenBSD.
# ykman --diagnose info
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try 'ykman -h' for help.
Error: No such option: --diagnose
I was able to run 'ykman' with elevated perms using 'doas'. It turns out there's a 'keepenv' option and using that got me past the DISPLAY issue when trying to run 'yubikey-personalization-GUI', however it still failed b/c it isn't able to execute correctly under 'doas' because Qt can't load the platform plug-in 'xcb' when run this way.
Ah, my mistake - version 3.1.1 is way before --diagnose was added. Please try ykman --log-level debug info instead. Is there any way you can try a newer version?
Also, ykman doesn't use Qt. Are you talking about the GUI (yubikey-manager-qt), or both the CLI and GUI?
Regarding Qt. Both my password manager, which needs to read the Yubikey, and the yubikey-personalization-gui use Qt.
This uses pcscd to communicate with the actual hardware. You probably need to grant yourself permission to read-write to its socket. On my system, that's in /run/pcscd/pcscd.comm. Probably adding yourself to whatever group owns that is enough.
Thanks, I will give this a try next time I get a chance.
Things might have changed over time, but I wanted to leave a note here about how I resolved the issue. I had to set g+rw permissions on the USB device and ensure that my user was added to the operator group (or wheel).
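A check for the setup described in the comments above (group ownership plus g+rw on the pcscd socket or the USB device node), added here as an example; it is not part of the original thread or of ykman. The helper name check_group_rw is hypothetical, and the path to inspect is passed as an argument because it differs between systems.

```shell
#!/bin/sh
# Added example (not from the thread): check_group_rw is a hypothetical helper.
# Usage: check_group_rw PATH [USER]
# Returns 0 if USER gets read-write on PATH through the owner or group bits,
# 1 if group membership or g+rw is missing, 2 if PATH does not exist.
# With no USER, id(1) reports the groups of the current login session,
# which only pick up a new group membership after logging in again.
check_group_rw() {
    crw_path=$1
    crw_user=${2-}
    [ -e "$crw_path" ] || { echo "$crw_path: not found"; return 2; }

    # ls -ldn prints numeric ids and behaves the same on OpenBSD and Linux,
    # unlike stat(1), whose format flags differ between the two.
    read -r crw_mode crw_links crw_uid crw_gid crw_rest <<EOF
$(ls -ldn "$crw_path")
EOF
    crw_own=$(printf '%s' "$crw_mode" | cut -c2-3)   # owner r/w bits
    crw_grp=$(printf '%s' "$crw_mode" | cut -c5-6)   # group r/w bits

    # If the user owns the node, only the owner bits apply; group bits are ignored.
    if [ "$(id -u ${crw_user:+"$crw_user"})" = "$crw_uid" ]; then
        [ "$crw_own" = "rw" ] && { echo "ok: owner has rw"; return 0; }
        echo "owner lacks rw (mode $crw_mode)"; return 1
    fi

    crw_rc=0
    case " $(id -G ${crw_user:+"$crw_user"}) " in
        *" $crw_gid "*) ;;
        *) echo "${crw_user:-current user} is not in gid $crw_gid"; crw_rc=1 ;;
    esac
    if [ "$crw_grp" != "rw" ]; then
        echo "group lacks rw (mode $crw_mode), needs chmod g+rw"; crw_rc=1
    fi
    [ "$crw_rc" -eq 0 ] && echo "ok: group $crw_gid grants rw"
    return "$crw_rc"
}

# Run directly as: sh check.sh PATH [USER]
if [ $# -gt 0 ]; then check_group_rw "$@"; fi
```

Granting access through a group and g+rw keeps the device closed to other local users, which opening it to everyone would not.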
YubiKey Manager (ykman) version: 3.1.1
Libraries: libykpers 1.20.0 libusb 1.0.23
How was it installed?:
pkg_add yubikey-manager
Operating system and version:
OpenBSD 6.9 GENERIC.MP#3 amd64
YubiKey model and version:
Yubikey 5C
Bug description summary:
This isn't a bug, but a request for help with configuration. I was able to detect & configure my yubikey as root, however, I can't detect, read, or configure my yubikey as an unprivileged user.
Steps to reproduce
$ ykman info
Expected result
Actual results and logs
Other info
pcscd is running.
I'm sure there are some permissions I need to add somewhere, but I'm not sure exactly what's necessary. I tried using ktrace to figure out what devices were being opened and read, and then adding group read/write permissions on those devices, but it didn't resolve my issue - I still wasn't able to read/configure the yubikey as an unprivileged user.
I need to be able to at least detect and read the yubikey as a normal user so I can use it with my password manager keepassxc. Using doas or sudo doesn't seem to help in this scenario, because when run that way, keepassxc can't connect to my unprivileged user's DISPLAY.