Share USB Device over Network with socat

I have the following USB device installed on a Raspberry Pi running FreeBSD 13.1:

Code:
# usbconfig -d ugen1.4 show_ifdrv
ugen1.4: <Yubico Yubikey 4 OTP+U2F+CCID> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)
ugen1.4.0: ukbd0: <Yubico Yubikey 4 OTP+U2F+CCID, class 0/0, rev 2.00/4.42, addr 4>
ugen1.4.1: uhid0: <Yubico Yubikey 4 OTP+U2F+CCID, class 0/0, rev 2.00/4.42, addr 4>

I would like to attach that device to a remote FreeBSD 13.1 server running as a virtual machine.

I have successfully done something similar with a Z-WAVE USB dongle for misc/openhab using net/socat and net/ser2net. However, this question has nothing to do with OpenHAB.

I have tried the following.

On the Raspberry Pi:
socat tcp-l:3334,keepalive,reuseaddr /dev/ugen1.4

On the remote virtual server:
socat pty,link=/dev/ugen1.4,ignoreof,waitslave tcp:192.168.0.72:3334

The usbconfig command does not list it as a device:

Code:
# usbconfig
ugen0.1: <(0x15ad) UHCI root HUB> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen1.1: <(0x15ad) EHCI root HUB> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: <VMware VMware Virtual USB Mouse> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (0mA)
ugen0.3: <VMware, Inc. VMware Virtual USB Hub> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)

I also tried using /dev/ukbd0 and /dev/uhid0 directly, but ykman piv info reports nothing found.
 
Perhaps I'm overlooking something here, but wouldn't doing this (sharing it over a network) "defeat the purpose" of using it for authentication?

All approaches for human authentication rely on at least one of the following:
  • Something you know (e.g. a password)
  • Something you have (e.g. a smartcard)
  • Something you are (e.g. a fingerprint)
  • Someone you know (e.g. celebrity or public figure)*
(see: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html)

Not srs
 
Actually the opposite is true in my use case (in my opinion at least). It's a perfectly valid situation:
  1. Rather than have the Yubikey attached to one of the USB ports on the hypervisor in a separate room, the key remains with me.
  2. There is less chance that the key gets attached to the wrong VM
  3. It does not occupy one of the limited number of USB ports on a server
  4. USB pass through to a guest VM on the hypervisor is not always reliable
  5. Can't take advantage of VMware's VMotion feature if the VM is reliant on a USB device being connected physically to the host server
 
Have you tried to do this with /dev/usb/1.4.0 (and all the others in 1.4.*)?
And then simply do the symlink /dev/ugen1.4 -> usb/1.4.0

And if it still does not work, complete it with each device (ukbd, uhid).

Is the use case SSH key authentication? Or is there more functionality needed?
 
It really sounds like you want to eliminate the usefulness of the Yubikey here, for me.

Perhaps if you gave me an example use case it would make more sense?
 