FreeBSD and u2f devices

iandstanley


Hi

REPURPOSING A HAND-ME-DOWN CHEAPO LAPTOP
Having spent a *long time* in penguinland I have been getting back to FreeBSD with a cheap acer laptop a friend gave me. (Windows 10 was now too big for it to update itself on. lol). I first tried my trusty debian but couldn't get the bootloader to work.

So I decided to see if I could get FreeBSD to install on it. Over the years I drifted away from BSD due to a series of laptops where I couldn't get networking/sound/peripherals working due to a bunch of cheaper laptops. I was surprised to find how much easier FreeBSD has become over the years. Thank you all for your hard work.

Anyway, this tiny non-removable 32gb drive laptop I plan to use mainly for writing and email; spending about half of my time outside of X for a distraction-free environment.

The system is mostly set up thanks to the great guides in the handbook and some useful posts in the forums.

However, I have found a couple of problems that I cannot resolve and was wondering if anybody could give me any pointers to what I have missed.

I have been trying to get my Yubikeys working with FreeBSD 13.0-RELEASE.

I've managed to get the keys working partially but not with the main functions I use the keys for regularly (u2f account protection of websites). Despite the keys being recognised by the system and even being usable by some programs, other programs like Yubico's own gui tools just fail. Neither can I use u2f in firefox to access any of my web accounts.

I've installed from pkg repo for simplicity.

SETUP
So far I have installed:
  • u2f-devd and libu2f-host
    (and followed instructions I found on the forums for adding user to u2f group and restarting devd)
  • libyubikey
  • yubico-piv-tool, yubikey-agent, yubikey-manager-qt, yubikey-personalization-gui, pam_yubico, all ready for when it is working
  • pcsc-lite, opensc

I'm running openssh-portable 8.4, gpg 2.2.27


PROBLEM
I am having problems:
  1. authenticating using u2f into website under firefox 88 (default pkg install)
  2. running Yubico's tools

FIREFOX
I have also enabled firefox's u2f and webauthn support in about:config. The following are all set to true:
  • security.webauth.u2f
  • security.webauthn.webauthn
  • security.webauthn.webauthn_enable_usbtoken

My main use case is fido2/u2f support in webpages (though I also use ssh and gpg less often).

When I try to log into any fido2/u2f protected account e.g. my github account, I login normally and click on 'use security key', then firefox pops up a small window saying github wants to authenticate using a registered security key but it cannot find the yubikey. It is as if the yubikey or the usb port is dead - firefox just hangs there waiting for the key.

Dmesg reports the key insertion OK and other tools recognise the yubikey and can use it but firefox fails.


DMESG RECOGNISES
dmesg reports that the key is found and I can use my short press to make the yubikey insert an OTP

Code:
ugen0.7: <Yubico YubiKey OTP+FIDO+CCID> at usbus0
ukbd0 on uhub0
ukbd0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.27, addr 14> on usbus0
kbd2 at ukbd0
uhid0 on uhub0
uhid0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.27, addr 14> on usbus0

YKINFO PASSES
ykinfo -s reports the yubikey serial number with the Yubikey 5

YUBICO-PIV-TOOL WORKS
Yubico's PIV tool works fine recognising the yubikey

GPG PASSES
gpg --card-status reads the yubikey fine and I can fetch my public key from the gpg/card> prompt and it reads and fetches key. I can encrypt and decrypt messages with the yubikey (reads pin and touch before decrypting).


FAILING - ALL YUBICO CLIENTS and the YKCHALRESP
If I try to run any of the gui clients or run ykchalresp from the command line they either abort quietly or complain there is no valid yubikey

Any ideas would be greatly appreciated.

Ian

PS
CF MY LINUX BOX
This all works fine on my linux box with both of the yubikey keys tried (one security and one 5)
 