[Solved] Using Yubikey OTP with HID with Yubikey FIDO2 (ed25519-sk) for SSH does not work properly

Hi,

Last weekend I tried to set up a Yubikey. When I started with setting up a static password (first I reset OTP and FIDO), I noticed that the long press of the Yubikey did not work. After checking on the internet, I found on the Yubikey site (https://developers.yubico.com/yubikey-manager/, section: FreeBSD) some information on how to set up HID. Without really knowing what I was doing, after a reboot and the following changes:

When using FreeBSD 13 or higher, you can switch to the more modern hidraw(4) driver. This allows YubiKey Manager to access OTP HID in a non-exclusive way, so that the key will still function as a USB keyboard:

Code:
sysrc kld_list+="hidraw hkbd"
cat >>/boot/loader.conf<<EOF
hw.usb.usbhid.enable="1"
hw.usb.quirk.0="0x1050 0x0010 0 0xffff UQ_KBD_IGNORE"  # YKS_OTP
hw.usb.quirk.1="0x1050 0x0110 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP
hw.usb.quirk.2="0x1050 0x0111 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_CCID
hw.usb.quirk.3="0x1050 0x0114 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_FIDO
hw.usb.quirk.4="0x1050 0x0116 0 0xffff UQ_KBD_IGNORE"  # NEO_OTP_FIDO_CCID
hw.usb.quirk.5="0x1050 0x0401 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP
hw.usb.quirk.6="0x1050 0x0403 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_FIDO
hw.usb.quirk.7="0x1050 0x0405 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_CCID
hw.usb.quirk.8="0x1050 0x0407 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_FIDO_CCID
hw.usb.quirk.9="0x1050 0x0410 0 0xffff UQ_KBD_IGNORE"  # YKP_OTP_FIDO
EOF

After the reboot, the Yubikey long press was working; also some ykman commands that previously were not showing any data were working normally.

Next I wanted to set up FIDO2 for SSH (I refer to: https://forums.freebsd.org/threads/...-2-on-2-vms-password-is-still-prompted.87715/). In the step ssh-keygen -t ed25519-sk, I kept on having the error: Key enrollment failed: invalid format. With debug information it refers to ssh-sk-helper that fails.

What I noticed is that when setting the sysctl hw.usb.usbhid.enable="0" and removing and reinserting the Yubikey, the command ssh-keygen -t ed25519-sk works fine. (The physical server has the latest OS and patches installed; all applications are on the latest quarterly version.) I still don't know why, but doing the same on a VM I don't have this issue. The physical server has a lot fewer ports installed and is leaner.

Could anybody help me out ...

Best Regards,
 
Maybe it will be fixed for 13.2-RELEASE, see

PR 265528
PR 263995

TLDR: Using the newer hidraw driver will make fido2 webauthn not work.
But on 13.2-BETA3 we have a report that it is working for ssh-sk:
Romain Tartière said:
I just updated my FreeBSD 13.1-RELEASE to 13.2-BETA3 and can now enjoy working ed25519-sk <3 Thanks a lot for fixing this!
 
Hi,

Sorry to reopen this thread again. Some weeks ago I set up ed25519-sk, but this time on a real physical server. There the tool was not asking to tap my key; instead a prompt occurred. Even after doing the trick above to disable/enable (sysctl hw.usb.usbhid.enable="0"), it was not working. When I have time I will try to test again some other ways in a different order. I found it strange as those servers are very lean, just the plain OS. I don't want to go ahead with installing things until this key is fully working. The latest OSes are installed; the yubikey is fully working, ykman too, and other command tools as well, which was not the case on the previous FreeBSD 13.1.

Best Regards,

R
 
Hi,

After a clean install on a physical machine (FreeBSD 13.2 with the latest patch), here is the behaviour I noticed:
  • When sysctl hw.usb.usbhid.enable="1": neither fido2-token -L nor ykman fido info provides any input, but tapping the key gives a static password.
  • When sysctl hw.usb.usbhid.enable="0" and I unplug and plug the key again: both fido2-token and ykman provide the correct information, but I cannot tap the key anymore.
SSH does not seem to know there is a Yubikey and searches in the certificates, so there is also something not working as it should.

The information in fido2-token -L matches this line (for /dev/uhid1):
hw.usb.quirk.8="0x1050 0x0407 0 0xffff UQ_KBD_IGNORE" # YK4_OTP_FIDO_CCID

It does not seem to detect the key and goes to interactive mode = keyboard password prompt.

Tomorrow I will try out some other new ideas.

Best Regards,
 
Hi,

Follow up:
Yesterday I did not want to regenerate my private key + public key; normally these steps are fairly easy and I did that well. However, after testing a few things that did not work, I decided to regenerate my private key and public key again. I don't know why technically this has an impact, but now it works even after a reboot.

It's a bit of juggling around with the sysctl hw.usb.usbhid.enable="1" or "0", because if part of the password for the private key file is inside the static password of the yubikey you first need to switch it to 1, unplug and plug it (then you are in the 1 mode). Then use the static password, but before hitting ENTER, switch the parameter back to "0" (unplug, plug) so the key can be found.

The final conclusion is that the workaround that exists, switching the sysctl hw.usb.usbhid.enable to "1" or "0", makes it possible to use the FIDO and STATIC PASSWORD features of the Yubikey. And although I don't understand the reason behind it, by creating new keys (ssh-keygen -t ed25519-sk) on FreeBSD 13.2 it all worked.

Best Regards,
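An added helper script (not from the thread, Yubico or FreeBSD) that checks whether an attached Yubico device is covered by a UQ_KBD_IGNORE quirk in /boot/loader.conf and which of the two modes reported in this thread the current hw.usb.usbhid.enable value puts it in, before you run ssh-keygen -t ed25519-sk. It assumes the usbconfig(8) dump format with "idVendor = 0x1050" / "idProduct = 0x0407" lines; the sample dump and quirk lines are constructed from the thread's own values.

```shell
#!/bin/sh
# Added example (not from the thread or Yubico). Assumes FreeBSD's usbconfig(8)
# "idVendor = 0x1050" / "idProduct = 0x0407" dump format and /boot/loader.conf quirks.

# Constructed sample of `usbconfig dump_device_desc` output for a YK4 OTP+FIDO+CCID key.
SAMPLE_DESC='ugen0.3: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)
  idVendor = 0x1050
  idProduct = 0x0407'

# Constructed sample of quirk lines as the thread adds them to /boot/loader.conf.
SAMPLE_QUIRKS='hw.usb.quirk.0="0x1050 0x0010 0 0xffff UQ_KBD_IGNORE"  # YKS_OTP
hw.usb.quirk.8="0x1050 0x0407 0 0xffff UQ_KBD_IGNORE"  # YK4_OTP_FIDO_CCID'

# Print "vendor:product" (lowercase hex) for every Yubico (0x1050) device in a usbconfig dump.
yubico_ids() {
  printf '%s\n' "$1" | awk '
    /^ *idVendor / { v = tolower($3) }
    /^ *idProduct / { if (v == "0x1050") print v ":" tolower($3) }'
}

# Exit 0 if loader.conf text $1 contains a UQ_KBD_IGNORE quirk for vendor:product $2.
quirk_covers() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^hw\.usb\.quirk\.[0-9]+=/ {
      split($0, q, "\"")                # q[2] is the quoted quirk body
      n = split(q[2], f, " ")
      if (n >= 5 && (tolower(f[1]) ":" tolower(f[2])) == want && f[5] == "UQ_KBD_IGNORE")
        found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Map hw.usb.usbhid.enable ($1) to the mode the thread observed on 13.2:
# 1 = OTP keyboard (long press / static password works, fido2-token and ssh-sk-helper see nothing)
# 0 = FIDO (fido2-token, ykman fido info and ssh-keygen -t ed25519-sk work, taps type nothing)
expected_mode() {
  case "$1" in 1) echo otp-keyboard ;; 0) echo fido ;; *) echo unknown ;; esac
}

# Live report; only runs on FreeBSD, elsewhere the functions are just defined.
if [ "$(uname -s)" = FreeBSD ] && command -v usbconfig >/dev/null 2>&1; then
  hid=$(sysctl -n hw.usb.usbhid.enable 2>/dev/null)
  for id in $(yubico_ids "$(usbconfig dump_device_desc 2>/dev/null)"); do
    quirk_covers "$(cat /boot/loader.conf)" "$id" && q=covered || q=missing
    echo "$id: UQ_KBD_IGNORE quirk $q; usbhid.enable=$hid -> $(expected_mode "$hid")"
  done
fi
```

If the report says "fido" but ssh-keygen still falls back to a password prompt, unplug and replug the key, since the thread shows the sysctl only takes effect for newly attached devices.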
 