Hi,
Last weekend I tried to set up a Yubikey. When I started with setting up a static password (first I reset OTP, FIDO), I noticed that the long press of the Yubikey did not work. After checking on the internet, I found on the Yubikey site (https://developers.yubico.com/yubikey-manager/, section: FreeBSD) some information on how to set up HID. Without really knowing what I was doing after a reboot and following changes:
When using FreeBSD 13 or higher, you can switch to the more modern hidraw(4) driver. This allows YubiKey Manager to access OTP HID in a non-exclusive way, so that the key will still function as a USB keyboard:
Code:
sysrc kld_list+="hidraw hkbd"
cat >>/boot/loader.conf<<EOF
hw.usb.usbhid.enable="1"
hw.usb.quirk.0="0x1050 0x0010 0 0xffff UQ_KBD_IGNORE" # YKS_OTP
hw.usb.quirk.1="0x1050 0x0110 0 0xffff UQ_KBD_IGNORE" # NEO_OTP
hw.usb.quirk.2="0x1050 0x0111 0 0xffff UQ_KBD_IGNORE" # NEO_OTP_CCID
hw.usb.quirk.3="0x1050 0x0114 0 0xffff UQ_KBD_IGNORE" # NEO_OTP_FIDO
hw.usb.quirk.4="0x1050 0x0116 0 0xffff UQ_KBD_IGNORE" # NEO_OTP_FIDO_CCID
hw.usb.quirk.5="0x1050 0x0401 0 0xffff UQ_KBD_IGNORE" # YK4_OTP
hw.usb.quirk.6="0x1050 0x0403 0 0xffff UQ_KBD_IGNORE" # YK4_OTP_FIDO
hw.usb.quirk.7="0x1050 0x0405 0 0xffff UQ_KBD_IGNORE" # YK4_OTP_CCID
hw.usb.quirk.8="0x1050 0x0407 0 0xffff UQ_KBD_IGNORE" # YK4_OTP_FIDO_CCID
hw.usb.quirk.9="0x1050 0x0410 0 0xffff UQ_KBD_IGNORE" # YKP_OTP_FIDO
EOF
After the reboot, the Yubikey long press was working; also, some ykman commands that previously were not showing any data were working normally.
Next I wanted to set up FIDO2 for SSH (I refer to: https://forums.freebsd.org/threads/...-2-on-2-vms-password-is-still-prompted.87715/). In the step: ssh-keygen -t ed25519-sk, I kept on having the error: Key enrollment failed: invalid format. With debug information it refers to ssh-sk-helper that fails. What I noticed is that when setting the sysctl hw.usb.usbhid.enable="0" and removing and reinserting the Yubikey, the command: ssh-keygen -t ed25519-sk works fine. (The physical server has the latest OS and patches installed; all applications are on the latest quarterly version.) I still don't know why, but doing the same on a VM I don't have this issue. The physical server has a lot fewer ports installed and is more lean.
Could anybody help me out ...
Best Regards,