From: Niclas Zeising
Date: Thu, 6 Sep 2018 13:48:10 +0200
Subject: Re: Yubico Security Keys
To: Robert Ames, "O'Connor, Daniel"
Cc: "freebsd-stable@freebsd.org"

On 09/05/18 20:34, Robert Ames wrote:
> On Wed, Sep 05, 2018 at 01:00:20PM +0930, O'Connor, Daniel wrote:
>>> On 5 Sep 2018, at 12:43, Robert Ames wrote:
>>>>> On 5 Sep 2018, at 08:33, Robert Ames wrote:
>>>>> FreeBSD sees the device:
>>>>>
>>>>> Sep 4 17:25:13 freebsd kernel: ugen1.4: at usbus1
>>>>> Sep 4 17:25:13 freebsd kernel: uhid0 on uhub4
>>>>> Sep 4 17:25:13 freebsd kernel: uhid0: on usbus1
>>>>>
>>>>> So should this just work out of the box or is there something I'm
>>>>> missing?
>>>>
>>>> Hi Robert,
>>>> I don't have any Yubikeys but have you tried checking the permissions of /dev/uhid0* and /dev/ugen1.4 (which will be a symlink to usb/1.4.0) ?
>>>> You can chmod them for now and then if that works have a devd conf or devfs rule which sets the permissions appropriately when the device is connected.
>>>>
>>>> If permissions are the problem it would be nice to see if the error message can be improved too :)
>>>>
>>>> --
>>>> Daniel O'Connor
>>>
>>> I had done a manual chmod 777 /dev/usb/1.4.0 but had overlooked /dev/uhid0.
>>> Once I did a chmod 777 on that it worked. Thank you. Any suggestions on the
>>> best way to add a devd conf or devfs rule for this thing?
>>
>> Add this to /etc/devfs.conf..
>> [root=100]
>> add path 'uhid*' group users mode 660
>>
>> (Assuming your user is in the 'users' group - adjust to taste, devfs(8) has the details)
>>
>> And this to /etc/rc.conf..
>> devfs_system_ruleset="root"
>>
>> Then do..
>> sudo service devfs restart
>>
>> And unplug/replug the key.
>>
>> --
>> Daniel O'Connor
>
> Yes, that works (using /etc/devfs.rules). Thanks. I also got it to work
> using /etc/devd.conf
>
> # Yubico Security Key
> attach 100 {
>     match "vendor" "0x1050";
>     match "product" "0x0120";
>     device-name "uhid[0-9]+";
>     action "/usr/sbin/chown robert /dev/$device-name";
> };
>
> running "usbconfig dump_device_desc" to get the vendor and product ids.
> I didn't have to touch /dev/ugen1.4 or /dev/usb/1.4.0. Not sure which is
> the more correct way to do this. But they both work.
>
> So things now work great on the Yubico demo site. Sadly I cannot get it
> to work in Google. Google doesn't respond when I press the gold disc
> during the registration process.

There is a port, security/u2f-devd [0] that sets up devd rules for use with Yubico and other devices. That works great for me. Install it and follow the instructions.

[0] https://www.freshports.org/security/u2f-devd/

Regards
--
Niclas
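
A check to run after applying either fix from the thread, as an added example that is not part of the original messages: it reads `ls -l` output for the uhid nodes and reports any node still open to "other" (such as one left at 777 from testing) or group-accessible by a group other than the intended one. The function name `audit_uhid`, the sample listing and the choice of `users` as the intended group are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit uhid device nodes after the
# devfs/devd changes and report any left wider than intended.

# Constructed sample of `ls -l /dev/uhid*` output (not captured from a real host).
SAMPLE_LS='crwxrwxrwx  1 root    wheel  0x5c Sep  4 17:25 /dev/uhid0
crw-rw----  1 root    users  0x5d Sep  4 17:25 /dev/uhid1
crw-rw----  1 root    wheel  0x5e Sep  4 17:25 /dev/uhid2
crw-------  1 robert  wheel  0x5f Sep  4 17:25 /dev/uhid3'

# audit_uhid GROUP
# Reads `ls -l` lines on stdin. Prints one finding per line for each node
# that grants any access to "other", or grants group access to a group
# other than GROUP. Returns 1 if anything was reported, otherwise 0.
audit_uhid() {
    want_group=$1
    bad=0
    while read -r mode links owner group rest; do
        [ -n "$rest" ] || continue          # skip blank or short lines
        node=${rest##* }                    # last field is the device path
        case $mode in
            c??????---*) ;;                 # no permission bits for "other"
            c*) echo "WORLD $node mode=$mode"; bad=1 ;;
            *)  continue ;;                 # not a character device line
        esac
        case $mode in
            c???---*) ;;                    # group has no access at all
            *) if [ "$group" != "$want_group" ]; then
                   echo "GROUP $node group=$group"; bad=1
               fi ;;
        esac
    done
    return $bad
}

# Run against the constructed sample; uhid0 (left at 777) and uhid2
# (group access for an unintended group) are reported.
printf '%s\n' "$SAMPLE_LS" | audit_uhid users || true
```

On a live system the same function takes real input: `ls -l /dev/uhid* | audit_uhid users`.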