yubikey-manager
How to configure OpenBSD to allow ykman to run as unprivileged user?
YubiKey Manager (ykman) version: 3.1.1
Libraries: libykpers 1.20.0, libusb 1.0.23
How was it installed?: pkg_add yubikey-manager
Operating system and version: OpenBSD 6.9 GENERIC.MP#3 amd64
YubiKey model and version: YubiKey 5C
Bug description summary:
This isn't a bug, but a request for help with configuration. I was able to detect & configure my yubikey as root, however, I can't detect, read, or configure my yubikey as an unprivileged user.
Steps to reproduce
$ ykman info
Expected result
$ ykman info
Device type: YubiKey 5C
Serial number: XXXXXXXX
Firmware version: 5.2.6
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP+FIDO+CCID
Applications
OTP Enabled
FIDO U2F Enabled
OpenPGP Enabled
PIV Enabled
OATH Enabled
FIDO2 Enabled
Actual results and logs
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try 'ykman -h' for help.
Error: No YubiKey detected!
Other info
pcscd is running.
# rcctl ls started | grep pcscd
pcscd
I'm sure there are some permissions I need to add somewhere, but I'm not sure exactly what's necessary. I tried using ktrace to figure out what devices were being opened and read, and then adding group read/write permissions on those devices, but it didn't resolve my issue - I still wasn't able to read/configure the yubikey as an unprivileged user.
I need to be able to at least detect and read the yubikey as a normal user so I can use it with my password manager keepassxc. Using doas or sudo doesn't seem to help in this scenario, because when run that way, keepassxc can't connect to my unprivileged user's DISPLAY.
Can you try running ykman --diagnose info, as both root and unprivileged user? Maybe that could help determine what the problem is.
On another note you could also try using sudo -E, as that should preserve environment variables (including DISPLAY) for the sudo-ed command.
FYI, there's no sudo on OpenBSD by default anymore (and I won't be installing it). I can use doas and I believe I can preserve environment variables - but one at a time, not the entire user environment. Do you happen to have a list of what might be needed besides DISPLAY?
I'll try ykman --diagnose info when I get home tonight.
As usual, things are just different on OpenBSD.
# ykman --diagnose info
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try 'ykman -h' for help.
Error: No such option: --diagnose
I was able to run 'ykman' with elevated perms using 'doas'. It turns out there's a 'keepenv' option and using that got me past the DISPLAY issue when trying to run 'yubikey-personalization-GUI', however it still failed b/c it isn't able to execute correctly under 'doas' because Qt can't load the platform plug-in 'xcb' when run this way.
Ah, my mistake - version 3.1.1 is way before --diagnose was added. Please try ykman --log-level debug info instead. Is there any way you can try a newer version?
Also, ykman doesn't use Qt. Are you talking about the GUI (yubikey-manager-qt), or both the CLI and GUI?
Regarding Qt. Both my password manager, which needs to read the Yubikey, and the yubikey-personalization-gui use Qt.
This uses pcscd to communicate with the actual hardware. You probably need to grant yourself permission to read-write to its socket. On my system, that's in /run/pcscd/pcscd.comm. Probably adding yourself to whatever group owns that is enough.
Thanks, I will give this a try next time I get a chance.
Things might have changed over time, but I wanted to leave a note here about how I resolved the issue. I had to set g+rw permissions on the USB device and ensure that my user was added to the operator group (or wheel).
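The two pieces of advice in this thread (check who owns the pcscd socket and grant yourself read/write on it; set g+rw on the USB device node and join the owning group) can be turned into a quick permission audit that a user runs before changing anything. The script below is an added example, not code from the issue or from the yubikey-manager project. The socket path /run/pcscd/pcscd.comm comes from the thread; the /var/run variant and the /dev/ugen0.00 and /dev/usb0 device nodes are assumptions about where OpenBSD exposes pcscd and generic USB devices, so pass your own paths as arguments if they differ. It only reports and suggests; it does not change modes or group membership itself.

```shell
#!/bin/sh
# Added permission audit (not part of the issue thread): for each path, report
# whether the calling user can read and write it and which group owns it, so
# the fix described in the thread (chmod g+rw + add the user to the owning
# group) can be applied only where it is actually needed.

# Default candidates. /run/pcscd/pcscd.comm is the socket named in the thread;
# the other three paths are ASSUMPTIONS about OpenBSD's layout and may differ.
DEFAULT_PATHS="/run/pcscd/pcscd.comm /var/run/pcscd/pcscd.comm /dev/ugen0.00 /dev/usb0"

# file_group PATH : print the group that owns PATH (ls -ld parses the same on
# BSD and GNU userlands, unlike stat's flags).
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# in_group GROUP : succeed if the calling user is a member of GROUP.
in_group() {
    _g=$1
    for _m in $(id -Gn); do
        [ "$_m" = "$_g" ] && return 0
    done
    return 1
}

# check_access PATH : print a one-line verdict for PATH.
# Returns 0 when the caller can read and write it, 1 when not, 2 when missing.
check_access() {
    _p=$1
    if [ ! -e "$_p" ]; then
        echo "$_p: missing (device not attached, or pcscd not running?)"
        return 2
    fi
    _grp=$(file_group "$_p")
    if [ -r "$_p" ] && [ -w "$_p" ]; then
        echo "$_p: ok (group $_grp)"
        return 0
    fi
    if in_group "$_grp"; then
        # Membership is fine, so only the mode bits block access.
        echo "$_p: no rw access; you are in group $_grp, so the mode is too tight: chmod g+rw $_p"
    else
        echo "$_p: no rw access; owned by group $_grp, which you are not in: add yourself to $_grp (then chmod g+rw if still needed)"
    fi
    return 1
}

# check_all [PATH...] : audit every path (defaults when none given).
# Returns the number of paths that are missing or not accessible.
check_all() {
    [ $# -eq 0 ] && set -- $DEFAULT_PATHS
    _fails=0
    for _p in "$@"; do
        check_access "$_p" || _fails=$((_fails + 1))
    done
    return $_fails
}

# Entry point when run directly: audit the given paths (or the defaults).
if check_all "$@"; then
    echo "all paths readable and writable by $(id -un)"
else
    echo "one or more paths need attention (see above)"
fi
```

Run it as the unprivileged user, not as root: root passes every check, so the output would say nothing about the account that actually needs access. Re-run after the chmod or group change (a new login is needed for group membership to take effect) until every line reports ok.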