# FreeBSD and u2f devices



## iandstanley (May 27, 2021)

Hi

REPURPOSING A HAND-ME-DOWN A CHEAPO LAPTOP
Having spent a *long time* in penguinland I have been getting back to FreeBSD with a cheap Acer laptop a friend gave me. (Windows 10 was now too big for it to update itself on. lol). I first tried my trusty Debian but couldn't get the bootloader to work.

So I decided to see if I could get FreeBSD to install on it. Over the years I drifted away from BSD due to a series of laptops where I couldn't get networking/sound/peripherals working due to a bunch of cheaper laptops. I was surprised to find how much easier FreeBSD has become over the years. Thank you all for your hard work.

Anyway this tiny non-removable 32gb drive laptop I plan to use mainly for writing and email; spending about half of my time outside of X for a distraction free environment.

The system is mostly set up thanks to the great guides in the handbook and some useful posts in the forums.

However, I have found a couple of problems that I cannot resolve and was wondering if anybody could give me any pointers to what I have missed.

I have been trying to get my Yubikeys working with FreeBSD 13.0-RELEASE 

I've managed to get the keys working partially but not with the main functions I use the keys for regularly (u2f account protection of websites). Despite the keys being recognised by the system and even being usable by some programs, other programs like Yubico's own GUI tools just fail. Neither can I use u2f in Firefox to access any of my web accounts.

I've installed from pkg repo for simplicity.

*SETUP*
So far I have installed:

- u2f-devd and libu2f-host, and followed instructions I found on the forums for adding user to u2f group and restarting devd.
- libyubikey, and yubico-piv-tool, yubikey-agent, yubikey-manager-qt, yubikey-personalization-gui, pam_yubico all ready for when it is working.
- pcsc-lite, opensc
- I'm running openssh-portable 8.4, gpg 2.2.27


*PROBLEM*
I am having problems

- authenticating using u2f into website under firefox 88 (default pkg install)
- running Yubico's tools

*FIREFOX*
I have also enabled firefox's u2f and webauthn support in about:config. The following are all set to _true_

security.webauth.u2f
security.webauthn.webauthn
security.webauthn.webauthn_enable_usbtoken

My main use case is fido2/u2f support in webpages (though I also use ssh and gpg less often).

When I try to log into any fido2/u2f protected account e.g. my github account, I login normally and click on 'use security key', then firefox pops up a small window saying github wants to authenticate using a registered security key but it cannot find the yubikey. It is as if the yubikey or the usb port is dead - firefox just hangs there waiting for the key.

Dmesg reports the key insertion OK and other tools recognise the yubikey and can use it but firefox fails.


*DMESG RECOGNISES*
dmesg reports that the key is found and I can use my short press to make the yubikey insert an OTP


```
ugen0.7: <Yubico YubiKey OTP+FIDO+CCID> at usbus0
ukbd0 on uhub0
ukbd0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.27, addr 14> on usbus0
kbd2 at ukbd0
uhid0 on uhub0
uhid0: <Yubico YubiKey OTP+FIDO+CCID, class 0/0, rev 2.00/5.27, addr 14> on usbus0
```

*YKINFO PASSES*
ykinfo -s reports the yubikey serial number with the Yubikey 5 

*YUBICO-PIV-TOOL WORKS*
Yubico's PIV tool works fine recognising the yubikey

*GPG PASSES*
gpg --card-status reads the yubikey fine and I can fetch my public key from the gpg/card> prompt and it reads and fetches key. I can encrypt and decrypt messages with the yubikey (reads pin and touch before decrypting).


*FAILING - ALL YUBICO CLIENTS and the YKCHALRESP*
If I try to run any of the gui clients or run ykchalresp from the command line they either abort quietly or complain there is no valid yubikey

Any ideas would be greatly appreciated.

Ian

PS 
CF MY LINUX BOX
This all works fine on my linux box with both of the yubikey keys tried (one security and one 5)


----------



## daemonhorn (Sep 17, 2022)

Not positive without running through all the configuration, but I suspect either one or both of the config items below:

1. You are potentially having USB contentions with too many processes polling the USB Yubikey device at the same time.
   - Make sure pcsc-lite's pcscd is enabled and running: `service pcscd enable && service pcscd start`
   - Make GnuPG and pcscd collaborate to work together as documented by Ludovic Rousseau: https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html
     - CLI argument from the documentation for GnuPG: `--disable-ccid` or use the config file approach: By default, you can configure GnuPG scdaemon configuration in `~/.gnupg/scdaemon.conf` and it should contain the line: `disable-ccid`. Restart scdaemon process so that it uses the new option.
2. Confirm local user has been successfully added to new u2f group to allow access to usb device mappings created by u2f-dev package. (replace <user> with your actual username in command below, then remove/re-insert your yubikey)
   `pw group mod u2f -m <user>`
   Verify with `ls -alF /dev/uhid* && pw groupshow u2f` and confirm applicable device has the group u2f, and has read/write bits set, and that the u2f group includes desired username.

Good Luck.


----------
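The checks listed in daemonhorn's reply, collected into one script as an added example (it is not part of the thread and not shipped with any of the packages mentioned). The function names and the `--run` switch are assumptions made for this example; the live checks rely on FreeBSD's `service` and `pw`, and the parsing helpers work on the text those commands and `ls -l` print.

```sh
#!/bin/sh
# Added example: verifies the settings from the reply above. Names are hypothetical.

# True if the given scdaemon.conf has an uncommented "disable-ccid" line.
scdaemon_ccid_disabled() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# True if a "pw groupshow" line (name:pw:gid:members) lists user $2 as a member.
group_has_member() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }'
}

# True if an "ls -l" line shows group $2 with both group read and write bits set.
node_group_rw() {
    printf '%s\n' "$1" | awk -v g="$2" '
        { if ($4 == g && substr($1, 5, 2) == "rw") ok = 1 }
        END { exit !ok }'
}

# Run every check against the live system; returns the number of failed checks.
u2f_check() {
    user=${1:-$(id -un)}
    fails=0
    report() {
        if [ "$1" -eq 0 ]; then echo "ok    $2"; else echo "FAIL  $2"; fails=$((fails + 1)); fi
    }
    service pcscd status >/dev/null 2>&1; report $? "pcscd is running"
    scdaemon_ccid_disabled "$HOME/.gnupg/scdaemon.conf"; report $? "scdaemon.conf has disable-ccid"
    group_has_member "$(pw groupshow u2f 2>/dev/null)" "$user"; report $? "$user is in group u2f"
    for dev in /dev/uhid*; do
        [ -e "$dev" ] || continue
        node_group_rw "$(ls -l "$dev")" u2f; report $? "$dev has group u2f with rw"
    done
    return "$fails"
}

# Only touch the system when asked to: sh u2f-check.sh --run [user]
if [ "${1:-}" = "--run" ]; then u2f_check "${2:-}"; fi
```

Run it as the desktop user after re-inserting the key; a `FAIL` on a `/dev/uhid*` node that belongs to the YubiKey points at the devd rule or group membership rather than at Firefox.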

