yubico / python-yubico Goto Github PK

On my M1 Mac Mini I get the following Problem Report, what additional information is needed?

Process:               Python [2222]
Path:                  /Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.8/Resources/Python.app/Contents/MacOS/Python
Identifier:            Python
Version:               ???
Code Type:             X86-64 (Translated)
Parent Process:        mbfloagent [1185]
Responsible:           mbfloagent [1185]
User ID:               501

Date/Time:             2021-03-15 12:07:08.228 -0700
OS Version:            macOS 11.2.3 (20D91)
Report Version:        12
Anonymous UUID:        165D94D1-395F-7764-31E7-77DC6D520AF4


Time Awake Since Boot: 360 seconds

System Integrity Protection: enabled

Crashed Thread:        0

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    DYLD, [0x1] Library missing

Application Specific Information:
dyld: launch, loading dependent libraries

Dyld Error Message:
  dyld: Using shared cache: 1C99695B-39A1-3CF1-BCD1-AB8BF015FD98
Library not loaded: /Library/Frameworks/Python.framework/Versions/3.8/Python
  Referenced from: /Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.8/Resources/Python.app/Contents/MacOS/Python
  Reason: image not found

Binary Images:
       0x1041d0000 -        0x1041d0fff + (0) <A89E016E-52A7-3CC7-A797-C913CA1EADB6> 
       0x2044b6000 -        0x204551fff  dyld (832.7.3) <0D4EA85F-7E30-338B-9215-314A5A5539B6> /usr/lib/dyld
    0x7ffdffda2000 -     0x7ffdffe15fff +runtime (203.30) <C98E75A6-BDC8-3D5C-B95B-6422005E96D8> /Library/Apple/*/runtime
    0x7fff203cd000 -     0x7fff20868fff  com.apple.CoreFoundation (6.9 - 1774.101) <46680730-F553-3297-B602-7A4372447F83> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Model: Macmini9,1, BootROM 6723.81.1, proc 8:4:4 processors, 8 GB, SMC 
Graphics: kHW_AppleM1Item, Apple M1, spdisplays_builtin
Memory Module: lp_ddr4
AirPort: spairport_wireless_card_type_airport_extreme, wl0: Dec 31 2020 21:39:03 version 18.20.222.20.7.8.104 FWID 01-1b2645bc
Bluetooth: Version 8.0.3d9, 3 services, 27 devices, 1 incoming serial ports
Network Service: Ethernet, Ethernet, en0
PCI Card: pci1b73,1100, sppci_usbxhci, Thunderbolt@6,0,0
PCI Card: pci1b73,1100, sppci_usbxhci, Thunderbolt@5,0,0
PCI Card: pci1b21,1242, sppci_usbxhci, Thunderbolt@4,0,0
PCI Card: ethernet, sppci_ethernet, Thunderbolt@3,0,0
USB Device: USB 3.1 Bus
USB Device: USB 3.1 Bus
USB Device: USB 3.0 Bus
USB Device: USB Receiver
USB Device: Keyboard Hub
USB Device: Apple Keyboard
USB Device: USB 3.0 Bus
USB Device: CalDigit Thunderbolt 3 Audio
USB Device: USB 3.0 Bus
USB Device: Card Reader
USB Device: USB 3.1 Bus
Thunderbolt Bus: Mac mini, Apple Inc.
Thunderbolt Bus: Mac mini, Apple Inc.
Thunderbolt Device: TS3 Plus, CalDigit, Inc., 1, 44.1

This issue (Yubico/yubikey-personalization#38) is also present in python-yubico.
When challenge_response is used too quickly, a timeout occurs which leaves the yubikey unusable until it's unplugged and plugged back in.

While doing this: yk.challenge_response('foo',slot=2) over and over, after 5 to 10 tries this happens:

Traceback (most recent call last):
File "", line 1, in
File "build/bdist.linux-x86_64/egg/yubico/yubikey_usb_hid.py", line 214, in challenge_response
File "build/bdist.linux-x86_64/egg/yubico/yubikey_usb_hid.py", line 273, in _challenge_response
File "build/bdist.linux-x86_64/egg/yubico/yubikey_usb_hid.py", line 340, in _write
File "build/bdist.linux-x86_64/egg/yubico/yubikey_usb_hid.py", line 381, in _waitfor_clear
File "build/bdist.linux-x86_64/egg/yubico/yubikey_usb_hid.py", line 410, in _waitfor
yubico.yubikey.YubiKeyTimeout: <YubiKeyTimeout instance at 0x7fe8ac622d70: Timed out waiting for YubiKey to clear status 0x80>

This does not happen with the ykchalresp utility which uses the C library.

setup.py lists nose >= 1.0 as a requirement for setup. But this is not actually a requirement as it is just used for tests. Either remove it, or move it to tests_require.

The problem with the current requirement is that it doesn't work well with Linux package management systems. In particular, the version requirement of nose prevents the use of this package on older systems.

I'm having a hard time finding the documentation for this library.
Either it's non existent or it's tricky to find, in which case it should either be created (readthedocs would be neat) or attached as a link to the repo's readme IMO.

I'm working on a Python3 script where I monitor if a specific YubiKey is connected. To do this I run a pyudev monitor that looks for any hidraw device(like keyboards, mice, and YubiKeys) and then calls the yubico.find_yubikey() function. The idea is that I don't want to poll every few seconds, but first wait for hid connectivity. The issue is that when i do so, the YubiKey immediately reconnects, resulting in an endless loop.

For me it doesn't always happen, to trigger this behaviour I sometimes have to plug one key in and out a few times, or when i plug in multiple ones it seems to trigger more often. I included the code and the result this had for me below.

Please correct me if this is problem is not a result of the Yubico library.

I tested this with the following specs:
YubiKey: 4.2.6 and 4.2.6 Nano (both with vendor id 1050 and product id 407)
OS: Debian Buster (10.3) and Raspbian Buster (10.3)
Python version: 3.7.3
pyudev version: python3-pyudev_0.21.0-1
Yubico version: python3-yubico_1.3.3-0.2

Code:

#!/usr/bin/env python3
import pyudev, yubico
from usb.core import USBError

def get_yubikey_serial() -> int:
    try:
        YK = yubico.find_yubikey()
        serial = YK.serial() 
        print('yubikey connected, serial= %i' % serial)
        del YK
        return serial
    except yubico.yubico_exception.YubicoError as e:
        print('no yubikey connected')
        return 0
    except USBError as e:
        print('get_yubikey_serial() threw: ' + str(e))
        return 1

context = pyudev.Context()
monitor = pyudev.Monitor.from_netlink(context)
monitor.filter_by('hidraw') 
lastdevice = 'hidraw-2'

for device in iter(monitor.poll, None):
    if device.sys_name[:6] == 'hidraw':
        if abs(int(device.sys_name[6:]) - int(lastdevice[6:])) == 1 : continue
        lastdevice = device.sys_name
        get_yubikey_serial()

Output:

yubikey connected, serial= 4130312
yubikey connected, serial= 4130312
yubikey connected, serial= 4130312
yubikey connected, serial= 4130312
yubikey connected, serial= 4130312
yubikey connected, serial= 4130312
get_yubikey_serial() threw: [Errno 32] Pipe error
get_yubikey_serial() threw: [Errno 32] Pipe error
no yubikey connected
no yubikey connected
no yubikey connected
no yubikey connected
no yubikey connected
no yubikey connected

I was trying to work with FreeIPA and YubiKey on CentOS 7, but the ipa otptoken-add-yubikey command was exploding. I tracked it down to being this module that has the actual issues.

Using python-yubico 1.3.1:

[root@ipa-yubikey-test ~]# python
Python 2.7.5 (default, Nov 20 2015, 02:00:19)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> import yubico
>>> yubikey = yubico.find_yubikey(debug=False)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 53, in find_key
    hid_device = YubiKeyHIDDevice(debug, skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 123, in __init__
    if not self._open(skip):
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 317, in _open
    usb_device = self._get_usb_device(skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 367, in _get_usb_device
    find_all=True, idVendor=YUBICO_VID)]
  File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
    raise ValueError('No backend available')
ValueError: No backend available
>>>

The YubiKey (Standard) is definitely there:

[ 1955.426313] usb 2-2.2: USB disconnect, device number 7
[ 2489.666237] usb 2-2.2: new low-speed USB device number 8 using uhci_hcd
[ 2489.758404] usb 2-2.2: New USB device found, idVendor=1050, idProduct=0010
[ 2489.758407] usb 2-2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2489.758408] usb 2-2.2: Product: Yubico Yubikey II
[ 2489.758409] usb 2-2.2: Manufacturer: Yubico
[ 2489.766705] input: Yubico Yubico Yubikey II as /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2/2-2.2:1.0/input/input8
[ 2489.818727] hid-generic 0003:1050:0010.0005: input,hidraw1: USB HID v1.11 Keyboard [Yubico Yubico Yubikey II] on usb-0000:02:00.0-2.2/input0

Also:

[root@ipa-yubikey-test ~]# lsusb | grep Yubikey
Bus 002 Device 008: ID 1050:0010 Yubico.com Yubikey

This is extremely frustrating!

As far as I can see, this is the only Python package supporting the HMAC-SHA1 challenge-response introduced in Yubikeys 2.2. However, the yubikey packages available on PyPI are only for regular OTP.

Please note that a yubico package (deprecated) and yubico-client (successor of the former) already exists on PyPI, but this is not developed by Yubico!

It would be really nice to have this official library on PyPI as well!

The example code results in circular import error and is never able to check for the presence of a key.

How can one trust in the security of security product when even the example code does not work?

Exception has occurred: AttributeError
partially initialized module 'yubico' has no attribute 'find_yubikey' (most likely due to a circular import)

Using the exact example code:

`
#!/usr/bin/env python
""" Get version of connected YubiKey. """

import sys
import yubico

try:
yubikey = yubico.find_yubikey(debug=False)
print("Version: {}".format(yubikey.version()))
except yubico.yubico_exception.YubicoError as e:
print("ERROR: {}".format(e.reason))
sys.exit(1)
`

Version Info

python --version
Python 3.10.4

pip show python-yubico
Name: python-yubico
Version: 1.3.3
Summary: Python code for talking to Yubico's YubiKeys
Home-page: https://github.com/Yubico/python-yubico
Author: Dain Nilsson
Author-email: [email protected]
License: BSD 2 clause
Location: d:\python\envs\py10\lib\site-packages
Requires: pyusb
Required-by:

pip show pyusb
Name: pyusb
Version: 1.2.1
Summary: Python USB access module
Home-page: https://pyusb.github.io/pyusb
Author: Jonas Malaco
Author-email: [email protected]
License: UNKNOWN
Location: d:\python\envs\py10\lib\site-packages
Requires:
Required-by: python-yubico

See: http://www.mail-archive.com/[email protected]/msg1290387.html

Hello,
I would like to port python-yubico to Python 3, keeping compatibility with Python 2 (preferably 2.6+). Would you be interested in the patches? Anything special I should be aware of?

It seems that most of the work will be breaking circular imports, and figuring out what's text strings and what's bytestrings.

as this project is working with the head version and it doesn't have anything new,

I think it's better to push a py3 problem free version on pypi rather than everyone coming here for head version

Below is a copy&paste from the Debian BTS - you can find the Debian bug here:
#1018597

Your package still uses nose 1, which is an obsolete testing framework for
Python, dead and unmaintained since 2015 2.

If you received this bug report, it means that your package either has a
build-dependency on python3-nose or uses that package in debian/tests/control.
If that is not the case, please reply and CC me explicitly.

Please port your package to one of the alternatives: nose2 4, pytest 5
or unittest from Python standard library 6.

There is a script called nose2pytest 7 which can assist with migrating from
nose to pytest.

This mass bug filing was discussed on debian-devel in 8.

Hi,

after calling find_yubikey() it is needed to replug the yubikey to get e.g. slot1 configured for HOTP working again. Without replug a button press does simply nothing.

Is there any method i can call to "reset" the yubikey so that no replug is needed?

regards
the2nd

Issues when trying to detect a Yubikey Series 5 key:

File "Python39\lib\site-packages\yubico\yubikey_usb_hid.py", line 191, in _read
self._debug("Failed reading %i bytes (got %i) from USB HID YubiKey.\n"
TypeError: %i format: a number is required, not array.array

after removing that line I also get this issue:
YubiKeyHIDDevice: detachKernelDriver not supported!
YubiKeyHIDDevice: Failed reading 8 bytes (got array('B', [0, 5, 4, 3, 3, 11, 6])) from USB HID YubiKey.
ERROR: Failed reading from USB HID YubiKey

code attempted to be run:
Python
`
import sys
import yubico

try:
yubikey = yubico.find_yubikey(debug=True)
print("Version: {}".format(yubikey.version()))
except yubico.yubico_exception.YubicoError as e:
print("ERROR: {}".format(e.reason))
sys.exit(1)
`

Hi,

is there a possibility to switch the NFC NDEF function to slot 2 with this library like with the tool ykpersonalize -2 -tTEXT?

Best Regards
Axel Hoffmann

Hi,

is there a possibility to set the flag for the oath-id like with the ykpersonalize tool:
ykpersonalize -1 -ooath-hotp -ooath-id.

Best Regards
Axel Hoffmann

import yubico; yubico.find_yubikey()
Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 242, in find_key
raise YubiKeyError('No YubiKey found')
yubico.yubikey.YubiKeyError: <YubiKeyError instance at 0x7f120235ce60: No YubiKey found>

Adding the new PIDs to /usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py results in a discovered device, but a new error:

import yubico; yubico.find_yubikey()
Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
YK = YubiKeyUSBHID(debug=debug, skip=skip)
File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 141, in init
if not self._open(skip):
File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 440, in _open
self._usb_handle.setConfiguration(1)
File "/usr/lib/python2.7/site-packages/usb/legacy.py", line 253, in setConfiguration
self.dev.set_configuration(configuration)
File "/usr/lib/python2.7/site-packages/usb/core.py", line 799, in set_configuration
self._ctx.managed_set_configuration(self, configuration)
File "/usr/lib/python2.7/site-packages/usb/core.py", line 128, in managed_set_configuration
self.backend.set_configuration(self.handle, cfg.bConfigurationValue)
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line 730, in set_configuration
_check(self.lib.libusb_set_configuration(dev_handle.handle, config_value))
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line 552, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 16] Resource busy

No problems are observed on older yubikeys. lsusb output is:
idVendor 0x1050 Yubico.com
idProduct 0x0116
bcdDevice 3.32
iManufacturer 1 Yubico
iProduct 2 Yubikey NEO OTP+U2F+CCID
iSerial 0
bNumConfigurations 1

The below link is returning a 404 error causing build errors on Arch's python-yubico AUR package.

https://files.pythonhosted.org/packages/source/p/python-yubico/python-yubico-1.3.3.tar.gz.asc

The README file should contain the name of the license used (The BSD 2-Clause License) and be formatted in AsciiDoc.

A symlink, README.adoc, should be created to point to the README so that GitHub renders it correctly. This symlink should not be included in any release tars.

When I call challenge_reponse on a yubikey object the results look quite different to those obtained from the ykchalresp binary. Example:
Results from shell command ykchalresp hello: ca299ea0ea9e5c76b197a322c60909e302a54ae9
Whereas the following code:

yubikey = yubico.find_yubikey(debug = False)
resp = yubikey.challenge_response("hello")

results in: \xca)\x9e\xa0\xea\x9e\\v\xb1\x97\xa3"\xc6\t\t\xe3\x02\xa5J\xe9
If I put the results through the hexdump utility function:

yubico.yubico_util.hexdump(resp)

then I get: 0000 ca 29 9e a0 ea 9e 5c 76\n0008 b1 97 a3 22 c6 09 09 e3\n0010 02 a5 4a e9\n
which is still not what I want.
Surely there is some way to get results from python the same as those from the shell command?

$ sudo python -c 'import yubico; yubico.find_yubikey()'
Password:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
    YK = YubiKeyUSBHID(debug=debug, skip=skip)
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 141, in __init__
    if not self._open(skip):
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 441, in _open
    self._usb_handle.claimInterface(self._usb_int)
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/usb/legacy.py", line 230, in claimInterface
    util.claim_interface(self.dev, if_num)
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/usb/util.py", line 191, in claim_interface
    device._ctx.managed_claim_interface(device, interface)
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/usb/core.py", line 112, in managed_claim_interface
    self.backend.claim_interface(self.handle, i)
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/usb/backend/libusb1.py", line 758, in claim_interface
    _check(self.lib.libusb_claim_interface(dev_handle.handle, intf))
  File "/Users/jacob/.virtualenvs/hkyubi/lib/python2.7/site-packages/usb/backend/libusb1.py", line 571, in _check
    raise USBError(_str_error[ret], ret, _libusb_errno[ret])
usb.core.USBError: [Errno 13] Access denied (insufficient permissions)

This is on OS X 10.9 ("Mavericks"), which I believe is important (I've found a few issues related to libusb on 10.9 that sound similar)

I'm running libusb-1.0.18 installed from Homebrew, PyUSB 1.0.0b1 installed from PyPI, and python-yubico 1.2. also installed from PyPI.

Hi,
I am currently implementing yubikey support (HMAC-SHA1) in OTPme (www.otpme.org). My current implementation works well with the OTPme PAM module if the connected yubikey has at least one slot configured for HMAC-SHA1. But when i call the serial() method with a yubikey that has no slot configured for HMA-SHA1 i always get a timeout when trying to get the serial:

Code:
YK = yubico.find_yubikey(debug=debug)
print("Version : %s " % YK.version())
print("Serial : %i" % YK.serial())

ERROR: Timed out waiting for YubiKey to set status 0x40

Is this by design or a bug?

My intention is to get the yubikey serial to identify it and decide if i should try challenge/response with the connected yubikey or not. It would be great if the serial() method would work independently of the slot configuration to prevent a delay when logging in with a yubikey connected that does not have HMAC-SHA1 configured (e.g. to login via HOTP).

regards
the2nd

The Pyusb webpage http://pyusb.berlios.de/ linked in the installation instructions is unavailable.

In the graphical YubiKey Personalization Tool there is an option in OATH-HOTP advanced to omit the token identifier. I uncheck this box in my use case which is YubiKey as an OTP token in FreeIPA. However, the option to configure the HOTP mode via this project does not seem to allow proceeding without either a 6 or 8 character ID. Am I reading it wrong or is there a workaround?

Is it support FIDO U2F Security Keys ?

If not, how can I use FIDO U2F Security Keys to authenticate my own app ?

Hi,

is there a possibility to clear a Yubikey slot with this library like the function of the cli tool ykpersonalize -1 -z?

Best Regards
Axel Hoffmann

The following program fails with a timeout with my recently bought Yubikey 4. HMAC-SHA1 challenge-response works fine.

import sys
import yubico

# Look for and initialize the YubiKey
try:
    YK = yubico.find_yubikey()
    # Do challenge-response
    secret = b'Sample'
    print("Sending challenge : %s\n" % repr(secret))

    response = YK.challenge_response(secret, mode="OTP", slot=1)
except yubico.yubico_exception.YubicoError as inst:
    print("ERROR: %s" % inst.reason)
    sys.exit(1)

print("Response :\n%s\n" % yubico.yubico_util.hexdump(response))

This function is not portable, so it should only be used on unix-like systems which has it. It causes problems on Windows for example, see forum post here:

http://forum.yubico.com/viewtopic.php?f=16&t=956

Hi,

is it possible to reboot a yubikey via a python call just like it does when its re plugged?

the reason for asking this is because i've implemented a OTPme token type that uses the ssh agent interface of gpg-agent (using yubikeys gpg applet in this case) to allow OTPme logins using standard ssh keys. that works great with my yubikey for PAM logins but when doing e.g. a KDE screen unlock i want to make sure that the yubikey requires the PIN (that is passed from my PAM module to gpg-agent) to sign any ssh message, even if the user has not re plugged its yubikey. my current workaround is to restart gpg-agent on screen unlock but that brings in a annoying delay.

i hope this is the right place to ask this question as i found no mailing list ....

Hi,

is there a possibility to set the USB mode of the Yubikey Neo with the library? Or is there another Python library which can do that?

Thank you

Best Regards
Axel Hoffmann

As can be seen in https://bugs.debian.org/965059 , it would be useful for Linux distributions to tag a new upstream release.

time.mktime expects a time tuple in localtime, but gets one in GTM, which produces the wrong timestamp. Use time.time() instead.