WARNING: No OTP HID backend available. OTP protocols will not function #547

Open
shibumi opened this issue Mar 19, 2023 · 3 comments

shibumi commented Mar 19, 2023

  • YubiKey Manager (ykman) version: 5.0.1
  • How was it installed?: Arch Linux package repository
  • Operating system and version: Arch Linux, Kernel: 5.15.89-16172-g8db7d2810659
  • YubiKey model and version: YubiKey 5 NFC, Firmware 5.1.2
  • Bug description summary: Cannot connect to Yubikey

My setup is a little bit special. I have replaced the default Debian Crostini container on a Chromebook with a custom Arch Linux container, briefly following this tutorial here: https://shibumi.dev/posts/install-arch-linux-on-chromeos/

At first, even the smartcard feature did not work. I managed to fix this via this scdaemon.conf:

reader-port Yubico YubiKey
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid

And these polkit changes:

cat << EOF >  /etc/polkit-1/rules.d/99-pcscd.rules
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
                subject.isInGroup("wheel")) {
                return polkit.Result.YES;
        }
});
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
                subject.isInGroup("wheel")) {
                return polkit.Result.YES;
        }
});
EOF

With these changes and a fresh pcscd restart, at least the smartcard features do work. When I run ykman info, I get the following information:

❯ ykman info  
WARNING: No OTP HID backend available. OTP protocols will not function.
ERROR: Unable to list devices for connection
Device type: YubiKey 5 NFC
Serial number: XXXXXX
Firmware version: 5.1.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC          
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
FIDO2           Enabled         Enabled
OATH            Enabled         Enabled
PIV             Enabled         Enabled
OpenPGP         Enabled         Enabled
YubiHSM Auth    Not available   Not available

More diagnostics:

❯ echo $TTY
/dev/pts/1
❯ ykman --diagnose
ykman:            5.0.1
Python:           3.10.10 (main, Mar  5 2023, 22:26:53) [GCC 12.2.1 20230201]
Platform:         linux
Arch:             x86_64
System date:      2023-03-19
Running as admin: False
Detected PC/SC readers:
  Yubico YubiKey OTP+FIDO+CCID 00 00: Success

Detected YubiKeys over PC/SC:
  ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 00 00'):
    Management:
      Raw Info: 2b0102023f0302023f02040094446304010105030501020602000007010f0801000d02023b0e02023b0a0100
      DeviceInfo:
        config:     
          enabled_capabilities:      
            USB: OTP|U2F|FIDO2|OATH|PIV|OPENPGP: 0x23f
            NFC: OTP|U2F|FIDO2|OATH|PIV|OPENPGP: 0x23b

          auto_eject_timeout:         0
          challenge_response_timeout: 15
          device_flags:               0

        serial:      XXXXXX
        version:     5.1.2
        form_factor: Keychain (USB-A)
        supported_capabilities:
          USB: OTP|U2F|FIDO2|OATH|PIV|OPENPGP: 0x23f
          NFC: OTP|U2F|FIDO2|OATH|PIV|OPENPGP: 0x23b

        is_locked:   False
        is_fips:     False
        is_sky:      False

      Name: YubiKey 5 NFC

    PIV:
      PIV version:              5.1.2
      PIN tries remaining:      3
      Management key algorithm: 3
      CHUID: No data available
      CCC:   No data available

    OATH:
      Oath version:       5.1.2
      Password protected: False

    OpenPGP:
      OpenPGP version:            2.1
      Application version:        5.1.2
      PIN tries remaining:        3
      Reset code tries remaining: 0
      Admin PIN tries remaining:  3
      Require PIN for signature:  Once
      Touch policies:            
        Signature key:      On
        Encryption key:     On
        Authentication key: On

HID OTP backend failure: UnboundLocalError("local variable 'hidraw' referenced before assignment")
Detected YubiKeys over HID FIDO:

End of diagnostics

I have also created these rules here:

❯ cat /etc/udev/rules.d/*
ACTION!="add|change", GOTO="u2f_end"

#KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"
ATTRS{idVendor}=="1050", GROUP="plugdev", MODE="0660"


LABEL="u2f_end"
ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess"

# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"

# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"

#  Neowave Keydo and Keydo AES
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess"

# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess"

# Feitian ePass FIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b", TAG+="uaccess"

# JaCarta U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101", TAG+="uaccess"

# U2F Zero
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess"

# VASCO SeccureClick
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="uaccess"

LABEL="u2f_end"

I am not sure if all of these rules are really needed...

@dainnilsson
Member

I'm not too familiar with Crostini, but I did some Googling and found some comments that seem to indicate that hidraw might not be functional on Crostini, which is required for the OTP configuration functionality.
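
A way to check the hidraw point raised above, as an added example that is not part of the original thread and not ykman code: the function `check_yubikey_hidraw` (a hypothetical name) walks the kernel's hidraw class directory, picks out HID interfaces with vendor ID 1050 (the `idVendor` used in the udev rules above), and tests whether the matching `/dev/hidrawN` node is readable and writable by the current user. It assumes the usual sysfs layout, where each `hidrawN/device/uevent` file carries a `HID_ID=<bus>:<vendor>:<product>` line.

```shell
#!/bin/sh
# Added diagnostic example (not part of ykman or of the original issue).
# check_yubikey_hidraw [SYSFS_DIR] [DEV_DIR]
# Return codes:
#   0  a Yubico hidraw node exists and is read/write for this user
#   1  Yubico hidraw node(s) exist but none is accessible (udev rules, permissions)
#   2  no Yubico hidraw node at all (kernel or container does not expose hidraw)
check_yubikey_hidraw() {
    sysfs=${1:-/sys/class/hidraw}
    dev=${2:-/dev}
    found=0
    usable=0
    for entry in "$sysfs"/hidraw*; do
        # An unmatched glob stays literal and is skipped by this test.
        [ -r "$entry/device/uevent" ] || continue
        # HID_ID=<bus>:<vendor>:<product>; vendor is zero-padded to 8 hex digits.
        hid_id=$(sed -n 's/^HID_ID=//p' "$entry/device/uevent")
        vendor=$(printf '%s' "$hid_id" | cut -d: -f2 | tr 'A-F' 'a-f')
        [ "$vendor" = "00001050" ] || continue
        found=$((found + 1))
        node="$dev/$(basename "$entry")"
        if [ -r "$node" ] && [ -w "$node" ]; then
            usable=$((usable + 1))
            echo "$node: Yubico HID interface ($hid_id), read/write OK"
        else
            echo "$node: Yubico HID interface ($hid_id), NOT accessible"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Yubico hidraw nodes under $sysfs"
        return 2
    fi
    [ "$usable" -gt 0 ] || return 1
    return 0
}
```

Calling `check_yubikey_hidraw` with no arguments inspects the live system. A return code of 2 inside a container or VM while PC/SC still sees the key means only the CCID interface is reaching the guest, which is the situation `ykman --diagnose` reports above.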


slatian commented Dec 3, 2023

I don't know Crostini, but installing libfido2 (and a reboot) has fixed the issue for me on real hardware (as in not containerized) without any additional configuration. I hope that helps.


evgnomon commented Mar 9, 2024

ykman info
>>>>>WARNING: No OTP HID backend available. OTP protocols will not function.
>>>>>ERROR: Unable to list devices for connection
Device type: YubiKey 5C NFC
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB     NFC
Yubico OTP      Enabled Enabled
FIDO U2F        Enabled Enabled
FIDO2           Enabled Enabled
OATH            Enabled Enabled
PIV             Enabled Enabled
OpenPGP         Enabled Enabled
YubiHSM Auth    Enabled Enabled

Using WSL2 Ubuntu jammy.

The device is not useful in there:

pamu2fcfg > ~/.config/Yubico/u2f_keys
No U2F device available, please insert one now, you have 14 seconds

Just attached the YubiKey using:

PS C:\Windows\system32> usbipd attach --wsl --busid 2-6
