I plugged in the key and it is available in the USB device list:
Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Bus 001 Device 003: ID 0bda:0329 Realtek Semiconductor Corp.
Bus 001 Device 002: ID 0424:2660 Standard Microsystems Corp. Hub
Bus 002 Device 001: ID 0e0f:8002 VMware, Inc. Root Hub
Bus 001 Device 001: ID 0e0f:8003 VMware, Inc. Root Hub
and
lsusb -s 1:4 -v
Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1050 Yubico.com
idProduct 0x0407 Yubikey 4 OTP+U2F+CCID
bcdDevice 5.27
iManufacturer 1 Yubico
iProduct 2 YubiKey OTP+FIDO+CCID
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 150
bNumInterfaces 3
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 30mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 1 Boot Interface Subclass
bInterfaceProtocol 1 Keyboard
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 71
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 34
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 2
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 2
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 11 Chip/SmartCard
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
ChipCard Interface Descriptor:
bLength 54
bDescriptorType 33
bcdCCID 1.00
nMaxSlotIndex 0
bVoltageSupport 7 5.0V 3.0V 1.8V
dwProtocols 2 T=1
dwDefaultClock 4000
dwMaxiumumClock 4000
bNumClockSupported 0
dwDataRate 307200 bps
dwMaxDataRate 307200 bps
bNumDataRatesSupp. 0
dwMaxIFSD 3062
dwSyncProtocols 00000000
dwMechanical 00000000
dwFeatures 000400FE
Auto configuration based on ATR
Auto activation on insert
Auto voltage selection
Auto clock change
Auto baud rate change
Auto parameter negotation made by CCID
Short and extended APDU level exchange
dwMaxCCIDMsgLen 3072
bClassGetResponse echo
bClassEnvelope echo
wlcdLayout none
bPINSupport 0
bMaxCCIDBusySlots 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 32
Device Status: 0x0000
(Bus Powered)
But esxcli does not list it:
~] esxcli hardware usb passthrough device list
Bus  Dev  VendorId  ProductId  Enabled  Can Connect to VM  Name
---  ---  --------  ---------  -------  -----------------  ---------------------------
1    3    bda       329        true     yes                Realtek Semiconductor Corp.
I restarted usbarbitrator and hostd; the results are the same.
Why would this be happening?
Thanks!
@bluefirestorm thanks for the link, but as you can see VMware did not even recognize the device in the passthrough device list. So it can't even attempt to connect it to a VM, therefore the VMX settings are sort of useless.
The YubiKey has several USB modes [OTP|U2F|OPGP|PIV|OATH|FIDO2]. I found out that if OTP, U2F or FIDO2 is enabled, the key does not appear in the passthrough device list. I did not try every combination, but disabling these three fixed the issue, partly at least...
Now I see:
] esxcli hardware usb passthrough device list
Bus  Dev  VendorId  ProductId  Enabled  Can Connect to VM  Name
---  ---  --------  ---------  -------  -----------------  ---------------------------
1    4    1050      404        true     yes                Yubico.com Yubikey 4 CCID
1    3    bda       329        true     yes                Realtek Semiconductor Corp.
So the next step is to connect it to a VM. If that doesn't work, then the link you provided may be of some use.
Update:
Connecting device to VM requires:
usb.generic.allowCCID = "TRUE"
Try the steps outlined here:
https://kb.vmware.com/s/article/55789
YubiKey technology is not much different from smart cards.
@bluefirestorm thanks again. I also needed to set
usb.generic.allowCCID = "TRUE"
to be able to connect the YubiKey to the VM.
I didn't pay attention earlier to the details of the lsusb -s 1:4 -v output. It looks like it is a compound device, and two of its interfaces are classified as Human Interface Device (HID).
You could try adding these three lines to the .vmx configuration file, aside from allowCCID, and see if it resolves the issue with the OTP, U2F or FIDO2 modes. Just be careful with allowHID = "TRUE", as it will also make the keyboard/mouse available for connection.
usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"
usb.ccid.disable = "TRUE"
@bluefirestorm unfortunately I am not able to debug the issue anymore on this hardware. However, aren't those set in the VM config? How can those settings help if I can't see the device globally in the device list?
esxcli hardware usb passthrough device list
That said... I think (I am not 100% sure now) I had those settings in my VM config at some point. I enabled everything from several different instructions I found online. I guess it really does not work if the device is not in the passthrough device list.
@bluefirestorm we just recently went through this. And here is what we discovered:
https://support.yubico.com/hc/en-us/articles/360016614920-YubiKey-USB-ID-Values has a full list of the PIDs.
I personally tried 0x0404 to 0x0407, and 0x0405-0x0407 all had the HID interface descriptor. So even without OTP, the U2F interface was HID class.
As long as it was an HID device, I was not able to get it to show up in
esxcli hardware usb passthrough device list
and I was not able to add it as a USB device in ESXi. Only 0x0404 (CCID only) worked.
According to my notes, we were able to get this to work in VMware Fusion (not ESXi):
usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"
# and sometimes
usb.quirks.device0 = "0x1050:0x0407 allow"
However, adding the same to the .vmx files in ESXi did not work.
This would not be enough, as it was never listed in "esxcli hardware usb passthrough device list", so even if the VM allowed it, it's not there to be allowed. So I tried following the directions from here: https://blog.rylander.io/2020/06/26/Passthrough-USB-Keyboard-and-Mouse-to-VM-using-ESXi-V7/
However, I never got it to show up in "esxcli hardware usb passthrough device list", and was also unable to add it as a USB device.
Summary:
In addition to all the other settings mentioned, I also edited /etc/vmware/config:
usb.quirks.device0 = "0x1050:0x0407 allow"
I wasn't sure if that needed a reboot, so I rebooted ESXi; no dice.
I then edited /bootbank/boot.cfg and changed the kernelopt line to:
kernelopt=autoPartition=FALSE CONFIG./USB/quirks=0x1050:0x0407::0xffff:UQ_KBD_IGNORE
I wasn't sure if that needed a reboot, so I rebooted ESXi; no dice.
I repeated this for 0x0406 and 0x0405, and none of them worked. In the end I could only get CCID-only mode to work. Is there any way I can get this to work without disabling OTP/U2F mode?
I reached out to Yubico, and they got back to me very quickly with a solution!
It turns out I was trying too many things and screwing something up because of it. Here is all you need to get the YubiKey working in ESXi with OTP and U2F enabled alongside CCID.
1. Edit /etc/vmware/config:
usb.quirks.device0 = "0x1050:0x0407 allow"
2. Edit /bootbank/boot.cfg and change the kernelopt line to:
kernelopt=autoPartition=FALSE CONFIG./USB/quirks=0x1050:0x0407::0xffff:UQ_KBD_IGNORE
Both of these settings require a reboot, so I would change both of them and restart the ESXi server once.
Now, once you reboot, the YubiKey will not show up in "esxcli hardware usb passthrough device list"; however, the YubiKey is indeed available when you go to the ESXi or vCenter web interface.
As far as my tests show, "usb.generic.allowCCID" is not needed for YubiKeys in this mode with these settings.
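As an added example (this is not code from the thread, from Yubico or from VMware), here is a small POSIX sh helper that covers both routes discussed above: the CCID-only route, where the .vmx needs usb.generic.allowCCID, and the route Yubico gave, where /etc/vmware/config gets a usb.quirks.deviceN line and boot.cfg's kernelopt gets the UQ_KBD_IGNORE quirk. The quirk strings are exactly those quoted in the posts; the function names, the index-picking logic, the HID-counting check and the .vmx helper are my own additions. It assumes a busybox-style sh with grep and sed, as on an ESXi host, and takes file paths as parameters so you can run it against copies first. The constructed lsusb and config snippets used for testing are mine, not captured from the poster's host.

```shell
#!/bin/sh
# Added example helper, not part of the thread. Applies the two host-side
# settings from the Yubico answer idempotently and verifies them; also a
# .vmx setter for the CCID-only route. Run against copies of the files first.

VIDPID="${VIDPID:-0x1050:0x0407}"                  # YubiKey PID with OTP+FIDO+CCID on
VMWARE_CONFIG="${VMWARE_CONFIG:-/etc/vmware/config}"
BOOT_CFG="${BOOT_CFG:-/bootbank/boot.cfg}"

# Count HID interfaces in `lsusb -v` output fed on stdin. A non-zero count is
# the condition under which the thread found the key missing from
# "esxcli hardware usb passthrough device list".
hid_interfaces() {
    grep -c 'bInterfaceClass *3 Human Interface Device' || true
}

# The vmkernel USB quirk Yubico gave: ignore the key's keyboard (OTP)
# interface so the host does not claim the device for itself.
usb_quirk_token() {
    printf 'CONFIG./USB/quirks=%s::0xffff:UQ_KBD_IGNORE' "$1"
}

# Add usb.quirks.deviceN = "VID:PID allow" to /etc/vmware/config unless that
# VID:PID is already allowed. N is the first unused index, so an existing
# device0 entry for another dongle is kept (assumption: indexes are 0-based).
add_vmware_quirk() {
    cfg="$1"; vidpid="$2"
    if grep -q -- "^usb\.quirks\.device[0-9]* *= *\"$vidpid allow\"" "$cfg" 2>/dev/null; then
        return 0
    fi
    n=0
    while grep -q -- "^usb\.quirks\.device$n *=" "$cfg" 2>/dev/null; do
        n=$((n + 1))
    done
    printf 'usb.quirks.device%s = "%s allow"\n' "$n" "$vidpid" >> "$cfg"
}

# Append the quirk token to the kernelopt= line of boot.cfg, keeping the
# options already there (autoPartition=FALSE in the thread) and never adding
# it twice. Writes through a temp file rather than relying on sed -i.
add_kernel_quirk() {
    cfg="$1"; token="$(usb_quirk_token "$2")"
    if grep -qF -- "$token" "$cfg" 2>/dev/null; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    if grep -q '^kernelopt=' "$cfg" 2>/dev/null; then
        sed -e 's|^kernelopt=$|kernelopt='"$token"'|' -e t \
            -e 's|^kernelopt=.*|& '"$token"'|' "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp" 2>/dev/null || true
        printf 'kernelopt=%s\n' "$token" >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Set key = "value" in a .vmx, replacing any existing line for that key
# (e.g. vmx_set guest.vmx usb.generic.allowCCID TRUE for the CCID-only route).
vmx_set() {
    vmx="$1"; key="$2"; val="$3"
    tmp="$vmx.tmp.$$"
    grep -v -- "^$key *=" "$vmx" > "$tmp" 2>/dev/null || true
    printf '%s = "%s"\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$vmx"
}

# Succeed only when both host-side settings are present.
verify_quirks() {
    grep -q -- "\"$3 allow\"" "$1" 2>/dev/null &&
        grep -qF -- "$(usb_quirk_token "$3")" "$2" 2>/dev/null
}

case "${1:-}" in
    apply)  add_vmware_quirk "$VMWARE_CONFIG" "$VIDPID"
            add_kernel_quirk "$BOOT_CFG" "$VIDPID"
            verify_quirks "$VMWARE_CONFIG" "$BOOT_CFG" "$VIDPID" &&
                echo "quirks written for $VIDPID; reboot the host to apply" ;;
    check)  verify_quirks "$VMWARE_CONFIG" "$BOOT_CFG" "$VIDPID" &&
                echo "quirks present" || echo "quirks missing" ;;
esac
```

Usage: `lsusb -d 1050: -v 2>/dev/null | sh yk-esxi.sh` is not a mode of the script; pipe lsusb output into `hid_interfaces` from an interactive shell to see whether the key still exposes HID interfaces, then `sh yk-esxi.sh apply` followed by a host reboot. As the post above notes, after the reboot the key still does not appear in the esxcli passthrough list, so confirm in the ESXi or vCenter web interface rather than with esxcli. If you change the key's USB mode later, its PID changes (0x0404 for CCID only), so set VIDPID accordingly.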
Working! Thanks.