search

Nitrokey / pynitrokey

Python client for Nitrokey devices
Apache License 2.0
93 stars 28 forks source link

nk3 isn't recognized any more after firmware update #381

Closed PureTryOut closed 1 year ago

PureTryOut commented 1 year ago

I've recently used pynitrokey (0.4.36) to update the firmware of my nk3 (just nitropy nk3 update). At the time it seems to have updated successfully and pynitrokey reported the updated version with nitropy nk3 version.

However now a few weeks later the device isn't recognized any more. nitropy list doesn't list it and I can't use it to authenticate websites with FIDO any more either. dmesg does show the device being recognized by the kernel:

[  155.585788] usb 1-8: USB disconnect, device number 4
[  157.307200] usb 1-8: new full-speed USB device number 8 using xhci_hcd
[  157.449406] usb 1-8: New USB device found, idVendor=20a0, idProduct=42b2, bcdDevice= 1.03
[  157.449409] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  157.449411] usb 1-8: Product: Nitrokey 3
[  157.449412] usb 1-8: Manufacturer: Nitrokey
[  157.453423] hid-generic 0003:20A0:42B2.0005: hiddev96,hidraw0: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:00:14.0-8/input1
[  157.453697] cdc_acm 1-8:1.2: ttyACM0: USB ACM device

Is my device broken now? :thinking:

robin-nitrokey commented 1 year ago

Can you please share the nitropy log file for a nitropy nk3 list call? You should find it in /tmp. If you don’t want to share it publicly, you can also send it to robin@nitrokey.com.

PureTryOut commented 1 year ago 
405        INFO pynitrokey.cli Timestamp: 2023-05-01 13:04:21.252728
405        INFO pynitrokey.cli OS: uname_result(system='Linux', node='spaceblade', release='6.1.26-0-lts', version='#1-Alpine SMP PREEMPT_DYNAMIC Thu, 27 Apr 2023 06:35:14 +0000', machine='x86_64')
405        INFO pynitrokey.cli Python version: 3.11.3
410        INFO pynitrokey.cli pynitrokey version: 0.4.36
411        INFO pynitrokey.cli cryptography version: 40.0.2
412        INFO pynitrokey.cli ecdsa version: 0.18.0
412        INFO pynitrokey.cli fido2 version: 1.1.1
413        INFO pynitrokey.cli pyusb version: 1.2.1
413        INFO pynitrokey.cli spsdk version: 1.10.0
964        INFO  libusbsio Loading SIO library: /usr/lib/python3.11/site-packages/libusbsio/bin/linux_x86_64/libusbsio.so
965        INFO  libusbsio HID enumeration[140643498097376]: initialized
965       DEBUG  libusbsio HID enumeration[140643498097376]: device #0: HP Basic USB Keyboard
966       DEBUG  libusbsio HID enumeration[140643498097376]: device #1: HIDI2CBridge
966       DEBUG  libusbsio HID enumeration[140643498097376]: device #2: Nitrokey 3
966       DEBUG  libusbsio HID enumeration[140643498097376]: device #3: 2.4G Mouse
966        INFO  libusbsio HID enumeration[140643498097376]: finished, total 4 devices
969       DEBUG fido2.hid.linux Failed opening device /dev/hidraw0
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'
969       DEBUG fido2.hid.linux Failed opening device /dev/hidraw3
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw3'
970       DEBUG fido2.hid.linux Failed opening device /dev/hidraw2
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw2'
970       DEBUG fido2.hid.linux Failed opening device /dev/hidraw1
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
970       DEBUG       root print: Critical error:
970       DEBUG       root print: No Nitrokey 3 device found
970       DEBUG       root listing all connected devices:
970       DEBUG       root :: 'Nitrokey FIDO2' keys
970       DEBUG       root :: 'Nitrokey Start' keys:
982       DEBUG       root :: 'Nitrokey 3' keys
983        INFO  libusbsio HID enumeration[140643498098192]: initialized
983       DEBUG  libusbsio HID enumeration[140643498098192]: device #0: HP Basic USB Keyboard
983       DEBUG  libusbsio HID enumeration[140643498098192]: device #1: HIDI2CBridge
983       DEBUG  libusbsio HID enumeration[140643498098192]: device #2: Nitrokey 3
983       DEBUG  libusbsio HID enumeration[140643498098192]: device #3: 2.4G Mouse
983        INFO  libusbsio HID enumeration[140643498098192]: finished, total 4 devices
985       DEBUG       root print: --------------------------------------------------------------------------------
985       DEBUG       root print: Critical error occurred, exiting now
985       DEBUG       root print: Unexpected? Is this a bug? Would you like to get support/help?
985       DEBUG       root print: - You can report issues at: https://support.nitrokey.com/
985       DEBUG       root print: - Writing an e-mail to support@nitrokey.com is also possible
985       DEBUG       root print: - Please attach the log: '/tmp/nitropy.log.rvop7x92' with any support/help request!
985       DEBUG       root print: - Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

That permission error is interesting :thinking: Are there some udev rules somewhere that can help with that? Not sure why this wasn't a problem before though.

robin-nitrokey commented 1 year ago

Yes, this looks like a permissions issue. Please check this guide: https://docs.nitrokey.com/software/nitropy/linux/udev

PureTryOut commented 1 year ago

Ah yes they're shipped by libnitrokey. I suppose that is the problem, I had that installed previously for my old Nitrokey Pro but since it broke down and I moved to the Nitrokey 3 I uninstalled that application.

Since these udev rules are necessary for the Nitrokey 3 but libnitrokey isn't, these rules should probably be shipped as part of this repository as well.

robin-nitrokey commented 1 year ago

Shipping udev rules with a Python package is not really possible as far as I know, but package maintainers for distributions can of course include the rules in their package.

robin-nitrokey commented 1 year ago

Also see this issue for discussions on how to handle this problem: https://github.com/Nitrokey/pynitrokey/issues/366 Feel free to add your suggestions there.

PureTryOut commented 1 year ago

but package maintainers for distributions can of course include the rules in their package.

I am a package maintainer :wink: And I rather not source them from a different repo if it can be prevented as it requires keeping track of multiple versions in a single package.

That's why I'd prefer them in this repo, they'll be part of the same tagged releases as pynitrokey.

robin-nitrokey commented 1 year ago

Yeah, including them in this repository makes sense to me. @szszszsz What do you think?

robin-nitrokey commented 1 year ago

I’ve created https://github.com/Nitrokey/pynitrokey/issues/386 for including the udev rules.