Open lspiehler opened 3 months ago
None of the yubico-piv-tool commands should require root access. What is the error you get when running it on Ubuntu 24.04?
When running as a normal user, the "yubico-piv-tool -astatus" returns the following output
Failed to connect to yubikey. Try removing and reconnecting the device.
I'm seeing these errors in /var/log/syslog
```
2024-08-16T11:51:14.364338+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3770 (user: 1001) is NOT authorized for action: access_pcsc
2024-08-16T11:51:14.364396+00:00 iot-hsm24 pcscd[2729]: 00000097 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
```
I was able to create a polkit rule to allow the user that needs access like this
```
user=myuser
cat << EOF > /usr/share/polkit-1/rules.d/sssd-pcsc.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "$user") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "$user") {
        return polkit.Result.YES;
    }
});
EOF
systemctl restart polkit
```
I am now able to run the yubico-piv-tool commands as the user specified in the rule. I'm curious about your thoughts on this as a solution/workaround. Thanks!
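Added example, not part of any comment in this thread: a small triage helper that summarizes pcscd authorization denials by uid and polkit action, so a rule like the one above can be scoped to exactly the users and actions being rejected. It assumes the short action name in the log maps to the polkit action id by prefixing `org.debian.pcsc-lite.`, as the log and rule quoted above suggest; the function names and the last two sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: summarize pcscd polkit denials from syslog-style input.
# Assumption: the action name logged by pcscd (e.g. access_pcsc) becomes the
# polkit action id when prefixed with "org.debian.pcsc-lite.".

# Reads log lines on stdin and prints one line per distinct (uid, action)
# pair in the form "<count> uid=<uid> action=<polkit action id>".
pcscd_denials() {
  sed -nE 's/.*pcscd\[[0-9]+\]:.*IsClientAuthorized\(\) Process [0-9]+ \(user: ([0-9]+)\) is NOT authorized for action: ([A-Za-z_]+).*/uid=\1 action=org.debian.pcsc-lite.\2/p' |
    sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Sample input: the first two lines are the ones quoted in the thread,
# the last two are constructed for this example.
sample_log() {
  cat <<'EOF'
2024-08-16T11:51:14.364338+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3770 (user: 1001) is NOT authorized for action: access_pcsc
2024-08-16T11:51:14.364396+00:00 iot-hsm24 pcscd[2729]: 00000097 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
2024-08-16T11:52:01.000000+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3801 (user: 1001) is NOT authorized for action: access_pcsc
2024-08-16T11:53:10.000000+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3850 (user: 1002) is NOT authorized for action: access_card
EOF
}

# On a real host, feed the function from the log instead of the sample:
#   pcscd_denials < /var/log/syslog
sample_log | pcscd_denials
```

polkit's `subject.user` is a user name, so resolve each reported uid (for example with `getent passwd 1001`) before writing it into a rule.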
@lspiehler With Gentoo, I had to start the pcscd service to do operations as a user. Could you check if pcscd service is started?
The command "yubico-piv-tool -astatus" runs successfully as a non-root user on Ubuntu 20.04. On Ubuntu 24.04, I can only get it to work as root. What permissions are required for a non-root user to run yubico-piv-tool on Ubuntu 24.04?