Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

Rejected unauthorized PC/SC client // PC/SC doesn't let me access my yubikey #624

Closed svpi11 closed 2 months ago

svpi11 commented 2 months ago

- YubiKey Manager (ykman) version: 5.5.1

- How was it installed?: Both via apt (ykman, scdaemon, pcscd, and all the packages advised), and then, when the problem appeared, also tried via pip install (as recommended in the doc). Same problem.

- Operating system and version: Everything was working fine for years. Yesterday I updated my server from Ubuntu Server 22.04 LTS to 24.04 LTS, and I cannot access the YubiKey anymore.

- YubiKey model and version:

  Device type: YubiKey 5 Nano
  Serial number: myserial
  Firmware version: 5.4.3
  Form factor: Nano (USB-A)
  Enabled USB interfaces: OTP, FIDO, CCID

- Bug description summary: Since the upgrade, the PC/SC daemon apparently doesn't authorize me to access the YubiKey anymore.

Steps to reproduce

Upgrade to 24.04, applying as few changes as possible during the upgrade (N option). Now, with the same YubiKey and server, I cannot connect anymore.

Expected result: connect to my YubiKey data through 24.04 LTS.

Actual results and logs

Here is the result of ykman info:

WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
Device type: YubiKey 5 Nano
Serial number: myserial
Firmware version: 5.4.3
Form factor: Nano (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
Yubico OTP      Enabled
FIDO U2F        Enabled
FIDO2           Enabled
OATH            Enabled
PIV             Enabled
OpenPGP         Enabled
YubiHSM Auth    Enabled

Here is gpg --card-status:

ubuntu@serveur:~$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

So apparently the problem comes from PC/SC and permissions. I tried to add the rules specifications as in the doc (exactly the same 2 files). Updated the rules, still the same result. Here are the logs of the PC/SC daemon:

ubuntu@serveur:~$ sudo systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: enabled)
     Active: active (running) since Wed 2024-07-24 20:03:40 CEST; 1min 37s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 6595 (pcscd)
      Tasks: 8 (limit: 9385)
     Memory: 1.7M (peak: 2.6M)
        CPU: 85ms
     CGroup: /system.slice/pcscd.service
             └─6595 /usr/sbin/pcscd --foreground --auto-exit

Jul 24 20:03:41 serveur pcscd[6595]: 00131311 auth.c:143:IsClientAuthorized() Process 6451 (user: 1000) is NOT authorized for action: access_pcsc
Jul 24 20:03:41 serveur pcscd[6595]: 00000121 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Jul 24 20:04:39 serveur pcscd[6595]: 58269185 auth.c:143:IsClientAuthorized() Process 7809 (user: 1000) is NOT authorized for action: access_pcsc
Jul 24 20:04:39 serveur pcscd[6595]: 00000140 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Jul 24 20:04:39 serveur pcscd[6595]: 00116773 auth.c:143:IsClientAuthorized() Process 7809 (user: 1000) is NOT authorized for action: access_pcsc
Jul 24 20:04:39 serveur pcscd[6595]: 00000178 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client

svpi11 commented 2 months ago

Little update: I just did a little apt update/upgrade this morning (some linux-headers) and, to my surprise, it has worked fine since then... Didn't change anything else, haha... I'm closing the issue, but I don't know exactly yet what the problem was...

derekchoate commented 3 weeks ago

Seems access is controlled via polkit now...

https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/assembly_controlling-access-to-smart-cards-using-polkit_security-hardening#assembly_controlling-access-to-smart-cards-using-polkit_security-hardening

So, I created a group called "ykusers" and assigned appropriate users, then finally created a rule to grant access to users in that group

/usr/share/polkit-1/rules.d/ykman-users.rules

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("ykusers")) {
        return polkit.Result.YES;
    }
});
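The rule above returns polkit.Result.YES for whatever action polkitd is asked about, so a member of ykusers is also authorized for every other polkit action on the host (for example org.freedesktop.systemd1.manage-units), not only for PC/SC. The block below is an added example, not code from the issue or from yubikey-manager: it puts the posted rule next to one scoped to the two action IDs that pcsc-lite registers (org.debian.pcsc-lite.access_pcsc, the one refused in the pcscd log above, and org.debian.pcsc-lite.access_card) and evaluates both with a small stand-in for polkitd's rule engine. The `polkit` object, `makeSubject()`, `decide()`, the user name "ubuntu" and the group lists are all part of that stand-in and are constructed for the example; a real .rules file contains only the polkit.addRule(...) call, and polkitd supplies the `polkit` object itself.

```javascript
// Added example (not from the issue or from yubikey-manager): the posted
// polkit rule beside a version scoped to pcsc-lite's actions, evaluated by
// a small stand-in for polkitd's rule engine so both can be compared offline.
// A real .rules file contains only the polkit.addRule(...) call.

// Action IDs that pcscd asks polkit about (from pcsc-lite's
// org.debian.pcsc-lite.policy). The journal lines in the issue show the
// first one being refused for uid 1000.
const ACCESS_PCSC = "org.debian.pcsc-lite.access_pcsc";
const ACCESS_CARD = "org.debian.pcsc-lite.access_card";
// An unrelated, privileged action, used to show what the broad rule leaks.
const MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";

// Stand-in for polkitd (constructed for this example): rules run in
// registration order and the first one returning something other than
// undefined decides the request.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined; // no rule matched: the .policy file defaults apply
  },
};

// Constructed Subject exposing the one method both rules use; real Subject
// objects also carry user, uid, pid, seat and so on.
function makeSubject(user, groups) {
  return { user, isInGroup(g) { return groups.includes(g); } };
}

// Rule A, as posted in the issue: YES for every action, for anyone in ykusers.
function broadRule(action, subject) {
  if (subject.isInGroup("ykusers")) {
    return polkit.Result.YES;
  }
}

// Rule B (added here): YES only for the two pcsc-lite actions. Any other
// action ID returns undefined, leaving it to later rules and the defaults.
function scopedRule(action, subject) {
  if ((action.id === ACCESS_PCSC || action.id === ACCESS_CARD) &&
      subject.isInGroup("ykusers")) {
    return polkit.Result.YES;
  }
}

// Evaluate a single rule against an action ID for a user in `groups`.
// Returns "yes" when the rule grants access, undefined when it abstains.
function decide(rule, actionId, groups) {
  polkit._rules = [];
  polkit.addRule(rule);
  return polkit.evaluate({ id: actionId }, makeSubject("ubuntu", groups));
}

// Printed comparison when run directly with node.
const cases = [
  [ACCESS_PCSC, ["ykusers"]],
  [ACCESS_PCSC, ["users"]],
  [MANAGE_UNITS, ["ykusers"]],
];
for (const [id, groups] of cases) {
  console.log(
    `${id} for groups [${groups}]: broad=${decide(broadRule, id, groups)} ` +
    `scoped=${decide(scopedRule, id, groups)}`
  );
}
```

To deploy the scoped variant, put only its polkit.addRule(...) call into a rules file; polkitd reads both /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d, and /etc is the conventional place for locally written rules so that package upgrades do not overwrite them. Group membership is assigned at login, so a user added to ykusers needs a fresh session before pcscd (via polkitd) will see the new group; `pkcheck --action-id org.debian.pcsc-lite.access_pcsc --process $$` run from that session is a quick way to confirm the rule matches before retrying ykman info.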