Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

ykman requires sudo #630

Open KyleMercer opened 4 weeks ago

KyleMercer commented 4 weeks ago

When trying to use ykman info, ykman piv or other ykman functions the following error message appears:

WARNING: PC/SC not available. Smart card (CCID) protocols will not function. ERROR: No YubiKey detected!

pcscd service is installed and running on Ubuntu.

The error appears only when the user executes ykman. When sudo ykman is used by the same user, the application behaves normally with no error.

This issue only occurs with Ubuntu 24 and does not occur on Ubuntu 22. Unfortunately, the hardware I am using only runs on 24.04 (Raspberry Pi 5). When the exact same configuration is used on older hardware (Raspberry Pi 3) running Ubuntu 22, ykman will execute without sudo.

It should be noted that the same behavior is seen with ykman and Ubuntu 24.04 on an Intel-based system as well.

When I consult https://developers.yubico.com/yubikey-manager/Device_Permissions.html or https://github.com/Yubico/yubikey-manager/blob/main/doc/Device_Permissions.adoc the following statement is made:

For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work.

Smart card access is required for the piv, oath, openpgp, and hsmauth commands, as well as for any command issued over NFC.

KyleMercer commented 3 weeks ago

Upgraded to ykman v5.5.1 with no change in behavior.

dainnilsson commented 3 weeks ago

Can you try running something else that uses pcscd, such as for example pcsc_scan (https://pcsc-tools.apdu.fr/)? It sounds like your user doesn't have permission to access smart cards.

KyleMercer commented 3 weeks ago

@dainnilsson Thanks for getting back to me. I figured the same thing, a permissions-related issue, as it goes away when sudo is used. The problem is that I haven't been able to find where I need to adjust the permissions to make this work. I am trying to implement the Smallstep certificate authority solution using the YubiKey to store the keys. (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey)

I have tried adding a rules file for udev and that did not resolve the issue.

As you suggested I tried pcsc_scan and it did not work ("Access Denied" message) until I ran with sudo.

There is nothing special about this Ubuntu installation, and I have confirmed the results are the same regardless of whether I use the Raspberry Pi OS Installer on my RPi 5 or the Canonical installer on an Intel-based PC. It appears the default user permissions for access to PC/SC are different in 24.04 LTS than in 22.10, as the original article was built on an RPi 4 using Ubuntu 22.10.

Going back to the statement found on the Yubico documentation website ("For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It's usually enough to have pcscd installed and running for this to work."), this does not appear to be the case for Ubuntu 24.04.01 LTS, as it seems an adjustment to user permissions is required. Unfortunately I am not sure where the adjustment needs to be made and have spent weeks trying to figure out where the problem lies.

diegoara96 commented 2 weeks ago

I have the same problem; just today I upgraded to Ubuntu 24.04 and it has stopped working without root permissions.

WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection

dainnilsson commented 2 weeks ago

See #624 for another issue that looks like it might be the same cause. There are some things in there you can check with your pcscd daemon.

KyleMercer commented 2 weeks ago

After a couple more hours of banging my head against the wall, I think I have found a solution.

The first thing I discovered is that any rules added to /etc/udev/rules.d DO NOT seem to be considered with respect to polkit. After restarting the polkit service, the only directories mentioned in journalctl are /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.

If I modify /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy so that the <allow_any>no</allow_any> statements are yes, then reboot the device, I am able to run ykman as my standard user. This is not an ideal situation as it defeats the purpose of securing pcscd.

Instead, I created a group called yubico and added my user to it. This allows me to configure who I will grant access to pcscd in the future. I then created a new rule file in /etc/polkit-1/rules.d named 67-yubikey.rules with the following:

```javascript
// Grant members of the "yubico" group access to the smart card itself.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
            subject.isInGroup("yubico")) {
        return polkit.Result.YES;
    }
});
// Grant the same group access to the pcscd daemon (needed to list readers).
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.isInGroup("yubico")) {
        return polkit.Result.YES;
    }
});
```

Once I rebooted, the user could run ykman without any error.

Note that both the group name and the rule file name were arbitrary for the purposes of finding a workable solution.
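An added example, not code from the thread or from the yubikey-manager project: a small offline harness that mimics how polkitd walks rules.d scripts, so a group-restricted rule like the one above can be checked before it is installed. The `polkit` object, `makeSubject` and `accessFor` are stand-ins written for this example; only the two `org.debian.pcsc-lite.*` action ids and the `yubico` group name come from the thread.

```javascript
// Stand-in for the polkitd JavaScript API (assumption: mirrors the real
// behaviour closely enough for logic checks, but it is NOT polkitd itself).
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // polkitd calls rules in registration order; the first rule that returns
  // something other than null/undefined decides. If none does, the defaults
  // in the action's .policy file (e.g. org.debian.pcsc-lite.policy) apply.
  evaluate(action, subject) {
    for (const fn of this._rules) {
      const r = fn(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return polkit.Result.NOT_HANDLED;
  },
};

// Minimal subject stand-in exposing the isInGroup() check the rule relies on.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// The two pcsc-lite actions granted in 67-yubikey.rules, expressed as a
// single rule so both are covered by one group check.
const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_card",
  "org.debian.pcsc-lite.access_pcsc",
];
polkit.addRule(function (action, subject) {
  if (PCSC_ACTIONS.includes(action.id) && subject.isInGroup("yubico")) {
    return polkit.Result.YES;
  }
  // Anything else falls through to the policy defaults (least privilege).
});

// Evaluate the pcsc-lite actions plus one unrelated placeholder action for a
// user, so over-granting (a rule that says YES to everything) is visible.
const UNRELATED_ACTION = "org.example.unrelated"; // placeholder id
function accessFor(user, groups) {
  const subject = makeSubject(user, groups);
  const out = {};
  for (const id of [...PCSC_ACTIONS, UNRELATED_ACTION]) {
    out[id] = polkit.evaluate({ id }, subject);
  }
  return out;
}
```

A member of `yubico` gets `"yes"` for both pcsc-lite actions and `null` (not handled) for the unrelated action; a user outside the group gets `null` for all three, leaving the `.policy` defaults in force.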

diegoara96 commented 1 week ago

I can confirm that with the changes suggested by @KyleMercer the device is working again.