Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

ykman requires sudo #630

Open KyleMercer opened 3 months ago

KyleMercer commented 3 months ago

When trying to use ykman info, ykman piv or other ykman functions, the following error message appears:

```
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: No YubiKey detected!
```

pcscd service is installed and running on Ubuntu.

The error appears only when the user executes ykman. When sudo ykman is used by the same user, the application behaves normally with no error.

This issue only occurs with Ubuntu 24 and does not occur on Ubuntu 22. Unfortunately the hardware I am using only runs on 24.04 (Raspberry Pi 5). When the exact same configuration is used on older hardware (Raspberry Pi 3) running Ubuntu 22, ykman will execute without sudo.

It should be noted that the same behavior is seen with ykman and Ubuntu 24.04 on an Intel based system as well.

When I consult https://developers.yubico.com/yubikey-manager/Device_Permissions.html or https://github.com/Yubico/yubikey-manager/blob/main/doc/Device_Permissions.adoc the following statement is made:

For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work.

Smart card access is required for the piv, oath, openpgp, and hsmauth commands, as well as for any command issued over NFC.

KyleMercer commented 3 months ago

Upgraded to ykman v5.5.1 with no change in behavior.

dainnilsson commented 3 months ago

Can you try running something else that uses pcscd, such as for example pcsc_scan (https://pcsc-tools.apdu.fr/)? It sounds like your user doesn't have permission to access smart cards.

KyleMercer commented 3 months ago

@dainnilsson Thanks for getting back to me. I figured the same thing, a permissions related issue, as it goes away when sudo is used. The problem is that I haven't been able to find where I need to adjust the permissions to make this work. I am trying to implement the Smallstep certificate authority solution using the YubiKey to store the keys. (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey)

I have tried adding a rules file for udev and that did not resolve the issue.

As you suggested I tried pcsc_scan and it did not work ("Access Denied" message) until I ran with sudo.

There is nothing special about this Ubuntu installation and I have confirmed the results are the same regardless of whether I use the Raspberry Pi OS Installer on my RPi 5 or the Canonical installer on an Intel based PC. The default user permissions for access to PC/SC appear to be different in 24.04 LTS than in 22.10, as the original article was built on a RPi 4 using Ubuntu 22.10.

Going back to the statement found on the Yubico documentation website, "For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work.", this does not appear to be the case for Ubuntu 24.04.01 LTS, as it seems an adjustment to user permissions is required. Unfortunately I am not sure where the adjustment needs to be made and have spent weeks trying to figure out where the problem lies.

diegoara96 commented 2 months ago

I have the same problem, just today I upgraded to Ubuntu 24.04 and it has stopped working without root permissions.

```
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
```

dainnilsson commented 2 months ago

See #624 for another issue that looks like it might be the same cause. There are some things in there you can check with your pcscd daemon.

KyleMercer commented 2 months ago

After a couple more hours of banging my head against the wall, I think I have found a solution.

The first thing I have discovered is that any rules added to /etc/udev/rules.d DO NOT seem to be considered with respect to polkit. After restarting the polkit service, the only directories mentioned in journalctl are /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.

If I modify /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy so that the <allow_any>no</allow_any> statements are yes, then reboot the device, I am able to run ykman as my standard user. This is not an ideal situation as it defeats the purpose of securing pcscd.

Instead, I created a group called yubico and added my user to it. This allows me to configure who I will grant access to pcscd in the future. I then created a new rule file in /etc/polkit-1/rules.d named 67-yubikey.rules with the following:

```javascript
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
                subject.isInGroup("yubico")) {
                return polkit.Result.YES;
        }
});
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
                subject.isInGroup("yubico")) {
                return polkit.Result.YES;
        }
});
```

Once I rebooted the user could now run ykman without any error.

Note that both the group name and the rule file name were arbitrary for the purposes of finding a workable solution.
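The comment above contrasts two fixes: flipping `<allow_any>` to `yes` in the pcsc-lite policy file (which opens pcscd to every caller) versus a group-scoped rule in /etc/polkit-1/rules.d. The following audit script is an added example, not part of yubikey-manager or this thread; it parses a polkit `.policy` file and reports pcsc-lite actions whose `<allow_any>` has been weakened, so an administrator can detect the first workaround on a fleet. The sample XML it builds is constructed to mirror the layout of org.debian.pcsc-lite.policy and is not copied from Debian's file.

```python
"""Detect pcsc-lite polkit actions whose <allow_any> was weakened to "yes"."""
import sys
import xml.etree.ElementTree as ET

# Action ids named in the thread's polkit rules.
PCSC_ACTIONS = ("org.debian.pcsc-lite.access_pcsc",
                "org.debian.pcsc-lite.access_card")
DEFAULT_POLICY = "/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy"


def pcsc_defaults(policy_xml: str) -> dict:
    """Map each org.debian.pcsc-lite.* action id to its <defaults> values."""
    root = ET.fromstring(policy_xml)
    result = {}
    for action in root.iter("action"):
        aid = action.get("id", "")
        if not aid.startswith("org.debian.pcsc-lite."):
            continue
        defaults = action.find("defaults")
        children = list(defaults) if defaults is not None else []
        result[aid] = {c.tag: (c.text or "").strip() for c in children}
    return result


def weakened_actions(policy_xml: str) -> list:
    """Return pcsc-lite action ids granted to any caller, sorted.

    In polkit, <allow_any> covers subjects outside a local active or
    inactive session (e.g. SSH logins), so "yes" means everyone; the
    thread's group-based rule in /etc/polkit-1/rules.d avoids that.
    """
    return sorted(aid for aid, d in pcsc_defaults(policy_xml).items()
                  if d.get("allow_any", "no").lower() == "yes")


def sample_policy(allow_any: str) -> str:
    """Constructed policy text with the same structure as the Debian file."""
    actions = "".join(
        f'<action id="{aid}"><description>x</description><message>x</message>'
        f"<defaults><allow_any>{allow_any}</allow_any>"
        "<allow_inactive>no</allow_inactive><allow_active>yes</allow_active>"
        "</defaults></action>" for aid in PCSC_ACTIONS)
    return f"<policyconfig>{actions}</policyconfig>"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_POLICY
    with open(path, encoding="utf-8") as fh:
        print("weakened pcsc-lite actions:", weakened_actions(fh.read()) or "none")
```

Run it with no argument on an Ubuntu host to check the installed policy, or pass a path to a copy collected from another machine.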

diegoara96 commented 2 months ago

I can confirm that with the changes suggested by @KyleMercer the device is working again.

talhaHavadar commented 1 week ago

Even after the changes mentioned by @KyleMercer here, I am getting the error from ssh-keygen, but ykman is working.

```
❯ ssh-keygen -t ed25519-sk -C yubikey -v
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_enroll: failed to find sk
debug1: sshsk_enroll: provider "internal" failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: main: reply len 8
debug1: client_converse: helper returned error -60
Key enrollment failed: device not found
```

When you do it with sudo it works, so we need to tweak a little more, I guess.

talhaHavadar commented 1 week ago

Ok, I did a bit of investigation and found out that these "udev" rules were removed from the libu2f-udev package for the following reason:

```
Package: libu2f-udev
Architecture: all
Multi-Arch: foreign
Section: oldlibs
Depends: ${misc:Depends}, udev (>= 244)
Description: Universal 2nd Factor (U2F) — transitional package
 Libu2f is a package for doing Universal 2nd Factor (U2F) host communication
 and has functionality for the Registration and Authentication operations.
 .
 This package is not necessary anymore, and can be safely removed: since udev
 v244, U2F devices are autodetected without needing 3rd party udev rules.
```

I checked the udev version I have on my Raspberry Pi and it is v255, but it doesn't really autodetect, so I just downloaded these u2f.rules and copied them to the udev rules directory as below:

```shell
wget https://raw.githubusercontent.com/Yubico/libfido2/refs/heads/main/udev/70-u2f.rules
sudo cp 70-u2f.rules /etc/udev/rules.d
sudo reboot
```

I didn't check why udev v255 is not really autodetecting but this is the solution I found.