Open zeratax opened 7 years ago
I can see this is an old issue, but none of the udev rules are working for me either. I'm also running Arch Linux, and I have a yubikey 4 with firmware version 4.3.7
I tried this test udev rule, just to make sure it's triggering correctly.
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", MODE="0666", GROUP="scard", RUN+="/usr/bin/touch /home/BlurryFlurry/testubikey"
And it does. It creates the test file in my home directory, but it doesn't seem like the MODE=0666 part is working (or I'm not really sure what is really going on)
~ gpg --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon
Is there a daemon running that could use PIV applet on the Yubikey? Is there anything in the scdaemon.log?
Because GnuPG foolishly insists on opening the token in Exclusive mode, rather than in Shared.
ok I couldn't find a scdaemon.log file so I added these lines to /home/blurryflurry/.gnupg/scdaemon.conf
log-file /home/blurryflurry/scdaemon.log
debug-level guru
also into gpg-agent.conf
log-file /home/blurryflurry/gpg-agent.log
then again after running these commands:
gpg-connect-agent RELOADAGENT /bye
gpg --card-status
still gives the same error and it created only the gpg-agent.log file, but no scdaemon.log
and the gpg-agent.log file has this:
SIGHUP received - re-reading configuration and flushing cache
can't connect to the SCdaemon: End of file
Found something!
Every time I execute the command gpg --card-status
journalctl -xa logs this error:
Sep 01 16:42:16 my-pc gpg-agent[11122]: scdaemon[22027]: pcsc_list_readers failed:
unknown PC/SC error code (0x8010002e)
I finally found the solution.
I commented out these lines from .gnupg/scdaemon.conf
#csc-driver /usr/lib/libpcsclite.so
#disable-ccid
and executed
gpgconf --kill gpg-agent
gpg-connect-agent RELOADAGENT /bye
Hope this helps someone.
I did not realize you had "disable_ccid" there. With that line uncommented, AFAIK you shouldn't be able to use either OpenPGP or PIV with any token, including Yubikey.
Glad you found a solution.
You might want to try with csc_driver uncommented and report the results here.
I'm on Debian. The ykman Python tool worked by going through the smartcard daemon pcscd. But the yubikey-personalization-gui failed with "unknown error". Digging in a bit, the error is actually permission denied trying to access (what I think is) the ccid usb device in /dev/bus/usb.
I looked into how systemd is managing granting access to hardware to the logged in user and came up with this udev rule, which I added as:
/etc/udev/rules.d/70-yubikey-ccid.rules
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess"
Which worked for me.
A correct udev rule for the yubikey parts should be installed by libykpers-1-1 on Debian (as /lib/udev/rules.d/69-yubikey.rules). For smartcard parts there might be additional udev rules installed by other software (gnupg/scdaemon for instance).
Looks like someone else found this bug and a fix is pending https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924787
I've read about lots of udev rules to access the yubikey without root, but none of them worked for me and it also feels very insecure to have 4 of them currently. I'm running on Arch Linux, I have the yubikey neo with firmware version 3.4.9
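
Added example, not part of the thread and not code from any project mentioned in it: a small Python audit of udev rule text that contrasts the MODE="0666" test rule with the TAG+="uaccess" rule quoted above, reporting what each assignment grants. The function names, the WARN/INFO/OK levels and the last two sample lines are constructed for illustration.

```python
import re

# One udev KEY{attr} op "value" pair; longer operators are listed before "=".
PAIR = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Constructed sample input: the two rules quoted in the thread plus two
# made-up lines (a group-only rule and a rule for an unrelated vendor).
SAMPLE_RULES = """\
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", MODE="0666", GROUP="scard", RUN+="/usr/bin/touch /home/BlurryFlurry/testubikey"
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", MODE="0660", GROUP="scard"
SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", MODE="0666"
"""

def audit_rule(line, vendor="1050"):
    """Return [(level, note), ...] for a rule matching `vendor`, else None."""
    if line.lstrip().startswith("#"):
        return None
    pairs = PAIR.findall(line)
    if not any(k in ("ATTR{idVendor}", "ATTRS{idVendor}") and op == "=="
               and vendor in v.split("|") for k, op, v in pairs):
        return None
    findings = []
    for key, op, value in pairs:
        if op in ("==", "!="):
            continue  # match condition, not an assignment
        if key == "MODE" and int(value, 8) & 0o007:
            findings.append(("WARN", f"MODE={value} opens the device node to every local user"))
        elif key == "MODE":
            findings.append(("OK", f"MODE={value} grants nothing to 'other'"))
        elif key == "GROUP":
            findings.append(("INFO", f"members of group '{value}' get access"))
        elif key.startswith("RUN"):
            findings.append(("WARN", f"udev runs this as root on each match: {value}"))
        elif key == "TAG" and value == "uaccess":
            findings.append(("OK", "uaccess: ACL only for the user logged in at the seat"))
    return findings

def audit(text, vendor="1050"):
    """Audit every rule line in `text`; returns {line_number: findings}."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_rule(line, vendor)
        if findings is not None:
            report[number] = findings
    return report

if __name__ == "__main__":
    for number, findings in audit(SAMPLE_RULES).items():
        for level, note in findings:
            print(f"line {number}: [{level}] {note}")
```

To check installed rules instead of the sample, pass the contents of a file such as /etc/udev/rules.d/70-yubikey-ccid.rules to audit().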