Yubico / yubikey-personalization-gui

YubiKey Personalization GUI
https://developers.yubico.com/yubikey-personalization-gui
BSD 2-Clause "Simplified" License

Can't use without root - Unknown error occured #72

Open zeratax opened 7 years ago

zeratax commented 7 years ago

I've read about lots of udev rules to access the YubiKey without root, but none of them worked for me, and it also feels very insecure to have 4 of them currently. I'm running on Arch Linux; I have the YubiKey NEO with firmware version 3.4.9.

BlurryFlurry commented 6 years ago

I can see this is an old issue, but none of the udev rules are working for me either. I'm also running Arch Linux, and I have a YubiKey 4 with firmware version 4.3.7.

I tried this test udev rule, just to make sure it is triggering correctly:

SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", MODE="0666", GROUP="scard", RUN+="/usr/bin/touch /home/BlurryFlurry/testubikey"

And it does. It creates the test file in my home directory, but it doesn't seem like the MODE=0666 part is working (or I'm not really sure what is really going on):

~ gpg --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon

mouse07410 commented 6 years ago

Is there a daemon running that could be using the PIV applet on the YubiKey? Is there anything in scdaemon.log?

Because GnuPG foolishly insists on opening the token in Exclusive mode, rather than in Shared.

BlurryFlurry commented 6 years ago

OK, I couldn't find a scdaemon.log file, so I added these lines to /home/blurryflurry/.gnupg/scdaemon.conf:

log-file /home/blurryflurry/scdaemon.log
debug-level guru

and also this into gpg-agent.conf:

log-file /home/blurryflurry/gpg-agent.log

Then, after running these commands again:

gpg-connect-agent RELOADAGENT /bye
gpg --card-status

it still gives the same error, and it created only the gpg-agent.log file, but no scdaemon.log.

And the gpg-agent.log file has this:

SIGHUP received - re-reading configuration and flushing cache
can't connect to the SCdaemon: End of file

BlurryFlurry commented 6 years ago

Found something! Every time I execute the command gpg --card-status, journalctl -xa logs this error:

Sep 01 16:42:16 my-pc gpg-agent[11122]: scdaemon[22027]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)

BlurryFlurry commented 6 years ago

I finally found the solution. I commented out these lines in .gnupg/scdaemon.conf:

#csc-driver /usr/lib/libpcsclite.so
#disable-ccid

and executed:

gpgconf --kill gpg-agent
gpg-connect-agent RELOADAGENT /bye

Hope this helps anyone.

mouse07410 commented 6 years ago

I did not realize you had "disable_ccid" there. With that line uncommented, AFAIK you shouldn't be able to use either OpenPGP or PIV with any token, including a YubiKey.

Glad you found a solution.

You might want to try with csc_driver uncommented and report the results here.

detrout commented 5 years ago

I'm on Debian. The ykman Python tool worked by going through the smartcard daemon pcscd, but the yubikey-personalization-gui failed with "unknown error". Digging in a bit, the error is actually permission denied when trying to access (what I think is) the CCID USB device in /dev/bus/usb.

I looked into how systemd manages granting hardware access to the logged-in user and came up with this udev rule, which I added as:

/etc/udev/rules.d/70-yubikey-ccid.rules

# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess"

Which worked for me.
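To compare the two kinds of rules quoted in this thread (the earlier MODE="0666"/GROUP rule and the TAG+="uaccess" rule above), here is a small checker, added as an example and not part of the repository: it parses udev rule lines, tests whether a rule selects a given idVendor/idProduct pair (including the `|` alternatives syntax), and classifies whether the rule grants access world-wide, to a group, or only to the seated user via uaccess. The sample rules are constructed from the ones in this thread, with the RUN+= part dropped.

```python
"""Constructed example: check which udev rules match a YubiKey and how they grant access."""
import re

# One key/op/value token: SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", TAG+="uaccess", MODE="0666"
_TOKEN = re.compile(r'(\w+)(?:\{(\w+)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')

# Constructed from the two rules quoted in this thread (RUN+= omitted).
SAMPLE_RULES = """\
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", MODE="0666", GROUP="scard"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0407|0410", TAG+="uaccess"
"""


def parse_rule(line):
    """Map 'KEY' or 'KEY{attr}' -> (operator, value) for one udev rule line."""
    rule = {}
    for key, attr, op, value in _TOKEN.findall(line):
        rule[f"{key}{{{attr}}}" if attr else key] = (op, value)
    return rule


def rule_matches(rule, vendor, product):
    """True if ATTRS{idVendor}/ATTRS{idProduct} select this device ('|' = alternatives)."""
    for name, want in (("ATTRS{idVendor}", vendor), ("ATTRS{idProduct}", product)):
        op, value = rule.get(name, ("==", ""))
        if op != "==" or want not in value.split("|"):
            return False
    return True


def access_model(rule):
    """Classify the access grant: world-writable node, uaccess ACL, group, or unknown."""
    mode = rule.get("MODE", (None, ""))[1]
    if mode and int(mode, 8) & 0o002:      # others have write permission (e.g. 0666)
        return "world-writable"
    if rule.get("TAG") == ("+=", "uaccess"):  # ACL for the active seat user only
        return "uaccess"
    if "GROUP" in rule:
        return "group"
    return "unknown"


def check_rules(text, vendor="1050", product="0407"):
    """Return (matches_device, access_model) for every non-comment rule line."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            results.append((rule_matches(rule, vendor, product), access_model(rule)))
    return results
```

Run `check_rules(open("/etc/udev/rules.d/70-yubikey-ccid.rules").read(), product="0407")` against your own rules file to see which rules actually apply to your key and whether any of them leave the device node world-writable.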

klali commented 5 years ago

A correct udev rule for the YubiKey parts should be installed by libykpers-1-1 on Debian (as /lib/udev/rules.d/69-yubikey.rules); for the smartcard parts there might be additional udev rules installed by other software (gnupg/scdaemon, for instance).

detrout commented 5 years ago

Looks like someone else found this bug and a fix is pending: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924787