nick2432
commented
5 months ago can i work on this?
Open rubyFeedback opened 6 months ago
nick2432
commented
5 months ago can i work on this?
dainnilsson
commented
5 months ago @nick2432 what would you have in mind here? This issue can potentially have many different root causes.
trinitronx
commented
3 months ago yubico says access denied though and I have no idea what to do next.
@rubyFeedback: Maybe try looking into what udev rules are applied to the yubikey? You want to search for vendor ID 1050, usually in the default system location. For example:
$ grep -rin 1050 /usr/lib/udev/rules.d/*.rules
/usr/lib/udev/rules.d/69-yubikey.rules:7:ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \So, an ArchLinux-based distro has this system file:
/usr/lib/udev/rules.d/69-yubikey.rules:
ACTION!="add|change", GOTO="yubico_end"
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
This file was placed by the yubikey-personalization package, from the extra repository:
$ pacman -Fx /usr/lib/udev/rules.d/69-yubikey.rules
usr/lib/udev/rules.d/69-yubikey.rules is owned by extra/yubikey-personalization 1.20.0-4Depending on your system, there may or may not be a proper udev rule for the Yubikey device. Basically, what you want is to have one installed so your user is allowed to use the USB device. On modern systems, this is usually accomplished by either:
udev rule includes either ENV{ID_SECURITY_TOKEN}="1" (which another rule uses to set TAG+="uaccess"), or itself sets TAG+="uaccess".plugdev, input, etc...)So, for next steps it's likely that you'll want to check those things.
Sorry if I file this on the wrong repository; I just googled for yubico-authenticator and this project turned up first.
This page shows us how to start pcscd via systemd:
https://support.yubico.com/hc/en-us/articles/360016649039-Installing-Yubico-Software-on-Linux
That kind of works:
So pcscd is running, kind of, I think, as ps ax shows it.
yubico says access denied though and I have no idea what to do next.
Output on the commandline is:
I have two requests:
1) could the above webpage (or an alternative one, that also gets linked into the above), explain what to do in such a case? It is ok to re-redirect towards a FAQ or another page, but just so that it is mentioned and people can find it. I am horrible at finding things these days, so websites containing useful information are VERY much appreciatedion.
2) but, even more importantly, could it be made more clear what we can do now? I have no idea how to work with pcscd, never used it before, but I kind of need it to get yubico-authenticator to work. The GUI it presents starts up fine, so that part works, but it then says "failed to open smartcard connection" or so, and now I am stuck. Perhaps the GUI itself could even offer help how to resolve this; or it could auto-solve it (no idea how the smartcard daemon works).
Of course if this could be auto-solved this would be even better, perhaps the GUI could have an option for that (e. g. to re-start the daemon from within yubico, that would be great). I am fine solving this without the GUI too, but right now I lack the information how to do so. Obviously both pcscd and yubico-authenticator work in principle, so I need to find out where the "access denied" situation is the issue (I am the superuser right now, so I am very much confused how there can be any access denied error. How can that happen? I mean, I am in full control of this desktop machine at home so no idea about that error.)
Anyway, thanks for reading this.