search

keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/
Other
20.75k stars 1.44k forks source link

Certain actions remove Yubikey #10077

Closed christoph-blessing closed 5 months ago

christoph-blessing commented 9 months ago

Overview

I have set up a udev rule to lock my screen when removing the Yubikey. Certain KeepassXC actions (unlock/lock database, refresh keys) lock my screen now.

Steps to Reproduce

  1. Create file with path /etc/udev/rules.d/80-yubikey-action.rules and following content: 
    ACTION=="remove", ENV{ID_VENDOR}=="Yubico", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/usr/bin/loginctl lock-sessions"
  2. Open KeepassXC
  3. Refresh available security keys

Expected Behavior

Session lock does not get triggered.

Actual Behavior

Session lock gets triggered.

Context

Yubikey 5 NFC Firmware version: 5.2.4

KeePassXC - Version 2.7.6 Revision: dd21def

Qt 5.15.11 Debugging mode is disabled.

Operating system: Arch Linux CPU architecture: x86_64 Kernel: linux 6.6.3-arch1-1

Enabled extensions:

Cryptographic libraries:

Operating System: Linux Desktop Env: Bspwm Windowing System: X11

droidmonkey commented 9 months ago

This could be because we access the yubikey using raw usb (required for challenge response). Nothing we can do about that. You'll have to figure out another trigger to use to lock your workstation.

droidmonkey commented 9 months ago

Can you replicate the issue and share the output of: sudo udevadm monitor -u ?

christoph-blessing commented 9 months ago

Hi thanks for the quick response. I replicated the issue by pressing the "Refresh" button which locked my workstation which I then unlocked again using the key. Here is the output of the command you mentioned for that sequence of events:

monitor will print the received events for:
UDEV - the event which udev sends out after rule processing

UDEV  [62077.412015] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::numlock (leds)
UDEV  [62077.412665] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::numlock (leds)
UDEV  [62077.421868] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::capslock (leds)
UDEV  [62077.422709] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::capslock (leds)
UDEV  [62077.442279] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::scrolllock (leds)
UDEV  [62077.443096] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::scrolllock (leds)
UDEV  [62077.443779] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::compose (leds)
UDEV  [62077.479083] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::kana (leds)
UDEV  [62077.479886] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::kana (leds)
UDEV  [62077.506006] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/event17 (input)
UDEV  [62077.546860] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/hidraw/hidraw1 (hidraw)
UDEV  [62077.553195] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25 (input)
UDEV  [62077.553933] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV  [62077.554560] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV  [62077.555302] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV  [62078.735608] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012 (hid)
UDEV  [62078.792167] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26 (input)
UDEV  [62078.794118] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::numlock (leds)
UDEV  [62078.794704] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::scrolllock (leds)
UDEV  [62078.795367] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::capslock (leds)
UDEV  [62078.796320] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::scrolllock (leds)
UDEV  [62078.796421] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::capslock (leds)
UDEV  [62078.796472] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::compose (leds)
UDEV  [62078.797204] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::kana (leds)
UDEV  [62078.797245] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::numlock (leds)
UDEV  [62078.797674] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/hidraw/hidraw1 (hidraw)
UDEV  [62078.799057] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::kana (leds)
UDEV  [62078.842488] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/event17 (input)
UDEV  [62078.843721] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012 (hid)
UDEV  [62078.845102] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
droidmonkey commented 9 months ago

Looks like the hid component of the yubikey is removed. I assume that is when the screen lock happens. 

UDEV  [62077.553933] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV  [62077.554560] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV  [62077.555302] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)

Does the same thing happen when you program the yubikey using ykman?

What does the udev trace look like on a manual unplug?

christoph-blessing commented 9 months ago

I have not encountered this problem when using ykman so far. Let me know if you want me to try any ykman commands.

Here is the log of a manual unplug:

monitor will print the received events for:
UDEV - the event which udev sends out after rule processing

UDEV  [964.888684] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::numlock (leds)
UDEV  [964.889358] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::numlock (leds)
UDEV  [964.898670] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::capslock (leds)
UDEV  [964.899410] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::capslock (leds)
UDEV  [964.921690] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::scrolllock (leds)
UDEV  [964.922463] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::compose (leds)
UDEV  [964.922489] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::scrolllock (leds)
UDEV  [964.955304] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::kana (leds)
UDEV  [964.956946] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::kana (leds)
UDEV  [964.999826] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/event3 (input)
UDEV  [965.017743] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/hidraw/hidraw0 (hidraw)
UDEV  [965.023609] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22 (input)
UDEV  [965.024219] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D (hid)
UDEV  [965.024766] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D (hid)
UDEV  [965.025464] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV  [965.025940] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV  [965.077789] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E/hidraw/hidraw1 (hidraw)
UDEV  [965.077832] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/usbmisc/hiddev0 (usbmisc)
UDEV  [965.078499] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E (hid)
UDEV  [965.078532] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV  [965.078985] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E (hid)
UDEV  [965.079019] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV  [965.079591] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV  [965.080032] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV  [965.103182] unbind   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV  [965.103733] remove   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV  [967.848889] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV  [967.850116] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV  [967.850390] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV  [967.850516] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV  [967.851437] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010 (hid)
UDEV  [967.851928] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F (hid)
UDEV  [967.852486] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/usbmisc/hiddev0 (usbmisc)
UDEV  [967.854520] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23 (input)
UDEV  [967.856417] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::capslock (leds)
UDEV  [967.856460] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::numlock (leds)
UDEV  [967.856494] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::scrolllock (leds)
UDEV  [967.857605] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010/hidraw/hidraw1 (hidraw)
UDEV  [967.858102] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::capslock (leds)
UDEV  [967.858349] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010 (hid)
UDEV  [967.858384] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::compose (leds)
UDEV  [967.858410] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::kana (leds)
UDEV  [967.858673] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/hidraw/hidraw0 (hidraw)
UDEV  [967.858938] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::numlock (leds)
UDEV  [967.858971] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::scrolllock (leds)
UDEV  [967.859221] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV  [967.859437] change   /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::kana (leds)
UDEV  [967.918537] add      /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/event3 (input)
UDEV  [967.920515] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F (hid)
UDEV  [967.921839] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV  [967.935368] bind     /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
droidmonkey commented 9 months ago

The only actions we do on all access attempts with the yubikey is to "open" the interface to it with libusb, send commands and receive data, then "close" the interface. That should not trigger a remove action with udev unless the yubikey itself is sending that signal or udev is misconfigured in some way to interpret libusb closing as a remove operation. Also, we are using the standard yubikey libraries (slightly modified to allow for more keys vid/pid) to access the yubikey.

christoph-blessing commented 9 months ago

Okay thanks for the help. Let me know if you have any ideas for further troubleshooting.

droidmonkey commented 9 months ago

Trying the ykman command to register a challenge response slot would simulate the actions we do to actually do challenge response. Be careful not to overwrite your current slot for KeePassXC!

christoph-blessing commented 9 months ago

ykman otp chalresp --generate 1 does not trigger the screen lock and udevadm does not record any events.

droidmonkey commented 9 months ago

Interesting, will have to try and debug this one.

ozkutuk commented 5 months ago

I have the exact same udev rule and I have also been facing the same issue after updating KeePassXC to 2.7.7.

christoph-blessing commented 5 months ago

Recently I switched from Arch to NixOS and I am encountering the same issue there as well.

droidmonkey commented 5 months ago

I'm fairly sure there is nothing much we can do about this. It appears that yubikey removes an interface during the challenge-response sequence. We are using the yubikey libraries to conduct challenge-response, I'm fairly certain this is happening on the device side and not the software side.

ozkutuk commented 5 months ago

I see. That's unfortunate, though understandable. Thanks for the explanation.

pipelight commented 5 months ago

Found something while conducting @christoph-blessing debuging protcol.

The actual documentation tells to match against those environment variables. 

ACTION=="remove",
ENV{ID_BUS}=="usb",
ENV{ID_MODEL_ID}=="0407",
ENV{ID_VENDOR_ID}=="1050",
ENV{ID_VENDOR}=="Yubico",

But when comparing the outputs of udevadm while unpluging the yubikey and while using keepassxc, both trigger a removal of the device hidraw,hid and input that do match against the upper settings.

udevadm monitor --udev --environment
UDEV  [xxx.xxx] remove /a/path (input)
ACTION=remove
ID_MODEL_ID=0407
ID_VENDOR=Yubico
ID_VENDOR_ID=1050
ID_REVISION=XXX
ID_TYPE=hid

A manual removal of the yubikey, howevers triggers additional events, but with less env which to match against.

UDEV  [xxx.xxx] remove /a/path (usb)
ACTION=remove
SUBSYSTEM=usb
PRODUCT=1050/407/XXX

A fix is to modify the udev rule like below and replace the XXX with what udevadm displays.

ACTION=="remove",\
ENV{SUBSYSTEM}=="usb",\
ENV{PRODUCT}=="1050/407/XXX",\

Thanks a lot for the previous debugging on this issue.

Surely, there is a cleaner workaround, but still this one worked for me. It just remains to be tested by you too.

PS: I don't know meat about udev, but the matching pattern sounds consequently more permissive due to less env and thus may imply security concerns, depending on what runs when a matching but unexpected key is unplug.

pipelight commented 5 months ago

That does sounds more of an issue with the yubikey documentation and its system wide configuration rather than an issue with our favorite password manager.

christoph-blessing commented 5 months ago

It works for me as well, @pipelight. Thanks for getting that daily annoyance figured out for us. :)

droidmonkey commented 5 months ago

Awesome news!