Closed christoph-blessing closed 5 months ago
This could be because we access the yubikey using raw usb (required for challenge response). Nothing we can do about that. You'll have to figure out another trigger to use to lock your workstation.
Can you replicate the issue and share the output of sudo udevadm monitor -u?
Hi thanks for the quick response. I replicated the issue by pressing the "Refresh" button which locked my workstation which I then unlocked again using the key. Here is the output of the command you mentioned for that sequence of events:
monitor will print the received events for:
UDEV - the event which udev sends out after rule processing
UDEV [62077.412015] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::numlock (leds)
UDEV [62077.412665] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::numlock (leds)
UDEV [62077.421868] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::capslock (leds)
UDEV [62077.422709] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::capslock (leds)
UDEV [62077.442279] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::scrolllock (leds)
UDEV [62077.443096] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::scrolllock (leds)
UDEV [62077.443779] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::compose (leds)
UDEV [62077.479083] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::kana (leds)
UDEV [62077.479886] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/input25::kana (leds)
UDEV [62077.506006] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25/event17 (input)
UDEV [62077.546860] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/hidraw/hidraw1 (hidraw)
UDEV [62077.553195] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011/input/input25 (input)
UDEV [62077.553933] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV [62077.554560] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV [62077.555302] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV [62078.735608] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012 (hid)
UDEV [62078.792167] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26 (input)
UDEV [62078.794118] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::numlock (leds)
UDEV [62078.794704] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::scrolllock (leds)
UDEV [62078.795367] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::capslock (leds)
UDEV [62078.796320] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::scrolllock (leds)
UDEV [62078.796421] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::capslock (leds)
UDEV [62078.796472] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::compose (leds)
UDEV [62078.797204] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::kana (leds)
UDEV [62078.797245] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::numlock (leds)
UDEV [62078.797674] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/hidraw/hidraw1 (hidraw)
UDEV [62078.799057] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/input26::kana (leds)
UDEV [62078.842488] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012/input/input26/event17 (input)
UDEV [62078.843721] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0012 (hid)
UDEV [62078.845102] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
Looks like the hid component of the yubikey is removed. I assume that is when the screen lock happens.
UDEV [62077.553933] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV [62077.554560] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.0011 (hid)
UDEV [62077.555302] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
Does the same thing happen when you program the yubikey using ykman?
What does the udev trace look like on a manual unplug?
I have not encountered this problem when using ykman so far. Let me know if you want me to try any ykman commands.
Here is the log of a manual unplug:
monitor will print the received events for:
UDEV - the event which udev sends out after rule processing
UDEV [964.888684] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::numlock (leds)
UDEV [964.889358] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::numlock (leds)
UDEV [964.898670] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::capslock (leds)
UDEV [964.899410] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::capslock (leds)
UDEV [964.921690] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::scrolllock (leds)
UDEV [964.922463] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::compose (leds)
UDEV [964.922489] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::scrolllock (leds)
UDEV [964.955304] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::kana (leds)
UDEV [964.956946] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/input22::kana (leds)
UDEV [964.999826] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22/event3 (input)
UDEV [965.017743] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/hidraw/hidraw0 (hidraw)
UDEV [965.023609] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D/input/input22 (input)
UDEV [965.024219] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D (hid)
UDEV [965.024766] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000D (hid)
UDEV [965.025464] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV [965.025940] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV [965.077789] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E/hidraw/hidraw1 (hidraw)
UDEV [965.077832] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/usbmisc/hiddev0 (usbmisc)
UDEV [965.078499] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E (hid)
UDEV [965.078532] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV [965.078985] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.000E (hid)
UDEV [965.079019] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV [965.079591] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV [965.080032] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV [965.103182] unbind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV [965.103733] remove /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV [967.848889] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
UDEV [967.850116] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.2 (usb)
UDEV [967.850390] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV [967.850516] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV [967.851437] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010 (hid)
UDEV [967.851928] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F (hid)
UDEV [967.852486] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/usbmisc/hiddev0 (usbmisc)
UDEV [967.854520] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23 (input)
UDEV [967.856417] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::capslock (leds)
UDEV [967.856460] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::numlock (leds)
UDEV [967.856494] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::scrolllock (leds)
UDEV [967.857605] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010/hidraw/hidraw1 (hidraw)
UDEV [967.858102] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::capslock (leds)
UDEV [967.858349] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1/0003:1050:0407.0010 (hid)
UDEV [967.858384] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::compose (leds)
UDEV [967.858410] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::kana (leds)
UDEV [967.858673] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/hidraw/hidraw0 (hidraw)
UDEV [967.858938] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::numlock (leds)
UDEV [967.858971] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::scrolllock (leds)
UDEV [967.859221] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.1 (usb)
UDEV [967.859437] change /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/input23::kana (leds)
UDEV [967.918537] add /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F/input/input23/event3 (input)
UDEV [967.920515] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0/0003:1050:0407.000F (hid)
UDEV [967.921839] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4/1-4:1.0 (usb)
UDEV [967.935368] bind /devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.1/usb1/1-4 (usb)
The only actions we do on all access attempts with the yubikey are to "open" the interface to it with libusb, send commands and receive data, then "close" the interface. That should not trigger a remove action with udev unless the yubikey itself is sending that signal or udev is misconfigured in some way to interpret libusb closing as a remove operation. Also, we are using the standard yubikey libraries (slightly modified to allow for more key vid/pids) to access the yubikey.
Okay thanks for the help. Let me know if you have any ideas for further troubleshooting.
Trying the ykman command to register a challenge response slot would simulate the actions we do to actually do challenge response. Be careful not to overwrite your current slot for KeePassXC!
ykman otp chalresp --generate 1 does not trigger the screen lock and udevadm does not record any events.
Interesting, will have to try and debug this one.
I have the exact same udev rule and I have also been facing the same issue after updating KeePassXC to 2.7.7.
Recently I switched from Arch to NixOS and I am encountering the same issue there as well.
I'm fairly sure there is nothing much we can do about this. It appears that yubikey removes an interface during the challenge-response sequence. We are using the yubikey libraries to conduct challenge-response, I'm fairly certain this is happening on the device side and not the software side.
I see. That's unfortunate, though understandable. Thanks for the explanation.
Found something while conducting @christoph-blessing's debugging protocol.
The actual documentation says to match against these environment variables.
ACTION=="remove",
ENV{ID_BUS}=="usb",
ENV{ID_MODEL_ID}=="0407",
ENV{ID_VENDOR_ID}=="1050",
ENV{ID_VENDOR}=="Yubico",
But when comparing the outputs of udevadm while unplugging the yubikey and while using keepassxc, both trigger a removal of the device hidraw, hid and input that do match against the settings above.
udevadm monitor --udev --environment
UDEV [xxx.xxx] remove /a/path (input)
ACTION=remove
ID_MODEL_ID=0407
ID_VENDOR=Yubico
ID_VENDOR_ID=1050
ID_REVISION=XXX
ID_TYPE=hid
A manual removal of the yubikey, however, triggers additional events, but with fewer env variables to match against.
UDEV [xxx.xxx] remove /a/path (usb)
ACTION=remove
SUBSYSTEM=usb
PRODUCT=1050/407/XXX
A fix is to modify the udev rule as below and replace the XXX with what udevadm displays.
ACTION=="remove",\
ENV{SUBSYSTEM}=="usb",\
ENV{PRODUCT}=="1050/407/XXX",\
Thanks a lot for the previous debugging on this issue.
Surely, there is a cleaner workaround, but still this one worked for me. It just remains to be tested by you too.
PS: I don't know much about udev, but the matching pattern sounds consequently more permissive due to fewer env variables and thus may imply security concerns, depending on what runs when a matching but unexpected key is unplugged.
That does sound more like an issue with the yubikey documentation and its system-wide configuration rather than an issue with our favorite password manager.
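The two rule variants from this thread, the documented ENV{ID_*} match and the SUBSYSTEM/PRODUCT match above, replayed against event sequences shaped like the two udevadm traces in this thread. This is an added example, not KeePassXC's or udev's code; the event text is constructed after the udevadm excerpts (paths shortened, XXX kept as the placeholder), and the DEVTYPE values and the usb_device refinement are assumptions, not something the thread shows.

```python
# Replays udev monitor output against the rule variants from this thread.
# Added example, not KeePassXC or udev code. Events are constructed after the
# `udevadm monitor --udev --environment` excerpts above (paths shortened,
# XXX kept as the thread's placeholder); DEVTYPE values are an assumption.
import re

HEADER = re.compile(r"^UDEV \[[\d.]+\] (\w+) (\S+) \((\w+)\)$")

def ev(action, path, subsystem, **env):
    """Render one event block in the format udevadm monitor prints."""
    lines = [f"UDEV [0.0] {action} /devices/.../usb1/{path} ({subsystem})",
             f"ACTION={action}", f"SUBSYSTEM={subsystem}"]
    return "\n".join(lines + [f"{k}={v}" for k, v in env.items()]) + "\n\n"

# Properties seen on the hid/input removal vs. on the usb-level removals.
HID = dict(ID_BUS="usb", ID_MODEL_ID="0407", ID_VENDOR="Yubico",
           ID_VENDOR_ID="1050", ID_TYPE="hid")
IFACE = dict(PRODUCT="1050/407/XXX", DEVTYPE="usb_interface")
DEV = dict(PRODUCT="1050/407/XXX", DEVTYPE="usb_device")

# KeePassXC challenge-response: HID side of 1-4:1.0 goes, no "remove (usb)".
KEEPASSXC_CHALRESP = (ev("remove", "1-4/1-4:1.0/0003:1050:0407.0011/input/input25", "input", **HID)
                      + ev("unbind", "1-4/1-4:1.0", "usb", **IFACE))
# Physical unplug: same HID removal, then every interface and the device.
PHYSICAL_UNPLUG = (ev("remove", "1-4/1-4:1.0/0003:1050:0407.000D/input/input22", "input", **HID)
                   + ev("remove", "1-4/1-4:1.0", "usb", **IFACE)
                   + ev("remove", "1-4/1-4:1.2", "usb", **IFACE)
                   + ev("remove", "1-4/1-4:1.1", "usb", **IFACE)
                   + ev("remove", "1-4", "usb", **DEV))

def parse_monitor(text):
    """Split monitor output into events: {action, devpath, subsystem, env}."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        m = HEADER.match(lines[0]) if lines else None
        if not m:  # skips the "monitor will print the received events" preamble
            continue
        env = dict(l.split("=", 1) for l in lines[1:] if "=" in l)
        events.append({"action": m[1], "devpath": m[2], "subsystem": m[3], "env": env})
    return events

# Each rule as the ENV{KEY}=="VALUE" pairs it requires.
DOCUMENTED_RULE = {"ACTION": "remove", "ID_BUS": "usb", "ID_MODEL_ID": "0407",
                   "ID_VENDOR_ID": "1050", "ID_VENDOR": "Yubico"}
USB_PRODUCT_RULE = {"ACTION": "remove", "SUBSYSTEM": "usb", "PRODUCT": "1050/407/XXX"}
# Assumed refinement: fire once per unplug, on the usb_device node only.
USB_DEVICE_RULE = {**USB_PRODUCT_RULE, "DEVTYPE": "usb_device"}

def count_matches(rule, text):
    """Number of events in the monitor output that would run the rule's action."""
    return sum(all(e["env"].get(k) == v for k, v in rule.items())
               for e in parse_monitor(text))
```

Feeding real `udevadm monitor --udev --environment` output to count_matches shows how many times a candidate rule would run its lock command in each scenario before it is installed under /etc/udev/rules.d.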
It works for me as well, @pipelight. Thanks for getting that daily annoyance figured out for us. :)
Awesome news!
Overview
I have set up a udev rule to lock my screen when removing the Yubikey. Certain KeepassXC actions (unlock/lock database, refresh keys) lock my screen now.
Steps to Reproduce
/etc/udev/rules.d/80-yubikey-action.rules with the following content:
Expected Behavior
Session lock does not get triggered.
Actual Behavior
Session lock gets triggered.
Context
Yubikey 5 NFC Firmware version: 5.2.4
KeePassXC - Version 2.7.6 Revision: dd21def
Qt 5.15.11
Debugging mode is disabled.
Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 6.6.3-arch1-1
Enabled extensions:
Cryptographic libraries:
Operating System: Linux
Desktop Env: Bspwm
Windowing System: X11