Closed originaltrini0 closed 1 month ago
Thanks for opening an issue about this @originaltrini0. I know we have a lot of users running their CAs in this configuration, with a Yubikey. So, I'm surprised that you're encountering an issue with it. I think you said you'd be getting a Nitrokey soon to test it with? Could you give that a try and update this when you do, to see if we can narrow things down a bit?
@tashian: I now have a test setup with a NitroKey HSM2. The process of configuring it with Step-CA is very different from what is documented in the "Tiny CA" blog post (as it should be). Since I've taken a different path, my original reason for opening this issue has been negated. Thanks
For those that find this with Google: I found the OP's solution to this in the Discord channel. He read this article: https://www.redhat.com/en/blog/controlling-access-smart-cards (it mentions how to get the correct name used in the rule and change it for, i.e., NitroHSM) and created his solution:
cat /etc/polkit-1/rules.d/step-ca.rules
// Let the "step" service user connect to the pcscd daemon at all.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "step") {
        return polkit.Result.YES;
    }
});
// Let the "step" user open one named reader only; the reader string must
// match exactly what pcscd reports for your device (see the article above).
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "step") {
        return polkit.Result.YES;
    }
});
This solved it for me after a reboot. Another path to put the rule file in is under /usr/share/polkit-1/rules.d/
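As an added illustration (not code from this thread or from Smallstep), here is a small Node script with a mock of polkit's rule API, so the two rules above can be exercised offline to see which user/reader combinations they actually grant. The mock engine, `makeAction`, `READER` and the two helper functions are my constructions; only the action ids and the reader string come from the comment above.

```javascript
// Added example (not from the thread): a minimal stand-in for polkit's
// JavaScript rules engine so the two rules above can be exercised in Node.
// Assumption: it mimics only addRule(), Result, subject.user and
// action.lookup(); polkitd's real engine carries more state than this.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // Rules run in order; the first to return a Result decides, otherwise the
  // request falls through to polkit's default policy (NOT_HANDLED here).
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return this.Result.NOT_HANDLED;
  },
};

// Constructed action object with the shape polkit hands to a rule.
function makeAction(id, details) {
  return { id: id, lookup: function (key) { return details[key]; } };
}

// Reader name as posted above; a NitroKey or other HSM must use the name
// pcscd reports for that device instead.
const READER = "Yubico YubiKey OTP+FIDO+CCID 00 00";

polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "step") {
    return polkit.Result.YES;
  }
});
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader") == READER &&
      subject.user == "step") {
    return polkit.Result.YES;
  }
});

// Helpers that ask the engine the same two questions pcscd asks polkit.
function canAccessPcsc(user) {
  return polkit.check(makeAction("org.debian.pcsc-lite.access_pcsc", {}), { user: user });
}
function canAccessCard(user, reader) {
  return polkit.check(makeAction("org.debian.pcsc-lite.access_card", { reader: reader }), { user: user });
}
```

A reader name that does not match the string exactly is not granted by the rule and falls through to polkit's default policy, which is why the rule has to be edited for a different token.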
Thanks @NocFlame. Note that this is only needed for Ubuntu 24.04 LTS. My blog post was written against Ubuntu 22.10. I intend to test and update the post again soon, and I will incorporate this Polkit rule.
Steps to Reproduce
While following directions to build a stand-alone CA at this link, I am encountering a blocker while starting the CA.
When starting a CA that was previously initialized, I am receiving the following output:
$ step-ca $(step path)/config/ca.json
...
connecting to pscs: access was denied because of a security violation
$ echo $?
2
Your Environment
OS - Operating System: Ubuntu 24.04 LTS
Kernel: Linux 6.8.0-1007-raspi
Architecture: arm64
step-ca
Version - Smallstep CA/0.27.1 (linux/arm64) Release Date: 2024-07-15 02:27 UTC
Smallstep CLI/0.27.1 (linux/arm) Release Date: 2024-07-12T06:53:27Z
pcsc-lite
$ pcscd --version
pcsc-lite version 2.0.3.
Copyright (C) 1999-2002 by David Corcoran corcoran@musclecard.com.
Copyright (C) 2001-2022 by Ludovic Rousseau ludovic.rousseau@free.fr.
Copyright (C) 2003-2004 by Damien Sauveron sauveron@labri.fr.
Report bugs to pcsclite-muscle@lists.infradead.org.
Enabled features: Linux aarch64-unknown-linux-gnu libsystemd serial usb libudev polkit usbdropdir=/usr/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16
Yubikey Manager
YubiKey Manager (ykman) version: 5.2.1
Yubikeys
Yubikey 5 Nano (firmware 5.7.1)
Yubikey 5 NFC (firmware 5.7.1)
Expected Behavior
I'm expecting output similar to what is documented at this link:
step-ca /etc/step-ca/config/ca.json
2020/12/08 14:17:06 Serving HTTPS on :443 ...
Actual Behavior
$ step-ca /etc/step-ca/config/ca.json
badger 2024/07/15 11:34:25 INFO: All 1 tables opened in 2ms
badger 2024/07/15 11:34:25 INFO: Replaying file id: 0 at offset: 2995
badger 2024/07/15 11:34:25 INFO: Replay took: 187.165µs
connecting to pscs: access was denied because of a security violation
$ echo $?
2
Additional Context
This is just a footnote to say that I've tried changing Yubikey's PIN, PUK, and management key and leaving them at default values after a reset. Either way, the results are the same.
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).