ykman requires sudo #630
Comments
Upgraded to ykman v5.5.1 with no change in behavior.
Can you try running something else that uses pcscd, such as for example
@dainnilsson Thanks for getting back to me. I figured the same thing, a permissions related issue, as it goes away when sudo is used. The problem is that I haven't been able to find where I need to adjust the permissions to make this work. I am trying to implement the Smallstep certificate authority solution using the YubiKey to store the keys. (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey) I have tried adding a rules file for udev and that did not resolve the issue. As you suggested I tried pcsc_scan and it did not work ("Access Denied" message) until I ran with sudo. There is nothing special about this Ubuntu installation and I have confirmed the results are the same regardless if I use the Raspberry Pi OS Installer on my RPi 5; as well as the Canonical installer on an Intel based PC. The default user permissions for access to PC/SC are different in 24.04 LTS than in 22.10 it appears as the original article was built on a RPi 4 using Ubuntu 22.10. Going back to the statement found on the Yubico documentation website "For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work." does not appear to be the case for Ubuntu 24.04.01 LTS as it seems an adjustment to user permissions is required. Unfortunately I am not sure where the adjustment needs to be made and have spent weeks trying to figure out where the problem lies.
I have the same problem; just today I upgraded to Ubuntu 24.04 and it has stopped working without root permissions.
See #624 for another issue that looks like it might be the same cause. There are some things in there you can check with your pcscd daemon.
After a couple more hours of banging my head against the wall, I think I have found a solution. First thing I have discovered is it would seem any rules added to /etc/udev/rules.d DO NOT seem to be considered with respect to polkit. By restarting the polkit service the only directories mentioned in journalctl are /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d. If I modify /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy so that the Instead, I created a group called yubico and added my user to it. This allows me to configure who I will grant access to pcscd in the future. I then created a new rule file in /etc/polkit-1/rules.d named 67-yubikey.rules with the following:
Once I rebooted, the user could now run ykman without any error. Note that both the group name and the rule file name were arbitrary for the purposes of finding a workable solution.
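An added example, not the rule file posted in the comment above (its contents are not preserved on this page) and not Yubico's code: a polkit rule that grants pcscd access to members of one group only, plus a dry run of its decision logic. The group and file names come from the comment; the action ids are the ones pcsc-lite's policy file declares, and `fakeSubject`, `dryRun` and the `pk` stand-in are hypothetical helpers for exercising the rule outside polkitd.

```javascript
// Candidate contents for /etc/polkit-1/rules.d/67-yubikey.rules (file name and
// group "yubico" are taken from the comment above and are arbitrary).
var PCSC_GROUP = "yubico";

// polkit action ids declared by pcsc-lite's org.debian.pcsc-lite.policy;
// confirm them on the target host with `pkaction | grep pcsc`.
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc",  // connect to the pcscd daemon
    "org.debian.pcsc-lite.access_card"   // talk to a card in a reader
];

// polkitd provides a global `polkit`. The stand-in below exists only so the
// decision logic can be dry-run elsewhere (e.g. under Node); it is not polkit.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: "not_handled" },
    addRule: function () {}
};

// Grant the two pcscd actions to members of PCSC_GROUP only. Everything else
// returns NOT_HANDLED so later rules and the .policy defaults still apply.
function pcscGroupRule(action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) === -1) {
        return pk.Result.NOT_HANDLED;
    }
    return subject.isInGroup(PCSC_GROUP) ? pk.Result.YES : pk.Result.NOT_HANDLED;
}
pk.addRule(pcscGroupRule);

// Constructed subject for dry runs: mimics only the isInGroup() method.
function fakeSubject(user, groups) {
    return {
        user: user,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

// Dry run over constructed requests; returns one decision per request.
function dryRun() {
    var member = fakeSubject("alice", ["alice", "yubico"]);
    var outsider = fakeSubject("bob", ["bob"]);
    return [
        pcscGroupRule({ id: "org.debian.pcsc-lite.access_pcsc" }, member),
        pcscGroupRule({ id: "org.debian.pcsc-lite.access_card" }, outsider),
        pcscGroupRule({ id: "org.freedesktop.udisks2.filesystem-mount" }, member)
    ];
}
```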
I can confirm that with the changes suggested by @KyleMercer the device is working again.
Even after the changes mentioned by @KyleMercer here I am getting the error from ssh-keygen but
when you do it with sudo it works, so we need to tweak a little more I guess
Ok, I did a bit of investigation and found out that these "udev" rules are removed from the libu2f-udev package because of the following reason:
I checked the udev version I have on my Raspberry Pi and it is v255 but it doesn't really autodetect so I just downloaded these u2f.rules and copied as below to the udev rules directory:
I didn't check why udev v255 is not really autodetecting but this is the solution I found.
When trying to use ykman info, ykman piv or other ykman functions the following error message appears:
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: No YubiKey detected!
pcscd service is installed and running on Ubuntu.
Error appears only when user executes ykman. When sudo ykman is used by the same user the application behaves normally with no error.
This issue only occurs with Ubuntu 24 and does not occur on Ubuntu 22. Unfortunately the hardware I am using only runs on 24.04 (Raspberry Pi 5). When the exact same configuration is used on older hardware (Raspberry Pi 3) running on Ubuntu 22, ykman will execute without sudo.
It should be noted that same behavior is seen with ykman and Ubuntu 24.04 on Intel based system as well.
When I consult https://developers.yubico.com/yubikey-manager/Device_Permissions.html or https://github.com/Yubico/yubikey-manager/blob/main/doc/Device_Permissions.adoc the following statement is made: