Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ykman requires sudo #630

Open
KyleMercer opened this issue Aug 16, 2024 · 9 comments
Open

ykman requires sudo #630

KyleMercer opened this issue Aug 16, 2024 · 9 comments

Comments

@KyleMercer
Copy link

KyleMercer commented Aug 16, 2024

  • YubiKey Manager (ykman) version: 5.2.1
  • How was it installed?: apt
  • Operating system and version: Ubuntu 24.04 LTS
  • YubiKey model and version: Multiple (5, 4 and NEO)
  • Bug description summary:

When trying to use ykman info, ykman piv or other ykman functions the following error message appears:

WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: No YubiKey detected!

pcscd service is installed and running on Ubuntu.

Error appears only when user executes ykman. When sudo ykman is used by the same user the application behaves normally with no error.

This issue only occurs with Ubuntu 24 and does not occur on Ubuntu 22. Unfortunately hardware I am using only runs on 24.04 (Raspberry Pi 5). When exact same configuration is used on older hardware (Raspbery Pi 3) running on Ubuntu 22, ykman will execute without sudo.

It should be noted that same behavior is seen with ykman and Ubuntu 24.04 on Intel based system as well.

When I consult https://developers.yubico.com/yubikey-manager/Device_Permissions.html or https://github.com/Yubico/yubikey-manager/blob/main/doc/Device_Permissions.adoc the following statement is made:

For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work.

Smart card access is required for the piv, oath, openpgp, and hsmauth commands, as well as for any command issued over NFC.

@KyleMercer
Copy link
Author

Upgraded to ykman v5.5.1 with no change in behavior.

@dainnilsson
Copy link
Member

Can you try running something else that uses pcscd, such as for example pcsc_scan (https://pcsc-tools.apdu.fr/)? It sounds like your user doesn't have permission to access smart cards.

@KyleMercer
Copy link
Author

@dainnilsson Thanks for getting back to me. I figured the same thing, a permissions related issue, as it goes away when sudo is used. The problem is that I haven't been able to find where I need to adjust the permissions to make this work. I am trying to implement the Smallstep certificate authority solution using the Yuibikey to store the keys. (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey)

I have tried adding a rules file for udev and that did not resolve the issue.

As you suggested I tried pcsc_scan and it did not work ("Access Denied" message) until I ran with sudo.

There is nothing special about this Ubuntu installation and I have confirmed the results are the same regardless if I use the Raspberry Pi OS Installer on my RPi 5; as well as the Canonical installer on an Intel based PC. The default user permissions for access to PC/SC are different in 24.04 LTS than in 22.10 it appears as the original article was built on a RPi 4 using Ubuntu 22.10.

Going back to the statement found on the Yubico documentation website "For smart card based applications, or when accessing a YubiKey over NFC, the access is done via pcscd, the PC/SC Smart Card Daemon. It’s usually enough to have pcscd installed and running for this to work." does not appear to be the case for Ubuntu 24.04.01 LTS as it seems an adjustment to user permissions is required. Unfortunately I am not sure where the adjustment needs to be made and have spent weeks trying to figure out where the problem lies.

@diegoara96
Copy link

I have the same problem, just today I upgraded to ubuntu 24.04 and it has stopped working without root permissions.

WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection

@dainnilsson
Copy link
Member

See #624 for another issue that looks like it might be the same cause. There are some things in there you can check with your pcscd daemon.

@KyleMercer
Copy link
Author

KyleMercer commented Aug 29, 2024

After a couple more hours of banging my head against the wall, I think I have found a solution.

First thing I have discovered is it would seem any rules added to /etc/udev/rules.d DO NOT seem to be considered with respect to polkit. By restarting the polkit service the only directories mentioned in journalctl are /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d

If I modify /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy so that the <allow_any>no</allow_any> statements are yes, then reboot the device, I am able to run ykman as my standard user. This is not an ideal situation as it defeats the purpose of securing pcscd.

Instead, I created a group called yubico and added my user to it. This allows me to configure who I will grant access to pcscd in the future. I then created a new rule file in /etc/polkit-1/rules.d named 67-yubikey.rules with the following:

polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
                subject.isInGroup("yubico")) {
                return polkit.Result.YES;
        }
});
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
                subject.isInGroup("yubico")) {
                return polkit.Result.YES;
        }
});

Once I rebooted the user could now run ykman without any error.

Note that both the group name and the rule file name were arbitrary for the purposes of finding a workable solution.

@diegoara96
Copy link

I can confirm that with the changes suggested by @KyleMercer the device is working again.

@talhaHavadar
Copy link

talhaHavadar commented Nov 14, 2024

Even after the changes in mentioned by @KyleMercer here I am getting the error from ssh-keygen but ykman is working.

❯ ssh-keygen -t ed25519-sk -C yubikey -v
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sk_probe: 0 device(s) detected
debug1: ssh_sk_enroll: failed to find sk
debug1: sshsk_enroll: provider "internal" failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: main: reply len 8
debug1: client_converse: helper returned error -60
Key enrollment failed: device not found

when you do it with sudo it works so we need to tweak a little more I guess

@talhaHavadar
Copy link

Ok, I did a bit of investigation and find out that these "udev" rules are removed from libu2f-udev package because of the following reason:

Package: libu2f-udev
Architecture: all
Multi-Arch: foreign
Section: oldlibs
Depends: ${misc:Depends}, udev (>= 244)
Description: Universal 2nd Factor (U2F) — transitional package
 Libu2f is a package for doing Universal 2nd Factor (U2F) host communication
 and has functionality for the Registration and Authentication operations.
 .
 This package is not necessary anymore, and can be safely removed: since udev
 v244, U2F devices are autodetected without needing 3rd party udev rules.

I checked udev version I have on my raspberry pi and it is v255 but it doesn't really autodetect so I just downloaded these u2f.rules and copied as below to udev rules directory:

wget https://raw.githubusercontent.com/Yubico/libfido2/refs/heads/main/udev/70-u2f.rules
sudo cp 70-u2f.rules /etc/udev/rules.d
sudo reboot

I didn't check why udev v255 is not really autodetecting but this is the solution I found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

4 participants