fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Wed Mar 09, 2016 5:26 pm Post subject: [SOLVED] Smartcard only works as root?
I've recently bought a YubiKey4, and while getting the FIDO U2F and OATH-SHA1 to work
wasn't trivial (some udev hacking needed), it now works well.
However, I'd also like to use the OpenPGP SmartCard feature. While running
'gpg --card-status' as root outputs info about the key, running it as my regular user just
gets me "gpg: OpenPGP card not available: Not supported".
/var/log/messages on card insertion:
Code: |
Mar 8 11:25:44 XMG kernel: usb 3-2: new full-speed USB device number 61 using xhci_hcd
Mar 8 11:25:44 XMG kernel: usb 3-2: New USB device found, idVendor=1050, idProduct=0407
Mar 8 11:25:44 XMG kernel: usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Mar 8 11:25:44 XMG kernel: usb 3-2: Product: Yubikey 4 OTP+U2F+CCID
Mar 8 11:25:44 XMG kernel: usb 3-2: Manufacturer: Yubico
Mar 8 11:25:44 XMG kernel: usb 3-2: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
Mar 8 11:25:44 XMG kernel: input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0/0003:1050:0407.04DF/input/input1249
Mar 8 11:25:44 XMG kernel: hid-generic 0003:1050:0407.04DF: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input0
Mar 8 11:25:44 XMG kernel: hid-generic 0003:1050:0407.04E0: hiddev0,hidraw5: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input1
|
/etc/udev/rules.d/70-u2f.rules content:
Code: |
ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", GROUP="plugdev", MODE="0660"
LABEL="u2f_end"
|
/etc/udev/rules.d/gnupg.rules content:
Code: |
ACTION!="add|change", GOTO="gpg_end"
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="1050" , GROUP="plugdev", MODE="0660"
LABEL="gpg_end"
|
My user is a member of the group plugdev.
Any help in getting this to work is appreciated.
Edit: Made an error with the paths, they are udev rules, nothing to do with pam.
Last edited by fklama on Thu Mar 10, 2016 8:33 pm; edited 2 times in total
Tatsh Apprentice
Joined: 22 Jul 2007 Posts: 187
Posted: Wed Mar 09, 2016 5:42 pm Post subject:
Have you tried newgrp or restarting your session?
fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Wed Mar 09, 2016 6:07 pm Post subject:
Yes, I did. In fact, just to make sure, I've even rebooted my machine.
fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Thu Mar 10, 2016 1:00 pm Post subject:
Is there some way that I can check which device gpg is trying to use?
To me this seems to be a problem with access rights, since I can easily access the card as root.
I assume that some more udev hacking is needed.
py-ro Veteran
Joined: 24 Sep 2002 Posts: 1734 Location: Velbert
Posted: Thu Mar 10, 2016 2:45 pm Post subject:
Normally you don't need to change udev rules for the YubiKeys.
Are you in the "pcscd" group?
fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Thu Mar 10, 2016 3:15 pm Post subject:
@py-ro: Thanks for the suggestion, I was not. I am now, unfortunately this didn't change anything.
Code: |
➜ ~ % su - fklama
Testing for gpg-agent
No Agent, starting...
GPG_AGENT_INFO=/tmp/gpg-KLchJU/S.gpg-agent:31531:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-D2CGeF/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31531; export SSH_AGENT_PID;
➜ ~ % groups
wheel audio video games bumblebee pcscd openct plugdev scanner vlock fklama
➜ ~ % gpg --card-status
gpg: OpenPGP card not available: Not supported
|
py-ro Veteran
Joined: 24 Sep 2002 Posts: 1734 Location: Velbert
Posted: Thu Mar 10, 2016 3:19 pm Post subject:
If you accessed the "card" as root, you need to replug it at least. Also make a new user session, su alone won't work well for "reasons".
fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Thu Mar 10, 2016 4:28 pm Post subject:
@py-ro: I always replug my key whenever I try this. I've just tried a fresh login and still no luck.
I've just tried it on a Debian machine as the user, and it works there without any problems.
This is really frustrating. I like Gentoo, and a recent problem I had with GFX drivers just ceasing
to work with Debian has just shown me why I use Gentoo. But I wish these things would just work.
fklama n00b
Joined: 13 Apr 2004 Posts: 32 Location: Germany
Posted: Thu Mar 10, 2016 8:33 pm Post subject:
Solved it, I ran gpg --card-edit as root and found the device it was using,
and found that I need to add my user to the usb group. Now it works.
It also seems I need to issue a:
Code: |
gpg-connect-agent RELOADAGENT /bye
|
after reconnecting my YubiKey, or gpg won't recognize it again.
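
Added example (not part of the thread or of any poster's configuration): a shell check that compares the ID filters of the two udev rules quoted in the first post against the vendor/product IDs in the kernel log quoted there. The function names are made up for this example, the log and rule strings are copied from the thread, and a rule lacking one of the two `ATTRS` keys is treated as not matching.

```sh
#!/bin/sh
# Added example: do the udev rules' ID filters match the device in the kernel log?
# Log line and rule lines are copied from the first post; function names are made up.
LOG_LINE='Mar 8 11:25:44 XMG kernel: usb 3-2: New USB device found, idVendor=1050, idProduct=0407'
U2F_RULE='KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", GROUP="plugdev", MODE="0660"'
GPG_RULE='SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="1050" , GROUP="plugdev", MODE="0660"'

# Print "vendor:product" from a kernel "New USB device found" line.
usb_ids_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*idVendor=\([0-9a-f]\{4\}\), idProduct=\([0-9a-f]\{4\}\).*/\1:\2/p'
}

# Print the match pattern of ATTRS{<name>}=="..." in a rule line ($1 rule, $2 name).
rule_pattern() {
    printf '%s\n' "$1" | sed -n "s/.*ATTRS{$2}==\"\([^\"]*\)\".*/\1/p"
}

# udev match patterns are '|'-separated globs; succeed if value $2 fits pattern $1.
udev_match() {
    old_ifs=$IFS; IFS='|'; set -f
    for alt in $1; do
        IFS=$old_ifs; set +f
        case $2 in $alt) return 0 ;; esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Succeed if both ID filters of rule $1 accept device $2 ("vendor:product").
# Assumption: a rule without one of the two ATTRS keys counts as "no match" here.
rule_matches_device() {
    udev_match "$(rule_pattern "$1" idVendor)" "${2%%:*}" &&
        udev_match "$(rule_pattern "$1" idProduct)" "${2##*:}"
}

report() {
    ids=$(usb_ids_from_log "$LOG_LINE")
    for name in U2F_RULE GPG_RULE; do
        eval "rule=\$$name"
        if rule_matches_device "$rule" "$ids"; then
            echo "$name: ID filter matches $ids"
        else
            echo "$name: ID filter does NOT match $ids"
        fi
    done
}
report
```

On a live system, `udevadm info --attribute-walk` on the device node shows the attribute values udev sees, which is what a rule's `ATTRS{...}` keys are compared against.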