Gentoo Forums
[SOLVED] Smartcard only works as root?
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Wed Mar 09, 2016 5:26 pm    Post subject: [SOLVED] Smartcard only works as root?

I've recently bought a YubiKey4, and while getting the FIDO U2F and OATH-SHA1 to work
wasn't trivial (some udev hacking needed), it now works well.

However, I'd also like to use the OpenPGP SmartCard feature. While running
'gpg --card-status' as root outputs info about the key, running it as my regular user just
gets me "gpg: OpenPGP card not available: Not supported".

/var/log/messages on card insertion:
Code:

Mar  8 11:25:44 XMG kernel: usb 3-2: new full-speed USB device number 61 using xhci_hcd
Mar  8 11:25:44 XMG kernel: usb 3-2: New USB device found, idVendor=1050, idProduct=0407
Mar  8 11:25:44 XMG kernel: usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Mar  8 11:25:44 XMG kernel: usb 3-2: Product: Yubikey 4 OTP+U2F+CCID
Mar  8 11:25:44 XMG kernel: usb 3-2: Manufacturer: Yubico
Mar  8 11:25:44 XMG kernel: usb 3-2: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
Mar  8 11:25:44 XMG kernel: input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0/0003:1050:0407.04DF/input/input1249
Mar  8 11:25:44 XMG kernel: hid-generic 0003:1050:0407.04DF: input,hidraw4: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input0
Mar  8 11:25:44 XMG kernel: hid-generic 0003:1050:0407.04E0: hiddev0,hidraw5: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input1


/etc/udev/rules.d/70-u2f.rules content:
Code:

ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", GROUP="plugdev", MODE="0660"
LABEL="u2f_end"


/etc/udev/rules.d/gnupg.rules content:
Code:

ACTION!="add|change", GOTO="gpg_end"
# Yubico YubiKey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="1050" , GROUP="plugdev", MODE="0660"
LABEL="gpg_end"


My user is a member of the group plugdev.
Any help in getting this to work is appreciated.

Edit: Made an error with the paths, they are udev rules, nothing to do with pam.


Last edited by fklama on Thu Mar 10, 2016 8:33 pm; edited 2 times in total
Tatsh
Apprentice

Joined: 22 Jul 2007
Posts: 179

Posted: Wed Mar 09, 2016 5:42 pm

Have you tried newgrp or restarting your session?
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Wed Mar 09, 2016 6:07 pm

Yes, I did. In fact, just to make sure, I've even rebooted my machine.
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Thu Mar 10, 2016 1:00 pm

Is there some way that I can check which device gpg is trying to use?
To me this seems to be a problem with access rights, since I can easily access the card as root.

I assume that some more udev hacking is needed.
py-ro
Veteran

Joined: 24 Sep 2002
Posts: 1733
Location: St. Wendel

Posted: Thu Mar 10, 2016 2:45 pm

Normally you don't need to change udev rules for the YubiKeys.

Are you in the "pcscd" group?
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Thu Mar 10, 2016 3:15 pm

@py-ro: Thanks for the suggestion, I was not. I am now; unfortunately, this didn't change anything.

Code:

➜ ~ % su - fklama     
Testing for gpg-agent
No Agent, starting...
GPG_AGENT_INFO=/tmp/gpg-KLchJU/S.gpg-agent:31531:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-D2CGeF/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31531; export SSH_AGENT_PID;
➜ ~ % groups           
wheel audio video games bumblebee pcscd openct plugdev scanner vlock fklama
➜ ~ % gpg --card-status
gpg: OpenPGP card not available: Not supported
py-ro
Veteran

Joined: 24 Sep 2002
Posts: 1733
Location: St. Wendel

Posted: Thu Mar 10, 2016 3:19 pm

If you accessed the "card" as root, you need to replug it at least. Also make a new user session; su alone won't work well for "reasons".
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Thu Mar 10, 2016 4:28 pm

@py-ro: I always replug my key whenever I try this. I've just tried a fresh login and still no luck.

I've just tried it on a Debian machine as the user; it works there without any problems.
This is really frustrating. I like Gentoo, and a recent problem I had with GFX drivers just ceasing
to work with Debian has just shown me why I use Gentoo. But I wish these things would just work.
fklama
n00b

Joined: 13 Apr 2004
Posts: 32
Location: Germany

Posted: Thu Mar 10, 2016 8:33 pm

Solved it, I ran gpg --card-edit as root and found the device it was using,
and found that I need to add my user to the usb group. Now it works.

It also seems I need to issue a:
Code:

gpg-connect-agent RELOADAGENT /bye

after reconnecting my YubiKey, or gpg won't recognize it again.
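The check asked about earlier in the thread (which device node is involved, and whether the user's groups cover it) can be scripted. This is an added example, not part of any post; the function names are hypothetical, and it assumes Linux sysfs, GNU stat, and the Yubico vendor ID 1050 from the kernel log above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Vendor ID 1050 is the Yubico idVendor shown in the kernel log above.

# usb_nodes VENDOR [SYSFS] [DEVROOT]: print "<device node> <idProduct>" for
# each USB device with that vendor ID. SYSFS/DEVROOT default to the real
# /sys and /dev; overriding them lets the lookup run on a constructed tree.
usb_nodes() {
    vendor=$1; sysfs=${2:-/sys}; devroot=${3:-/dev}
    for d in "$sysfs"/bus/usb/devices/*; do
        [ -r "$d/idVendor" ] || continue   # interface dirs (3-2:1.0) have none
        [ "$(cat "$d/idVendor")" = "$vendor" ] || continue
        printf '%s/bus/usb/%03d/%03d %s\n' "$devroot" \
            "$(cat "$d/busnum")" "$(cat "$d/devnum")" "$(cat "$d/idProduct")"
    done
}

# access_verdict MODE GROUP "GROUPS OF USER": can a non-owner open the node
# read/write? Prints ok, group-lacks-rw or not-in-group.
access_verdict() {
    mode=$1; group=$2; mine=$3
    case $mode in *[67]) echo ok; return ;; esac              # world rw
    case $mode in *[67]?) ;; *) echo group-lacks-rw; return ;; esac
    case " $mine " in
        *" $group "*) echo ok ;;
        *) echo not-in-group ;;
    esac
}

# report VENDOR: combine both checks for the user running the script.
report() {
    usb_nodes "$1" | while read -r node product; do
        [ -e "$node" ] || continue
        perm=$(stat -c %a "$node"); grp=$(stat -c %G "$node")   # GNU stat
        verdict=$(access_verdict "$perm" "$grp" "$(id -Gn)")
        echo "$node product=$product mode=$perm group=$grp -> $verdict"
    done
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it as the regular user with `1050` as the argument while the key is plugged in; a `not-in-group` verdict names the group that owns the node and that the user lacks.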
All times are GMT