Created attachment 582484
log of pcscd from syslog/ running as pcscd

As long as /etc/init.d/pcscd contains the line to switch user to pcscd:pcscd, none of the yubikey-tools can be used anymore: error connecting to the reader. Running pcscd in foreground and debugging as root makes device(s) available again. Also commenting out the line in the init.d script solves all problems. This affects all tools like yubikey-manager/ykman, also the GUI, as well as basic pcsc_scan.
Created attachment 582486
pcscd doing the same while running as root
A simple command like requesting the key's status:

yubico-piv-tool -v 1000 -a status

fails with error: SCardListReaders failed, rc=8010002e. I also tried to put pcscd into group plugdev, in use for the U2F feature with non-root access, to no avail.
As far as I can see this is a standard CCID reader; if pcscd has problems accessing it, it may be a dup of bug#618738.
It definitely works fine with gpg as standard CCID/SmartCard. But all the other Yubico-tools use pcsc for communication and hiccup. Reading works sometimes (1 out of 5) and writing always fails. (Whereas gpg's keytocard works fine, as well as using the keys afterwards.)

This is lsusb -v -d 1050:0407

Bus 005 Device 004: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0407 Yubikey 4 OTP+U2F+CCID
  bcdDevice            4.37
  iManufacturer           1 Yubico
  iProduct                2 Yubikey 4 OTP+U2F+CCID
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0096
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower               30mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.10
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      71
         Report Descriptors:
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              10
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.10
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      34
         Report Descriptors:
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               2
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               2
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.00
        nMaxSlotIndex           0
        bVoltageSupport         7  5.0V 3.0V 1.8V
        dwProtocols             2  T=1
        dwDefaultClock       4000
        dwMaxiumumClock      4000
        bNumClockSupported      0
        dwDataRate         307200 bps
        dwMaxDataRate      307200 bps
        bNumDataRatesSupp.      0
        dwMaxIFSD            2038
        dwSyncProtocols  00000000
        dwMechanical     00000000
        dwFeatures       000400FE
          Auto configuration based on ATR
          Auto activation on insert
          Auto voltage selection
          Auto clock change
          Auto baud rate change
          Auto parameter negotiation made by CCID
          Short and extended APDU level exchange
        dwMaxCCIDMsgLen      3072
        bClassGetResponse    echo
        bClassEnvelope       echo
        wlcdLayout           none
        bPINSupport             0
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              32
can't get device qualifier: Resource temporarily unavailable
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)

This is udevadm --info of the device's path:

P: /devices/pci0000:00/0000:00:12.0/usb5/5-1/5-1:1.0/0003:1050:0407.0005/input/input15
E: DEVPATH=/devices/pci0000:00/0000:00:12.0/usb5/5-1/5-1:1.0/0003:1050:0407.0005/input/input15
E: EV=120013
E: ID_BUS=usb
E: ID_FOR_SEAT=input-pci-0000_00_12_0-usb-0_1_1_0
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_KEYBOARD=1
E: ID_MODEL=Yubikey_4_OTP+U2F+CCID
E: ID_MODEL_ENC=Yubikey\x204\x20OTP+U2F+CCID
E: ID_MODEL_ID=0407
E: ID_PATH=pci-0000:00:12.0-usb-0:1:1.0
E: ID_PATH_TAG=pci-0000_00_12_0-usb-0_1_1_0
E: ID_REVISION=0437
E: ID_SECURITY_TOKEN=1
E: ID_SERIAL=Yubico_Yubikey_4_OTP+U2F+CCID
E: ID_TYPE=hid
E: ID_USB_DRIVER=usbhid
E: ID_USB_INTERFACES=:030101:030000:0b0000:
E: ID_USB_INTERFACE_NUM=00
E: ID_VENDOR=Yubico
E: ID_VENDOR_ENC=Yubico
E: ID_VENDOR_ID=1050
E: KEY=e080ffdf01cfffff fffffffffffffffe
E: LED=1f
E: MODALIAS=input:b0003v1050p0407e0110-e0,1,4,11,14,k77,7D,7E,7F,ram4,l0,1,2,3,4,sfw
E: MSC=10
E: NAME="Yubico Yubikey 4 OTP+U2F+CCID"
E: PHYS="usb-0000:00:12.0-1/input0"
E: PRODUCT=3/1050/407/110
E: PROP=0
E: SUBSYSTEM=input
E: TAGS=:seat:
E: UNIQ=""
E: USEC_INITIALIZED=9723253230

I also added an attachment of udevadm monitor -p while plugging in the Yubikey. There's a lot of rules being triggered and I'm not an expert but it looks as if some of them are duplicates.
Created attachment 582676
output of udevadm monitor -p
For:

UDEV [10593.605386] add /devices/pci0000:00/0000:00:12.0/usb5/5-1 (usb)

I do see:

PCSCD=1

This should be the interface that is being used by pcscd as far as I understand. In bug#618738 this setting is overridden by udev itself causing actual permissions not set by the pcsc udev rule, you can see the result by ls -l the usb device. I do not see input15, I do see input17 but am not sure that is related to pcscd, and if it does, the udev rule should set PCSCD=1 so that it will get the correct permissions.
I think I had the same problem, and fixed it by making the user "pcscd" part of the "usb" group. Without the group, the daemon does not have permission to access the reader (or the Yubikey stick). Running 'usermod -a -G usb pcscd' fixed this problem for me.
(In reply to Jan Seeger from comment #8)
> I think I had the same problem, and fixed it by making the user "pcscd" part
> of the "usb" group. Without the group, the daemon does not have permission
> to access the reader (or the Yubikey stick).
>
> Running 'usermod -a -G usb pcscd' fixed this problem for me.

that is.
(In reply to Mikle Kolyada from comment #9)
> (In reply to Jan Seeger from comment #8)
> > I think I had the same problem, and fixed it by making the user "pcscd" part
> > of the "usb" group. Without the group, the daemon does not have permission
> > to access the reader (or the Yubikey stick).
> >
> > Running 'usermod -a -G usb pcscd' fixed this problem for me.
>
> that is.

or also add regular user to the usb group.
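
Added example, not part of the original thread or of any project mentioned in it: a shell check of whether a service account such as pcscd has read/write access to the token's USB device node, which is the permission question the comments above settle with the usb group. The function names node_rw and check_usb, the script name in the usage comment, and the reliance on GNU stat are assumptions; ACLs on the node are not evaluated.

```shell
#!/bin/sh
# Added example: can a service account open a USB device node read/write?
# Classic Unix permissions use exactly one class: owner, else group, else other.
# POSIX ACLs (e.g. set through udev) are NOT evaluated here.

# node_rw USER "GROUP LIST" OWNER GROUP OCTAL_MODE -> prints "rw" or "denied"
node_rw() {
    o=$(( 0$5 ))                       # leading 0 makes the shell read octal
    if [ "$1" = "$3" ]; then
        bits=$(( (o >> 6) & 7 ))       # owner class
    else
        case " $2 " in
            *" $4 "*) bits=$(( (o >> 3) & 7 )) ;;   # group class
            *)        bits=$(( o & 7 )) ;;          # other class
        esac
    fi
    if [ $(( bits & 6 )) -eq 6 ]; then echo rw; else echo denied; fi
}

# check_usb VID PID USER: find matching devices in sysfs, report node access.
check_usb() {
    for d in /sys/bus/usb/devices/*; do
        [ -r "$d/idVendor" ] || continue
        [ "$(cat "$d/idVendor")" = "$1" ] || continue
        [ "$(cat "$d/idProduct")" = "$2" ] || continue
        node=$(printf '/dev/bus/usb/%03d/%03d' "$(cat "$d/busnum")" "$(cat "$d/devnum")")
        own=$(stat -c %U "$node"); grp=$(stat -c %G "$node"); mod=$(stat -c %a "$node")
        echo "$node $own:$grp $mod -> $3: $(node_rw "$3" "$(id -Gn "$3")" "$own" "$grp" "$mod")"
    done
}

# Usage: sh usbnode.sh 1050 0407 pcscd   (vendor:product as in the lsusb output)
if [ $# -eq 3 ]; then check_usb "$@"; fi
```

Run it once before and once after changing the daemon's group membership, and restart pcscd in between, since a running process keeps the group list it started with.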