You are not logged in.

Pages: 1

#1 2019-03-08 22:29:01

jamincollins
Member
Registered: 2019-03-08
Posts: 4

yubikey not fully accessible unless hotplugged

I'm trying to track down why my YubiKey isn't accessible if I have it plugged in when I start my system.  If I hotplug it any time after boot up everything seems to work fine.

After boot, with Yubikey plugged in during boot:

$ lsusb | grep -i yubi
Bus 001 Device 002: ID 1050:0405 Yubico.com Yubikey 4 OTP+CCID
$ ykman info
Device type: YubiKey 4
Serial number: xxxxxxx
Firmware version: 4.3.3
Enabled USB interfaces: OTP+CCID

Applications
OTP     	Enabled      	
FIDO U2F	Disabled     	
OpenPGP 	Enabled      	
PIV     	Enabled      	
OATH    	Enabled      	
FIDO2   	Not available	
$ gpg --card-status 
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
   Active: active (running) since Fri 2019-03-08 15:10:55 MST; 8min ago
     Docs: man:pcscd(8)
 Main PID: 3986 (pcscd)
    Tasks: 6 (limit: 4915)
   Memory: 4.2M
   CGroup: /system.slice/pcscd.service
           └─3986 /usr/bin/pcscd --foreground --auto-exit

Mar 08 15:10:55 odin systemd[1]: Started PC/SC Smart Card Daemon.
Mar 08 15:10:55 odin pcscd[3986]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
Mar 08 15:10:55 odin pcscd[3986]: 00000444 readerfactory.c:1106:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0405:libudev:0>
Mar 08 15:10:55 odin pcscd[3986]: 00000067 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+CCID init failed.

Hotplug the Yubikey.

$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
   Active: active (running) since Fri 2019-03-08 15:10:55 MST; 10min ago
     Docs: man:pcscd(8)
 Main PID: 3986 (pcscd)
    Tasks: 4 (limit: 4915)
   Memory: 4.1M
   CGroup: /system.slice/pcscd.service
           └─3986 /usr/bin/pcscd --foreground --auto-exit

Mar 08 15:10:55 odin systemd[1]: Started PC/SC Smart Card Daemon.
Mar 08 15:10:55 odin pcscd[3986]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
Mar 08 15:10:55 odin pcscd[3986]: 00000444 readerfactory.c:1106:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0405:libudev:0>
Mar 08 15:10:55 odin pcscd[3986]: 00000067 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+CCID init failed.
Mar 08 15:21:27 odin pcscd[3986]: 99999999 ccid_usb.c:859:WriteUSB() write failed (1/2): -4 LIBUSB_ERROR_NO_DEVICE
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP CCID 00 00
Application ID ...: D2760001240102010006054786970000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: Jamin Collins
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: xxxxxxxxxxxxx
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 2
Signature counter : 0
Signature key ....: 790F 93AF 9EA2 094C F6C6  639A B34D D2DB 3C6D 23DD
      created ....: 2019-02-27 16:14:08
Encryption key....: 79E4 5861 023A 856A D307  CE30 B026 F8C8 AE5E B440
      created ....: 2019-02-27 16:15:11
Authentication key: 3391 EA2F DE57 62B9 23C5  2E40 1FD0 9EC3 44DC 158A
      created ....: 2019-02-27 16:15:54
General key info..: sub  rsa4096/0xB34DD2DB3C6D23DD 2019-02-27 Jamin Collins <xxxxxxxxx>
sec#  rsa4096/0xF8E527C6A59B0834  created: 2019-02-27  expires: never     
ssb>  rsa4096/0xB34DD2DB3C6D23DD  created: 2019-02-27  expires: 2020-02-27
                                  card-no: 0006 05478697
ssb>  rsa4096/0xB026F8C8AE5EB440  created: 2019-02-27  expires: 2020-02-27
                                  card-no: 0006 05478697
ssb>  rsa4096/0x1FD09EC344DC158A  created: 2019-02-27  expires: 2020-02-27
                                  card-no: 0006 05478697

I've tested booting to a Ubuntu 18.10 Live CD and installing just the scdaemon and yubikey-manager packages and the card is fully seen even when connected on boot.

Any pointers on what I might have misconfigured would be most appreciated.

Offline

#2 2019-04-18 11:10:36

FrederickZh
Member
Registered: 2016-12-27
Posts: 14

Re: yubikey not fully accessible unless hotplugged

Do you happen to use KeePassXC as well? I have KeePassXC in my DE auto-start and I noticed this issue recently as well. Then I found this: https://github.com/keepassxreboot/keepassxc/issues/1215

If so and you don't use YubiKey challenge-response in KeePassXC, just rebuild the package with YubiKey disabled and it'd be fine.

I thought it was something wrong about gnupg/pcscd/ccid, but bugs in these projects which might cause this problem all seemed to have been fixed already. After playing around with their configurations and debug outputs for hours I found out that it didn't happen if I logged into TTY, so I realised it must have been some auto-start programs in DE. The only 2 that uses YubiKey I had in mind were Thunderbird and KeePassXC and it didn't take me long to pinpoint the cause this time. Sneaky...

Last edited by FrederickZh (2019-04-18 11:16:37)

Offline

#3 2019-12-20 13:54:41

xand
Member
Registered: 2015-01-11
Posts: 16

Re: yubikey not fully accessible unless hotplugged

Hello,
are there any updates on this?
I also have OP's issue, but don't use Keepass.

Offline

#4 2020-02-09 18:43:15

jgeer
Member
Registered: 2020-02-09
Posts: 1

Re: yubikey not fully accessible unless hotplugged

I have exactly the same problem. No KeepassXC installed.

Offline

#5 2021-02-13 14:34:14

TafkaMax
Member
Registered: 2020-09-07
Posts: 2

Re: yubikey not fully accessible unless hotplugged

Same problem here.

Offline

#6 2021-02-13 15:11:26

arti
Member
From: Tallinn, Estonia
Registered: 2016-03-24
Posts: 1
Website

Re: yubikey not fully accessible unless hotplugged

I think the problem here is that GnuPG by default tries to grab raw usb access to the yubkey and that will break anything that uses pcscd. I would recommend to follow GnuPG with pcscd and disable gnupg internal ccid driver and only use pcscd to access yubikey. If you still have problems with different programs trying to access the yubikey then you could try to follow the shared access part of the gnupg wiki.

NB: Remember to kill scdaemon after configuration changes.

Offline

#7 2021-02-15 17:40:02

Gar3r_2
Member
Registered: 2021-02-15
Posts: 1

Re: yubikey not fully accessible unless hotplugged

Maybe this can help
https://github.com/LudovicRousseau/PCSC/issues/65

Personally I am using acsccid because my yubikey was never accessible

yay -S acsccid
sudo systemctl enable pcscd.service
sudo systemctl start pcscd.service 
sudo systemctl status pcscd.service

https://github.com/Yubico/yubioath-desk … -238564528

Last edited by Gar3r_2 (2021-02-15 17:42:44)

Offline

Pages: 1

Board footer

Powered by FluxBB