You are not logged in.

#1 2023-01-24 17:17:15

bachtiar
Member
Registered: 2005-02-08
Posts: 60

[SOLVED] Attach USB device to systemd session without a seat

I'm running a headless QEMU/KVM guest with only VNC and SSH started at boot. Inside this box I have a USB device (specifically Yubikey) plugged into virtual USB bus.

The problem is that I cannot use this device unless my user is also logged in to the console (in systemd parlance, "seat0"). I see the device ln "lsusb" output, but when I try to use it I get "permission denied". In other words, if I see this:

# loginctl
SESSION  UID USER  SEAT  TTY 
      2 1000 myuser       
      4 1000 myuser seat0 tty1

then the USB devce works, whereas this

# loginctl
SESSION  UID USER  SEAT TTY
      2 1000 myuser      

doesn't.

I read that assignment of hardware devices to seats is managed inside the udev database, via settings on the devices. However, I cannot find any in-depth explanation how the systemd/udev magic works.

I want my device to be available to myuser inside VNC/SSH session without having myuser logged in to seat0. How can I do this?

Last edited by bachtiar (2023-01-25 08:19:46)

Offline

#2 2023-01-24 17:27:06

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,802
Website

Re: [SOLVED] Attach USB device to systemd session without a seat

bachtiar wrote:

but when I try to use it I get "permission denied"

How exactly do you "try to use it"?  How are you (attempting) to mount it?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2023-01-24 19:12:05

bachtiar
Member
Registered: 2005-02-08
Posts: 60

Re: [SOLVED] Attach USB device to systemd session without a seat

Trilby wrote:

How exactly do you "try to use it"?  How are you (attempting) to mount it?

I use it through Yubikey tools (yubikey-manager, yubikey-personalization-gui etc.). In those tools I see either "access denied" or "YubiKey is not present". It's a smattcard-type device, so it's not supposed to be mounted.

Similarly, if I try to use WebAuthn in browser (Firefox running in VNC session) it works only if myuser is also logged in on a tty console. If not, Firefox acts as if there is no smartcard attached.

However, pcsc_scan shows the card regardless of myuser having an active console session:

# pcsc_scan
 Reader 0: Yubico YubiKey
  Event number: 0
  Card state: Card inserted, 

Last edited by bachtiar (2023-01-24 20:13:24)

Offline

#4 2023-01-25 08:17:00

bachtiar
Member
Registered: 2005-02-08
Posts: 60

Re: [SOLVED] Attach USB device to systemd session without a seat

Problem was solved by adding file /etc/udev/rules.d/70-yubikey.rules:

TAG=="security-device",GROUP="users"

And adding myuser to "users" group.

The hint was to look at

getfacl /dev/bus/usb/xxx/yyy

and

udevadm info --export-db

and

systemd-analyze cat-config udev/rules.d

Offline

Board footer

Powered by FluxBB