Because I needed to store GPG keys for work and did not want to keep them in a cloud service or a Git hosting service, I purchased a YubiKey 5 Nano in February last year.
Overall I’m very satisfied with it. Although I did encounter some issues during use, I basically solved them with Google.
At the time I also planned to write a related troubleshooting tutorial, but unfortunately I kept putting it off. This article basically covers most issues you’ll encounter: https://mechanus.io/ke-neng-shi-zui-hao-de-yubikey-gpg-ssh-zhi-neng-qia-jiao-cheng/
This article mainly discusses the pitfalls of getting Yubikey and polkit tools to work together:
Reproduction
Environment: fedora 30 / 31 (encountered on two virtual machines)
After inserting the Yubikey, running gpg2 --card-status as a non-root user shows no device found, with the prompt:
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
Running journalctl -xe shows logs similar to the following:
pcscd[13141]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
pcscd[13141]: 00000071 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/006)
pcscd[13141]: 00000004 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
pcscd[13141]: 00004720 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
pcscd[13141]: 00000023 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/006)
pcscd[13141]: 00000004 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
pcscd[13141]: 00143849 auth.c:135:IsClientAuthorized() Process 13120 (user: 1000) is NOT authorized for action: access_pcsc
pcscd[13141]: 00000140 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Analysis
Reading this log carefully, it is a chain of errors, and the crux of the matter is that the process of user 1000 is not authorized for the access_pcsc action.
From the polkit documentation we know that polkit is a permission management toolset designed to control communication between low-privilege processes (pcscd) and high-privilege processes (drivers).
Solution
To grant the permission, add a configuration file named 051-org.debian.pcsc-lite.rules (the name can be customized, it just needs to end with .rules) to the /etc/polkit-1/rules.d/ directory.
050 is the default rule file; files numbered after 050 hold custom rules, and files numbered before 050 supplement the default rules.
Configuration file as follows:
polkit.addRule(function(action, subject) {
    // Here I granted access_pcsc permission to all users in the wheel group
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    // Same as above, for the access_card action
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
Debugging Tips
The polkit rules file syntax is very similar to JavaScript. You can use polkit.log for debug output. Other methods and their explanations are clearly described in the polkit documentation.
During debugging, pay close attention to logs. If you see keywords like Error compiling script, it means there’s a compilation error and this change won’t take effect.
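As an added example (not code from the original post), here are the two pcsc-lite rules tightened so that only a local, active session of a wheel member is granted access, with polkit.log calls for the debugging described above. The small polkit stand-in object and the evaluate/makeSubject helpers are assumptions for exercising the rule logic offline with Node; in a real rules file polkitd supplies the polkit object, and only the addRule call would be kept.

```javascript
// Minimal stand-in for the polkit object (assumption, for offline testing only).
// It mirrors the real API surface used by rules: addRule, Result, log.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  _log: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { this._log.push(String(msg)); },
};

const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card",
];

// The rule as it would appear in /etc/polkit-1/rules.d/051-org.debian.pcsc-lite.rules
polkit.addRule(function (action, subject) {
  if (PCSC_ACTIONS.indexOf(action.id) === -1) {
    return; // undefined: not our action, let later rules and the default decide
  }
  // Only a local, active session of a wheel member reaches the card; a remote
  // or background session of the same user falls through to the default.
  if (subject.isInGroup("wheel") && subject.local && subject.active) {
    polkit.log("pcsc: allowing " + action.id + " for user " + subject.user);
    return polkit.Result.YES;
  }
  polkit.log("pcsc: not handling " + action.id + " for user " + subject.user);
});

// Walk the registered rules in order, as polkitd does: the first rule that
// returns a value settles the request. Returns "not_handled" when none does
// (polkitd would then apply the implicit default from the action's .policy file).
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subject for the offline check (real subjects come from polkitd).
function makeSubject(user, groups, local, active) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}
```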