Ubuntu: Can not read OpenPGP card as non-root?



Question:

Same OpenPGP card and reader setup were working fine on Ubuntu 11.04 Natty. After upgrading to Ocelet with a clean install I ran into the basically the same issue this guy posted about here.

To summarize card read operations such as

gpg --card-status  

Now only work with the sudo command.


Solution:1

Got some more juicy troubleshooting info on this problem. I installed Ubuntu 10.04.3 LTS on another system and configured the OpenPGP smartcard settings. It is working properly for my non-root user account. Naturally I wanted to check out the permissions on the usb device.

Under my normal account I first ran a gpg --card-edit to tie up the usb card reader device, then I ran sudo lsof -c gpg | grep usb to find the device file. This yielded noting so I ran sudo gpg --card-edit and got an error message!

seth@swk:~$ sudo gpg --card-edit  [sudo] password for seth:   gpg: WARNING: unsafe ownership on configuration file `/home/seth/.gnupg/gpg.conf'    gpg: detected reader `SCM SCR 3310 00 00'  gpg: pcsc_connect failed: sharing violation (0x8010000b)  gpg: apdu_send_simple(0) failed: locking failed  Please insert the card and hit return or enter 'c' to cancel: c  gpg: selecting openpgp failed: general error  gpg: OpenPGP card not available: general error  

Something else was tying up the usb card reader. Let's find out what:

sudo lsof | grep usb  

This yielded the nugget I was looking for.

pcscd     2362       root    5u      CHR              189,4      0t0       2194 /dev/bus/usb/001/005  

So apparently the pcscd service grabs the card reader device on behalf of the non-root user and relays gpg read/write requests to the card on a properly configured OpenPGP setup.

Let's take a look at the permissions of the device file.

seth@swk:~$ ls -l /dev/bus/usb/001/005  crw-rw-r-- 1 root root 189, 4 2011-10-18 11:49 /dev/bus/usb/001/005  

OK, now I think I'm getting closer. On the 11.10 system I remember the group was set to pcscd and not root. It looks like the problem might be with the pcscd package. I'll try configuring an 11.10 system with the same permissions and report back.

UPDATE: So I set the user and group permissions on the usb device of a fresh 11.10 Ocelot install to root and root. The command gpg --card-status still fails as non-root user. I'm guessing that this is a bug in the pcscd package for now.


Solution:2

I had a similar issue with a Yubikey Neo on Ubuntu 16.04. After restarting, I was able to run the following command to fix it.

ykpersonalize -m 82  

Yubikey has lots of docs on what this does. I don't know why I had to put the card back into this mode or what might change modes. I can't even tell you why it worked. If anyone knows why this might have worked then I'd be glad to update the answer with more details.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »