Access denied error with pcscd and yubico-authenticator #1537

Open
rubyFeedback opened this issue Apr 27, 2024 · 4 comments

@rubyFeedback

Sorry if I file this on the wrong repository; I just googled for yubico-authenticator and this project
turned up first.

This page shows us how to start pcscd via systemd:

https://support.yubico.com/hc/en-us/articles/360016649039-Installing-Yubico-Software-on-Linux

That kind of works:

ps ax | grep pcscd
1368470 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit

So pcscd is running, kind of, I think, as ps ax shows it.

yubico says access denied though and I have no idea what to do next.

Output on the commandline is:

ValueError: Unsupported Connection type
11:11:32.252 [desktop.devices] INFO: USB state updated, unaccounted for: {}
11:11:32.262 [helper.helper.device] WARNING: Error opening connection
Traceback (most recent call last):
  File "helper/device.py", line 289, in ccid
  File "helper/device.py", line 273, in _create_connection
  File "ykman/device.py", line 257, in open_connection
ValueError: Unsupported Connection type
11:11:34.474 [helper.helper.device] WARNING: Unable to list readers
Traceback (most recent call last):
  File "helper/device.py", line 137, in list_children
  File "ykman/pcsc/__init__.py", line 169, in list_devices
  File "ykman/pcsc/__init__.py", line 157, in list_readers
  File "smartcard/System.py", line 41, in readers
  File "smartcard/reader/ReaderFactory.py", line 58, in readers
  File "smartcard/pcsc/PCSCReader.py", line 111, in readers
  File "smartcard/pcsc/PCSCContext.py", line 56, in __init__
  File "smartcard/pcsc/PCSCContext.py", line 70, in renewContext
  File "smartcard/pcsc/PCSCContext.py", line 40, in __init__
smartcard.pcsc.PCSCExceptions.EstablishContextException: Failed to establish context: Access denied. (0x8010006A)
11:11:37.044 [helper.helper.device] WARNING: Unable to list readers
Traceback (most recent call last):
  File "helper/device.py", line 137, in list_children
  File "ykman/pcsc/__init__.py", line 169, in list_devices
  File "ykman/pcsc/__init__.py", line 157, in list_readers
  File "smartcard/System.py", line 41, in readers
  File "smartcard/reader/ReaderFactory.py", line 58, in readers
  File "smartcard/pcsc/PCSCReader.py", line 111, in readers
  File "smartcard/pcsc/PCSCContext.py", line 56, in __init__
  File "smartcard/pcsc/PCSCContext.py", line 70, in renewContext
  File "smartcard/pcsc/PCSCContext.py", line 40, in __init__
smartcard.pcsc.PCSCExceptions.EstablishContextException: Failed to establish context: Access denied. (0x8010006A)
11:11:39.614 [helper.helper.device] WARNING: Unable to list readers
Traceback (most recent call last):
  File "helper/device.py", line 137, in list_children
  File "ykman/pcsc/__init__.py", line 169, in list_devices
  File "ykman/pcsc/__init__.py", line 157, in list_readers
  File "smartcard/System.py", line 41, in readers
  File "smartcard/reader/ReaderFactory.py", line 58, in readers
  File "smartcard/pcsc/PCSCReader.py", line 111, in readers
  File "smartcard/pcsc/PCSCContext.py", line 56, in __init__
  File "smartcard/pcsc/PCSCContext.py", line 70, in renewContext
  File "smartcard/pcsc/PCSCContext.py", line 40, in __init__
smartcard.pcsc.PCSCExceptions.EstablishContextException: Failed to establish context: Access denied. (0x8010006A)
11:11:42.301 [helper.helper.device] WARNING: Unable to list readers
Traceback (most recent call last):
  File "helper/device.py", line 137, in list_children
  File "ykman/pcsc/__init__.py", line 169, in list_devices
  File "ykman/pcsc/__init__.py", line 157, in list_readers
  File "smartcard/System.py", line 41, in readers
  File "smartcard/reader/ReaderFactory.py", line 58, in readers
  File "smartcard/pcsc/PCSCReader.py", line 111, in readers
  File "smartcard/pcsc/PCSCContext.py", line 56, in __init__
  File "smartcard/pcsc/PCSCContext.py", line 70, in renewContext
  File "smartcard/pcsc/PCSCContext.py", line 40, in __init__
smartcard.pcsc.PCSCExceptions.EstablishContextException: Failed to establish context: Access denied. (0x8010006A)
11:11:42.494 [helper.helper.device] WARNING: Unable to list readers
Traceback (most recent call last):
  File "helper/device.py", line 137, in list_children
  File "ykman/pcsc/__init__.py", line 169, in list_devices
  File "ykman/pcsc/__init__.py", line 157, in list_readers
  File "smartcard/System.py", line 41, in readers
  File "smartcard/reader/ReaderFactory.py", line 58, in readers
  File "smartcard/pcsc/PCSCReader.py", line 111, in readers
  File "smartcard/pcsc/PCSCContext.py", line 56, in __init__
  File "smartcard/pcsc/PCSCContext.py", line 70, in renewContext
  File "smartcard/pcsc/PCSCContext.py", line 40, in __init__
smartcard.pcsc.PCSCExceptions.EstablishContextException: Failed to establish context: Access denied. (0x8010006A)

I have two requests:

  1. could the above webpage (or an alternative one, that also gets linked into the above), explain what to do in such a case? It is ok to re-redirect towards a FAQ or another page, but just so that it is mentioned and people can find it. I am horrible at finding things these days, so websites containing useful information are VERY much appreciated.

  2. but, even more importantly, could it be made more clear what we can do now? I have no idea how to work with pcscd, never used it before, but I kind of need it to get yubico-authenticator to work. The GUI it presents starts up fine, so that part works, but it then says "failed to open smartcard connection" or so, and now I am stuck. Perhaps the GUI itself could even offer help how to resolve this; or it could auto-solve it (no idea how the smartcard daemon works).

Of course if this could be auto-solved this would be even better, perhaps the GUI could have an option for that (e. g. to re-start the daemon from within yubico, that would be great). I am fine solving this without the GUI too, but right now I lack the information how to do so. Obviously both pcscd and yubico-authenticator work in principle, so I need to find out where the "access denied" situation is the issue (I am the superuser right now, so I am very much confused how there can be any access denied error. How can that happen? I mean, I am in full control of this desktop machine at home so no idea about that error.)

Anyway, thanks for reading this.

@nick2432

Can I work on this?

@dainnilsson
Member

@nick2432 what would you have in mind here? This issue can potentially have many different root causes.

@trinitronx

trinitronx commented Aug 4, 2024

> yubico says access denied though and I have no idea what to do next.

@rubyFeedback: Maybe try looking into what udev rules are applied to the yubikey? You want to search for vendor ID 1050, usually in the default system location. For example:

$ grep -rin 1050  /usr/lib/udev/rules.d/*.rules
/usr/lib/udev/rules.d/69-yubikey.rules:7:ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \

So, an ArchLinux-based distro has this system file:

/usr/lib/udev/rules.d/69-yubikey.rules:

ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"

This file was placed by the yubikey-personalization package, from the extra repository:

$ pacman -Fx /usr/lib/udev/rules.d/69-yubikey.rules
usr/lib/udev/rules.d/69-yubikey.rules is owned by extra/yubikey-personalization 1.20.0-4

Depending on your system, there may or may not be a proper udev rule for the Yubikey device. Basically, what you want is to have one installed so your user is allowed to use the USB device. On modern systems, this is usually accomplished by either:

  1. The udev rule includes either ENV{ID_SECURITY_TOKEN}="1" (which another rule uses to set TAG+="uaccess"), or itself sets TAG+="uaccess".
  2. Being a part of a certain group (e.g. plugdev, input, etc...)

So, for next steps it's likely that you'll want to check those things.
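The udev check described in the comment above can be scripted. This is an added example, not part of the comment or of the project's code; the function name `check_yubikey_rules` is hypothetical, and the demo input is constructed from the rule file quoted above.

```shell
# check_yubikey_rules DIR...
# For every *.rules file that matches Yubico's vendor ID 1050, print
#   <file>: uaccess | id_security_token | no-access-grant
# (function name is hypothetical; it only reads files, it changes nothing)
check_yubikey_rules() {
    local dir file
    for dir in "$@"; do
        for file in "$dir"/*.rules; do
            [ -f "$file" ] || continue
            awk -v f="$file" '
                { sub(/\r$/, "") }
                # Join backslash-continued lines so a rule split over
                # several physical lines is examined as one logical rule.
                /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
                { line = buf $0; buf = "" }
                line ~ /^[ \t]*#/ { next }
                line ~ /ATTRS?[{]idVendor[}]=="1050"/ {
                    seen = 1
                    if (line ~ /TAG[+]="uaccess"/) uaccess = 1
                    if (line ~ /ENV[{]ID_SECURITY_TOKEN[}]="1"/) token = 1
                }
                END {
                    if (!seen) exit
                    if (uaccess) r = "uaccess"
                    else if (token) r = "id_security_token"
                    else r = "no-access-grant"
                    print f ": " r
                }' "$file"
        done
    done
}

# Constructed demo input: the 69-yubikey.rules content quoted above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/69-yubikey.rules" <<'EOF'
ACTION!="add|change", GOTO="yubico_end"
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
EOF
check_yubikey_rules "$demo_dir"
rm -rf "$demo_dir"
# On a real system (assumed standard locations):
#   check_yubikey_rules /usr/lib/udev/rules.d /etc/udev/rules.d
```

A result of `no-access-grant`, or no output at all, means no rule gives the logged-in user access through udev, which leaves the group-membership route from item 2 to check.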

@MrRinkana

@rubyFeedback just to double-check, you're not running the yubikey authenticator flatpak? If you are, you have hit this: flathub/com.yubico.yubioath#90
