For those who have problems with integration of gpg and yubikey 4, this post is for you. Most problems come from idea, that gpg agent runs scdaemon, which prevents other processes to read yubikey usb device. Solution is to run pcscd and let only that handle all communication to yubikey. Now gpg commands like "gpg2 --card-status" can be run right after yubioath tool exited and there is no need to manually cleaning of scdaemon processes.
Here are configs, which are needed to run:
Modify file /etc/X11/xinit/xinitrc-common to contain last 2 lines:
$ tail /etc/X11/xinit/xinitrc-common
if [ "x$TMPDIR" != "x" ]; then
SSH_AGENT="/usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR"
else
SSH_AGENT="/usr/bin/ssh-agent"
fi
fi
SSH_AGENT="/usr/bin/gpg-agent --daemon --enable-ssh-support --homedir $HOME/.gnupg"; export SSH_AGENT;
SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
Make sure file $HOME/.gnupg/gpg.conf contains line use-agent:
$ tail -5 $HOME/.gnupg/gpg.conf
with-fingerprint
keyid-format 0xlong
use-agent
Create file .gnupg/scdaemon.conf (I have 2 readers in notebook):
$ cat $HOME/.gnupg/scdaemon.conf
reader-port "Yubico Yubikey 4 OTP+U2F+CCID 00 00"
reader-port "Yubico Yubikey 4 OTP+U2F+CCID 01 00"
pcsc-driver /usr/lib64/libpcsclite.so.1
card-timeout 5
disable-ccid
Create file .gnupg/scd-event and make it
executable. This will trigger when yubikey is removed from computer.
$ cat $HOME/.gnupg/scd-event
#!/bin/sh
state=$8
if [ "$state" = "NOCARD" ]; then
pkill -9 scdaemon
fi
Modify .gnupg/gpg-agent.conf to include ssh-support:
$ cat .gnupg/gpg-agent.conf
###+++--- GPGConf ---+++###
###+++--- GPGConf ---+++### Thu Mar 12 10:53:37 2015 CET
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
default-cache-ttl-ssh 1209600
default-cache-ttl 1209600
max-cache-ttl 1209600
enable-ssh-support
pinentry-program /usr/bin/pinentry-qt
Now udev rules for local users access are defined in 2 files:
$ cat /etc/udev/rules.d/69-yubikey.rules
ACTION!="add|change", GOTO="yubico_end"
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
$ cat /etc/udev/rules.d/70-u2f.rules
ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
# Alcor Micro Corp. AU9540 Smartcard Reader
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="058f", ATTRS{idProduct}=="9540", TAG+="uaccess"
# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
# Neowave Keydo and Keydo AES
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess"
# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"
LABEL="u2f_end"
Create file /etc/polkit-1/rules.d/99-smartcard.rules and
substitute username with loginname of desired user:
# cat /etc/polkit-1/rules.d/99-smartcard.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "username") {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico Yubikey 4 OTP+U2F+CCID 00 00' &&
subject.user == "username") {
return polkit.Result.YES; }
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico Yubikey 4 OTP+U2F+CCID 01 00' &&
subject.user == "username") {
return polkit.Result.YES; }
});
Make sure environment variables are set correctly for local user (in .bashrc)
export GPG_SOCKET_FILE=$HOME/.gnupg/S.gpg-agent
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
Enable pcscd:
systemctl enable pcscd.socket
systemctl enable pcscd.service
And reboot. Now you should have in KDE everything ready to run oathtool and gpg agent with yubikey 4 smartcard support. If there is error that yubikey is already in use, just reinsert it.