Here are configs, which are needed to run:
Modify file /etc/X11/xinit/xinitrc-common to contain last 2 lines:
$ tail /etc/X11/xinit/xinitrc-common
if [ "x$TMPDIR" != "x" ]; then
SSH_AGENT="/usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR"
else
SSH_AGENT="/usr/bin/ssh-agent"
fi
fi
SSH_AGENT="/usr/bin/gpg-agent --daemon --enable-ssh-support --homedir $HOME/.gnupg"; export SSH_AGENT;
SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
Make sure file $HOME/.gnupg/gpg.conf contains line use-agent:
$ tail -5 $HOME/.gnupg/gpg.conf with-fingerprint keyid-format 0xlong use-agent
Create file .gnupg/scdaemon.conf (I have 2 readers in notebook):
$ cat $HOME/.gnupg/scdaemon.conf reader-port "Yubico Yubikey 4 OTP+U2F+CCID 00 00" reader-port "Yubico Yubikey 4 OTP+U2F+CCID 01 00" pcsc-driver /usr/lib64/libpcsclite.so.1 card-timeout 5 disable-ccid
Create file .gnupg/scd-event and make it executable. This will trigger when yubikey is removed from computer.
$ cat $HOME/.gnupg/scd-event #!/bin/sh state=$8 if [ "$state" = "NOCARD" ]; then pkill -9 scdaemon fi
Modify .gnupg/gpg-agent.conf to include ssh-support:
$ cat .gnupg/gpg-agent.conf ###+++--- GPGConf ---+++### ###+++--- GPGConf ---+++### Thu Mar 12 10:53:37 2015 CET # GPGConf edited this configuration file. # It will disable options before this marked block, but it will # never change anything below these lines. default-cache-ttl-ssh 1209600 default-cache-ttl 1209600 max-cache-ttl 1209600 enable-ssh-support pinentry-program /usr/bin/pinentry-qt
Now udev rules for local users access are defined in 2 files:
$ cat /etc/udev/rules.d/69-yubikey.rules
ACTION!="add|change", GOTO="yubico_end"
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
$ cat /etc/udev/rules.d/70-u2f.rules
ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
# Alcor Micro Corp. AU9540 Smartcard Reader
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="058f", ATTRS{idProduct}=="9540", TAG+="uaccess"
# Happlink (formerly Plug-Up) Security KEY
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
# Neowave Keydo and Keydo AES
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess"
# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"
LABEL="u2f_end"
Create file /etc/polkit-1/rules.d/99-smartcard.rules and substitute username with loginname of desired user:
# cat /etc/polkit-1/rules.d/99-smartcard.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "username") {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico Yubikey 4 OTP+U2F+CCID 00 00' &&
subject.user == "username") {
return polkit.Result.YES; }
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico Yubikey 4 OTP+U2F+CCID 01 00' &&
subject.user == "username") {
return polkit.Result.YES; }
});
Make sure environment variables are set correctly for local user (in .bashrc)
export GPG_SOCKET_FILE=$HOME/.gnupg/S.gpg-agent export GPG_TTY=$(tty) export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
Enable pcscd:
systemctl enable pcscd.socket systemctl enable pcscd.service
And reboot. Now you should have in KDE everything ready to run oathtool and gpg agent with yubikey 4 smartcard support. If there is error that yubikey is already in use, just reinsert it.
No comments:
Post a Comment