Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pcscd service must be started/restarted for ykman to access the yubikey #548

Open
nwayve opened this issue Mar 20, 2023 · 3 comments
Open

Comments

@nwayve
Copy link

nwayve commented Mar 20, 2023

- YubiKey Manager (ykman) version: 5.0.1
- How was it installed?: https://github.com/Yubico/yubikey-manager#linux
- Operating system and version: Windows 11 & Ubuntu 20.04.1 LTS
- YubiKey model and version: Yubikey 5 NFC
- Bug description summary: After attaching the yubikey to WSL, the pcscd service must be started or restarted in order for ykman to access it.

Steps to reproduce

  1. Ensure Windows 11 WSL2 installed and open a bash command prompt under WSL2.
  2. Since WSL doesn't natively support USB devices, ensure the open-source usbipd-win project is installed.
  3. Ensure WSL has the yubikey manager installed.
  4. In Powershell run usbipd wsl list to see a list of USB devices.
  5. Connect the Yubikey to a USB port and run usbipd wsl list to see the key is connected.
  6. In WSL bash run lsbusb and ykman list to verify the device is not listed
  7. In Powershell run usbipd wsl attach --busid {BUSID} where BUSID is the ID of the connected Yubikey.
  8. In WSL bash run lsbusb to verify it is connected
  9. Run ykman list to see if the device is present
    • On first setup, it may or may not show up in the device list.
    • If it is there, it may show up as YubiKey [OTP+FIDO+CCID] <access denied> and ykman will fail to access it.
      • e.g. running ykman oath accounts code will result in the error: "Failed to connect to YubiKey"
  10. Run service pcscd status
    • If it's not running, run sudo service pcscd start
    • If it is running, run sudo service pcscd restart
  11. Run ykman list and the Yubikey should be listed as YubiKey 5C NFC (5.2.7) [OTP+FIDO+CCID] Serial: 12345678

Expected result

I would expect ykman to ensure the pcscd service is started, restarted, or otherwise managed as needed when the Yubikey is attached to WSL via the usbipd wsl attach command.

Actual results and logs

I'm forced to manage the pcscd service manually after attaching the Yubikey to WSL.

Other info

I don't know if this is a ykman issue or a usbipd-win project issue. Opening here to get feedback from Yubico team and community. There should be a more elegant way of dealing with this.
Links to other issues surrounding this problem:

@dainnilsson
Copy link
Member

I don't really have a good answer here as I'm not very familiar with usbip-win. I would suggest trying some other tool than ykman to see if the YubiKey is accessible by that or not. For example, you could try pcsc_scan from the pcsc-tools package. You could also try stopping the pcscd service and instead running it in the foreground with logging enabled to see if anything shows up there when you connect the YubiKey: https://ludovicrousseau.blogspot.com/2011/07/pcscd-debug-output.html

@christoph-zero
Copy link

Same issue here.
Is there any planned support for ykman running on WSL in the future?

@1two3code
Copy link

Same issue here. Is there any planned support for ykman running on WSL in the future?

Just came back after almost 2 years to see if I can use my YubiKey 5C with WSL2 yet, and nope.
Although I suspect that the culprit is mainly the lack of native support for USB devices in WSL2, and that Yubico can't do much about this issue.

There are a lot of WSL2 users out there nowadays and I bet quite a few would love to have native, non-hacky usbip, support for their YubiKeys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

4 participants