
Setting up Yubikeys on Gentoo

2019/10/29

Putting this here because... although there are nice articles on how to do this, I only found them once I went through the entire process, figuring out where each error message was coming from. So... here is a google-able (although extremely sloppy) writeup; maybe it'll help someone?

Our objective is to get a YubiKey (in our case a YubiKey 5 NFC, connected via USB) working on Gentoo. It looks like it approximately works out of the box on Debian... not so much here.

First, let's install yubikey-manager; although we'll be using gpg on top of it, being able to list the available smart cards is fairly useful. Sadly, we might end up with something like...

          File "/usr/lib64/python3.6/site-packages/smartcard/pcsc/PCSCReader.py", line 108, in readers
            hcontext = PCSCContext().getContext()
          File "/usr/lib64/python3.6/site-packages/smartcard/pcsc/PCSCContext.py", line 53, in __init__
            PCSCContext.instance = PCSCContext.__PCSCContextSingleton()
          File "/usr/lib64/python3.6/site-packages/smartcard/pcsc/PCSCContext.py", line 40, in __init__
            raise EstablishContextException(hresult)
        smartcard.pcsc.PCSCExceptions.EstablishContextException: 'Failure to establish context: Service not available.'

(Yes, the formatting is ugly; I might fix it eventually.) The reason is that the process actually communicating with the YubiKey is pcscd, the PC/SC (smart card) daemon. It isn't running, so there is nothing to connect to.

Running emerge -at pcsc-lite solves that. What it (possibly) doesn't solve is that nothing USB-related shows up at all, even when we start the daemon in the foreground with

        sudo /usr/sbin/pcscd -f --info

        00000000 [140351343704960] /var/tmp/portage/sys-apps/pcsc-lite-1.8.24/work/pcsc-lite-1.8.24/src/pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
        00000059 [140351343704960] /var/tmp/portage/sys-apps/pcsc-lite-1.8.24/work/pcsc-lite-1.8.24/src/pcscdaemon.c:662:main() pcsc-lite 1.8.24 daemon ready.
        00000069 [140351343704960] /var/tmp/portage/sys-apps/pcsc-lite-1.8.24/work/pcsc-lite-1.8.24/src/hotplug_libudev.c:729:HPRegisterForHotplugEvents() No bundle files in pcsc drivers directory: /usr/lib64/readers/usb
        00000006 [140351343704960] /var/tmp/portage/sys-apps/pcsc-lite-1.8.24/work/pcsc-lite-1.8.24/src/hotplug_libudev.c:730:HPRegisterForHotplugEvents() Disabling USB support for pcscd

For this one we also need to install app-crypt/ccid, the standard driver for USB CCID smart card readers, which is what pcscd uses to talk to a YubiKey. Without a driver bundle in /usr/lib64/readers/usb, pcscd silently disables USB support (the last two log lines above) and will never see the key.

Meanwhile... our client might end up complaining about RPC failures. This is because the daemon uses polkit to check whether the connecting user is authorized, and that in turn needs dbus running. For simplicity, you can just compile pcscd with USE=-policykit; this might or might not be terribly insecure (one would hope that the "pcscd" group and its membership actually mean something, but, based on some experiments, it doesn't really seem to result in any restrictions).

Oh, and also, don't forget that pcscd runs as the similarly named user (unlike Debian, where it is simply run as root), so it needs access to USB devices. Simplest method: add the user pcscd to the usb group; it might be somewhat overkill, but it is still better than running the daemon as root.
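The steps above are three separate things that can go wrong (no daemon, no USB driver bundle, no device access for the pcscd user), and each one surfaces as a different, unhelpful error. The script below is an added example written for this write-up; it is not part of the original post, nor of pcsc-lite or yubikey-manager. It turns the diagnosis into repeatable checks: one function recognises the "Disabling USB support" signature in `pcscd -f --info` output, one checks the readers directory that the log names, and one parses an /etc/group-style file to confirm the pcscd user really is a member of usb. The sample log text is constructed to mirror the lines quoted above; the readers path /usr/lib64/readers/usb and the group names come from the write-up, while `pgrep` and `gpasswd` are assumed to be available on the host.

```shell
#!/bin/sh
# Added example: sanity checks for the pcscd/YubiKey setup described above.
# Not part of the original post or of pcsc-lite. Helpers take their inputs as
# arguments/stdin so they can run against constructed sample data as well as
# the live system.

# Constructed sample of `pcscd -f --info` output, modelled on the lines quoted
# in the write-up (thread id and portage paths shortened).
SAMPLE_PCSCD_LOG='00000000 [1] pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000059 [1] pcscdaemon.c:662:main() pcsc-lite 1.8.24 daemon ready.
00000069 [1] hotplug_libudev.c:729:HPRegisterForHotplugEvents() No bundle files in pcsc drivers directory: /usr/lib64/readers/usb
00000006 [1] hotplug_libudev.c:730:HPRegisterForHotplugEvents() Disabling USB support for pcscd'

# Exit 0 when the pcscd log on stdin shows that USB hotplug support was
# switched off, i.e. no driver bundle (app-crypt/ccid) was found.
pcscd_usb_disabled() {
    grep -q 'Disabling USB support for pcscd'
}

# Exit 0 when the given drivers directory exists and has at least one entry;
# on Gentoo app-crypt/ccid installs its bundle under /usr/lib64/readers/usb.
ccid_bundle_present() {
    dir=$1
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Exit 0 when user $1 is a supplementary member of group $2 in the group file
# $3 (defaults to /etc/group). Only the member list (4th field) is consulted,
# which is exactly what "gpasswd -a user group" appends to.
user_in_group() {
    user=$1
    group=$2
    file=${3:-/etc/group}
    awk -F: -v u="$user" -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Runs the three checks against the live system and says which fix applies.
# Returns non-zero if anything is missing. Assumes pgrep (procps) is installed.
check_live_system() {
    status=0
    if pgrep -x pcscd >/dev/null 2>&1; then
        echo "ok:   pcscd is running"
    else
        echo "FAIL: pcscd is not running (emerge -at pcsc-lite, then start it)"
        status=1
    fi
    if ccid_bundle_present /usr/lib64/readers/usb; then
        echo "ok:   driver bundle found under /usr/lib64/readers/usb"
    else
        echo "FAIL: no driver bundle under /usr/lib64/readers/usb (emerge -at app-crypt/ccid)"
        status=1
    fi
    if user_in_group pcscd usb; then
        echo "ok:   pcscd user is in the usb group"
    else
        echo "FAIL: pcscd user is not in the usb group (gpasswd -a pcscd usb)"
        status=1
    fi
    return $status
}

# Demonstration on the constructed sample log. The live checks only run when
# the script is invoked with "live", so sourcing it stays side-effect free.
if printf '%s\n' "$SAMPLE_PCSCD_LOG" | pcscd_usb_disabled; then
    echo "sample log: pcscd disabled USB support -> app-crypt/ccid is missing"
fi
if [ "${1:-}" = live ]; then
    check_live_system
fi
```

Run it as `sh check-pcscd.sh live` on the Gentoo box after each emerge; a non-zero exit means at least one of the three preconditions is still unmet. The group check deliberately ignores primary-group membership, because adding pcscd to usb is done as a supplementary group and that is what the daemon's device access depends on.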