Can use Nitrokey 3A/3C only as root

I read some information about using the Nitrokeys and similar u2f devices on FreeBSD posted here. It is crucial to have the Nitrokey rules somewhere in /usr/local/etc/devd/ which I have:

My /usr/local/etc/devd/u2f.conf contains:
Code:
# Nitrokey 3
notify 100 {
	match "system"		"USB";
	match "subsystem"	"DEVICE";
	match "type"		"ATTACH";
	match "vendor"		"0x20a0";
	match "product"		"0x42b2";
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};

attach 100 {
	match "vendor"		"0x20a0";
	match "product"		"0x42b2";
	action "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
};
# Nitrokey 3 Bootloader mode
notify 100 {
	match "system"		"USB";
	match "subsystem"	"DEVICE";
	match "type"		"ATTACH";
	match "vendor"		"0x20a0";
	match "product"		"0x42dd";
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};

attach 100 {
	match "vendor"		"0x20a0";
	match "product"		"0x42dd";
	action "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
};
and my user is in the group u2f, and I restarted my devd service.

Still, when running nitropy (pynitrokey v0.10.0) I am getting this warning:
Code:
Critical error:
An unhandled exception occurred
	Exception encountered: PermissionError(13, 'Permission denied')
When I run it as root, it runs (but warns about being run as root and tells me to add the devd rules). Any ideas what is going on here?
 
Not too sure about the question with permissions, but I was able to run this in a quick Terminal to plug in a Solo U2F key within 3 seconds to get it on the older uhid (iirc then it just-worked in Firefox):
Code:
su - root -c "sysctl 'hw.usb.usbhid.enable=0' && sleep '3' && sysctl 'hw.usb.usbhid.enable=1' && chmod '060' '/dev/uhid0'"

Worked with a joystick for FlightGear too :p
 
Can you give the full command with its output?
Also, what does fido2-token -L give as a regular user?
And finally, the product ID and vendor from usbconfig -v (as root).
 
Espionage724: ah, this is the thing with disabling uhid that I read about here. I will try this some time later; now I must be off to work.

monwarez:
1. full command with its output:

⚡➜ ~ nitropy nk3 list
Command line tool to interact with Nitrokey devices 0.10.0
:: 'NK3' keys
Critical error:
An unhandled exception occurred
Exception encountered: PermissionError(13, 'Permission denied')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy-20250827T050203-jgz4mu7z.log' with any support/help request!
--------------------------------------------------------------------------------

(log file attached as .txt)

and nitropy list does not list anything:

⚡➜ ~ nitropy list
Command line tool to interact with Nitrokey devices 0.10.0
Critical error:
An unhandled exception occurred
Exception encountered: PermissionError(13, 'Permission denied')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy-20250827T051644-dp6u2f8w.log' with any support/help request!
--------------------------------------------------------------------------------

(log file attached as .txt)

2. fido2-token is not installed. Should I install libfido2 or py311-fido2 or both?

3. product ID and vendor from usbconfig -v (as root):

ugen1.8: <Nitrokey 3A Mini/3A NFC/3C NFC Clay Logic> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA)
ugen1.8.1: uhid1: <Nitrokey Nitrokey 3, class 239/2, rev 2.10/1.08, addr 27>

bLength = 0x0012
bDescriptorType = 0x0001
bcdUSB = 0x0210
bDeviceClass = 0x00ef <Miscellaneous device>
bDeviceSubClass = 0x0002
bDeviceProtocol = 0x0001
bMaxPacketSize0 = 0x0040
idVendor = 0x20a0
idProduct = 0x42b2
bcdDevice = 0x0108
iManufacturer = 0x0001 <Nitrokey>
iProduct = 0x0002 <Nitrokey 3>
iSerialNumber = 0x0000 <no string>
bNumConfigurations = 0x0001


Configuration index 0

bLength = 0x0009
bDescriptorType = 0x0002
wTotalLength = 0x0076
bNumInterfaces = 0x0002
bConfigurationValue = 0x0001
iConfiguration = 0x0000 <no string>
bmAttributes = 0x0080
bMaxPower = 0x0032

Interface 0
bLength = 0x0009
bDescriptorType = 0x0004
bInterfaceNumber = 0x0000
bAlternateSetting = 0x0000
bNumEndpoints = 0x0002
bInterfaceClass = 0x000b <Smart card>
bInterfaceSubClass = 0x0000
bInterfaceProtocol = 0x0000
iInterface = 0x0004 <CCID/ICCD Interface>

Additional Descriptor

bLength = 0x36
bDescriptorType = 0x21
bDescriptorSubType = 0x10
RAW dump:
0x00 | 0x36, 0x21, 0x10, 0x01, 0x00, 0x01, 0x02, 0x00,
0x08 | 0x00, 0x00, 0xfc, 0x0d, 0x00, 0x00, 0xfc, 0x0d,
0x10 | 0x00, 0x00, 0x00, 0x80, 0x25, 0x00, 0x00, 0x80,
0x18 | 0x25, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x00, 0x00,
0x20 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x28 | 0x40, 0x08, 0x04, 0x00, 0x00, 0x0c, 0x00, 0x00,
0x30 | 0xff, 0xff, 0x00, 0x00, 0x00, 0x01


Endpoint 0
bLength = 0x0007
bDescriptorType = 0x0005
bEndpointAddress = 0x0081 <IN>
bmAttributes = 0x0002 <BULK>
wMaxPacketSize = 0x0040
bInterval = 0x0000
bRefresh = 0x0000
bSynchAddress = 0x0000

Endpoint 1
bLength = 0x0007
bDescriptorType = 0x0005
bEndpointAddress = 0x0001 <OUT>
bmAttributes = 0x0002 <BULK>
wMaxPacketSize = 0x0040
bInterval = 0x0000
bRefresh = 0x0000
bSynchAddress = 0x0000


Interface 1
bLength = 0x0009
bDescriptorType = 0x0004
bInterfaceNumber = 0x0001
bAlternateSetting = 0x0000
bNumEndpoints = 0x0002
bInterfaceClass = 0x0003 <HID device>
bInterfaceSubClass = 0x0000
bInterfaceProtocol = 0x0000
iInterface = 0x0000 <no string>

Additional Descriptor

bLength = 0x09
bDescriptorType = 0x21
bDescriptorSubType = 0x11
RAW dump:
0x00 | 0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x22,
0x08 | 0x00

Endpoint 0
bLength = 0x0007
bDescriptorType = 0x0005
bEndpointAddress = 0x0002 <OUT>
bmAttributes = 0x0003 <INTERRUPT>
wMaxPacketSize = 0x0040
bInterval = 0x0005
bRefresh = 0x0000
bSynchAddress = 0x0000

Endpoint 1
bLength = 0x0007
bDescriptorType = 0x0005
bEndpointAddress = 0x0082 <IN>
bmAttributes = 0x0003 <INTERRUPT>
wMaxPacketSize = 0x0040
bInterval = 0x0005
bRefresh = 0x0000
bSynchAddress = 0x0000
 
Did you log off and back on again after adding the group? Group membership is determined at login; it is not dynamic, although commands like id(1) might give that impression.
I did not! I had exactly the impression that my becoming a member of the u2f group had become effective immediately. 🤯 After logout and login, the two commands I mentioned above work as expected in my user account. No PermissionError anymore. Many thanks for your support.

(Sorry for my delayed reply, I had urgent work and literally zero free time in the past days.)
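Added diagnostic script (not from this thread or from any of its posters): it checks, in order, the three things the thread turns on: that the user is listed in the device group, that the running login session actually carries that group (what id -Gn reports, fixed at login time), and that the device node is readable and writable from this session. It assumes POSIX sh; the group name u2f and the /dev/uhidN path are only defaults, and every input is a parameter so the checks can also be run against a constructed group file.

```shell
#!/bin/sh
# Diagnose why a U2F/FIDO2 device node gives "Permission denied" to a normal
# user even though a devd rule chgrp/chmods it.  Three things must all hold:
#   1. the user is listed as a member of the device group in /etc/group,
#   2. the *running login session* carries that group (id -Gn); supplementary
#      groups are fixed at login, so a fresh /etc/group entry needs a re-login,
#   3. the node itself is readable and writable from this session.
# Added example: group "u2f" and node "/dev/uhidN" are only defaults.

# 0 if FILE (default /etc/group) lists USER in the member field of GROUP.
# Only supplementary membership is checked; a login group set in passwd is not.
group_file_has_user() {
    awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-/etc/group}"
}

# 0 if GROUP appears in LIST, a space-separated group list (default: live id -Gn).
session_has_group() {
    for g in ${2:-$(id -Gn)}; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# diagnose USER GROUP NODE [GROUPFILE] [SESSIONGROUPS]
# Prints one verdict: not-member | relogin | no-access | ok
diagnose() {
    if ! group_file_has_user "$1" "$2" "${4:-/etc/group}"; then
        echo not-member      # add the user to the group first
    elif ! session_has_group "$2" "${5:-$(id -Gn)}"; then
        echo relogin         # membership exists but this session predates it
    elif ! { [ -r "$3" ] && [ -w "$3" ]; }; then
        echo no-access       # node missing, or the devd rule did not chgrp/chmod it
    else
        echo ok
    fi
}

# Usage: sh u2f-check.sh "$(id -un)" u2f /dev/uhid0
if [ $# -ge 3 ]; then
    diagnose "$@"
fi
```

A verdict of relogin is exactly the situation in this thread: /etc/group is right, the devd rule did its job, and only the session's group list is stale.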
 