YubiKey Neo GPG SmartCard support

Dear all,

I know there are already some posts and threads in the forum about YubiKey support for SSH and other services. I also got the YubiKey working as a normal HID device, but what is missing at the moment is the GPG SmartCard interface.

Device: Yubikey 4 OTP+U2F+CCID

Maybe someone already has that working or has some idea how I could look into it. At the moment the SmartCard is not detected via the GPG command.

$ gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error


The YubiKey Neo is detected as USB device, and I've already modified the devfs.rules(5) to have the correct permission to the USB device.

Bus /dev/usb Device /dev/ugen1.4: ID 1050:0407 Yubico.com

What I've noticed in the lsusb output is that the iInterface is somehow unrecognised for the SmartCard class:

$ lsusb -v -d 1050:0407

...
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 11 Chip/SmartCard
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
** UNRECOGNIZED: 36 21 00 01 00 07 02 00 00 00 a0 0f 00 00 a0 0f
00 00 00 00 b0 04 00 00 b0 04 00 00 f6 07 00 00 00 00 00 00 00 00 00 00
fe 00 04 00 00 0c 00 00 ff ff 00 00 00 01
...


Thank you very much!
 
Does the command work as root? I had this problem, so added the following to allow me to run gpg --card-status as normal user.

In /etc/rc.conf:
Code:
devfs_system_ruleset="localrules"
In /etc/devfs.rules:
Code:
[localrules=10]
add path 'usb/*' mode 0660 group usb
I added the usb group and put my user in it:
Code:
pw groupadd usb
pw group mod usb -m joe
And after logging out, and restarting devfs service, things worked. Without the /etc/rc.conf setting the devfs permissions didn't work.
 
Thanks for your reply, I already added these configuration options to have the device present as regular user. But it doesn't change the output of gpg --card-status. I assume that it's another issue because the iInterface isn't recognized.
 
Quote:
Thanks for your reply, I already added these configuration options to have the device present as regular user. But it doesn't change the output of gpg --card-status. I assume that it's another issue because the iInterface isn't recognized.

My lsusb output also has **UNRECOGNIZED, but my Yubikey Neo (NFC version) is recognised with gpg --card-status. I can't remember for sure now, but I think Yubikey doesn't ship with the smart card interface (CCID) enabled by default. The python tool they provide can set the right modes with the command ykpersonalize -m 86 (which enables CCID, OTP, and U2F). I found a custom version of sysresccd that has all the tools you need for activating the Yubikey correctly. The changes are listed on this blog and here is a direct link to the ISO.

Also, did you try the ports version of gnupg security/gnupg (with SCDAEMON user option selected)? That is the version I am running.
 
Thanks again for your answer.

I've already set the correct mode on the YubiKey with the command ykpersonalize -m 86, and I can also read the YubiKey information with ykinfo, but somehow the smartcard is not recognized by GPG or by pcsc_scan. I already use the YubiKey on other devices, so it's working correctly.

I tried to start the pcscd and run the pcsc_scan -n but it doesn't detect the Yubikey / SmartCard. Also GPG is compiled with the option SCDAEMON.

Maybe it's because it's the "newest" YubiKey 4 NEO, which also required building the newer ykpers version. But I also found my old YubiKey NEO OTP+CCID (with NFC) and it's also not detected as a SmartCard.
 
Did you try running any of the commands as root? A permissions problem could still remain somewhere.

If pcscd is launched as non-root pcsc_scan -n produces:

Code:
SCardEstablishContext: Service not available.

But when launching pcscd as root pcsc_scan -n produces:

Code:
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.15
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Thu Jun 23 15:59:58 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted,
  ATR: ...

What is your output when either of the yubikeys are inserted?
 
I already tried to run all commands as root user, so a permission problem should not exist. I assume that maybe some device is not created when inserting the YubiKey into the USB port.

Below is the output of pcscd and pcsc_scan -n. I'm not 100% sure if the bundle files are required and if I need additional packages for that. I started pcscd with debugging enabled.

Code:
[root@cayococo]:~ # pcscd -f -T -d
00000000 debuglog.c:289:DebugLogSetLevel() debug level=debug
00001230 configfile.l:358:DBGetReaderList() Parsing conf file: /usr/local/etc/reader.conf.d
00000076 pcscdaemon.c:672:main() pcsc-lite 1.8.17 daemon ready.
00001668 hotplug_libusb.c:268:HPReadBundleValues() No bundle files in pcsc drivers directory: /usr/local/lib/pcsc/drivers/
00000022 hotplug_libusb.c:269:HPReadBundleValues() Disabling USB support for pcscd
14977362 winscard_msg_srv.c:251:ProcessEventsServer() Common channel packet arrival
00000076 winscard_msg_srv.c:263:ProcessEventsServer() ProcessCommonChannelRequest detects: 6
00000023 pcscdaemon.c:132:SVCServiceRunLoop() A new context thread creation is requested: 6
00000377 winscard_svc.c:329:ContextThread() Authorized PC/SC client
00000028 winscard_svc.c:333:ContextThread() Thread is started: dwClientID=6, threadContext @0x801638000
00000035 winscard_svc.c:351:ContextThread() Received command: CMD_VERSION from client 6
00000041 winscard_svc.c:363:ContextThread() Client is protocol version 4:3
00000013 winscard_svc.c:383:ContextThread() CMD_VERSION rv=0x0 for client 6
00000147 winscard_svc.c:351:ContextThread() Received command: ESTABLISH_CONTEXT from client 6
00000062 winscard.c:213:SCardEstablishContext() Establishing Context: 0x7CF3D27C
00000015 winscard_svc.c:444:ContextThread() ESTABLISH_CONTEXT rv=0x0 for client 6
00000199 winscard_svc.c:351:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00000133 winscard_svc.c:351:ContextThread() Received command: CMD_WAIT_READER_STATE_CHANGE from client 6
00000361 winscard_svc.c:351:ContextThread() Received command: CMD_STOP_WAITING_READER_STATE_CHANGE from client 6
00000032 winscard_svc.c:425:ContextThread() CMD_STOP_WAITING_READER_STATE_CHANGE rv=0x0 for client 6
00000093 winscard_svc.c:351:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00000137 winscard_svc.c:351:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00000145 winscard_svc.c:351:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00000110 winscard_svc.c:351:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00000101 winscard_svc.c:351:ContextThread() Received command: CMD_WAIT_READER_STATE_CHANGE from client 6

I removed and re-inserted the YubiKey, but it isn't detected by pcsc_scan -n:

Code:
[root@cayococo]:~ # pcsc_scan

PC/SC device scanner
V 1.4.26 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.17
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
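The following diagnostic script is an added example, not code posted in this thread. It checks the things the posts above go through in one place: that /etc/rc.conf actually selects a devfs ruleset (the second poster notes the devfs.rules permissions did nothing without it), that the ruleset carries the usb/* rule, and, from a saved pcscd debug log like the one above, whether pcscd gave up on USB hotplug because no driver bundle was found in its drivers directory. That last condition is the decisive line in the log: when pcscd logs "No bundle files in pcsc drivers directory" followed by "Disabling USB support for pcscd", no USB reader will ever appear in pcsc_scan regardless of permissions, because a CCID reader bundle (on FreeBSD that is what the devel/libccid port installs) must be present for pcscd to enumerate USB readers at all. The "** UNRECOGNIZED: 36 21 ..." block in the first post is only lsusb declining to decode the CCID class-specific descriptor (bDescriptorType 0x21, 54 bytes) and is not itself a fault. All paths are passed as arguments; the sample files written by make_samples are constructed here from the thread's own posts for offline use.

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread). POSIX sh; works on FreeBSD.
# Usage: sh yk_diag.sh /etc/rc.conf /etc/devfs.rules pcscd.log /usr/local/lib/pcsc/drivers
# where pcscd.log was captured with: pcscd -f -d > pcscd.log 2>&1

# 1. /etc/rc.conf must name a ruleset, otherwise /etc/devfs.rules is never applied.
rcconf_has_ruleset() {          # $1 = rc.conf path, $2 = ruleset name
    grep -Eq "^[[:space:]]*devfs_system_ruleset=\"?$2\"?[[:space:]]*$" "$1"
}

# 2. That ruleset must contain an "add path 'usb/*'" rule (group/mode as chosen above).
devfs_rule_present() {          # $1 = devfs.rules path, $2 = ruleset name
    awk -v rs="$2" '
        /^\[/       { inrs = ($0 ~ ("^\\[" rs "=")) }
        inrs && index($0, "add path") && index($0, "usb/*") { found = 1 }
        END         { exit found ? 0 : 1 }' "$1"
}

# 3. pcscd only enumerates USB readers through a driver bundle; with none present
#    it logs "Disabling USB support" and pcsc_scan will wait forever.
pcscd_log_usb_disabled() {      # $1 = saved pcscd debug log
    grep -q 'Disabling USB support for pcscd' "$1"
}

drivers_bundle_present() {      # $1 = pcsc drivers directory
    set -- "$1"/*.bundle        # glob stays literal when nothing matches
    [ -e "$1" ]
}

# Run all checks, print a verdict per item, return 0 only if everything passes.
diagnose() {                    # $1 rc.conf  $2 devfs.rules  $3 pcscd log  $4 drivers dir
    ok=0
    rcconf_has_ruleset "$1" localrules && echo "rc.conf: devfs_system_ruleset set" \
        || { echo "rc.conf: devfs_system_ruleset missing (devfs.rules ignored)"; ok=1; }
    devfs_rule_present "$2" localrules && echo "devfs.rules: usb/* rule present" \
        || { echo "devfs.rules: no usb/* rule in [localrules]"; ok=1; }
    if pcscd_log_usb_disabled "$3"; then
        echo "pcscd: USB support disabled, no reader bundle found"; ok=1
    else
        echo "pcscd: USB hotplug active"
    fi
    drivers_bundle_present "$4" && echo "drivers: bundle present in $4" \
        || { echo "drivers: no *.bundle in $4 (install a CCID reader driver)"; ok=1; }
    return "$ok"
}

# Constructed sample files reproducing the thread's configuration and log excerpt,
# so the checks can be exercised offline. Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'devfs_system_ruleset="localrules"\n' > "$d/rc.conf"
    printf "[localrules=10]\nadd path 'usb/*' mode 0660 group usb\n" > "$d/devfs.rules"
    cat > "$d/pcscd.log" <<'EOF'
00000076 pcscdaemon.c:672:main() pcsc-lite 1.8.17 daemon ready.
00001668 hotplug_libusb.c:268:HPReadBundleValues() No bundle files in pcsc drivers directory: /usr/local/lib/pcsc/drivers/
00000022 hotplug_libusb.c:269:HPReadBundleValues() Disabling USB support for pcscd
EOF
    mkdir "$d/drivers"
    echo "$d"
}

if [ "$#" -eq 4 ]; then
    diagnose "$@"
fi
```

On the system from the thread, diagnose would report the first two items as fine and the last two as failing, which is exactly the state the log excerpt shows: permissions are correct, but pcscd has no reader driver to talk to the key with.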
 
I don't own a Yubikey 4 to test, but I'm struggling to figure out why your Yubikey Neo OTP + CCID isn't detected, as mine is. Does the output of pcsc_scan differ between the Yubikey and Yubikey 4? If I can help you get the old Yubikey working, at least you will have an idea whether or not it is a Yubikey 4 specific problem. Let me know if there is any specific output you would like me to post for comparison. I'm on 10.3-RELEASE #0 r297264.
 