Does not display registered one-time passwords #35

Closed
rzeigler opened this issue Jan 4, 2022 · 22 comments

@rzeigler

rzeigler commented Jan 4, 2022

On both Ubuntu 21.10 and Pop_OS 21.10, when installed via flatpak, no one-time password registrations are shown for my devices.

I can see the fact that the device has been plugged in.
When I install the version in the repositories instead (as well as using the mobile apps on my phone), I am able to see/generate one-time passwords.

@cob16

cob16 commented Jan 4, 2022

I would like to report the same issue. The key works with both the ykman cli and phone app but not the flatpak version.

The problem is also not present when using the official app image for Linux.

When running in debug mode with the --log-level DEBUG flag I get the following output:

Debug log
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw3
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw6'
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw5'
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw4'
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw1'
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw0'
2022-01-04T15:52:27+0000 ERROR [ykman.device.list_all_devices:173] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa8 in position 0: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 171, in list_all_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-01-04T15:52:27+0000 DEBUG [ykman.hid.linux.list_devices:108] Failed opening HID device
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/hid/linux.py", line 103, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw6'
2022-01-04T15:52:27+0000 DEBUG [ykman.hid.linux.list_devices:108] Failed opening HID device
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/hid/linux.py", line 103, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw5'
2022-01-04T15:52:27+0000 DEBUG [ykman.hid.linux.list_devices:108] Failed opening HID device
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/hid/linux.py", line 103, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw4'
2022-01-04T15:52:27+0000 DEBUG [ykman.hid.linux.list_devices:108] Failed opening HID device
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/hid/linux.py", line 103, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
2022-01-04T15:52:27+0000 DEBUG [ykman.hid.linux.list_devices:108] Failed opening HID device
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/hid/linux.py", line 103, in list_devices
    with open(hidraw, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'

My assumption is that this is an issue only on the flatpak version

Note: this could perhaps be a duplicate of #26

@NerfyGek0

NerfyGek0 commented Jan 16, 2022

Same issue here, seen on Fedora Silverblue and Pop!_OS with this flatpak version.

If I use the equivalent AppImage version (5.1.0) provided by Yubico it all works as expected.

@claudio-walser

Yes, I can confirm the same issue on Fedora Silverblue 35.
pcsc-lite is installed and the pcscd is running.

@Erick555
Contributor

Can you post output from:
ls -al /dev/hidraw*
and
getfacl /dev/hidraw*

@claudio-walser

claudio-walser commented Feb 12, 2022

Sure

crw-rw----+ 1 root root 239, 0 12. Feb 00:21 /dev/hidraw0
crw-rw----+ 1 root root 239, 1 12. Feb 00:21 /dev/hidraw1

and

# file: dev/hidraw0
# owner: root
# group: root
user::rw-
user:claudio:rw-
group::---
mask::rw-
other::---

# file: dev/hidraw1
# owner: root
# group: root
user::rw-
user:claudio:rw-
group::---
mask::rw-
other::---

@Erick555
Contributor

Erick555 commented Feb 12, 2022

Thx, it looks good; user claudio seems to have access to the hidraw devices, therefore the [Errno 13] Permission denied error is surprising. I wonder if it could be blocked by SELinux? Can you gather some audit logs after you try to use the YubiKey with this app?

@claudio-walser

True, and as the others reported, the official AppImage from Yubico works well.

@claudio-walser

claudio-walser commented Feb 14, 2022

I do believe the sandbox permissions are the issue here.
From the docs I've learned:
No access to any device nodes (apart from /dev/null, etc).
https://docs.flatpak.org/en/latest/sandbox-permissions.html
Not sure what etc means in this context.

A quick check shows, yubioath does not have any special permissions set by default.
Table Object App Permissions Data
background background com.yubico.yubioath no 0x00

I will play around this evening a little bit.

By the way, I do have SELinux enabled, if this makes a difference, which it probably does, not sure.

Oh, you asked about SELinux, sorry, did not see that. I'll check this as well.

@Lunarequest
Collaborator

Sorry for not responding before, I've had uni exams. The sandbox permissions are not an issue since we use --device=all, however it looks like there may have been a change at some point since on Fedora 24 it works. SELinux is probably playing a factor in this issue.

@claudio-walser

claudio-walser commented Feb 15, 2022

Sorry for the delay. I've tested it even with SELinux disabled. Nothing changed. Also, there is no log entry in /var/log/audit/audit.log.

But also flatpak override com.yubico.yubioath --device=all does not help, but you said already this should be the application default.

I do not have any more ideas right now 🙈

@Lunarequest
Collaborator

I suspect flatpak changed something under the hood. I honestly have no idea how to fix things.

@claudio-walser

claudio-walser commented Feb 15, 2022

I tried to dig a bit deeper but without any major success. Still far away from your research I guess ;-)
I got rid of the permission denied error somehow (not sure how exactly, to be honest).
My current DEBUG log looks like this:

QSocketNotifier: Can only be used with threads started with QThread
Got library name:  "/app/lib/qml/io/thp/pyotherside/libpyothersideplugin.so"
2022-02-15T22:26:59+0100 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG
2022-02-15T22:26:59+0100 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.7
2022-02-15T22:26:59+0100 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.9.9 (main, Nov 10 2011, 15:00:00) 
[GCC 11.2.0]
2022-02-15T22:26:59+0100 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: linux
2022-02-15T22:26:59+0100 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: x86_64
2022-02-15T22:26:59+0100 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: False
2022-02-15T22:26:59+0100 ERROR [ykman.device.scan_devices:141] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe0 in position 2: invalid continuation byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 139, in scan_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:26:59+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:26:59+0100 DEBUG [yubikit.core.otp.send_and_receive:164] RECV: 2b0102023f0302023f020400a6914004010105030501020602000007010f0801000d02023b0e02023b0a010097e07a76fa
2022-02-15T22:26:59+0100 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=1234, version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, is_locked=False, is_fips=False, is_sky=False)
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.call:156] SEND: ffffffff8600085266119d851a918a
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.call:176] RECV: ffffffff8600115266119d851a918a00240022020501020500000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-02-15T22:26:59+0100 DEBUG [fido2.hid.call:156] SEND: 00240022c20000
2022-02-15T22:27:02+0100 DEBUG [fido2.hid.call:176] RECV: 00240022c2002c2b0102023f0302023f020400a6914004010105030501020602000007010f0801000d02023b0e02023b0a010000000000000000000000000000
2022-02-15T22:27:02+0100 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=1234, version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, is_locked=False, is_fips=False, is_sky=False)
2022-02-15T22:27:02+0100 DEBUG [fido2.hid.call:156] SEND: 0024002290000104
2022-02-15T22:27:02+0100 DEBUG [fido2.hid.call:176] RECV: 0024002290005600a60182665532465f5632684649444f5f325f3002816b686d61632d7365637265740350fa2b99dc9e3942578f924a30d23c411804a462726b
2022-02-15T22:27:02+0100 DEBUG [fido2.hid.call:176] RECV: 0024002200f5627570f564706c6174f469636c69656e7450696ef4051904b0068101000000000000000000000000000000000000000000000000000000000000
2022-02-15T22:27:02+0100 ERROR [ykman.device.connect_to_device:208] Error listing connection of type <class 'yubikit.core.smartcard.SmartCardConnection'>
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe0 in position 2: invalid continuation byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 206, in connect_to_device
    devs = CONNECTION_LIST_MAPPING[connection_type]()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:27:02+0100 ERROR [yubikey.wrapped:141] Uncaught exception
Traceback (most recent call last):
  File "qrc:///py/yubikey.py", line 129, in wrapped
    return f(*args, **kwargs)
  File "qrc:///py/yubikey.py", line 785, in ccid_calculate_all
    with self._open_oath() as oath_controller:
  File "qrc:///py/yubikey.py", line 206, in _open_oath
    return connect_to_device(self._current_serial, [SmartCardConnection])[0]
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 228, in connect_to_device
    raise ConnectionNotAvailableException(connection_types)
ykman.device.ConnectionNotAvailableException: No eligiable connections are available ([<class 'yubikit.core.smartcard.SmartCardConnection'>]).
qml: calculateAll failed: No eligiable connections are available ([<class 'yubikit.core.smartcard.SmartCardConnection'>]).
2022-02-15T22:27:02+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:02+0100 ERROR [ykman.device.list_all_devices:173] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9f in position 1: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 171, in list_all_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:27:02+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:03+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:03+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:04+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:04+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:05+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:05+0100 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000136b5b000000
2022-02-15T22:27:05+0100 DEBUG [yubikit.core.otp.send_and_receive:164] RECV: 2b0102023f0302023f020400a6914004010105030501020602000007010f0801000d02023b0e02023b0a010097e07a76fa
2022-02-15T22:27:05+0100 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=1234, version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, is_locked=False, is_fips=False, is_sky=False)
2022-02-15T22:27:05+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:06+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:06+0100 DEBUG [fido2.hid.call:156] SEND: ffffffff860008a7549cd3a47465c5
2022-02-15T22:27:06+0100 DEBUG [fido2.hid.call:176] RECV: ffffffff860011a7549cd3a47465c500240023020501020500000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-02-15T22:27:06+0100 DEBUG [fido2.hid.call:156] SEND: 00240023c20000
2022-02-15T22:27:08+0100 DEBUG [fido2.hid.call:176] RECV: 00240023c2002c2b0102023f0302023f020400a6914004010105030501020602000007010f0801000d02023b0e02023b0a010000000000000000000000000000
2022-02-15T22:27:08+0100 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=1234, version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, is_locked=False, is_fips=False, is_sky=False)
2022-02-15T22:27:08+0100 DEBUG [fido2.hid.call:156] SEND: 0024002390000104
2022-02-15T22:27:08+0100 DEBUG [fido2.hid.call:176] RECV: 0024002390005600a60182665532465f5632684649444f5f325f3002816b686d61632d7365637265740350fa2b99dc9e3942578f924a30d23c411804a462726b
2022-02-15T22:27:08+0100 DEBUG [fido2.hid.call:176] RECV: 0024002300f5627570f564706c6174f469636c69656e7450696ef4051904b0068101000000000000000000000000000000000000000000000000000000000000
2022-02-15T22:27:08+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:09+0100 ERROR [ykman.device.scan_devices:141] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9f in position 1: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 139, in scan_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:27:09+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:10+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:11+0100 ERROR [ykman.device.scan_devices:141] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9f in position 1: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 139, in scan_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:27:11+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:12+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:13+0100 ERROR [ykman.device.scan_devices:141] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9f in position 1: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 139, in scan_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-02-15T22:27:13+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:14+0100 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw1
2022-02-15T22:27:15+0100 ERROR [ykman.device.scan_devices:141] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9f in position 1: invalid start byte

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 139, in scan_devices
    devs = list_devs()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 85, in inner
    return f()
  File "/app/lib/python3.9/site-packages/ykman/device.py", line 102, in list_ccid_devices
    return _list_ccid_devices()
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 164, in list_devices
    for reader in list_readers():
  File "/app/lib/python3.9/site-packages/ykman/pcsc/__init__.py", line 152, in list_readers
    return System.readers()
  File "/app/lib/python3.9/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/app/lib/python3.9/site-packages/smartcard/reader/ReaderFactory.py", line 58, in readers
    zreaders += fm(groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 112, in readers
    pcsc_readers = __PCSCreaders__(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/pcsc/PCSCReader.py", line 43, in __PCSCreaders__
    hresult, readers = SCardListReaders(hcontext, groups)
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set

I did try to add the udev rules from Yubico, without success:
https://github.com/Yubico/libfido2/blob/master/udev/70-u2f.rules

What I noticed: the YubiKey works fine in keepassxc from flathub. But it seems they are not communicating over pcsc; at least, they do not use socket=pcsc permissions but device=all.

Which leads me to the conclusion that the error lies in the pcsc communication somehow.
I have tried to dig into pyscard a little. But since the default AppImage works, my best guess right now is that it has something to do with the socket integration in flatpak.
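
A triage sketch for the two debug logs posted above, as an added example that is not part of the thread or of the ykman/yubioath code: it separates the HID permission errors from the PC/SC reader-list failure that later comments tie to the pcsc-lite patch. The sample log is constructed from the shape of the quoted output, and the function names and verdict strings are assumptions.

```python
import re

# Head line of a ykman log record: timestamp, level, [source:line], message.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"(?P<level>[A-Z]+) \[(?P<src>[\w.]+):(?P<line>\d+)\] (?P<msg>.*)$"
)
CTAP_FOUND = re.compile(r"Found CTAP device: (/dev/hidraw\d+)")
HID_DENIED = re.compile(r"Permission denied: '(/dev/hidraw\d+)'")

# Constructed sample, shaped like the debug output quoted in this thread.
SAMPLE_LOG = """\
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP device: /dev/hidraw3
2022-01-04T15:52:27+0000 DEBUG [fido2.hid.linux.list_descriptors:76] Skip device: [Errno 13] Permission denied: '/dev/hidraw6'
2022-01-04T15:52:27+0000 ERROR [ykman.device.list_all_devices:173] Unable to list devices for connection
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa8 in position 0: invalid start byte
Traceback (most recent call last):
  File "/app/lib/python3.9/site-packages/smartcard/scard/scard.py", line 640, in SCardListReaders
    return _scard.SCardListReaders(hcontext, readergroups)
SystemError: <built-in function SCardListReaders> returned a result with an error set
2022-01-04T15:52:28+0000 ERROR [yubikey.wrapped:141] Uncaught exception
ykman.device.ConnectionNotAvailableException: No eligiable connections are available ([<class 'yubikit.core.smartcard.SmartCardConnection'>]).
"""


def parse_records(text):
    """Group a log into records: a timestamped head line plus its traceback lines."""
    records = []
    for raw in text.splitlines():
        match = RECORD.match(raw)
        if match:
            records.append({**match.groupdict(), "body": []})
        elif records and raw.strip():
            # Continuation (exception text, traceback frame) of the last record.
            records[-1]["body"].append(raw)
    return records


def triage(text):
    """Classify which transport fails: raw HID access or the PC/SC (CCID) path."""
    ctap, denied = set(), set()
    pcsc_failures, ccid_unavailable = 0, False
    for rec in parse_records(text):
        blob = "\n".join([rec["msg"], *rec["body"]])
        ctap.update(CTAP_FOUND.findall(blob))
        denied.update(HID_DENIED.findall(blob))
        # Signature from the thread: the reader list coming back from
        # SCardListReaders cannot be decoded as UTF-8.
        if (rec["level"] == "ERROR" and "UnicodeDecodeError" in blob
                and "SCardListReaders" in blob):
            pcsc_failures += 1
        if "ConnectionNotAvailableException" in blob and "SmartCardConnection" in blob:
            ccid_unavailable = True

    if pcsc_failures and ctap:
        # Key is visible over HID, but OATH needs the smart card connection.
        verdict = "pcsc-broken-hid-ok"
    elif pcsc_failures:
        verdict = "pcsc-broken"
    elif denied and not ctap:
        # No hidraw node could be opened: device ACLs or sandbox device access.
        verdict = "hid-blocked"
    else:
        verdict = "no-known-signature"
    return {
        "verdict": verdict,
        "ctap_devices": sorted(ctap),
        "hid_denied": sorted(denied),
        "pcsc_decode_failures": pcsc_failures,
        "ccid_unavailable": ccid_unavailable,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `pcsc-broken-hid-ok` verdict matches the symptom in the original report: the key shows up as plugged in, but no one-time passwords can be listed because the smart card connection never opens.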

@Erick555
Contributor

Erick555 commented Feb 15, 2022

Note that Fedora is carrying some custom patch for pcsc-lite that breaks interoperability with non-patched clients in smartcard contexts. I don't know if this can affect usage of this app as well.

You may try adding the same patch for pcsc-lite in a flatpak test build to confirm if this is related.

@claudio-walser

Hello Erick,
Thank you for the link, I will check that once I fully understand Ludovic's blog post. I did a short debugging session yesterday using strace within the application container. Not that I gathered much information from it 🙈
Might read into the GNU debugger and try that as well if I find time for it.

@FilBot3

FilBot3 commented Mar 31, 2022

I also have this issue on Fedora 35 Silverblue with the Flatpak. However, running the AppImage, it was able to recognize my YubiKey 5 NFC like it should.

@brugr
Contributor

brugr commented Oct 14, 2022

Note that Fedora is carrying some custom patch for pcsc-lite that breaks interoperability with non-patched clients in smartcard contexts. I don't know if this can affect usage of this app as well.

You may try adding the same patch for pcsc-lite in a flatpak test build to confirm if this is related.

Did some basic testing with the beta ver of the app (#58), and it's probably related to this. With the patch it works perfectly fine. Tested the stable ver as well and it's the same result.

Tested on Nobara/Fedora 36

@schmensch

schmensch commented Mar 9, 2023

I found the corresponding issue in the pcsc-lite GitHub repo:

LudovicRousseau/PCSC#118 (comment)

There are three possible solutions I came up with right now, but there might be more:

  • Have Fedora and other distros un-patch their pcsc-lite implementation
  • Patch the pcsc-lite used in the Flatpak; this would break compatibility on every distro that doesn't use the patched pcsc-lite, though
  • Have custom Fedora Copr / openSUSE OBS / Launchpad PPA repos available with the unpatched pcsc-lite package.

Edit: pressed enter too soon

@Lunarequest
Collaborator

Fedora 38 will ship an unpatched pcsc-lite. I'm for the 3rd option since patching our pcsc would break it for everyone else.

@SoMuchForSubtlety

You can get the fixed version already by installing the version from rawhide

sudo dnf install fedora-repos-rawhide -y
sudo dnf install pcsc-lite --disablerepo="*" --enablerepo=rawhide

@Lunarequest
Collaborator

You can get the fixed version already by installing the version from rawhide

sudo dnf install fedora-repos-rawhide -y
sudo dnf install pcsc-lite --disablerepo="*" --enablerepo=rawhide

Unless you want a partially upgraded system, avoid this. It is not supported by Fedora and will break things. I'll look into getting an unpatched pcsc-lite package on OBS this weekend so everyone can enjoy it.

@JamesBelchamber

This is fixed in Fedora 38. Does this ticket need to stay open?

@Lunarequest
Collaborator

I'll close this

slagiewka added a commit to slagiewka/com.yubico.yubioath that referenced this issue Jul 6, 2023
According to pre-existing issues [^1] and my experience,
Fedora 38 is no longer causing issues.

[^1]: flathub#35 (comment)