Can access Nitrokey only as root?

Hi! My normal user can’t access the Nitrokey. At least I assume that’s the problem.

This is my setup: Windows 10 host and running NixOS in WSL2, using usbipd to share the USB device from the Windows host to the Linux guest. udev rules (libnitrokey) are installed. So far I think this works, because lsusb shows the device:

Bus 001 Device 003: ID 20a0:4109 Clay Logic Nitrokey Storage

gpg --card-status shows:

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

And journalctl --user -u gpg-agent shows:

Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK Pleased to meet you, process 6648
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- RESET
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION ttyname=/dev/pts/2
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION ttytype=xterm-256color
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION display=:0
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION putenv=WAYLAND_DISPLAY=wayland-0
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION lc-ctype=de_DE.UTF-8
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION lc-messages=de_DE.UTF-8
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- GETINFO version
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> D 2.4.1
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION allow-pinentry-notify
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- OPTION agent-awareness=2.1.0
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- SCD GETINFO version
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: no running /nix/store/wd3xl6h29kjr9ng2kl0yf3mh7ciw3pri-gnupg-2.4.1/libexec/scdaemon daemon - starting it
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- OK GNU Privacy Guard's Smartcard server ready
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: first connection to daemon /nix/store/wd3xl6h29kjr9ng2kl0yf3mh7ciw3pri-gnupg-2.4.1/libexec/scdaemon established
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 -> GETINFO socket_name
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- D /run/user/1000/gnupg/S.scdaemon
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 -> OPTION event-signal=12
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 -> GETINFO version
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- D 2.4.1
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> D 2.4.1
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> OK
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- SCD SERIALNO
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 -> SERIALNO
Nov 10 15:21:13 nixos-wsl gpg-agent[6651]: scdaemon[6651]: ccid open error: skip
Nov 10 15:21:13 nixos-wsl gpg-agent[6651]: scdaemon[6651]: check permission of USB device at Bus 001 Device 003
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- ERR 100696144 No such device <SCD>
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 -> ERR 100696144 No such device <SCD>
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_7 <- [eof]
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 -> RESTART
Nov 10 15:21:13 nixos-wsl gpg-agent[6649]: DBG: chan_8 <- OK

note the following lines:

scdaemon[6651]: ccid open error: skip
scdaemon[6651]: check permission of USB device at Bus 001 Device 003
DBG: chan_8 <- ERR 100696144 No such device <SCD>
DBG: chan_7 -> ERR 100696144 No such device <SCD>

And also the Wayland display and pinentry look wrong, because I don’t have a graphical interface enabled in WSL. It might be that I will have problems with pinentry, but I can figure that out on my own. First of all I need to be able to successfully run gpg --card-status.

In a root shell, gpg --card-status works. There I don’t have gpg-agent or anything else configured.

Please help :frowning:

Does the Nitrokey device look different through usbip than when plugged in directly, and because of that the udev rules don’t apply? Could that be possible?

This is the udev rule:

ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

And this is how the Nitrokey device looks

looking at device '/devices/platform/vhci_hcd.0/usb1/1-1':
    KERNEL=="1-1"
    SUBSYSTEM=="usb"
    DRIVER=="usb"
    ATTR{authorized}=="1"
    ATTR{avoid_reset_quirk}=="0"
    ATTR{bConfigurationValue}=="1"
    ATTR{bDeviceClass}=="00"
    ATTR{bDeviceProtocol}=="00"
    ATTR{bDeviceSubClass}=="00"
    ATTR{bMaxPacketSize0}=="64"
    ATTR{bMaxPower}=="100mA"
    ATTR{bNumConfigurations}=="1"
    ATTR{bNumInterfaces}==" 3"
    ATTR{bcdDevice}=="0101"
    ATTR{bmAttributes}=="80"
    ATTR{busnum}=="1"
    ATTR{configuration}==""
    ATTR{devnum}=="4"
    ATTR{devpath}=="1"
    ATTR{idProduct}=="4109"
    ATTR{idVendor}=="20a0"
    ATTR{ltm_capable}=="no"
    ATTR{manufacturer}=="Nitrokey"
    ATTR{maxchild}=="0"
    ATTR{product}=="Nitrokey Storage"
    ATTR{quirks}=="0x0"
    ATTR{removable}=="unknown"
    ATTR{remove}=="(not readable)"
    ATTR{rx_lanes}=="1"
    ATTR{serial}=="0000000000000"
    ATTR{speed}=="480"
    ATTR{tx_lanes}=="1"
    ATTR{urbnum}=="195"
    ATTR{version}==" 2.00"

idVendor and idProduct match… should be fine.

I am completely in despair. :frowning:
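The scdaemon message "check permission of USB device at Bus 001 Device 003" points at the device node /dev/bus/usb/001/003, and the udev rule above only grants a non-root user access to it through an ACL that systemd-logind adds for users with an active local seat session, which a WSL2 shell normally does not have. The following helper (added here as an illustration, not code from the original post or from Nitrokey/libnitrokey) turns the bus and device numbers printed by lsusb into that node path and reports whether the current user can actually open it; the function names and exit codes are my own choices.

```shell
#!/bin/sh
# Added example: check whether the calling user may open the USB device node
# that scdaemon's CCID driver tries to use. Function names and exit codes are
# assumptions made for this example, not part of GnuPG or udev.

# usb_node_path BUS DEV -> prints /dev/bus/usb/BBB/DDD, zero-padded as the kernel names it
usb_node_path() {
    printf '/dev/bus/usb/%03d/%03d\n' "$1" "$2"
}

# usb_node_check PATH
#   exit 0: node exists and the caller can read and write it
#   exit 1: node exists but the caller lacks read/write permission (root-only)
#   exit 2: node does not exist (device not attached or not forwarded to this kernel)
usb_node_check() {
    node="$1"
    if [ ! -e "$node" ]; then
        echo "$node: no such device node (is the device attached to this kernel?)" >&2
        return 2
    fi
    # Show owner, group, mode and, where available, the ACL: a rule with
    # TAG+="uaccess" that did take effect shows up as a user:<name>:rw- entry.
    ls -l "$node"
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$node" 2>/dev/null || true
    fi
    # On a udev system, show whether the rule's ENV settings and tags were applied.
    if command -v udevadm >/dev/null 2>&1; then
        udevadm info --query=property --name="$node" 2>/dev/null \
            | grep -E '^(ID_SMARTCARD_READER|ID_SMARTCARD_READER_DRIVER|TAGS|CURRENT_TAGS)=' || true
    fi
    if [ -r "$node" ] && [ -w "$node" ]; then
        echo "$node: readable and writable by $(id -un)"
        return 0
    fi
    echo "$node: not readable/writable by $(id -un); only root or the ACL/group owner can open it" >&2
    return 1
}

# Usage with the numbers from the lsusb line in this thread (Bus 001 Device 003):
#   usb_node_check "$(usb_node_path 1 3)"
```

Run it as the normal user, not as root: a result of 1 with no user:<name>:rw- ACL entry in the getfacl output means the udev rule matched but nothing granted the shell's user access, which is exactly the situation in which scdaemon's direct CCID access fails while a root shell works.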

Got it.
I had to enable the pcscd service… now it’s working.

Which I absolutely don’t understand, because it worked for root before. And the same configuration works on my main machine (bare metal) without pcscd…


I can interact only through root after replugging a Nitrokey 3C NFC on FreeBSD 13.2.
It’s a bit annoying.

Did you create any devfs rules? (Just read man 5 devfs, man 8 devd, man 5 devfs.conf, man 5 devfs.rules if you need more info.)