Cannot detect Nitrokey 3 with USB redirection

Hi,

I am trying to use a Nitrokey 3C NFC via USB redirection on a remote Linux VM.
For the USB redirection I am using https://www.incentivespro.com/usb-redirector.html and everything seems to work.

lsusb
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 009 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 010 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 011 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 011 Device 011: ID 20a0:42b2 Clay Logic Nitrokey 3A Mini/3A NFC/3C NFC
Bus 012 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

Also, the udev rules seem to apply:

udevadm test $(udevadm info --query=path --name=hidraw0)                                  
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

Trying to open "/etc/systemd/hwdb/hwdb.bin"...
Trying to open "/etc/udev/hwdb.bin"...
Trying to open "/usr/lib/systemd/hwdb/hwdb.bin"...
Trying to open "/usr/lib/udev/hwdb.bin"...
=== trie on-disk ===
tool version:          255
file size:        13009891 bytes
header size             80 bytes
strings            2642363 bytes
nodes             10367448 bytes
Loading kernel module index.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Using default interface naming scheme 'v255'.
Parsed configuration file "/usr/lib/systemd/network/99-default.link"
Created link configuration context.
Reading rules file: /usr/lib/udev/rules.d/01-md-raid-creating.rules
Reading rules file: /usr/lib/udev/rules.d/10-dm.rules
Reading rules file: /usr/lib/udev/rules.d/13-dm-disk.rules
Reading rules file: /usr/lib/udev/rules.d/39-usbmuxd.rules
Reading rules file: /usr/lib/udev/rules.d/40-gphoto.rules
Reading rules file: /etc/udev/rules.d/41-nitrokey.rules
Reading rules file: /usr/lib/udev/rules.d/50-udev-default.rules
Reading rules file: /usr/lib/udev/rules.d/60-autosuspend.rules
Reading rules file: /usr/lib/udev/rules.d/60-block.rules
Reading rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules
Reading rules file: /usr/lib/udev/rules.d/60-dmi-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-drm.rules
Reading rules file: /usr/lib/udev/rules.d/60-evdev.rules
Reading rules file: /usr/lib/udev/rules.d/60-fido-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-infiniband.rules
Reading rules file: /usr/lib/udev/rules.d/60-input-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-input.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage-mtd.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules
Reading rules file: /usr/lib/udev/rules.d/60-rfkill.rules
Reading rules file: /usr/lib/udev/rules.d/60-sensor.rules
Reading rules file: /usr/lib/udev/rules.d/60-serial.rules
Reading rules file: /usr/lib/udev/rules.d/60-tpm-udev.rules
Reading rules file: /usr/lib/udev/rules.d/61-gdm.rules
Reading rules file: /usr/lib/udev/rules.d/61-gnome-settings-daemon-rfkill.rules
Reading rules file: /usr/lib/udev/rules.d/61-mutter.rules
Reading rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-dm.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-zoned.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs.rules
Reading rules file: /usr/lib/udev/rules.d/64-ext4.rules
Reading rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules
Reading rules file: /usr/lib/udev/rules.d/65-libwacom.rules
Reading rules file: /usr/lib/udev/rules.d/65-sane.rules
Reading rules file: /usr/lib/udev/rules.d/66-saned.rules
Reading rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules
Reading rules file: /usr/lib/udev/rules.d/69-libmtp.rules
Reading rules file: /usr/lib/udev/rules.d/69-md-clustered-confirm-device.rules
Reading rules file: /usr/lib/udev/rules.d/70-camera.rules
Reading rules file: /usr/lib/udev/rules.d/70-infrared.rules
Reading rules file: /usr/lib/udev/rules.d/70-joystick.rules
Reading rules file: /usr/lib/udev/rules.d/70-memory.rules
Reading rules file: /usr/lib/udev/rules.d/70-mouse.rules
Reading rules file: /usr/lib/udev/rules.d/70-power-switch.rules
Reading rules file: /usr/lib/udev/rules.d/70-printers.rules
Reading rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules
Reading rules file: /usr/lib/udev/rules.d/70-touchpad.rules
Reading rules file: /usr/lib/udev/rules.d/70-uaccess.rules
Reading rules file: /usr/lib/udev/rules.d/71-seat.rules
Reading rules file: /usr/lib/udev/rules.d/73-seat-late.rules
Reading rules file: /usr/lib/udev/rules.d/75-net-description.rules
Reading rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules
Reading rules file: /usr/lib/udev/rules.d/78-sound-card.rules
Reading rules file: /usr/lib/udev/rules.d/80-drivers.rules
Reading rules file: /usr/lib/udev/rules.d/80-iio-sensor-proxy.rules
Reading rules file: /usr/lib/udev/rules.d/80-libinput-device-groups.rules
Reading rules file: /usr/lib/udev/rules.d/80-net-setup-link.rules
Reading rules file: /usr/lib/udev/rules.d/80-udisks2.rules
Reading rules file: /usr/lib/udev/rules.d/81-net-dhcp.rules
Reading rules file: /usr/lib/udev/rules.d/84-nm-drivers.rules
Reading rules file: /usr/lib/udev/rules.d/85-nm-unmanaged.rules
Reading rules file: /usr/lib/udev/rules.d/90-bolt.rules
Reading rules file: /usr/lib/udev/rules.d/90-brltty-hid.rules
Reading rules file: /usr/lib/udev/rules.d/90-brltty-uinput.rules
Reading rules file: /usr/lib/udev/rules.d/90-brltty-usb-customized.rules
Reading rules file: /usr/lib/udev/rules.d/90-iocost.rules
Reading rules file: /usr/lib/udev/rules.d/90-libinput-fuzz-override.rules
Reading rules file: /usr/lib/udev/rules.d/90-nm-thunderbolt.rules
Reading rules file: /usr/lib/udev/rules.d/90-pipewire-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/90-vconsole.rules
Reading rules file: /usr/lib/udev/rules.d/95-cd-devices.rules
Reading rules file: /usr/lib/udev/rules.d/95-dm-notify.rules
Reading rules file: /usr/lib/udev/rules.d/95-upower-hid.rules
Reading rules file: /usr/lib/udev/rules.d/95-upower-wup.rules
Reading rules file: /usr/lib/udev/rules.d/96-e2scrub.rules
Reading rules file: /usr/lib/udev/rules.d/99-fuse.rules
Reading rules file: /usr/lib/udev/rules.d/99-fuse3.rules
Reading rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules
Reading rules file: /usr/lib/udev/rules.d/99-systemd.rules
sd-device: Failed to chase symlinks in "/devices/platform/tusb-vhci-driver/usb11/11-1/11-1:1.1/0003:20A0:42B2.000A/hidraw/hidraw0".
hidraw0: /usr/lib/udev/rules.d/50-udev-default.rules:17 Importing properties from results of builtin command 'hwdb'
hidraw0: hwdb modalias key: "hid:b0003g0001v000020A0p000042B2"
hidraw0: hwdb modalias key: "usb:v20A0p42B2d0107dcEFdsc02dp01ic03isc00ip00in01"
hidraw0: /usr/lib/udev/rules.d/60-fido-id.rules:5 Importing properties from results of 'fido_id'
hidraw0: Starting 'fido_id'
Successfully forked off '(spawn)' as PID 57265.
hidraw0: 'fido_id'(err) 'Failed to get current device from environment: Invalid argument'
hidraw0: Process 'fido_id' failed with exit code 1.
hidraw0: /usr/lib/udev/rules.d/60-fido-id.rules:5 Command "fido_id" returned 1 (error), ignoring
hidraw0: /usr/lib/udev/rules.d/71-seat.rules:74 Importing properties from results of builtin command 'path_id'
hidraw0: /usr/lib/udev/rules.d/73-seat-late.rules:16 RUN 'uaccess'
hidraw0: Preserve permissions of /dev/hidraw0, uid=0, gid=0, mode=0660
hidraw0: Successfully created symlink '/dev/char/240:0' to '/dev/hidraw0'
hidraw0: sd-device: Created db file '/run/udev/data/c240:0' for '/devices/platform/tusb-vhci-driver/usb11/11-1/11-1:1.1/0003:20A0:42B2.000A/hidraw/hidraw0'
DEVPATH=/devices/platform/tusb-vhci-driver/usb11/11-1/11-1:1.1/0003:20A0:42B2.000A/hidraw/hidraw0
DEVNAME=/dev/hidraw0
MAJOR=240
MINOR=0
ACTION=add
SUBSYSTEM=hidraw
TAGS=:security-device:uaccess:seat:
CURRENT_TAGS=:uaccess:seat:
ID_USB_CLASS_FROM_DATABASE=Miscellaneous Device
ID_USB_PROTOCOL_FROM_DATABASE=Interface Association
ID_VENDOR_FROM_DATABASE=Clay Logic
ID_MODEL_FROM_DATABASE=Nitrokey 3A Mini/3A NFC/3C NFC
ID_PATH_WITH_USB_REVISION=platform-tusb-vhci-driver-usbv2-0:1:1.1
ID_PATH=platform-tusb-vhci-driver-usb-0:1:1.1
ID_PATH_TAG=platform-tusb-vhci-driver-usb-0_1_1_1
ID_FOR_SEAT=hidraw-platform-tusb-vhci-driver-usb-0_1_1_1
.BRLTTY_HID_NAME=Nitrokey 3-Intf:01
USEC_INITIALIZED=76221804499
run: 'uaccess'
Unload kernel module index.
Unloaded link configuration context.

However, with the Nitrokey App 2 or with nitropy, the Nitrokey is not detected.

nitropy list                                                  
Command line tool to interact with Nitrokey devices 0.4.47
:: 'Nitrokey FIDO2' keys
:: 'Nitrokey Start' keys:
:: 'Nitrokey 3' keys
:: 'Nitrokey Passkey' keys

Are there any ideas on your side what I am still missing?

Is it working when you plug in the Nitrokey directly? What Linux version are you using? Do you execute the nitropy command as user or with root permissions?

As I am using a Linux VM, I cannot really try it directly. On my Windows laptop the Nitrokey App 2 is detecting the key (directly attached).

On Linux I have started nitropy as a normal user (same with the Nitrokey App 2).

Edit:
I just started nitropy as root and the key is detected!
Seems like a permission issue? My Linux distribution is Arch.

Edit2:
I edited /etc/udev/rules.d/41-nitrokey.rules and added:

MODE="0666" 

to the appropriate line. Now the key is also detected by nitropy as a normal user.
Thanks for pointing me in the right direction.
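
An added example, not part of the original posts and not Nitrokey's code: it reads the permissions line from the udevadm output above and compares who can open /dev/hidraw0 under the original mode, under MODE="0666", and under a group-scoped 0660. The user accounts and gid 970 (a hypothetical dedicated group) are assumptions, and ACLs granted through the uaccess tag are not modelled.

```python
import re

# Sample input: two lines taken from the udevadm test output posted above.
UDEV_OUTPUT = """\
hidraw0: /usr/lib/udev/rules.d/73-seat-late.rules:16 RUN 'uaccess'
hidraw0: Preserve permissions of /dev/hidraw0, uid=0, gid=0, mode=0660
"""

PERM_RE = re.compile(r"permissions of (\S+), uid=(\d+), gid=(\d+), mode=(\d+)")


def parse_node_permissions(text):
    """Return (devnode, uid, gid, mode) from the 'permissions of' line."""
    m = PERM_RE.search(text)
    if m is None:
        raise ValueError("no permissions line in udevadm output")
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 8)


def can_open_rw(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read+write check; POSIX ACLs (uaccess) are not modelled."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 6 == 6


def who_can_open(mode, owner_uid, owner_gid, users):
    """Map each user name to whether it can open the node read/write."""
    return {name: can_open_rw(mode, owner_uid, owner_gid, uid, gids)
            for name, (uid, gids) in users.items()}


# Hypothetical accounts on the VM: name -> (uid, gids). gid 970 is an assumed
# dedicated group for token users; "svc-web" stands for an unrelated service.
USERS = {"root": (0, {0}), "alice": (1000, {1000, 970}), "svc-web": (1001, {1001})}

if __name__ == "__main__":
    node, uid, gid, mode = parse_node_permissions(UDEV_OUTPUT)
    print(node, oct(mode), who_can_open(mode, uid, gid, USERS))  # as posted
    print("MODE=0666     ", who_can_open(0o666, 0, 0, USERS))    # fix from the thread
    print("GROUP=970 0660", who_can_open(0o660, 0, 970, USERS))  # group-scoped
```

With 0666 every local account, including unrelated services, can talk to the key; a 0660 node owned by a dedicated group restores access for the intended user only.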

As a hint: when using SPICE and the pcscd daemon (and also the socket) is running, forwarding to the VM will be blocked. Tested on Fedora-39.