Nitrokey 3 not detected by KeePassXC on Arch Linux

I am trying to get a Nitrokey 3 running on Manjaro Linux (Arch).
KeePassXC does not recognize the Nitrokey.
I have already looked for solutions on the internet.

In the troubleshooting chapter of Taikun’s manual it says that pcscd.service must be running.

The status output shows me that the service is running:

command:

sudo systemctl status pcscd.service

output:

● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
     Active: active (running) since Fri 2023-10-13 08:31:23 CEST; 50s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 5522 (pcscd)
      Tasks: 6 (limit: 19066)
     Memory: 1.4M
        CPU: 18ms
     CGroup: /system.slice/pcscd.service
             └─5522 /usr/bin/pcscd --foreground --auto-exit

As described in the Nitrokey help, I have adjusted the file ~/.gnupg/scdaemon.conf.

The command gpg --card-status shows me the Nitrokey:
output:

Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: <My ID>
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: <my Serial Number>
Name of cardholder: [nicht gesetzt]
Language prefs ...: [nicht gesetzt]
Salutation .......: 
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

and pcsc_scan -r finds the Nitrokey too!
output:

0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
1: Yubico YubiKey OTP+FIDO+CCID 01 00

KeePassXC does not find the Nitrokey!
What have I overlooked?
What else can I do?

Thank you for your support!

[Edit] KeePassXC finds the Nitrokey if it is plugged into the PC before KeePassXC starts.

Did you configure your HMAC Slot?

What do you mean by configuring the HMAC slot?

I did the following steps:

The command nitropy nk3 secrets list shows me the following output:

Command line tool to interact with Nitrokey devices 0.4.39
01. HmacSlot2   Hmac/Sha1

Ok. The slot is configured. How did you install KeePassXC?

Snap for example needs more permissions to talk with USB devices.

I have installed from the official sources (extra). I do not use Snap or Flatpak.

Submitted by Anonymous on 28. September 2023 - 10:42
I had the same problem on Manjaro: pynitro and GPG worked, KeePassXC didn’t find it. The available udev rules were correctly installed. The solution for me was installing the package “ccid”, then it worked without any further configuration. On Mint, maybe it’s called “libccid”, I don’t know.

Source

Does this help?

By chance I noticed that the Nitrokey is recognized by KeePassXC on the same PC but with a different user.

It is not running yet on my user account.

My current setup:

  • I have installed the following packages:
    ccid (1.5.2)
    pcsclite (2.0.0)

  • pcscd.service and pcscd.socket are running and enabled.

  • File ~/.gnupg/scdaemon.conf not created

With ‘id’ you could compare for both users whether they might be part of different groups.

If some users have access but others do not, this might mean one needs to enable the affected users in the policy kit configuration (see “Pkcs11-tool: is a UDEV rule required for CentOS 8? - #4 by MagellanTX”).

Thanks for the reply, but I am not sure what to do with the hint.

In the meantime I found out that with USER2 the Nitrokey is not reliably recognized by KeePassXC. Only after the second or third press of the search button is the Nitrokey found. For user USER1, the Nitrokey is only found if I have already inserted it before logging in as USER1.

The command journalctl --since "2023-10-17" | grep Nitrokey shows me the following output (as USER1):

Okt 17 15:56:11 my-pc kernel: usb 3-3.1: Product: Nitrokey 3
Okt 17 15:56:11 my-pc kernel: usb 3-3.1: Manufacturer: Nitrokey
Okt 17 15:56:12 my-pc kernel: hid-generic 0003:20A0:42B2.0008: hiddev99,hidraw7: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:0a:00.3-3.1/input1
Okt 17 16:02:39 my-pc pcscd[2116]: 00000002 eventhandler.c:336:EHStatusHandlerThread() Error communicating to: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Okt 17 16:09:27 my-pc kernel: usb 3-3.1: Product: Nitrokey 3
Okt 17 16:09:27 my-pc kernel: usb 3-3.1: Manufacturer: Nitrokey
Okt 17 16:09:28 my-pc kernel: hid-generic 0003:20A0:42B2.000E: hiddev99,hidraw7: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:0a:00.3-3.1/input1

and
journalctl --since "2023-10-17" | grep pcsc

Okt 17 15:55:46 my-pc (pcscd)[2116]: pcscd.service: Referenced but unset environment variable evaluates to an empty string: PCSCD_ARGS
Okt 17 16:02:39 my-pc pcscd[2116]: 00000000 ccid_usb.c:899:WriteUSB() write failed (3/7): LIBUSB_ERROR_PIPE
Okt 17 16:02:39 my-pc pcscd[2116]: 00000019 ifdwrapper.c:364:IFDStatusICC() Card not transacted: 612
Okt 17 16:02:39 my-pc pcscd[2116]: 00000002 eventhandler.c:336:EHStatusHandlerThread() Error communicating to: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Okt 17 16:09:16 my-pc pcscd[2116]: 99999999 ccid_usb.c:1579:InterruptStop() libusb_cancel_transfer failed: LIBUSB_ERROR_NO_DEVICE

id will show you whether the users are in the same ones. A group might have permissions on the device file that the other user lacks.

You could also try an Ubuntu live CD to check whether it works with a more “common” distro. Then work out the differences between those distros.

Hi @nku,
Thank you for your answer.

Both users are in the same groups. This is not the problem.

I don’t think it’s caused by the user rights, because KeePassXC detects the Nitrokey if I have already plugged it in before the user login.

The Nitrokey is not detected if it is plugged in after the user logs in.

Not sure if it’s a timing issue with KeePassXC or if other services are blocking. Any ideas on how to get to the bottom of the problem are welcome!

For both users, the Nitrokey is recognized if the stick is already inserted before the user logs in.

I am not sure which of the two drivers/services (ccid or pcscd) is being used. Entries in the ~/.gnupg/scdaemon.conf file have no effect (my feeling).

The command opensc-tool --reader 0 --name -v returns the following output:

Connecting to card in reader Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00...
Using card driver OpenPGP card.
Card name: OpenPGP card v3.4 (000F 85948C75)

When KeePassXC detects the Nitrokey, it shows me the following text:
(PCSC) Nitrokey 3 v4.11.0 ... Challenge ...

I think that I need PCSC. The following entry in the file ~/.gnupg/scdaemon.conf has no effect.

pcsc-driver /usr/lib/libpcsclite.so.1
disable-ccid

After a long search I came across the following article.
I can also confirm the behavior. The Nitrokey will only be found if it is plugged into the PC before KeePassXC starts.

What NixOS people refer to is the conflict between gpg and pcsc, this can be solved by telling gpg not to play directly with USB with disable-ccid.

This is something strange - why does this happen @jan @daringer ?

I just tried keepassXC first time to replay the issue on Arch with exactly the same result. Starting/stopping pcscd does not seem to make a difference. The key is consistently recognised when plugged in before application start, but not when later.

Something I noticed is that the app-button does work when any other key is inserted before application start. I can plug in a NK Pro2, it shows “no hardware key detected”, switch the Pro for the NK3 and then the refresh works. This might indicate it’s actually a keepassxc bug. I saw 8307 and 8213. It might be useful to add to the latter bug that the error also shows outside flatpak. Another quirk I noticed is you can unplug a detected key, refresh to “no key detected”, re-plug and refresh and it continues to work.

edit to clarify:

  1. The app-button I refer to above is the button in keepassxc to detect/re-detect a hardware key.
  2. The NK Pro2 referred to in the test does not have the needed capability. So it is expected that keepassxc does not detect it as a hw key. The point is that the configured NK3 is detected afterwards (refresh functionality works). I tested it as well with a YK not registered in keepassxc, same behaviour (no hw key detected, refresh works).
  3. Switching between wayland/X11, gdm/sddm made no difference. For me it was not necessary to log out, inserting a key before start of keepassxc was necessary otherwise a refresh does not have an effect.

…not detected by KeePassXC on F38 Qubes.

What am I missing? udev config? gnupg? hmac set up? all of the above?

for screenshots, look here:

Thanks!

With the latest update V1.6.0 for Nitrokey 3, the NK3 works much better with keepassXC.

The update announcement describes some bug fixes that allow the NK to be recognized more quickly by the operating system.
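
Several posts above edit ~/.gnupg/scdaemon.conf (pcsc-driver, disable-ccid) without being sure the entries take effect. The script below is an added example, not code from any poster or from the Nitrokey or GnuPG projects: it reads a scdaemon.conf and reports whether disable-ccid is actually active (not commented out, file present) and whether the pcsc-driver path exists. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which card-access path a
# scdaemon.conf selects. Option names are the two quoted in the thread.

# scd_option FILE NAME: print the value of an active option ("set" for a bare
# flag); return 1 if the file is unreadable or the option is absent/commented.
scd_option() {
    [ -r "$1" ] || return 1
    awk -v n="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim, tolerate CRLF
        /^#/ || /^$/ { next }                          # comments, blank lines
        $1 == n { $1 = ""; sub(/^[ \t]+/, ""); v = ($0 == "" ? "set" : $0); found = 1 }
        END { if (found) print v; exit !found }
    ' "$1"
}

# scd_reader_mode FILE: "pcscd" if disable-ccid is active, else "internal-ccid"
# (scdaemon may then open the USB token itself; a missing file counts as this).
scd_reader_mode() {
    if scd_option "$1" disable-ccid >/dev/null; then echo pcscd; else echo internal-ccid; fi
}

# scd_report FILE: readable summary; flags a pcsc-driver path that is absent.
scd_report() {
    echo "config: $1"
    echo "mode:   $(scd_reader_mode "$1")"
    if drv=$(scd_option "$1" pcsc-driver); then
        [ -e "$drv" ] && echo "driver: $drv" || echo "driver: $drv (file missing)"
    else
        echo "driver: (scdaemon default)"
    fi
}

# Constructed sample: the two lines from the thread plus a commented-out copy.
scd_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# disable-ccid' 'pcsc-driver /usr/lib/libpcsclite.so.1' '  disable-ccid' >"$tmp"
    scd_report "$tmp"
    rm -f "$tmp"
}

scd_demo
```

To check a real configuration, call scd_report "$HOME/.gnupg/scdaemon.conf". scdaemon reads the file only when it starts, so run gpgconf --kill scdaemon after editing it and before re-testing.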