Nitrokey HSM 2 no longer detected

daubsi · April 1, 2025, 3:29pm

I am using the Nitrokey HSM 2 since many years to store my CA and intermediate CA certificates. My host is Ubuntu Linux and all the tools like pkcs15-tool, pkcs11-tool worked without any issues. I have migrated to Ubuntu 24.04. some months ago and today I wanted to sign a new CSR and got the error that no smartcard reader was found.

The tools confirm

✘ daubsi@bigigloo  ~  opensc-tool -l
No smart card readers found.

✘ daubsi@bigigloo  ~  pkcs11-tool -I
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.25)
No slots.

✘ daubsi@bigigloo  ~  pkcs15-tool --list-info
No smart card readers found.

The USB device is properly found though:

[5042503.560445] usb 2-1.5: USB disconnect, device number 3
[5042507.931914] usb 2-1.6: new full-speed USB device number 4 using ehci-pci
[5042508.011517] usb 2-1.6: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[5042508.011525] usb 2-1.6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[5042508.011526] usb 2-1.6: Product: Nitrokey HSM
[5042508.011528] usb 2-1.6: Manufacturer: Nitrokey
[5042508.011529] usb 2-1.6: SerialNumber: DENK02006400000

Did something break during update to Ubuntu 24.04. maybe?

daubsi · April 1, 2025, 3:41pm

Just seeing it might be related to this:

github.com/NixOS/nixpkgs

pcscd NOT authorized for action: access_pcsc

opened 04:39PM - 23 Feb 24 UTC

YaroKasear

0.kind: bug

### Describe the bug Since updating nixpkgs-unstable this morning my Yubikey st…opped working again with gpg. ### Steps To Reproduce Steps to reproduce the behavior: 1. Try to use anything using a smartcard with gpg (In my case a Yubikey.) ### Expected behavior Being asked for my PIN and unlocking things using pcscd gpg-agent stuff. ### Additional context It keeps asking me to insert my Yubikey despite being present. Running `gpg --card-status` returns the following: ``` gpg: selecting card failed: Service is not running gpg: OpenPGP card not available: Service is not running ``` Checking the status for pcscd gives me: ``` ○ pcscd.service - PC/SC Smart Card Daemon Loaded: loaded (/etc/systemd/system/pcscd.service; linked; preset: enabled) Drop-In: /nix/store/6npwg6586svdyf1p4fdz8as91859kp34-system-units/pcscd.service.d └─overrides.conf Active: inactive (dead) since Fri 2024-02-23 10:31:13 CST; 27s ago Duration: 1min 16.442s TriggeredBy: ● pcscd.socket Docs: man:pcscd(8) Process: 6102 ExecStart=/nix/store/pkw8q8vf74c2mlj3ir51aafqjmz5q7ia-pcsclite-with-polkit-2.0.1/bin/pcscd -f -x -c /nix/store/38wcpbh4yss3vh35vrazm1wbns0vld61-reader.conf (code=exited, status=0/SUCCESS) Main PID: 6102 (code=exited, status=0/SUCCESS) IP: 0B in, 0B out CPU: 71ms Feb 23 10:29:57 loki systemd[1]: Started PC/SC Smart Card Daemon. Feb 23 10:29:57 loki pcscd[6102]: 00000000 auth.c:143:IsClientAuthorized() Process 4574 (user: 1000) is NOT authorized for action: access_pcsc Feb 23 10:29:57 loki pcscd[6102]: 00000081 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client Feb 23 10:30:09 loki pcscd[6102]: 12486287 ccid_usb.c:1663:InterruptStop() libusb_cancel_transfer failed: LIBUSB_ERROR_NO_DEVICE Feb 23 10:30:12 loki pcscd[6102]: 02394614 auth.c:143:IsClientAuthorized() Process 4574 (user: 1000) is NOT authorized for action: access_pcsc Feb 23 10:30:12 loki pcscd[6102]: 00000057 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client Feb 23 10:31:13 loki systemd[1]: pcscd.service: Deactivated successfully. ``` Most telling here is the "NOT authorized for action" part. This looks like an issue that might have been resolved in nixpkgs previously. [https://github.com/NixOS/nixpkgs/issues/280826](url) I didn't see anything about PolicyKit, though, so not sure this is the same issue. ### Notify maintainers @anthonyroussel ### Metadata Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result. ```console - system: `"x86_64-linux"` - host os: `Linux 6.6.17, NixOS, 24.05 (Uakari), 24.05.20240222.98b00b6` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.18.1` - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos` ``` --- Add a :+1: [reaction] to [issues you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

as starting the processes as root works, otherwise I get these errors.

Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000000 auth.c:143:IsClientAuthorized() Process 4010989 (user: 1000) is NOT authorized for action: access_pcsc
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000144 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00017161 auth.c:143:IsClientAuthorized() Process 4010989 (user: 1000) is NOT authorized for action: access_pcsc
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000132 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client

However the suggested fixes don’t work yet for me

daubsi · April 1, 2025, 3:48pm

Using these files and “systemctl restart polkit.service” made it work for me again:

daubsi@bigigloo  /usr/share/polkit-1/rules.d  cat 03-polkit-pcscd.rules
polkit.addRule(function(action, subject) {
if (action.id == “org.debian.pcsc-lite.access_pcsc” &&
subject.user == “daubsi”) {
return polkit.Result.YES;
}
});

polkit.addRule(function(action, subject) {
if (action.id == “org.debian.pcsc-lite.access_card” &&
action.lookup(“reader”).startsWith(‘Nitrokey’) &&
subject.user == “daubsi”) {
return polkit.Result.YES; }
});

Though, what I observe, is, that the commands execute all much more slowly now …?

saper · April 6, 2025, 10:05am

Which pcsc-lite are you using?

daubsi · April 6, 2025, 8:36pm

Hm, it seems I don´t even have pcsc-lite? Ubuntu 24.04.02 this is. Or is it the combination of pcscd and libpcsclite?

libpcsc-perl                                     1.4.16-1build3   
libpcsclite-dev:amd64                            2.0.3-1build1    
libpcsclite1:amd64                               2.0.3-1build1    
pcsc-tools                                       1.7.1-1          
pcscd                                            2.0.3-1build1