yubikey-manager: ykman oath returns 'Failed connecting to the YubiKey'
Killing gpg’s scdaemon seems to restore functionality:
$ ykman oath list
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Error: Failed connecting to the YubiKey.
$ killall scdaemon
$ ykman oath list
test
I’m not sure exactly what triggers the failure, but often after signing something using gpg and an OpenPGP key stored in the yubikey, ykman begins to fail again.
This is on an Ubuntu Xenial system (gpg2 2.1.11) with a YubiKey 4 (FW 4.3.7).
When things are working, running ‘oath list’ causes scdaemon to exit with SIGKILL:
read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
select(7, NULL, [6], NULL, NULL) = 1 (out [6])
sendto(6, "\0\0\0\0\22\0\0\0", 8, MSG_NOSIGNAL, NULL, 0) = 8
select(7, [6], NULL, NULL, NULL) = 1 (in [6])
read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8} <unfinished ...>
+++ killed by SIGKILL +++
When things are not working, strace says scdaemon is looping doing this:
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000}) = 1 (out [6], left {0, 999})
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000}) = 1 (out [6], left {0, 999})
Even when things are working it is kind of useless because requesting a TOTP value causes scdaemon to exit and then requires PIN re-entry on the gpg2 side…
Can’t ykman access the yubikey without disrupting scdaemon?
About this issue
- State: closed
- Created 7 years ago
- Reactions: 2
- Comments: 41 (3 by maintainers)
I was having the same error when trying to use both OATH and CCID at the same time. This issue is also described in this pretty old post: https://forum.yubico.com/viewtopicb85f.html?p=7513
In short after plugging the key:
I’ve managed to “fix” it (for now?) by following the advice from https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device- of putting “reader-port Yubico YubiKey” (for Yubikey 5) in the ~/.gnupg/scdaemon.conf file.
Now “I can use both OATH and CCID” HOWEVER every time I use OATH, the gnupg scdaemon gets released/disconnected, so next time I need to use the GPG key I have to reenter the PIN. From what I gathered in a previous comment, this is expected due to gnupg scdaemon current behavior. So this is less than ideal but at least it doesn’t require unplugging and plugging the key to switch between them.
I wanted to share my personal solution, which may be of some help to other users here.
I was having trouble listing any credentials stored on my Yubikey 5 NFC (I used to use the GUI so there were definitely stored creds). After scouring the internet for clues, I found this: https://wiki.archlinux.org/index.php/Yubikey#ykman_fails_to_connect_to_the_YubiKey
I ran
sudo service pcscd status
and lo and behold it was inactive. This was the cause of my issue. So I ran:
sudo service pcscd restart
to restart the service.
sudo service pcscd status
to verify the service was then active.
ykman oath list
to list all of my credentials as expected.
There seem to be several different issues present in this issue, so it’s difficult to know which ones are already “solved” and which aren’t. Some reoccurring ones I see are:
- CCID based commands (such as piv, oath, and openpgp) don’t work after running gpg. This is in most cases due to scdaemon (which is part of gpg) holding exclusive access to the YubiKey (details here: https://dev.gnupg.org/T2440, possible workaround: setting a timeout in scdaemon.conf as described here: https://forum.yubico.com/viewtopicb85f.html?p=7513).
- CCID based commands don’t work in general (without scdaemon running). This indicates that ykman isn’t able to communicate with the smart card system, which on Linux is the pcscd service. This commonly means that the service is either missing, or not running. Instructions for how to set it up will vary between Linux distributions, and unfortunately we aren’t able to provide these. Instead we refer you to the documentation for your particular distribution.
- Other commands don’t work. Different commands need to use different USB interfaces on the YubiKey, which use different communication mechanisms. These issues will need to be resolved on a case-by-case basis, but one common problem is not having the proper permissions to access one or more of these USB interfaces. This can usually be tested for by running the command as root (e.g. by using sudo), and might be resolved by configuring permissions using Udev rules, or granting specific permissions to the user account.
I see that several people in this thread have found answers already, and it’s difficult to know where that is and isn’t the case, so I am closing this issue now. If you do still have problems and the already provided solutions and workarounds don’t help you, please open a new issue to deal with your specific problem, or contact our support team for help: https://support.yubico.com/hc/en-us
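The three failure classes in the summary above can be told apart from host state. The shell sketch below is an added example, not part of ykman or of the original thread; the function names, the finding labels and the pcscd socket path /run/pcscd/pcscd.comm are assumptions, and 1050 is Yubico's USB vendor ID as it appears in sysfs.

```shell
#!/bin/sh
# Added triage sketch; not part of ykman. diagnose() is pure so it can be
# checked with constructed inputs; probe() gathers the real host state.

# diagnose PCSCD SCDAEMON HIDRAW
#   PCSCD    yes|no          pcscd is running or its socket exists
#   SCDAEMON yes|no          an scdaemon process exists
#   HIDRAW   ok|denied|none  state of the YubiKey's /dev/hidraw* nodes
diagnose() {
    n=0
    if [ "$1" = no ]; then echo pcscd-unavailable; n=1; fi
    if [ "$2" = yes ]; then echo scdaemon-may-hold-card; n=1; fi
    case $3 in
        denied) echo hidraw-permission-denied; n=1 ;;
        none)   echo no-yubikey-hidraw-node; n=1 ;;
    esac
    if [ "$n" -eq 0 ]; then echo no-finding; fi
}

# hidraw_state [SYSFS_DIR] [DEV_DIR]: classify hidraw nodes whose HID_ID
# carries Yubico's USB vendor ID (1050). "none" also covers a kernel
# without hidraw support or a key that is not plugged in.
hidraw_state() {
    sys=${1:-/sys/class/hidraw} dev=${2:-/dev}
    state=none
    for u in "$sys"/hidraw*/device/uevent; do
        [ -r "$u" ] || continue
        grep -qi '^HID_ID=[0-9A-F]*:00001050:' "$u" || continue
        node=$dev/$(basename "$(dirname "$(dirname "$u")")")
        if [ -r "$node" ] && [ -w "$node" ]; then echo ok; return; fi
        state=denied
    done
    echo "$state"
}

# probe: collect live state. The socket test covers socket-activated pcscd;
# the path is an assumption and may differ between distributions.
probe() {
    pcsc=no; scd=no
    if pgrep -x pcscd >/dev/null 2>&1 || [ -S /run/pcscd/pcscd.comm ]; then pcsc=yes; fi
    if pgrep -x scdaemon >/dev/null 2>&1; then scd=yes; fi
    diagnose "$pcsc" "$scd" "$(hidraw_state)"
}

# Run as "sh triage.sh run" to probe the local machine.
if [ "${1:-}" = run ]; then probe; fi
```

A finding of scdaemon-may-hold-card only says that scdaemon is running; whether it currently holds the card exclusively still has to be confirmed, for example by retrying the ykman command after scdaemon has exited.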
I also saw “No YubiKey found with the given interface” and found that the problem was that my kernel didn’t have CONFIG_HIDRAW enabled. (This is disabled by default in the mainline aarch64 defconfig, but most distros seem to have enabled it).
To check if you have that kernel config, here’s what it should look like:
Indeed @zpeterg I get OATH Enabled yet ykman oath info fails with
Error: No YubiKey found with the given interface(s)
Details :
Glad you opened https://github.com/Yubico/yubikey-manager/issues/471 .
I made it further with these steps:
That got it installed, but it said that no Yubikey was present. So then I edited /etc/udev/rules.d/70-u2f.rules to add:
That made ykman info function correctly, but I still can’t access ykman oath accounts list - it shows “No yubikey found with the given interface(s)”. The errors indicate that it’s timing-out. The same yubikey works fine in another computer using the same command, so I know the interface exists. @Utopiah, do you recall running into that problem?
Faced the same issue with ykman otp swap
ykman info
Device type: YubiKey 4
Serial number: 7203850
Firmware version: 4.3.7
Enabled USB interfaces: OTP+FIDO+CCID