yubikey-manager: ykman oath returns 'Failed connecting to the YubiKey'

Killing gpg’s scdaemon seems to restore functionality:

$ ykman oath list
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.
$ killall scdaemon
$ ykman oath list
test

I’m not sure exactly what triggers the failure, but often after signing something using gpg and an OpenPGP key stored in the yubikey, ykman begins to fail again.

This is on an Ubuntu Xenial system (gpg2 2.1.11) with a YubiKey 4 (FW 4.3.7).

When things are working, running ‘oath list’ causes scdaemon to exit with SIGKILL:

read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
select(7, NULL, [6], NULL, NULL)        = 1 (out [6])
sendto(6, "\0\0\0\0\22\0\0\0", 8, MSG_NOSIGNAL, NULL, 0) = 8
select(7, [6], NULL, NULL, NULL)        = 1 (in [6])
read(6, "Yubico Yubikey 4 OTP+U2F+CCID 00"..., 2944) = 2944
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8} <unfinished ...>
+++ killed by SIGKILL +++

When things are not working, strace says scdaemon is looping doing this:

pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = 0
pselect6(4, [3], NULL, NULL, {0, 500000000}, {[], 8}) = 0 (Timeout)
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786e010) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000})   = 1 (out [6], left {0, 999})
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfd8) = 0
ioctl(6, USBDEVFS_SUBMITURB, 0x7ffe2786dfe0) = 0
ioctl(6, USBDEVFS_REAPURBNDELAY, 0x7ffe2786dfa8) = -1 EAGAIN (Resource temporarily unavailable)
select(7, NULL, [6], NULL, {0, 1000})   = 1 (out [6], left {0, 999})

Even when things are working, it is kind of useless because requesting a TOTP value causes scdaemon to exit and then requires PIN re-entry on the gpg2 side…

Can’t ykman access the yubikey without disrupting scdaemon?

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 2
  • Comments: 41 (3 by maintainers)

Most upvoted comments

I was having the same error when trying to use both OATH and CCID at the same time. This issue is also described in this pretty old post: https://forum.yubico.com/viewtopicb85f.html?p=7513

In short after plugging the key:

  • If I use OATH first, then I couldn’t use my GPG key
> gpg --card-status
gpg: selecting openpgp failed: No such device  
gpg: OpenPGP card not available: No such device
  • If I use CCID first (for my GPG key), then I couldn’t use OATH anymore
> ykman oath list
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: No YubiKey detected!

I’ve managed to “fix” it (for now?) by following the advice from https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device- of putting “reader-port Yubico YubiKey” (for Yubikey 5) in the ~/.gnupg/scdaemon.conf file.

Now “I can use both OATH and CCID”. HOWEVER, every time I use OATH, the gnupg scdaemon gets released/disconnected, so next time I need to use the GPG key I have to reenter the PIN. From what I gathered in a previous comment, this is expected due to gnupg scdaemon’s current behavior. So this is less than ideal, but at least it doesn’t require unplugging and plugging the key to switch between them.

I wanted to share my personal solution, which may be of some help to other users here.

I was having trouble listing any credentials stored on my Yubikey 5 NFC (I used to use the GUI so there were definitely stored creds). After scouring the internet for clues, I found this: https://wiki.archlinux.org/index.php/Yubikey#ykman_fails_to_connect_to_the_YubiKey

I ran sudo service pcscd status and lo and behold it was inactive. This was the cause of my issue.

So I ran:

  1. sudo service pcscd restart to restart the service.
  2. sudo service pcscd status to verify the service was then active.
  3. ykman oath list to list all of my credentials as expected.

There seem to be several different issues present in this issue, so it’s difficult to know which ones are already “solved” and which aren’t. Some recurring ones I see are:

CCID based commands (such as piv, oath, and openpgp) don’t work after running gpg. This is in most cases due to scdaemon (which is part of gpg) holding exclusive access to the YubiKey (details here: https://dev.gnupg.org/T2440; possible workaround: setting a timeout in scdaemon.conf as described here: https://forum.yubico.com/viewtopicb85f.html?p=7513).

CCID based commands don’t work in general (without scdaemon running). This indicates that ykman isn’t able to communicate with the smart card system, which on Linux is the pcscd service. This commonly means that the service is either missing, or not running. Instructions for how to set it up will vary between Linux distributions, and unfortunately we aren’t able to provide these. Instead we refer you to the documentation for your particular distribution.

Other commands don’t work. Different commands need to use different USB interfaces on the YubiKey, which use different communication mechanisms. These issues will need to be resolved on a case-by-case basis, but one common problem is not having the proper permissions to access one or more of these USB interfaces. This can usually be tested for by running the command as root (e.g. by using sudo), and might be resolved by configuring permissions using Udev rules, or granting specific permissions to the user account.

I see that several people in this thread have found answers already, and it’s difficult to know where that is and isn’t the case, so I am closing this issue now. If you do still have problems and the already provided solutions and workarounds don’t help you, please open a new issue to deal with your specific problem, or contact our support team for help: https://support.yubico.com/hc/en-us
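
The three cases in the comment above, written out as a small triage script. This is an added example, not part of the thread or of ykman; the function names and cause tokens are made up for illustration, and the live probes assume pgrep and, where present, systemd.

```shell
#!/bin/sh
# Added example: triage of ykman connection failures, following the three
# cases in the maintainer's comment. All function names are hypothetical.

# CCID-based ykman command groups named in the comment: piv, oath, openpgp.
is_ccid_command() {
    case "$1" in
        piv|oath|openpgp) return 0 ;;
        *) return 1 ;;
    esac
}

# triage <command-group> <scdaemon_running 0|1> <pcscd_active 0|1>
# Prints one cause token; pure decision logic, no system access.
triage() {
    cmd=$1 scd=$2 pcsc=$3
    if ! is_ccid_command "$cmd"; then
        echo "check-usb-permissions"  # other USB interfaces: udev rules, or retry as root
    elif [ "$scd" -eq 1 ]; then
        echo "scdaemon-holds-card"    # gpg's scdaemon has exclusive access to the key
    elif [ "$pcsc" -eq 0 ]; then
        echo "pcscd-not-running"      # no smart card service for ykman to talk to
    else
        echo "unresolved"             # collect: ykman --log-level=DEBUG <command> ...
    fi
}

# Live probes (assumptions: pgrep is installed; systemd is queried if present).
scdaemon_running() { pgrep -x scdaemon >/dev/null 2>&1 && echo 1 || echo 0; }
pcscd_active() {
    if command -v systemctl >/dev/null 2>&1; then
        { systemctl is-active --quiet pcscd.service ||
          systemctl is-active --quiet pcscd.socket; } && echo 1 || echo 0
    else
        pgrep -x pcscd >/dev/null 2>&1 && echo 1 || echo 0
    fi
}

# Usage: sh triage.sh --live oath
if [ "${1:-}" = "--live" ]; then
    triage "${2:-oath}" "$(scdaemon_running)" "$(pcscd_active)"
fi
```

The scdaemon check comes first because, as the thread shows, a running scdaemon blocks ykman even when pcscd is healthy.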

I also saw “No YubiKey found with the given interface” and found that the problem was that my kernel didn’t have CONFIG_HIDRAW enabled. (This is disabled by default in the mainline aarch64 defconfig, but most distros seem to have enabled it).

To check if you have that kernel config, here’s what it should look like:

$ zcat /proc/config.gz | grep CONFIG_HIDRAW
CONFIG_HIDRAW=y

Indeed @zpeterg I get OATH Enabled yet ykman oath info fails with Error: No YubiKey found with the given interface(s)

Details :

pine64-pinephone:/home/user# /root/.local/bin/ykman info
Device type: YubiKey 5Ci
Serial number: 12345678
Firmware version: 5.2.4
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
FIDO2           Enabled      
OTP             Enabled      
FIDO U2F        Enabled      
OATH            Enabled      
YubiHSM Auth    Not available
OpenPGP         Enabled      
PIV             Enabled      
pine64-pinephone:/home/user# /root/.local/bin/ykman  oath accounts list
Error: No YubiKey found with the given interface(s)

Glad you opened https://github.com/Yubico/yubikey-manager/issues/471 .

I made it further with these steps:

sudo apk add py3-pip
sudo apk add build-base
sudo apk add python3-dev
sudo apk add libffi-dev
sudo apk add swig
pip install --upgrade pip
pip install --user yubikey-manager

That got it installed, but it said that no Yubikey was present. So then I edited /etc/udev/rules.d/70-u2f.rules to add:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"

That made ykman info function correctly, but I still can’t access ykman oath accounts list - it shows “No yubikey found with the given interface(s)”. The errors indicate that it’s timing out. (The same yubikey works fine in another computer using the same command, so I know the interface exists.) @Utopiah, do you recall running into that problem?

Faced the same issue with ykman otp swap

$ ykman info
Device type: YubiKey 4
Serial number: 7203850
Firmware version: 4.3.7
Enabled USB interfaces: OTP+FIDO+CCID

$ ykman --log-level=DEBUG oath list
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.Descriptor.open_device:86] transports: 0x4, self.mode.transports: 0x7
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.open_driver:141] Opening driver for serial: None, pid: PID.YK4_OTP_U2F_CCID
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.open_driver:143] Attempt 1 of 3
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.100000 s
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.open_driver:143] Attempt 2 of 3
2018-01-02T07:58:48-0700 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.200000 s
2018-01-02T07:58:49-0700 DEBUG [ykman.descriptor.open_driver:143] Attempt 3 of 3
2018-01-02T07:58:49-0700 DEBUG [ykman.descriptor.open_driver:161] Sleeping for 0.300000 s
2018-01-02T07:58:49-0700 DEBUG [ykman.descriptor.open_driver:163] No driver found for serial: None, pid: PID.YK4_OTP_U2F_CCID
Usage: ykman [OPTIONS] COMMAND [ARGS]...

Error: Failed connecting to the YubiKey.