Yubikey not recognized unless using sudo

I want to use my Yubikey (Legacy) as an OTP device for KeepassXC. However, as a user I don’t have access to this device and it is not showing up when executing “ykman list”. Running “sudo ykman list”, the device is shown. I have verified that I have u2f-host installed and the appropriate udev rules are in place. Though no matter what I try, the device is not recognized for the normal user.

sudo zypper search -i u2f
Loading repository data…
Reading installed packages…

S | Name | Summary | Type
--+--------------+-----------------------------------------------------+--------
i+ | libu2f-host0 | Library for Universal 2nd Factor (U2F) | package
i+ | pam_u2f | U2F authentication integration into PAM | package
i+ | u2f-host | Tool to support Yubico’s Universal 2nd Factor (U2F) | package
sudo zypper search -i yubi
Loading repository data…
Reading installed packages…

S | Name | Summary | Type
--+--------------------+------------------------------------------------------------------+--------
i+ | libyubikey-tools | Tools to support Yubico’s USB key low-level C library | package
i | libyubikey0 | Yubico’s USB key low-level C library | package
i+ | yubikey-manager | Python 3 library and command line tool for configuring a YubiKey | package
i+ | yubikey-manager-qt | Graphical application for configuring a YubiKey | package

What else might I try?

What do you see if you run ykman --diagnose - both as root and not as root?

That might help narrow the issue down.

As a non-root user, do you see the device when you run lsusb?

ykman --diagnose
ykman: 4.0.9
Python: 3.10.11 (main, Apr 27 2023, 21:52:36) [GCC]
Platform: linux
Arch: x86_64
Running as admin: False

Detected PC/SC readers:

Detected YubiKeys over PC/SC:

Detected YubiKeys over HID OTP:

Detected YubiKeys over HID FIDO:
End of diagnostics

Root:

sudo ykman --diagnose
[sudo] password for root: 
ykman: 4.0.9
Python: 3.10.11 (main, Apr 27 2023, 21:52:36) [GCC]
Platform: linux
Arch: x86_64
Running as admin: True

Detected PC/SC readers:

Detected YubiKeys over PC/SC:

Detected YubiKeys over HID OTP:
        OtpYubiKeyDevice(pid=0010, fingerprint='/dev/hidraw2')
        Failed to read device info via Management: ApplicationNotAvailableError()
        DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP: 1>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG.0: 0>), serial=1622472, version=Version(major=2, minor=3, patch=3), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP: 1>}, is_locked=False, is_fips=False, is_sky=False)
        Device name: YubiKey Standard
        OTP: ConfigState(configured: (True, True), touch_triggered: None, led_inverted: False)

Detected YubiKeys over HID FIDO:
End of diagnostics

As a non-root user, the device is showing with lsusb.

Let’s see what you get with:

lsusb -v -d [vendor:device]

Replace [vendor:device] with the values you see in lsusb for the YubiKey device. For example, my device is identified with the string 1050:0407 - so I’d run the command lsusb -v -d 1050:0407.

The things to look for are the interface class (it should be showing as a Human Interface Device, as Yubikeys are used to inject keystrokes, generally), but the full output should be useful.

If it is showing correctly, you may need to contact Yubico for further assistance - but if it’s showing as a HID device, then there shouldn’t be any restrictions on accessing it, because it’s essentially “just a keyboard”. I do note that even as root, ykman says it can’t read device info via Management, so it may be that the device is no longer supported, but my experience with Yubico has been that the devices are generally very well supported over the long term (unfortunately, I fried my oldest one and can’t test with it).

It shows up as HID. Running “kdesu ykman-gui” does show the device and I can interact with it as expected. Non-root user is not allowed to access the device.

Where is it handled to grant access to a device?

I didn’t have to do anything to grant access to the device running as non-root - so I’m not sure what’s needed. Looking at my system, the device for the one that’s always present is /dev/hidraw2 and the permissions are:

crw-rw----+ 1 root root 245, 2 May 25 10:28 /dev/hidraw2

Hmmm. The + indicates additional ACLs are applied. getfacl reports:

$ getfacl /dev/hidraw2 
getfacl: Removing leading '/' from absolute path names
# file: dev/hidraw2
# owner: root
# group: root
user::rw-
user:jhenderson:rw-
group::---
mask::rw-
other::---

So it seems that there is something granting additional permissions.

I don’t have anything in my udev rules, but I found this which should be useful for your device:

What is the udev rule that you put in place on your system?

Thank you!

In that article it is mentioned you need to add a udev rule:
sudo /usr/lib/udev/rules.d/99-yubikeys.rules

Insert:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", TAG+="uaccess"

And bam it is working for non-root user.

Excellent! Glad you were able to get it working.
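
An added example, not part of the thread: a shell check that the uaccess rule above took effect. It locates the hidraw node for Yubico's vendor ID 1050 and reads its ACL the way the getfacl output earlier in the thread shows. The function names and the overridable sysfs directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a udev "uaccess" rule
# actually gave a user access to a YubiKey's hidraw node.

# Print hidraw node names (e.g. hidraw2) whose HID device has USB vendor ID $1.
# $2 overrides the sysfs directory so the function can run on a constructed tree.
find_hidraw_by_vendor() {
    root=${2:-/sys/class/hidraw}
    for dev in "$root"/hidraw*; do
        [ -r "$dev/device/uevent" ] || continue
        # uevent carries HID_ID=<bus>:<vendor, 8 hex digits>:<product, 8 hex digits>
        if grep -qi "^HID_ID=[0-9a-f]*:0000$1:" "$dev/device/uevent"; then
            basename "$dev"
        fi
    done
}

# Read getfacl output on stdin; succeed only if named user $1 has an entry
# with read+write that the ACL mask does not strip.
acl_grants_rw() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u { perm = $3 }
        $1 == "mask"            { mask = $3 }
        END {
            if (mask == "") mask = "rwx"
            exit !(substr(perm, 1, 2) == "rw" && substr(mask, 1, 2) == "rw")
        }'
}

# Live check: vendor 1050 is the idVendor from the rule in the thread.
report_yubikey_access() {
    user=${1:-$(id -un)}
    for node in $(find_hidraw_by_vendor 1050); do
        if getfacl "/dev/$node" 2>/dev/null | acl_grants_rw "$user"; then
            echo "/dev/$node: ACL grants rw to $user"
        else
            echo "/dev/$node: no rw ACL entry for $user"
            # A device tagged by the rule lists uaccess in its TAGS property.
            udevadm info --query=property --name="/dev/$node" | grep '^TAGS=' \
                || echo "  no udev tags; rule did not match or was not reloaded"
        fi
    done
}

report_yubikey_access "$@"
```

If the node shows no tags after the rule file is added, run `udevadm control --reload-rules` followed by `udevadm trigger` as root, or replug the key, and check again.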