I want to use my Yubikey (Legacy) as an OTP device for KeepassXC. However, as a user I don’t have access to this device, and it does not show up when executing “ykman list”. When running “sudo ykman list”, the device is shown. I have verified that I have u2f-host installed and the appropriate udev rules are in place. No matter what I try, though, the device is not recognizable for the normal user.
S | Name | Summary | Type
--+--------------+-----------------------------------------------------+--------
i+ | libu2f-host0 | Library for Universal 2nd Factor (U2F) | package
i+ | pam_u2f | U2F authentication integration into PAM | package
i+ | u2f-host | Tool to support Yubico's Universal 2nd Factor (U2F) | package

sudo zypper search -i yubi
Loading repository data…
Reading installed packages…
S | Name | Summary | Type
--+--------------------+------------------------------------------------------------------+--------
i+ | libyubikey-tools | Tools to support Yubico's USB key low-level C library | package
i | libyubikey0 | Yubico's USB key low-level C library | package
i+ | yubikey-manager | Python 3 library and command line tool for configuring a YubiKey | package
i+ | yubikey-manager-qt | Graphical application for configuring a YubiKey | package
Replace [vendor:device] with the values you see in lsusb for the YubiKey device. For example, my device is identified with the string 1050:0407 - so I’d run the command lsusb -v -d 1050:0407.
The things to look for are the interface class (it should be showing as a Human Interface Device, as Yubikeys are used to inject keystrokes, generally), but the full output should be useful.
If it is showing correctly, you may need to contact YubiCo for further assistance - but if it’s showing as a HID device, then there shouldn’t be any restrictions on accessing it, because it’s essentially “just a keyboard”. I do note that even as root, ykman says it can’t read device info via Management, so it may be that the device is no longer supported, but my experience with YubiCo has been that the devices are generally very well supported over the long term (unfortunately, I fried my oldest one and can’t test with it).
It shows up as HID. Running “kdesu ykman-gui” does show the device and I can interact with it as expected. Non-root user is not allowed to access the device.
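An added example, not part of any post in this thread: a POSIX shell check that finds the hidraw nodes belonging to a USB vendor ID (1050, as in the lsusb string quoted above) and reports whether the current user can open them read/write. The function name `check_hidraw_access` and its overridable root directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the current user can
# open the hidraw nodes of a given USB vendor ID.
#
# check_hidraw_access VENDOR_HEX [SYSFS_ROOT] [DEV_ROOT]
#   VENDOR_HEX  four hex digits, e.g. 1050
#   SYSFS_ROOT  defaults to /sys/class/hidraw (overridable for testing)
#   DEV_ROOT    defaults to /dev (overridable for testing)
# Prints one line per matching node: "<node> <vid>:<pid> <ok|denied>"
# Returns 0 if all matching nodes are accessible, 1 if any is denied,
# 2 if no node with that vendor ID exists.
check_hidraw_access() {
    vendor=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    sysfs=${2:-/sys/class/hidraw}
    devroot=${3:-/dev}
    found=0
    denied=0
    for dir in "$sysfs"/hidraw*; do
        uevent="$dir/device/uevent"
        [ -r "$uevent" ] || continue
        # The kernel writes HID_ID=<bus>:<vendor>:<product>, where vendor
        # and product are 8 hex digits (e.g. 0003:00001050:00000407).
        hid_id=$(sed -n 's/^HID_ID=//p' "$uevent")
        vid=$(printf '%s' "$hid_id" | cut -d: -f2 | tr 'a-f' 'A-F')
        pid=$(printf '%s' "$hid_id" | cut -d: -f3 | tr 'a-f' 'A-F')
        vid=${vid#????}   # drop the four leading zero digits
        pid=${pid#????}
        [ "$vid" = "$vendor" ] || continue
        found=1
        node="$devroot/${dir##*/}"
        # A node counts as usable only if the user can both read and write it.
        if [ -r "$node" ] && [ -w "$node" ]; then
            state=ok
        else
            state=denied
            denied=1
        fi
        printf '%s %s:%s %s\n' "$node" "$vid" "$pid" "$state"
    done
    [ "$found" -eq 1 ] || return 2
    return "$denied"
}

# Usage on a live system: check_hidraw_access 1050
```

Running it once as the normal user and once under sudo shows directly whether the difference lies in the permissions on the device node.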
I didn’t have to do anything to grant access to the device running as non-root - so I’m not sure what’s needed. Looking at my system, the device for the one that’s always present is /dev/hidraw2 and the permissions are:
crw-rw----+ 1 root root 245, 2 May 25 10:28 /dev/hidraw2
Hmmm. The + indicates additional ACLs are applied. getfacl reports: