yubico-piv-tool only works as root user on Ubuntu 24.04 #504

Open
lspiehler opened this issue Aug 16, 2024 · 3 comments
Comments

@lspiehler

The command "yubico-piv-tool -astatus" runs successfully as a non-root user on Ubuntu 20.04. On Ubuntu 24.04, I can only get it to work as root. What permissions are required for a non-root user to run yubico-piv-tool on Ubuntu 24.04?

@aveenismail
Member

None of the yubico-piv-tool commands should require root access. What is the error you get when running it on Ubuntu 24.04?

@lspiehler
Author

When running as a normal user, the "yubico-piv-tool -astatus" returns the following output

Failed to connect to yubikey.
Try removing and reconnecting the device.

I'm seeing these errors in /var/log/syslog

2024-08-16T11:51:14.364338+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3770 (user: 1001) is NOT authorized for action: access_pcsc
2024-08-16T11:51:14.364396+00:00 iot-hsm24 pcscd[2729]: 00000097 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client

I was able to create a polkit rule to allow the user that needs access like this

# Run as root. Name the account that needs PC/SC access, then install a
# polkit rule granting it both pcsc-lite actions: access_pcsc (the action
# rejected in the syslog lines above) and access_card.
user=myuser

cat << EOF > /usr/share/polkit-1/rules.d/sssd-pcsc.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "$user") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "$user") {
            return polkit.Result.YES;
    }
});
EOF

# Restart polkit so the new rule file is read
systemctl restart polkit

I am now able to run the yubico-piv-tool commands as the user specified in the rule. I'm curious about your thoughts on this as a solution/workaround. Thanks!

@joanandk

@lspiehler With Gentoo, I had to start the pcscd service to do operations as a user. Could you check if pcscd service is started?
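A small check script for the failure mode discussed in this thread, added here as an example and not code from the issue, its participants or the yubico-piv-tool project. It parses pcscd authorization-denial lines in the format lspiehler quoted from syslog (the log text embedded below is a constructed sample in that format, not the original log), maps pcscd's short action name to the polkit action id a rules.d file has to match, emits one combined rule for a user, and bundles the two live checks the thread raises: whether pcscd is running, as joanandk asks, and whether polkit authorises the calling shell for the pcsc-lite actions. The function names, the systemd unit names pcscd.socket/pcscd.service and the use of pkcheck(1) are assumptions about the host, not facts stated in the issue.

```shell
#!/bin/sh
# Added example; not from the issue or the yubico-piv-tool project.
# Constructed sample log lines in the pcscd denial format shown in the issue.
SAMPLE_LOG='2024-08-16T11:51:14.364338+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3770 (user: 1001) is NOT authorized for action: access_pcsc
2024-08-16T11:51:14.364396+00:00 iot-hsm24 pcscd[2729]: 00000097 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
2024-08-16T11:52:01.000000+00:00 iot-hsm24 pcscd[2729]: 00000000 auth.c:143:IsClientAuthorized() Process 3801 (user: 1002) is NOT authorized for action: access_card'

# pcscd_denials: read log text on stdin, print "uid action" for every
# IsClientAuthorized() denial; unrelated lines (e.g. the ContextThread one)
# are dropped by sed's -n/p combination.
pcscd_denials() {
    sed -n 's/.*IsClientAuthorized() Process [0-9]* (user: \([0-9]*\)) is NOT authorized for action: \([a-z_]*\).*/\1 \2/p'
}

# polkit_action_id: map pcscd's short action name to the full polkit action id
# that a rules.d file must compare against (ids used by pcsc-lite on Debian/Ubuntu).
polkit_action_id() {
    case "$1" in
        access_pcsc|access_card) printf 'org.debian.pcsc-lite.%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# polkit_rule_for_user: print a single polkit JavaScript rule that grants both
# pcsc-lite actions to the named user (one rule instead of two, same effect).
polkit_rule_for_user() {
    cat <<EOF
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.user == "$1") {
        return polkit.Result.YES;
    }
});
EOF
}

# pcsc_preflight: live checks for the affected host (not run in this script's
# top level). Assumes systemd unit names pcscd.socket/pcscd.service and that
# pkcheck(1) from polkit is installed. Returns 1 if pcscd is not running.
pcsc_preflight() {
    if ! systemctl is-active --quiet pcscd.socket && ! systemctl is-active --quiet pcscd.service; then
        echo "pcscd is not running; try: systemctl start pcscd.socket"
        return 1
    fi
    for a in access_pcsc access_card; do
        id="$(polkit_action_id "$a")"
        if pkcheck --action-id "$id" --process $$ >/dev/null 2>&1; then
            echo "polkit allows $id for uid $(id -u)"
        else
            echo "polkit denies $id for uid $(id -u); add a rules.d entry for this user"
        fi
    done
}

# Demonstration on the constructed sample: each denial and the id to grant.
printf '%s\n' "$SAMPLE_LOG" | pcscd_denials | while read -r uid action; do
    printf 'uid %s denied %s -> grant %s\n' "$uid" "$action" "$(polkit_action_id "$action")"
done
```

Run pcsc_preflight on the host as the affected user after starting pcscd; if it reports a polkit denial, feed the user name to polkit_rule_for_user and write the output into a rules.d file as in the comment above, then restart polkit. Note that it is the uid in the denial line (1001 above) that identifies the user, so map it with getent passwd before writing a rule keyed on subject.user.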

3 participants