
Bug 1332940

Summary: smartcard feature of yubikey 4 not supported on RHEL 7
Product: Red Hat Enterprise Linux 7
Component: pcsc-lite-ccid
Version: 7.2
Reporter: M. Scherer <mscherer>
Assignee: Bob Relyea <rrelyea>
QA Contact: Asha Akkiangady <aakkiang>
CC: aakkiang, bressers, dsirrine, hkario, mscherer, pgozart, pvrabec, rpattath, rrelyea
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcsc-lite-ccid-1.4.10-11.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-11-04 07:37:40 UTC
Bug Blocks: 1360390
Attachments: patch for 7.3 (flags: none)

Description M. Scherer 2016-05-04 11:59:56 UTC
Description of problem:

This is the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=1157226
The fix is the same, with newer ID.

The commit upstream is 4c905913c5b6c745737be9b5cfcea225391fe550
There are 4 different IDs to add, and it seems that another one is also missing.


 0x1050:0x0116:Yubico Yubikey NEO OTP+U2F+CCID
 0x1050:0x0404:Yubico Yubikey 4 CCID
 0x1050:0x0405:Yubico Yubikey 4 OTP+CCID
 0x1050:0x0406:Yubico Yubikey 4 U2F+CCID
 0x1050:0x0407:Yubico Yubikey 4 OTP+U2F+CCID

I can test the package if people point me to an updated one internally (i.e., for RHEL 7.3).

Version-Release number of selected component (if applicable):
pcsc-lite-ccid-1.4.10-10.el7.x86_64

How reproducible:
each time.

Steps to Reproduce:
1. Plug yubikey 4 Neo
2. See it doesn't work with gpg --card-edit, using the same instructions as RHBZ#1157226


Actual results:
gpg --card-edit shows the same error message as the bug https://bugzilla.redhat.com/show_bug.cgi?id=1157226

Expected results:
gpg --card-edit should work.


Additional info:
The yubikey has been out for a few months now, and is being touted as being used to sign containers and everything. So it would be nice to support it. Not to mention that the patch has been upstream for more than 9 months and is almost risk free.

Comment 1 M. Scherer 2016-05-04 12:04:27 UTC
Created attachment 1153820
patch for 7.3

Here is an update of the patch from dist-git on the 7.3 branch. I tested it (just drop that file in SOURCES and run rhpkg local), and it fixes the issue.

Comment 8 Bob Relyea 2016-06-27 22:09:49 UTC
fixed in pcsc-lite-ccid-1.4.10-11.el7

Comment 13 Roshni 2016-08-05 17:59:23 UTC
Following instructions in https://bugzilla.redhat.com/show_bug.cgi?id=1157226 to verify this bug,

1. yubikey is plugged in

2. I see the following
[rpattath@dhcp129-54 ~]$ echo $GPG_AGENT_INFO
/run/user/1000/keyring/gpg:0:1

[rpattath@dhcp129-54 ~]$ dmesg | grep "CCID"
[rpattath@dhcp129-54 ~]$

As per https://bugzilla.redhat.com/show_bug.cgi?id=1157226#c0 the above is not what is expected.

Comment 15 Bob Relyea 2016-08-17 00:57:11 UTC
roshni. I think the gpg thing requires an enrolled key. You can see if the reader is working with:

make sure coolkey is installed.

modutil -list -dbdir /etc/pki/nssdb

You should see a slot for "Yubico Yubikey 4 OTP+U2F+CCID"

bob

Comment 16 Roshni 2016-08-19 19:00:24 UTC
(In reply to Bob Relyea from comment #15)
> roshni. I think the gpg thing requires an enrolled key. You can see if the
> reader is working with:
> 
> make sure coolkey is installed.
> 
> modutil -list -dbdir /etc/pki/nssdb
> 
> You should see a slot for "Yubico Yubikey 4 OTP+U2F+CCID"
Using pcsc-lite-ccid-1.4.10-11.el7 I do not see the above when the yubikey is inserted
> 
> bob

Comment 17 Roshni 2016-08-23 19:19:30 UTC
[root@dhcp129-54 ~]# rpm -qi pcsc-lite-ccid
Name        : pcsc-lite-ccid
Version     : 1.4.10
Release     : 12.el7
Architecture: x86_64
Install Date: Mon 01 Aug 2016 01:19:42 PM EDT
Group       : System Environment/Libraries
Size        : 547810
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:40:14 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pcsc-lite-ccid-1.4.10-12.el7.src.rpm
Build Date  : Tue 05 Jul 2016 02:19:47 PM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pcsclite.alioth.debian.org/ccid.html
Summary     : Generic USB CCID smart card reader driver

Verification steps:

[root@dhcp129-54 gpshell-1.4.4]# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 8087:0a2b Intel Corp. 
Bus 001 Device 006: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Bus 001 Device 002: ID 17ef:6019 Lenovo 
Bus 001 Device 005: ID 04b3:3025 IBM Corp. NetVista Full Width Keyboard
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[root@dhcp129-54 gpshell-1.4.4]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: Yubico Yubikey 4 OTP+U2F+CCID 00 00
	token: 
-----------------------------------------------------------
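
Added example (not part of the bug thread or of the pcsc-lite-ccid package): the fix tracked here adds vendor:product IDs to the driver's reader list, so a quick check is whether the ID that lsusb reports is in a list in the `0xVID:0xPID:Name` format quoted in the description. The function names and the temporary list file are assumptions made for this example; the list entries and lsusb lines are copied from this page.

```shell
#!/bin/sh
# Added example: match attached USB devices against a CCID reader ID list.

# The five IDs requested in the bug description (0xVID:0xPID:Name).
supported_ids() {
cat <<'EOF'
 0x1050:0x0116:Yubico Yubikey NEO OTP+U2F+CCID
 0x1050:0x0404:Yubico Yubikey 4 CCID
 0x1050:0x0405:Yubico Yubikey 4 OTP+CCID
 0x1050:0x0406:Yubico Yubikey 4 U2F+CCID
 0x1050:0x0407:Yubico Yubikey 4 OTP+U2F+CCID
EOF
}

# Sample input: three of the lsusb lines posted in comment 17.
sample_lsusb() {
cat <<'EOF'
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Bus 001 Device 005: ID 04b3:3025 IBM Corp. NetVista Full Width Keyboard
EOF
}

# match_readers LIST: read lsusb output on stdin and print "vid:pid<TAB>name"
# for every attached device whose ID appears in LIST.
match_readers() {
    awk '
        NR == FNR {                          # first input: the ID list
            if ($0 ~ /^[ \t]*(#|$)/) next    # skip comments and blank lines
            if (split($0, f, ":") < 3) next  # skip malformed entries
            vid = tolower(f[1]); pid = tolower(f[2])
            sub(/^[ \t]*0x/, "", vid); sub(/^0x/, "", pid)
            known[vid ":" pid] = f[3]
            next
        }
        # second input: "Bus B Device D: ID vid:pid description"
        $5 == "ID" && (tolower($6) in known) { print tolower($6) "\t" known[tolower($6)] }
    ' "$1" -
}

# Run the sample lsusb lines against the list from the description.
check_sample() {
    list=$(mktemp) || return 1
    supported_ids > "$list"
    sample_lsusb | match_readers "$list"
    rm -f "$list"
}

check_sample
```

On a live system, pipe real output through the same function: `lsusb | match_readers /path/to/id-list`, where the list path is whatever file holds the IDs in this format.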

Comment 18 Roshni 2016-08-23 19:28:07 UTC
Bob,

Are the verification steps in comment 17 sufficient to verify this bug?

Comment 19 Bob Relyea 2016-08-30 00:38:18 UTC
yes!

Comment 20 Roshni 2016-09-18 21:28:57 UTC
[root@dhcp129-34 ~]# rpm -qi pcsc-lite-ccid
Name        : pcsc-lite-ccid
Version     : 1.4.10
Release     : 12.el7
Architecture: x86_64
Install Date: Fri 16 Sep 2016 09:53:53 AM EDT
Group       : System Environment/Libraries
Size        : 547810
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:40:14 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pcsc-lite-ccid-1.4.10-12.el7.src.rpm
Build Date  : Tue 05 Jul 2016 02:19:47 PM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pcsclite.alioth.debian.org/ccid.html
Summary     : Generic USB CCID smart card reader driver

[root@dhcp129-34 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: Yubico Yubikey 4 OTP+U2F+CCID 00 00
	token: PIV_II (PIV Card Holder pin)
-----------------------------------------------------------

su and gdm login using the yubikey token were successful. http://blog-ftweedal.rhcloud.com/2016/08/smart-card-login-with-yubikey-neo/ was followed to store certs on the token.

Comment 22 errata-xmlrpc 2016-11-04 07:37:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2493.html