@mariotpc
Last active June 17, 2023 00:27
Yubico YubiKey udev rules and pcsc auth
70-u2f.rules
[root@workstation rules.d]# cat 70-u2f.rules
# Copyright (C) 2013-2015 Yubico AB
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410", TAG+="uaccess", GROUP="wheel"
LABEL="u2f_end"
#########################################################
The current user must belong to the wheel group:
usermod -aG wheel mariotpc
#########################################################
Useful commands
**********************
udevadm control --reload-rules
udevadm trigger
udevadm monitor -u
udevadm control --log-priority=debug
journalctl -f
Next, change "no" to "yes" in the following file:
vim /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The PCSC-lite Project</vendor>
  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
  <!-- <icon_name>smart-card</icon_name> -->
  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
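Flipping a default from "no" to "yes" is easy to do without noticing what it grants: in polkit, allow_any applies to any session (including remote ones such as SSH logins), allow_inactive to local sessions that are not in the foreground, and allow_active to the active local session, and "yes" means the action is granted without any authentication prompt. The following is an added example, not code from the gist or from pcsc-lite, that parses a .policy file with the standard library and reports which actions are open to non-active sessions without authentication; the policy text it parses is the one shown above, and the hardened comparison in the usage note assumes you only need the daemon from your own active console session.

```python
"""Added example (not from the gist or pcsc-lite): report the default
authorization of every action in a polkit .policy file and flag settings
that grant access with no authentication from sessions other than the
active local one."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")


def action_defaults(policy_xml: str) -> Dict[str, Dict[str, str]]:
    """Map each action id to its <defaults>. An omitted element is treated as "no"
    here, the most restrictive value."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    result: Dict[str, Dict[str, str]] = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        result[action.get("id")] = {
            key: (defaults.findtext(key, default="no") if defaults is not None else "no").strip()
            for key in DEFAULT_KEYS
        }
    return result


def unauthenticated_nonactive_access(policy_xml: str) -> List[Tuple[str, str]]:
    """(action id, key) pairs where allow_any or allow_inactive is "yes": any user in a
    remote or inactive session gets the action without being asked to authenticate."""
    hits = []
    for action_id, defaults in action_defaults(policy_xml).items():
        for key in ("allow_any", "allow_inactive"):
            if defaults[key] == "yes":
                hits.append((action_id, key))
    return hits


# The policy file as shown in the gist, embedded here as the sample input.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The PCSC-lite Project</vendor>
  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

if __name__ == "__main__":
    for action_id, defaults in action_defaults(SAMPLE_POLICY).items():
        print(action_id, defaults)
    for action_id, key in unauthenticated_nonactive_access(SAMPLE_POLICY):
        print(f"{action_id}: {key}=yes grants access without authentication")
```

Run against the file as shown, it reports that org.debian.pcsc-lite.access_pcsc is granted from any session and from inactive sessions; with those two elements set back to "no" and only allow_active left at "yes", the report is empty and the daemon is still reachable from the console session where the YubiKey is plugged in.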
*** Some useful information, from: ***
https://support.nitrokey.com/t/pkcs11-tool-is-a-udev-rule-required-for-centos-8/2728
*********************************
Add 0402 to the next file
*********************************
/usr/lib/udev/rules.d/69-yubikey.rules

Original line (without 0402):
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \

File with 0402 added:
ACTION!="add|change", GOTO="yubico_end"
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0402|0403|0405|0407|0410", \
ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
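Both rules files above (70-u2f.rules and 69-yubikey.rules) work the same way: a device is only given uaccess or ID_SECURITY_TOKEN if its idProduct appears in the rule's alternation list, so a model that is missing from the list, like 0402 before it was added, silently gets none of it and the token fails for the unprivileged user. The following is an added example, not code from the gist or from Yubico, that parses a rules file (handling backslash continuations and ignoring rules for other vendors) and compares its idProduct list with saved lsusb output, reporting any attached Yubico device that no rule would match. The sample rules text and lsusb lines are constructed: the rules text is the 69-yubikey.rules line before 0402 was added plus a decoy rule for a made-up vendor "abcd".

```python
"""Added example (not from the gist or Yubico): check that every Yubico device
listed by lsusb is matched by the ATTRS{idProduct} list of a udev rules file
such as 70-u2f.rules or 69-yubikey.rules."""
import re
from typing import List, Set

YUBICO_VENDOR_ID = "1050"

# Product alternatives, e.g. ATTRS{idProduct}=="0010|0110|0402"
PRODUCT_LIST_RE = re.compile(r'ATTRS\{idProduct\}=="([0-9A-Fa-f|]+)"')
# Vendor match, e.g. ATTRS{idVendor}=="1050"
VENDOR_RE = re.compile(r'ATTRS\{idVendor\}=="([0-9A-Fa-f]{4})"')
# "ID 1050:0402" inside a line of lsusb output
LSUSB_ID_RE = re.compile(r"\bID ([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\b")


def logical_rule_lines(rules_text: str) -> List[str]:
    """Join udev rule lines continued with a trailing backslash into single lines."""
    lines, pending = [], ""
    for raw in rules_text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def rule_product_ids(rules_text: str, vendor: str = YUBICO_VENDOR_ID) -> Set[str]:
    """Product ids matched by rules that also match the given idVendor (comments skipped)."""
    ids: Set[str] = set()
    for line in logical_rule_lines(rules_text):
        if line.lstrip().startswith("#"):
            continue
        vendor_match = VENDOR_RE.search(line)
        if not vendor_match or vendor_match.group(1).lower() != vendor:
            continue
        for products in PRODUCT_LIST_RE.findall(line):
            ids.update(p.lower() for p in products.split("|"))
    return ids


def attached_product_ids(lsusb_text: str, vendor: str = YUBICO_VENDOR_ID) -> Set[str]:
    """Product ids of attached devices of one vendor, taken from saved lsusb output."""
    return {pid.lower() for vid, pid in LSUSB_ID_RE.findall(lsusb_text)
            if vid.lower() == vendor}


def uncovered_product_ids(rules_text: str, lsusb_text: str,
                          vendor: str = YUBICO_VENDOR_ID) -> Set[str]:
    """Attached devices of the vendor that no rule in the file would match."""
    return attached_product_ids(lsusb_text, vendor) - rule_product_ids(rules_text, vendor)


# Constructed sample rules: the pre-0402 69-yubikey.rules line, plus a decoy rule
# for a made-up vendor "abcd" that lists 0402 and must not count as coverage.
SAMPLE_RULES = r'''
ACTION!="add|change", GOTO="yubico_end"
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
  ENV{ID_SECURITY_TOKEN}="1"
ATTRS{idVendor}=="abcd", ATTRS{idProduct}=="0402", ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
'''

# Constructed lsusb output: two YubiKeys and an unrelated flash drive.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 1050:0402 Yubico.com
Bus 001 Device 005: ID 1050:0407 Yubico.com
Bus 002 Device 013: ID 058f:6387 Alcor Micro Corp. Flash Drive
"""

if __name__ == "__main__":
    missing = uncovered_product_ids(SAMPLE_RULES, SAMPLE_LSUSB)
    for pid in sorted(missing):
        print(f"{YUBICO_VENDOR_ID}:{pid} is attached but matched by no rule; add it to the idProduct list")
    if not missing:
        print("every attached Yubico device is matched by a rule")
```

On a real machine, feed it the output of lsusb and the contents of the rules file you are about to edit; after reloading the rules, udevadm info on the device node (for example udevadm info -a -n /dev/hidraw0) confirms that the expected TAG or ENV entries were actually applied.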
@mariotpc
Simple Way: pass the USB device ID to the guest
Assigning an Alcor memory stick connected to the host to VM 804.

Figure out in the host the Device Type by

lsusb | grep Alcor
The result is

Bus 002 Device 013: ID 058f:6387 Alcor Micro Corp. Flash Drive
Assign it to the VM by

qm set 804 -usb0 host=058f:6387
Shut down the VM (if running) and start it again.

@mariotpc
Last login: Fri Jun 16 18:24:29 2023 from 192.168.200.2
mlopez@pve:~$ su
Password:
root@pve:/home/mlopez# /usr/sbin/qm set 100 -usb0 host=1050:0402,usb3=yes