Talk: Yubikey

From NixOS Wiki

pcscd is not strictly required

I've had my fair share of problems with the pcscd, namely that it often required restarts to function. Fortunately I noticed that gpg-agent can work without it just fine. The only thing standing in my way was a missing udev rule for the Yubikey Neo:

    # Yubikey 4/5 U2F+CCID
    SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"

I'm not putting this in the main article as it'd probably need an invasive edit since it mentions pcscd everywhere.


udev setup

I needed to set up udev to make the Yubikeys readable as well. My solution was to:

  1. Add libfido2 to services.dev.udev.packages
  2. Create `users.groups.plugdev = {};` and add my user to the `plugdev` group.

Locking the screen with udev

  1. YubiKey 5C has MODEL_ID=0403.
  2. YubiKey 5 NFC has MODEL_ID=0407. (as already mentioned in the wiki)
  3. YubiKey [C and not-C] Bio has MODEL_ID=0402 but the MODEL_ID field isn't present at all. The only thing that matches for me is the HID_NAME.


    services.udev.extraRules = ''
      # 0403 = Yubikey 4/5 OTP+U2F       = YubiKey 5C
      # 0407 = Yubikey 4/5 OTP+U2F+CCID  = YubiKey 5 NFC
      ACTION=="remove",\
       ENV{ID_BUS}=="usb",\
       ENV{ID_MODEL_ID}=="0403|0407",\
       ENV{ID_VENDOR_ID}=="1050",\
       ENV{ID_VENDOR}=="Yubico",\
       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"

      # 0402 = Yubikey 4/5 U2F           = YubiKey Bio - FIDO Edition
      # 0402 = Yubikey 4/5 U2F           = YubiKey C Bio - FIDO Edition
      ACTION=="remove",\
       ENV{HID_NAME}=="Yubico YubiKey FIDO",\
       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
    '';
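Before deploying lock-on-remove rules like the ones above it is worth checking which of the two matches (USB model ID, or HID name for the Bio) your particular key actually hits. The script below is an added example, not code from the wiki page, Yubico or NixOS: it reimplements the two rules' match conditions as a shell function, feeds them constructed sample property lists (not captured from real hardware), and can also walk the live udev database with `udevadm info --export-db` to report the verdict for every Yubico device on the machine. The model IDs and HID name are taken from the comment above; the 0406 sample illustrates a key (U2F+CCID, as in the first comment on this page) that neither rule would lock.

```shell
#!/bin/sh
# Added example: evaluates the wiki's two lock-on-remove udev rules against a
# device's properties. Only yubikey_probe touches the system (via udevadm).

# yubikey_lock_rule_matches PROPS
#   PROPS: newline-separated KEY=VALUE pairs, as printed by
#   `udevadm info --query=property`. Prints the name of the rule that would
#   fire and returns 0, or prints nothing and returns 1 when neither matches.
yubikey_lock_rule_matches() {
    local props bus vendor_id vendor model_id hid_name
    props="$1"
    bus=$(printf '%s\n' "$props" | sed -n 's/^ID_BUS=//p')
    vendor_id=$(printf '%s\n' "$props" | sed -n 's/^ID_VENDOR_ID=//p')
    vendor=$(printf '%s\n' "$props" | sed -n 's/^ID_VENDOR=//p')
    model_id=$(printf '%s\n' "$props" | sed -n 's/^ID_MODEL_ID=//p')
    hid_name=$(printf '%s\n' "$props" | sed -n 's/^HID_NAME=//p')

    # Rule 1: USB vendor/model match (0403 = YubiKey 5C, 0407 = YubiKey 5 NFC).
    if [ "$bus" = usb ] && [ "$vendor_id" = 1050 ] && [ "$vendor" = Yubico ]; then
        case "$model_id" in
            0403|0407) echo model-id-rule; return 0 ;;
        esac
    fi
    # Rule 2: the Bio exposes no ID_MODEL_ID, so only the HID name can be matched.
    if [ "$hid_name" = "Yubico YubiKey FIDO" ]; then
        echo hid-name-rule; return 0
    fi
    return 1
}

# Constructed sample property lists (same shape as udevadm output), not
# captured from real devices.
SAMPLE_5C='ID_BUS=usb
ID_VENDOR_ID=1050
ID_VENDOR=Yubico
ID_MODEL_ID=0403'
SAMPLE_5_NFC='ID_BUS=usb
ID_VENDOR_ID=1050
ID_VENDOR=Yubico
ID_MODEL_ID=0407'
SAMPLE_BIO_HID='HID_NAME=Yubico YubiKey FIDO'
# U2F+CCID key (product ID 0406): covered by neither rule, so it would not lock.
SAMPLE_U2F_CCID='ID_BUS=usb
ID_VENDOR_ID=1050
ID_VENDOR=Yubico
ID_MODEL_ID=0406'

# yubikey_probe: for every record in the live udev database that mentions
# Yubico, print the properties the rules key on and the verdict. Records in
# `udevadm info --export-db` are blank-line separated, with "P: " and "E: "
# prefixed lines; awk collapses each record to one tab-separated line.
yubikey_probe() {
    udevadm info --export-db | awk -v RS= '
        /Yubico|ID_VENDOR_ID=1050/ {
            out = ""
            n = split($0, lines, "\n")
            for (i = 1; i <= n; i++)
                if (lines[i] ~ /^(P: |E: (ID_BUS|ID_VENDOR_ID|ID_VENDOR|ID_MODEL_ID|HID_NAME)=)/)
                    out = out (out == "" ? "" : "\t") substr(lines[i], 4)
            print out
        }' | while IFS= read -r line; do
            props=$(printf '%s\n' "$line" | tr '\t' '\n')
            printf '%s\n' "$line"
            printf '  -> %s\n' "$(yubikey_lock_rule_matches "$props" || echo 'no rule matches')"
        done
}

# Run as `sh yubikey-udev-check.sh probe` (hypothetical filename) on the
# machine with the key plugged in; without the argument only the functions
# and samples are defined.
if [ "${1-}" = probe ]; then
    yubikey_probe
fi
```

The probe shows both the USB device record and any HID records for the same key, so if the verdict is "no rule matches" on every record, the key's product ID is not one of the two listed and an extra rule is needed.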