nyaruta


Using YubiKey in WSL2

Preface

Recently I decided to set up WSL2, and one of the things I wanted from it was to use my YubiKey inside WSL2.

As it happened, I ran into some strange issues along the way and stumbled over quite a few pitfalls, so I thought I would write an article to document them.

Note

This article is written with Arch Linux as the target system.

The Windows side solution is based on usbipd-win.

Prerequisites

Connection

Windows Side

Install usbipd-win.

winget install --interactive --exact dorssel.usbipd-win

After connecting the YubiKey, execute

usbipd list

The output at this time should be similar to

Connected:
BUSID  VID:PID    DEVICE                                                       STATE
1-6    1050:0407  USB Input Device, Microsoft Usbccid Smartcard Reader (WUDF)  Not shared
1-7    17ef:6019  USB Input Device                                             Not shared
1-8    1a2c:20c0  USB Input Device                                             Not shared

Make a note of the VID:PID; it will be needed later.

Next, bind the device:

usbipd bind --busid=<BUSID>

Then start WSL and run on the Windows side

usbipd attach --wsl --busid=<BUSID>

Attach the YubiKey to WSL.

Linux Side

Install the required dependencies.

sudo pacman -S usbip usbutils

At this point, execute lsusb.

If the output contains the word YubiKey, congratulations, you have successfully connected the YubiKey to WSL.

Configuration

Install yubikey-manager and start pcscd.service.

sudo pacman -S yubikey-manager pcsclite pcsc-tools
sudo systemctl enable --now pcscd.service

Run ykman info. At this stage it will most likely fail with an error saying No YubiKey detected.

GPG cannot read the key either.

At this point, we need to configure some udev rules.

First, we need to create a user group named scard and add our user to it.

sudo groupadd scard
# $(whoami) expands to the current user name; a bare $whoami would expand to an empty variable
sudo usermod -aG scard $(whoami)

Restart WSL and add the following files.

```TEXT filename="/etc/udev/rules.d/10-security-key.rules"
# adjust idVendor/idProduct to the VID:PID of your device
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="users", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"
```

```TEXT filename="/etc/udev/rules.d/71-gnupg-ccid.rules"
# adjust ID_VENDOR_ID/ID_MODEL_ID to the VID:PID of your device; several PIDs can be listed with "|"
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116|0111", MODE="660", GROUP="scard"
```

Here, the VENDOR and MODEL need to be modified according to your device.

Remember the VID:PID we noted down earlier?

The VID is the VENDOR and the PID is the MODEL. For the device in the usbipd listing above (1050:0407), ID_VENDOR_ID stays 1050 and ID_MODEL_ID would be 0407.
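As an added example (not part of the original post), the following POSIX shell snippet derives the ID_MODEL_ID value for the 71-gnupg-ccid rule from lsusb output instead of hard-coding it, and checks that a device with the YubiKey vendor ID is actually attached before you bother with udevadm. The lsusb lines are constructed sample input and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed lsusb output: the
# vendor ID 1050 is the one shown in the post's usbipd listing; two YubiKeys
# are included so the "|" join in ENV{ID_MODEL_ID} is exercised.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Bus 001 Device 003: ID 17ef:6019 Lenovo Optical mouse
Bus 001 Device 004: ID 1050:0111 Yubico.com Yubikey NEO'

# yubikey_pids VENDOR LSUSB_OUTPUT
# Print the product IDs of every device with the given vendor ID, sorted,
# de-duplicated and joined with "|", ready for ENV{ID_MODEL_ID}=="...".
yubikey_pids() {
    vendor="$1"
    printf '%s\n' "$2" \
        | sed -n "s/.* ID ${vendor}:\([0-9a-f]\{4\}\) .*/\1/p" \
        | sort -u \
        | paste -s -d '|' -
}

# ccid_rule VENDOR PIDS
# Build the udev rule line used in 71-gnupg-ccid.rules for that vendor/PID set.
ccid_rule() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", MODE="660", GROUP="scard"\n' "$1" "$2"
}

# check_attached VENDOR LSUSB_OUTPUT
# Succeeds only if at least one device of that vendor is present; an empty
# result is what you get when "usbipd attach" was skipped or failed.
check_attached() {
    [ -n "$(yubikey_pids "$1" "$2")" ]
}

# Typical use with the live system: pids="$(yubikey_pids 1050 "$(lsusb)")"
if check_attached 1050 "$SAMPLE_LSUSB"; then
    ccid_rule 1050 "$(yubikey_pids 1050 "$SAMPLE_LSUSB")"
else
    echo "no device with vendor ID 1050 attached; run usbipd attach first" >&2
fi
```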

Use sudo udevadm trigger to reload the udev rules.

At this point, you will find that ykman info can now be used, but GPG still cannot read the Key.

This is because polkit restricts which local clients may talk to pcscd, so a polkit rule is needed as well.

```javascript
// polkit rules are JavaScript; the post does not name the file, the standard
// location for such rules is /etc/polkit-1/rules.d/.
// Allow members of the wheel group to access a smart card through pcscd.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
// Allow members of the wheel group to connect to the pcscd daemon itself.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```

Important

Before using the above rules, make sure your user is in the wheel group; otherwise, the rules will not match.

Then restart polkit.service.

sudo systemctl restart polkit.service

At this point, GPG should work normally.

Postscript

I have to say, this thing is really troublesome. It took me half a day to find a solution, and I was exhausted.

This article is synchronized and updated to xLog by Mix Space. The original link is https://lar.moe/posts/tech/using-yubikey-in-wsl2
