The steps described in this howto are not necessary if you run this udev.sh.
Friday 20 January 2006
This howto describes how to set up your smart card reader for use with the Fellowship smart card on GNU/Linux systems using udev functionality. Please note:
This is only an introductory document, aimed at a generic hard- and software setting involving GNU/Linux. For a full-length description please see the full-length Fellowship card Howto. If you run into problems specific to your GnuPG setup, you may want to read other GnuPG Howtos.
- A smart card reader. A list of tested readers can be found here.
- Root privileges on your GNU/Linux system.
- GnuPG 1.4.2 or higher
You will need to download two files for udev, and copy them to the udev configuration directories, in order to let it identify your card reader:
Installing Udev configs
Open a terminal and become root (you will be asked for your root password):
$ su -
On Ubuntu systems, you should run (and then you will be asked for the user password):
$ sudo su -
Then copy the files from the directory you saved them to into the udev configuration directories (if the scripts directory does not exist, create it):
# cd /home/directory/where/you/saved/the/file (change for the right path)
# cp gnupg-ccid.rules /etc/udev/gnupg-ccid.rules
# cp gnupg-ccid /etc/udev/scripts/gnupg-ccid
# chmod +x /etc/udev/scripts/gnupg-ccid
# ln -s /etc/udev/gnupg-ccid.rules /etc/udev/rules.d/gnupg-ccid.rules
All the configuration files are now in the right place with the right permissions.
Giving Users Access
You will now create a group scard, give this group permission to access the smart card reader, and add the users who should have access to the card reader to this group.
# addgroup scard
# addgroup <yourusername> scard
# exit
Done! Your smart card reader should be working now.
To give other users access to the card reader, add them to the scard group:
# addgroup <username> scard
Checking Your Card
If you want to take a look at what is on your card, plug in the smart card reader, insert your Fellowship card and type:
$ gpg --card-status
Licensed under the GNU FDL
Getting Debug Information
Run gpg as super user in debug mode:
$ sudo gpg --debug 2048 --debug-ccid-driver -v --card-status
If the card is found as 'sudo'
You need to tweak the udev rules so that your normal user also has access. You can do this by:
- finding out the USB ID of your card reader: run lsusb; the ID is displayed like "058f:9520"
- adding a line to the file /etc/udev/rules.d/z80_gnupg-ccid.rules similar to one of the first "ACTION" lines, placing the first half of the ID as the "idVendor" value, and the second half as the "idProduct" value
- restarting udev or your computer for the addition to take effect; the device is then made accessible with '0660' permissions, meaning that any user in the scard group has read/write access
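The rule line from the steps above, built from an lsusb ID, as an added example (not part of the original howto and not taken from the project's gnupg-ccid.rules). It assumes current udev match keys (ACTION, SUBSYSTEM, ATTR{idVendor}, ATTR{idProduct}); the function names and the sample lsusb line are made up for illustration, and if the installed rules file uses a different form, copy the form of its existing "ACTION" lines instead.

```shell
#!/bin/sh
# Added example: turn one line of lsusb output into a udev rule for group "scard".
# Assumption: current udev match keys; function names here are illustrative.

# usb_id_from_lsusb LINE -> prints lowercase "vvvv:pppp", returns 1 if none found
usb_id_from_lsusb() {
    id=$(printf '%s\n' "$1" |
        sed -n 's/^Bus [0-9]\{3\} Device [0-9]\{3\}: ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*$/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id" | tr 'A-F' 'a-f'
}

# ccid_rule ID -> prints the rule line; rejects anything that is not vvvv:pppp,
# so stray text can never end up inside the rules file
ccid_rule() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "not a vendor:product ID: $1" >&2; return 1 ;;
    esac
    # first half is idVendor, second half is idProduct (as in the steps above)
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GROUP="scard", MODE="0660"\n' \
        "${1%%:*}" "${1##*:}"
}

# add_rule FILE ID -> appends the rule unless the identical line is already present
add_rule() {
    rule=$(ccid_rule "$2") || return 1
    grep -qxF -- "$rule" "$1" 2>/dev/null || printf '%s\n' "$rule" >> "$1"
}

# Constructed sample line; on a real system take the line from lsusb itself.
sample='Bus 002 Device 004: ID 058f:9520 Example CCID Reader'
id=$(usb_id_from_lsusb "$sample") && ccid_rule "$id"
```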
If your normal user still receives the error message "selecting openpgp failed: unknown command", gnome-keyring-daemon could be interfering; see How to set up your Fellowship card.
I recently got a fresh Ubuntu on Dell Latitude E5420 (certified hardware http://www.ubuntu.com/certification/hardware/201011-6891) with an internal smart card reader, and it started to work after I installed the daemon pcscd and got the device settings right with udev rules for device ID 0b97:7772 (O2 Micro, Inc. OZ776 CCID Smartcard Reader).
If no card is found at all
You might be missing a driver or the pcscd service. On Debian/Ubuntu, make sure to install pcscd. A list of drivers supported by pcscd is at http://pcsclite.alioth.debian.org/ccid/section.html.
A common problem
Sometimes, the pcscd service, along with the gnome keyring, can cause problems running commands other than gpg --card-status when everything else is set up correctly. To rectify this, there are a few simple things that can be done.
Firstly, open the list of Startup Applications and uncheck GPG Password Agent. If you also use your smartcard for SSH, you may need to uncheck the SSH Password Agent too, though this may need verifying.
Secondly, comment out the line in your ~/.gnupg/gpg.conf file that says "use-agent".
Lastly, uninstall pcscd and install scdaemon instead, and possibly gnupg-agent as well. Again, this could do with verifying.
Fingers crossed, after a logout/reboot, you should now have your smartcard up and running without having to use it under root.