Public bug reported:

Package: libfido2
Version: 1.16.0-2build1
Severity: wishlist / hardware support

Summary
=======
libfido2 is currently built on Ubuntu/Debian with only the Linux netlink NFC
backend. PC/SC NFC readers such as the ACS ACR1252 are therefore invisible to
fido2-token, ssh-keygen -K, and any OpenSSH FIDO authentication, even though the
reader is detected by pcscd and the upstream libfido2 CMake default is now
USE_PCSC=ON.

Proposed fix
============
Add -DUSE_PCSC=ON to the dh_auto_configure invocation in debian/rules.
This links libfido2 against libpcsclite and enables the experimental PC/SC
backend, which upstream maintains for exactly this class of NFC reader.

Hardware tested
===============
- Reader: ACS ACR1252 Dual Reader (USB ID 072f:223b)
- Token: YubiKey 5C NFC (firmware 5.7.4, AAGUID d7781e5d-e353-46aa-afe2-3ca49f13332a)
- Host: Ubuntu resolute, OpenSSH_10.2p1, pcscd 2.4.1, libpcsclite1 2.4.1

Evidence
========
1. With the stock Ubuntu package (libfido2-1 1.16.0-2build1):

   $ fido2-token -L
   /dev/hidraw1: vendor=0x1050, product=0x0406 (Yubico YubiKey FIDO+CCID)

   Only the USB HID key is listed; the ACR1252/NFC key is absent.
   FIDO_DEBUG=1 ssh-keygen -K reports "run_manifest: found 0 nfc devices".

2. With libfido2 rebuilt from the Ubuntu source using -DUSE_PCSC=ON:

   $ fido2-token -L
   /dev/hidraw1: vendor=0x1050, product=0x0406 (Yubico YubiKey FIDO+CCID)
   pcsc://slot1: vendor=0x0000, product=0x0000 (PC/SC ACS ACR1252 Dual Reader [ACR1252 Dual Reader PICC] 01 00)

   $ fido2-token -I pcsc://slot1
   ... transport strings: nfc, usb ...
   ... aaguid: d7781e5de35346aaafe23ca49f13332a ...

   The rebuilt package's library also shows the expected NEEDED entry:

   $ objdump -p libfido2.so.1.16.0 | grep NEEDED | grep pcsclite
   NEEDED               libpcsclite.so.1

3. The rebuilt binary .debs were produced successfully and, when installed
   temporarily, made the ACR1252 visible system-wide without changing any
   other configuration.

What was NOT tested
===================
A complete "ssh-keygen -K" resident-key download over NFC was not finished in
this session because the non-interactive shell could not provide the FIDO PIN
prompt reliably. The debug trace confirms CTAP2 traffic reached the
authenticator and the PIN-check step (dummy PIN returned CTAP2_ERR_PIN_INVALID,
0x31). A normal interactive terminal with the real PIN should complete the
resident-key download.

Patch
=====
The one-line change is attached (libfido2-use_pcsc.patch):

--- a/debian/rules
+++ b/debian/rules
@@ -7,7 +7,8 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all

 override_dh_auto_configure:
        dh_auto_configure -- -DUDEV_RULES_DIR=/lib/udev/rules.d \
-                            -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON
+                            -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON \
+                            -DUSE_PCSC=ON

 override_dh_makeshlibs:
        dh_makeshlibs -- -c4
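
Review bot: The new -DUSE_PCSC=ON argument in override_dh_auto_configure makes the build link against libpcsclite, but the patch changes only debian/rules. debian/control needs a matching Build-Depends on the pcsclite development package (libpcsclite-dev); otherwise a clean build environment will not have the pcsclite headers and library available at configure time. Because the report itself calls the PC/SC backend experimental, the debian/changelog entry should say so, and it is worth confirming that the new libpcsclite dependency of libfido2-1 is acceptable for the archive component the package lives in.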

Rationale
=========
Upstream has USE_PCSC=ON by default in current main. macOS and Windows already
use PC/SC as their general NFC path. On Linux this is the only supported way
to use readers that expose NFC via CCID/PCSC rather than the kernel netlink NFC
subsystem. Enabling it in the distro package broadens hardware compatibility
at the cost of one new dynamic dependency (libpcsclite, already present on
systems using smart cards).

References
==========
- libfido2 CMakeLists.txt (USE_PCSC defaults to ON):
  https://github.com/Yubico/libfido2/blob/main/CMakeLists.txt
- Upstream discussion of PC/SC mode:
  https://github.com/Yubico/libfido2/discussions/626

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: libfido2-1 1.16.0-2build1
ProcVersionSignature: Ubuntu 7.0.0-22.22-generic 7.0.0
Uname: Linux 7.0.0-22-generic x86_64
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Mon Jun 15 19:18:59 2026
InstallationDate: Installed on 2025-05-16 (395 days ago)
InstallationMedia: Kubuntu 25.04 "Plucky Puffin" - Release amd64 (20250417)
SourcePackage: libfido2
UpgradeStatus: Upgraded to resolute on 2026-06-07 (8 days ago)

** Affects: libfido2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug resolute

** Patch added: "Add -DUSE_PCSC=ON to the dh_auto_configure invocation in debian/rules."
   https://bugs.launchpad.net/bugs/2156796/+attachment/5977535/+files/libfido2-use_pcsc.patch

https://bugs.launchpad.net/bugs/2156796

Title:
  [PATCH] Enable USE_PCSC=ON so libfido2 works with PC/SC NFC readers
  (e.g. ACR1252)
