USB/IP

Optional

usbutils

We simply need to install the usbipd-win software on our Windows machine.

Make sure to reopen any shell/terminal and check that uspipd.exe is available on your PATH.

Tip

You might need to perform the next step with elevated rights. Either open WSL USB / PowerShell as an Administrator, or install sudo from scoop for example:

scoop.exe install sudo

GUI

The process can be greatly simplified, by installing wsl-usb-gui (shortcut is called WSL USB) on the Windows side. You can do everything you desire from within the GUI, even set up auto attachments, without a hassle.

CLI

First, list available devices using

usbipd.exe list

Take note of the BUSID of the desired (smartcard) device.

Tip

You can also use the Hardware ID (VID:PID column) by using the -i flag instead of the -b one.

Then simply execute

usbipd.exe bind -b BUSID

replacing BUSID with the one you took note of earlier.

Note

It can be necessary to force this operation with the -f flag, in which case the device will be unavailable under Windows until you perform an unbind.

Now the only thing left to do is attaching the smartcard to WSL

usbipd.exe attach -w -b BUSID

You can even have it auto-attached with

usbipd.exe attach -w -a -b BUSID

Note

The bind procedure is persistent between reboots. The attach procedure however isn’t, necessitating a reattachement.

This also means forcing the bind using -f makes it unavailable until you explicitly do an unbind, when attach on the contrary, reinstates control to Windows whenever the device is no longer connected to WSL.

Tip

You can easily check if this worked by observing the usbipd.exe command output, or by utilizing lsusb from the usbutils package.

FIDO2

Despite all this, some utilities, for example ssh-keygen, utilize a direct smartcard access using e.g. the /dev/hidraw devices the USB/IP setup produces.

For that to work, you simply need to add an udev rule

/etc/udev/rules.d/99-yubikey.rules

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", TAG+="uaccess", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406"

You might need to change the vendor and/or product ID. You can easily check the IDs using the

lsusb

command.

Simply locate the Yubikey line in the output, and locate the IDs following the pattern: [Bus IDs]: ID <vendor>:<product> [Name of the device]

After that add your user to the plugdev group, restart WSL and you should be good to go.

sudo groupadd plugdev
sudo usermod -aG plugdev <username>