What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is
controlled by GPG agent. SSH key from Yubikey is automatically enrolled and
used for connection to git remote. And it "just works". It's been two weeks
and I still can't get to that point, so I decided to ask for help here.
The most depressing fact is that sometimes it works and other times it doesn't.
And I never know why. And I don't know how to fix it.
Current problem: ssh-add -L returns "Error connecting to agent: No such file or
directory".
I have followed [0] to generate and load GPG keys into Yubikey. It didn't work
well (I don't remember what exactly was failing; there have been a million
issues at this point and I don't know what I'm doing anymore), so I started to
dig deeper and tried information from [1], [2] and [3]. The result is that I
can do a git pull once and it works, then I do another git pull and it doesn't.
What I have tried: relogging, launching a new terminal, gpgconf --reload all,
systemctl restart pcscd, Yubikey replug. Everything alone and everything
together.
❯ inxi -Sz
System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro:
Manjaro Linux
❯ ykman info
Device type: YubiKey 4
Serial number: XXXXXXX
Firmware version: 4.3.5
Enabled USB interfaces: OTP+FIDO+CCID
Applications
OTP Enabled
FIDO U2F Enabled
OpenPGP Enabled
PIV Enabled
OATH Enabled
FIDO2 Not available
❯ ykman openpgp info
OpenPGP version: 2.1
Application version: 4.3.5
PIN tries remaining: 10
Reset code tries remaining: 0
Admin PIN tries remaining: 10
Touch policies
Signature key On
Encryption key On
Authentication key On
❯ gpg --version
gpg (GnuPG) 2.2.21
libgcrypt 1.8.6
❯ gpg -K
/home/ave/.gnupg/pubring.kbx
----------------------------
sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C]
Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC
uid [ultimate] Ave Milia <[email protected]>
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]
❯ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXX
Name of cardholder: Ave Milia
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 0 10
Signature counter : 5
Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:13:49
Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:14:37
Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:15:07
General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia <[email protected]>
sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
❯ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/ave/.gnupg
❯ grep -v "^#" .gnupg/gpg.conf
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
keyserver hkps://hkps.pool.sks-keyservers.net
❯ grep -v "^#" .gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses
❯ grep -v "^#" .gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
❯ ll /usr/lib/libpcsclite.so
lrwxrwxrwx 1 root root 20 19. čen 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0
❯ sudo systemctl status pcscd.service
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 54997 (pcscd)
Tasks: 5 (limit: 19134)
Memory: 1.8M
CGroup: /system.slice/pcscd.service
└─54997 /usr/bin/pcscd --foreground --auto-exit
srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
^^^ Despite pcscd errors, in my experience this is orthogonal to whether
Yubikey/GPG/SSH is in the mood for working correctly.
❯ cat /etc/opensc.conf
app default {
# Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
# can handle both to access keys and certificates, but only one at a time.
card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
name = "Yubikey 4";
# Select the PKI applet to use ("PIV-II" or "openpgp")
driver = "openpgp";
# Recover from other applications accessing a different applet
flags = "keep_alive";
}
}
❯ cat /usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so
❯ p11tool --list-tokens
Token 0:
URL:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
Label: Default Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 2:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
Label: OpenPGP card (User PIN)
Type: Hardware token
Flags: Requires login
Manufacturer: Yubico
Model: PKCS#15 emulated
Serial: XXXXXXXXXXXX
Module: opensc-pkcs11.so
Token 3:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
Label: OpenPGP card (User PIN (sig))
Type: Hardware token
Flags: Requires login
Manufacturer: Yubico
Model: PKCS#15 emulated
Serial: XXXXXXXXXXXX
Module: opensc-pkcs11.so
❯ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN:
Private Key Object; RSA
label: Encryption key
ID: 02
Usage: decrypt, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: Encryption key
ID: 02
Usage: encrypt, wrap
Access: none
Private Key Object; RSA
label: Authentication key
ID: 03
Usage: decrypt, sign, non-repudiation, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: Authentication key
ID: 03
Usage: encrypt, verify, wrap
Access: none
❯ Relevant part of .zshrc
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
❯ ssh-add -L
Error connecting to agent: No such file or directory
^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX
So, any ideas which tambourine I should pick this time?
[0] <https://github.com/drduh/YubiKey-Guide>
[1] <https://wiki.archlinux.org/index.php/GnuPG#SSH_agent>
[2] <https://wiki.archlinux.org/index.php/GnuPG#Smartcards>
[3] <https://wiki.archlinux.org/index.php/Smartcards>
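Added example, not from the original post or from the GnuPG project: a POSIX sh diagnostic for the exact "Error connecting to agent" failure above. It compares the SSH_AUTH_SOCK the shell exports with the path gpg-agent is configured to create; classify_ssh_sock is a pure function taking both paths as arguments, and only the live check assumes gpgconf is on PATH.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: explain why ssh-add says
# "Error connecting to agent: No such file or directory" by comparing the
# SSH_AUTH_SOCK the shell exports with the socket gpg-agent should create.

# classify_ssh_sock ACTUAL EXPECTED
#   ACTUAL   - current value of $SSH_AUTH_SOCK ("" when unset)
#   EXPECTED - output of: gpgconf --list-dirs agent-ssh-socket
# Prints exactly one word: unset, mismatch, missing, not-a-socket or ok.
classify_ssh_sock() {
    actual=$1
    expected=$2
    if [ -z "$actual" ]; then
        echo unset          # ssh-add has no agent path at all
    elif [ "$actual" != "$expected" ]; then
        echo mismatch       # points at another agent (leftover ssh-agent, session manager)
    elif [ ! -e "$actual" ]; then
        echo missing        # right path, but gpg-agent has not created the socket
    elif [ ! -S "$actual" ]; then
        echo not-a-socket   # a stale file or directory sits where the socket belongs
    else
        echo ok
    fi
}

# Live check of the current shell: prints the verdict plus a hint per failure mode.
diagnose_gpg_ssh_agent() {
    expected=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || {
        echo "gpgconf not found; is GnuPG installed?"; return 1; }
    state=$(classify_ssh_sock "${SSH_AUTH_SOCK:-}" "$expected")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}"
    echo "expected      =$expected"
    echo "state         =$state"
    case $state in
        unset|mismatch)
            echo 'hint: export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' ;;
        missing)
            echo "hint: gpg-agent is not running, or runs without enable-ssh-support;"
            echo "      gpg-connect-agent updatestartuptty /bye starts it" ;;
        not-a-socket)
            echo "hint: remove the stale entry at $expected, then restart gpg-agent" ;;
    esac
    [ "$state" = ok ]
}

if [ "${1:-}" = --run ]; then
    diagnose_gpg_ssh_agent
fi
```

Run it as `sh diag.sh --run` from the shell where git fails; a "mismatch" verdict means the `gnupg_SSH_AUTH_SOCK_by` guard in .zshrc skipped the export in that shell, and "missing" means the socket path is right but no agent with ssh support is behind it.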
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users