Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-09 Thread Antoine Beaupré
On 2017-02-09 06:38:18, NIIBE Yutaka wrote:
> Antoine Beaupré  writes:
>> This reminds me - it sure looks like pcscd was crashing back
>> there. Should I revert back to using pcscd to try and reproduce the
>> problem and file a pcscd bug about this?
>
> Yes.  I think that this is a different problem, and it's a pcscd issue.

Okay then - I have reported this as a bug against the pcscd package
(#854703), hopefully it will get some traction there.

Do note that what is happening with pcscd is that it is exiting on its
own when I unplug the Yubikey:

fév 08 21:36:15 curie pcscd[15485]: 0008 winscard_svc.c:1034:MSGCleanupClient() Starting suicide alarm in 60 seconds

Maybe pcscd expects to be reactivated through the systemd socket instead
of just running forever? Does scdaemon talk to the right socket
(/var/run/pcscd/pcscd.comm, according to the systemd config file)?

Thanks for any information,

A.

-- 
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
all that matters is to see
- Lofofora



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Antoine Beaupré  writes:
> This reminds me - it sure looks like pcscd was crashing back
> there. Should I revert back to using pcscd to try and reproduce the
> problem and file a pcscd bug about this?

Yes.  I think that this is a different problem, and it's a pcscd issue.
-- 



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Antoine Beaupré  writes:
>>> If this works, the udev line should be included in the scdaemon package in
>>> the future, so that each user doesn't need to configure it.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack.  This is a needed configuration.

This reminds me - it sure looks like pcscd was crashing back
there. Should I revert back to using pcscd to try and reproduce the
problem and file a pcscd bug about this?

A.

-- 
War is the massacre of men who do not know each other,
for the profit of men who know each other but will not massacre each other.
- Paul Valéry



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Thanks a lot for your confirmation.
>
> Antoine Beaupré  writes:
>>> If this works, the udev line should be included in the scdaemon package in
>>> the future, so that each user doesn't need to configure it.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack.  This is a needed configuration.

Sorry for my imprecise vocabulary. This is all very obscure to me, so
everything looks like a hack. :)

> It seems to me that Yubico has been recommending use of the PC/SC service.

I don't know about this, but that's how I made it work the first time. I
took this document as a source for how to make it work:

https://blog.night-shade.org.uk/2015/04/ssh-support-in-gpg-agent-on-ubunt/

... which suggests installing pcscd.

> Since no one has reported use of the internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.

Thanks for the clarification!

A.

-- 
Property is a trap: what we believe we possess possesses us.
- Alphonse Karr



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Thanks a lot for your confirmation.

Antoine Beaupré  writes:
>> If this works, the udev line should be included in the scdaemon package in
>> the future, so that each user doesn't need to configure it.
>
> I confirm the udev hack works.

No, this is not a hack.  This is a needed configuration.

It seems to me that Yubico has been recommending use of the PC/SC service.
Since no one has reported use of the internal CCID driver, there is no
entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.

Now, since it is confirmed, we should add an entry.
-- 



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-08 15:17:20, Daniel Kahn Gillmor wrote:
> Can you confirm that:
>
>  * disable-ccid is *not* set in scdaemon.conf

confirmed.

>  * pcscd is purged

confirmed.

>  * the same problem is present on 2.1.18-4 ?

confirmed.

pardon my french:

root@curie:/home/anarcat# apt install scdaemon/unstable gnupg-agent/unstable gpgsm/unstable
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « scdaemon »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg-agent »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « dirmngr » à cause 
de « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg » à cause 
de « dirmngr »
Version choisie « 2.1.18-4 » (Debian:unstable [all]) pour « gnupg-l10n » à 
cause de « gnupg »
The following additional packages will be installed:
  dirmngr gnupg
Paquets suggérés :
  parcimonie xloadimage
Paquets recommandés :
  gnupg-l10n
Les paquets suivants seront mis à jour :
  dirmngr gnupg gnupg-agent gpgsm scdaemon
5 mis à jour, 0 nouvellement installés, 0 à enlever et 36 non mis à jour.
Il est nécessaire de prendre 3 252 ko dans les archives.
Après cette opération, 0 o d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] 
Réception de:2 http://debian.mirror.constant.com/debian sid/main amd64 gnupg 
amd64 2.1.18-4 [1 126 kB]
Réception de:3 http://mirrors.cat.pdx.edu/debian sid/main amd64 scdaemon amd64 
2.1.18-4 [476 kB]
Réception de:4 http://debian.mirror.constant.com/debian sid/main amd64 gpgsm 
amd64 2.1.18-4 [502 kB]
Réception de:1 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 dirmngr 
amd64 2.1.18-4 [595 kB]  
Réception de:5 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 
gnupg-agent amd64 2.1.18-4 [554 kB]  
3 252 ko réceptionnés en 2s (1 294 ko/s)
[master 95fac63] saving uncommitted changes in /etc prior to apt run
 Author: Antoine Beaupré 
 1 file changed, 1 insertion(+), 1 deletion(-)
Récupération des rapports de bogue… Fait
Analyse des informations Trouvé/Corrigé… Fait
Lecture des fichiers de modifications (« changelog »)... Terminé
(Lecture de la base de données... 291155 fichiers et répertoires déjà 
installés.)
Préparation du dépaquetage de .../dirmngr_2.1.18-4_amd64.deb ...
Dépaquetage de dirmngr (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../scdaemon_2.1.18-4_amd64.deb ...
Dépaquetage de scdaemon (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gpgsm_2.1.18-4_amd64.deb ...
Dépaquetage de gpgsm (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg-agent_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg-agent (2.1.18-4) sur (2.1.18-3) ...
Traitement des actions différées (« triggers ») pour install-info 
(6.3.0.dfsg.1-1+b1) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
Paramétrage de gnupg-agent (2.1.18-4) ...
Paramétrage de dirmngr (2.1.18-4) ...
Paramétrage de gnupg (2.1.18-4) ...
Paramétrage de scdaemon (2.1.18-4) ...
Paramétrage de gpgsm (2.1.18-4) ...
Scanning processes...   


Scanning candidates...  


Scanning linux images...


Running kernel seems to be up-to-date.
Restarting services...
Services being skipped:
 systemctl restart NetworkManager.service
 /etc/needrestart/restart.d/dbus.service
 systemctl restart lightdm.service
 systemctl restart systemd-journald.service
 systemctl restart systemd-logind.service
 systemctl restart wpa_supplicant.service
No containers need to be restarted.
User sessions running outdated binaries:
 anarcat @ session #2: emacs[1497], firefox.real[2085], pulseaudio[1306], 
xmonad-x86_64-l[1215]
 anarcat @ user manager service: at-spi-bus-laun[1291], gpg-agent[28488], 
systemd[1199]
root@curie:/home/anarcat# apt purge pcscd
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
  libccid
Veuillez utiliser « apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
  pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 36 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
Control: tags 854616 -moreinfo +patch

On 2017-02-09 05:33:38, NIIBE Yutaka wrote:
> Hello,
>
> Thank you for reporting in detail.

[...]

> If this works, the udev line should be included in the scdaemon package in
> the future, so that each user doesn't need to configure it.

I confirm the udev hack works.

Thanks!

A.

-- 
One must respect black. Nothing prostitutes it. It is an agent of
the mind far more than the beautiful color of the palette or the prism.
- Odilon Redon



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Hello,

Thank you for reporting in detail.

Antoine Beaupre  wrote:
> In Bug#854005, I have described a distinct issue I have experienced
> with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
> 2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.
[...]
> anything i can do to improve debugging here? note that I don't *need*
> pcscd at all. i don't actually know what it is or what it's for. just
> want this yubikey to work reliably. :)

While I don't know about the pcscd crash, I will explain how to use a card
reader / token with the internal ccid driver of GnuPG.

You need a configuration file to allow USB access by the user when you use
the internal ccid driver of GnuPG.

Please create a file /etc/udev/rules.d/yubikey-neo-otp-ccid.rules
with the content of:

# /etc/udev/rules.d/yubikey-neo-otp-ccid.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"


And please add yourself as a group member of "plugdev".

In my case, I have this line in /etc/group:

plugdev:x:46:gniibe

If this works, the udev line should be included in the scdaemon package in
the future, so that each user doesn't need to configure it.
-- 
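
Added example (not part of the original thread or of the scdaemon package): a small audit of the udev rule described in the message above. It checks that a rule exists for the token's USB IDs, that its MODE does not grant write access to every local user, and that the user is in the rule's GROUP. The function names, the sample file and the group list are constructed for illustration, and only the ATTRS{idVendor}/ATTRS{idProduct} match form shown in the message is handled.

```shell
#!/bin/sh
# Added example: audit a udev rule granting USB access to a CCID token.

# find_rule FILE VID PID: print "MODE:GROUP" of the first non-comment rule
# matching both ATTRS{idVendor} and ATTRS{idProduct}; exit 1 if none.
find_rule() {
    awk -v vid="$2" -v pid="$3" '
        /^[ \t]*#/ { next }
        index($0, "ATTRS{idVendor}==\"" vid "\"") &&
        index($0, "ATTRS{idProduct}==\"" pid "\"") {
            mode = ""; group = ""
            if (match($0, /MODE="[0-7]+"/))
                mode = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /GROUP="[^"]+"/))
                group = substr($0, RSTART + 7, RLENGTH - 8)
            print mode ":" group
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_rule FILE VID PID "GROUP LIST"
# Returns 0 ok, 1 no rule, 2 world-writable, 3 no GROUP or user not a member.
audit_rule() {
    rule=$(find_rule "$1" "$2" "$3") || { echo "no rule for $2:$3"; return 1; }
    mode=${rule%%:*}; group=${rule#*:}
    case ${mode#"${mode%?}"} in   # last octal digit = "other" permissions
        2|3|6|7) echo "mode $mode lets every local user write to the token"
                 return 2 ;;
    esac
    case " $4 " in
        *" ${group:-?} "*) echo "ok: mode=$mode group=$group" ;;
        *) echo "user is not in group '$group'"; return 3 ;;
    esac
}

# Constructed sample: the rule line quoted in the message above.
sample=$(mktemp)
printf '%s\n' '# yubikey-neo-otp-ccid.rules (constructed sample)' \
  'ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"' \
  > "$sample"
audit_rule "$sample" 1050 0111 "anarcat plugdev"  # real system: "$(id -nG)"
rm -f "$sample"
```

A group added with usermod or by editing /etc/group only takes effect in new login sessions, so an audit run with "$(id -nG)" can report a missing membership until the user logs in again.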



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Daniel Kahn Gillmor
Control: tags 854616 + moreinfo

Hi Anarcat--

thanks for all this documentation on #854616.  I'd like to try to
differentiate this report from #854005.

#854005 is about problems with smartcards more generally.

The new bug, #845616, should be focused specifically on the use case
where pcscd is *not* involved (not even installed on the system), and
disable-ccid is *not* set in scdaemon.conf.

On Wed 2017-02-08 12:35:36 -0500, Antoine Beaupre wrote:

> [1004]anarcat@curie:~$ LANG=C gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
[…]
> the scdaemon debug logs show this:
>
> 2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'
> 2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- OPTION event-signal=12
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO version
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D 2.1.18
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- SERIALNO openpgp
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: BAI=11201
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: new device=11201
> 2017-02-08 12:24:58 scdaemon[27971] ccid open error: skip
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> ERR 100696144 Aucun périphérique de ce type
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- RESTART
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK

Can you confirm that:

 * disable-ccid is *not* set in scdaemon.conf
 * pcscd is purged
 * the same problem is present on 2.1.18-4 ?


Thanks,

--dkg

