Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
On 2017-02-09 06:38:18, NIIBE Yutaka wrote:
> Antoine Beaupré writes:
>> This reminds me - it sure looks like pcscd was crashing back
>> there. Should I revert back to using pcscd to try and reproduce the
>> problem and file a pcscd bug about this?
>
> Yes. I think that this is a different problem, and it's pcscd issue.

Okay then - I have reported this as a bug against the pcscd package (#854703), hopefully it will get some traction there.

Do note that what is happening with pcscd is that it is exiting on its own when I unplug the Yubikey:

fév 08 21:36:15 curie pcscd[15485]: 0008 winscard_svc.c:1034:MSGCleanupClient() Starting suicide alarm in 60 seconds

Maybe pcscd expects to be reactivated through the systemd socket instead of just running forever? Does scdaemon talk to the right socket (/var/run/pcscd/pcscd.comm, according to the systemd config file)?

Thanks for any information,

A.

--
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
the only thing that matters is to see.
                        - Lofofora

Bug#854616: [pkg-gnupg-maint] Bug#854616: Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
On Wed 2017-02-08 16:15:21 -0500, NIIBE Yutaka wrote:
> No, this is not a hack. This is a configuration needed.
>
> It seems for me that Yubico has been recommended use of PC/SC service.
> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.

Hi Gniibe--

Thanks for your work on sorting this out! If there are patches that should go into the scdaemon package for stretch, we should include, hopefully soon!

If you want to roll a release of the gnupg2 package to update scdaemon, that's fine with me. Or if you'd rather push a series of patches to our shared git repository on alioth for an extra pair of eyes, i'm happy to review them when they're ready. or, send patches upstream and post commit IDs here, or send a separate patch to pkg-gnupg-maint, however you prefer :)

There are a few other udev rule updates that seem to be pending in

  https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=scdaemon;dist=unstable

and i think a patch (or series of patches) to include them all would be completely reasonable to aim for inclusion with stretch.

Thanks for the smartcard wrangling!

  --dkg

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Antoine Beaupré writes:
> This reminds me - it sure looks like pcscd was crashing back
> there. Should I revert back to using pcscd to try and reproduce the
> problem and file a pcscd bug about this?

Yes. I think that this is a different problem, and it's pcscd issue.
--

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Antoine Beaupré writes:
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack. This is a configuration needed.

This reminds me - it sure looks like pcscd was crashing back there. Should I revert back to using pcscd to try and reproduce the problem and file a pcscd bug about this?

A.

--
War is the massacre of men who do not know each other, for the benefit
of men who know each other but will not massacre each other.
                        - Paul Valéry

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Thanks a lot for your confirmation.
>
> Antoine Beaupré writes:
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack. This is a configuration needed.

Sorry for my imprecise vocabulary. This is all very obscure to me, so everything looks like a hack. :)

> It seems for me that Yubico has been recommended use of PC/SC service.

I don't know about this, but that's how I made it work the first time. I took this document as a source for how to make it work:

https://blog.night-shade.org.uk/2015/04/ssh-support-in-gpg-agent-on-ubunt/

... which suggests installing pcscd.

> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.

Thanks for the clarification!

A.

--
Property is a trap: what we believe we possess possesses us.
                        - Alphonse Karr

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Thanks a lot for your confirmation.

Antoine Beaupré writes:
>> If this works, the udev line should be included into scdaemon package in
>> future, so that each user doesn't need to configure.
>
> I confirm the udev hack works.

No, this is not a hack. This is a configuration needed.

It seems for me that Yubico has been recommended use of PC/SC service. Since no one has reported for use of internal CCID driver, there is no entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.

Now, since it is confirmed, we should add an entry.
--

Processed: Re: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Processing control commands:

> tags 854616 -moreinfo +patch
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Removed tag(s) moreinfo.
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Added tag(s) patch.

--
854616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
On 2017-02-08 15:17:20, Daniel Kahn Gillmor wrote:
> Can you confirm that:
>
>  * disable-ccid is *not* set in scdaemon.conf

confirmed.

>  * pcscd is purged

confirmed.

>  * the same problem is present on 2.1.18-4 ?

confirmed. pardon my french:

root@curie:/home/anarcat# apt install scdaemon/unstable gnupg-agent/unstable gpgsm/unstable
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « scdaemon »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg-agent »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « dirmngr » à cause de « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg » à cause de « dirmngr »
Version choisie « 2.1.18-4 » (Debian:unstable [all]) pour « gnupg-l10n » à cause de « gnupg »
The following additional packages will be installed:
  dirmngr gnupg
Paquets suggérés :
  parcimonie xloadimage
Paquets recommandés :
  gnupg-l10n
Les paquets suivants seront mis à jour :
  dirmngr gnupg gnupg-agent gpgsm scdaemon
5 mis à jour, 0 nouvellement installés, 0 à enlever et 36 non mis à jour.
Il est nécessaire de prendre 3 252 ko dans les archives.
Après cette opération, 0 o d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n]
Réception de:2 http://debian.mirror.constant.com/debian sid/main amd64 gnupg amd64 2.1.18-4 [1 126 kB]
Réception de:3 http://mirrors.cat.pdx.edu/debian sid/main amd64 scdaemon amd64 2.1.18-4 [476 kB]
Réception de:4 http://debian.mirror.constant.com/debian sid/main amd64 gpgsm amd64 2.1.18-4 [502 kB]
Réception de:1 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 dirmngr amd64 2.1.18-4 [595 kB]
Réception de:5 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 gnupg-agent amd64 2.1.18-4 [554 kB]
3 252 ko réceptionnés en 2s (1 294 ko/s)
[master 95fac63] saving uncommitted changes in /etc prior to apt run
 Author: Antoine Beaupré
 1 file changed, 1 insertion(+), 1 deletion(-)
Récupération des rapports de bogue… Fait
Analyse des informations Trouvé/Corrigé… Fait
Lecture des fichiers de modifications (« changelog »)... Terminé
(Lecture de la base de données... 291155 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../dirmngr_2.1.18-4_amd64.deb ...
Dépaquetage de dirmngr (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../scdaemon_2.1.18-4_amd64.deb ...
Dépaquetage de scdaemon (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gpgsm_2.1.18-4_amd64.deb ...
Dépaquetage de gpgsm (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg-agent_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg-agent (2.1.18-4) sur (2.1.18-3) ...
Traitement des actions différées (« triggers ») pour install-info (6.3.0.dfsg.1-1+b1) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
Paramétrage de gnupg-agent (2.1.18-4) ...
Paramétrage de dirmngr (2.1.18-4) ...
Paramétrage de gnupg (2.1.18-4) ...
Paramétrage de scdaemon (2.1.18-4) ...
Paramétrage de gpgsm (2.1.18-4) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
Services being skipped:
 systemctl restart NetworkManager.service
 /etc/needrestart/restart.d/dbus.service
 systemctl restart lightdm.service
 systemctl restart systemd-journald.service
 systemctl restart systemd-logind.service
 systemctl restart wpa_supplicant.service
No containers need to be restarted.
User sessions running outdated binaries:
 anarcat @ session #2: emacs[1497], firefox.real[2085], pulseaudio[1306], xmonad-x86_64-l[1215]
 anarcat @ user manager service: at-spi-bus-laun[1291], gpg-agent[28488], systemd[1199]
root@curie:/home/anarcat# apt purge pcscd
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
  libccid
Veuillez utiliser « apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
  pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 36 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Control: tags 854616 -moreinfo +patch

On 2017-02-09 05:33:38, NIIBE Yutaka wrote:
> Hello,
>
> Thank you for reporting in detail.

[...]

> If this works, the udev line should be included into scdaemon package in
> future, so that each user doesn't need to configure.

I confirm the udev hack works.

Thanks!

A.

--
One must respect black. Nothing prostitutes it. It is an agent of the
mind far more than the beautiful color of the palette or the prism.
                        - Odilon Redon

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Hello,

Thank you for reporting in detail.

Antoine Beaupre wrote:
> In Bug#854005, I have described a distinct issue I have experienced
> with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
> 2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.
[...]
> anything i can do to improve debugging here? note that I don't *need*
> pcscd at all. i don't actually know what it is or what it's for. just
> want this yubikey to work reliably. :)

While I don't know about pcscd crash, I explain how to use card reader / token with internal ccid driver of GnuPG.

You need a configuration file to allow USB access by user, when you use internal ccid driver of GnuPG.

Please create a file /etc/udev/rules.d/yubikey-neo-otp-ccid.rules with the content of:

/etc/udev/rules.d/yubikey-neo-otp-ccid.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"

And please add yourself as a group member of "plugdev". In my case, I have this line in /etc/group:

plugdev:x:46:gniibe

If this works, the udev line should be included into scdaemon package in future, so that each user doesn't need to configure.
--

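The configuration described in the message above (a udev rule giving the plugdev group access to USB ID 1050:0111, plus group membership for the user) can be audited with a short script. This is an added example, not part of the original messages or of the scdaemon package; the function names, the status strings, the user alice and the MODE="666" variant are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one udev rule per line.

# rule_field RULES VENDOR PRODUCT KEY: print the value that the first rule
# matching the USB vendor/product IDs assigns to KEY (MODE or GROUP).
rule_field() {
    awk -v v="$2" -v p="$3" -v key="$4" '
        /^[ \t]*#/ { next }
        index($0, "ATTRS{idVendor}==\"" v "\"") &&
        index($0, "ATTRS{idProduct}==\"" p "\"") {
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                # KEY="x" assigns; KEY=="x" only matches and is skipped.
                if (part[i] ~ ("^" key "[+:]?=\"")) {
                    val = part[i]
                    sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
                    print val; exit
                }
            }
        }' "$1"
}

# in_group GROUP_FILE GROUP USER: succeed if USER is listed as a member of
# GROUP in an /etc/group style file (primary groups are not consulted).
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# audit_ccid_rule RULES GROUP_FILE USER VENDOR PRODUCT: print one status word.
audit_ccid_rule() {
    mode=$(rule_field "$1" "$4" "$5" MODE)
    group=$(rule_field "$1" "$4" "$5" GROUP)
    if [ -z "$mode" ] || [ -z "$group" ]; then echo no-rule; return; fi
    rest=${mode%?}
    # Last octal digit is "other"; any write bit there opens the token to all users.
    case ${mode#"$rest"} in 2|3|6|7) echo world-writable; return ;; esac
    # Second-to-last digit is "group"; the CCID driver needs read and write.
    case ${rest#"${rest%?}"} in 6|7) ;; *) echo group-cannot-write; return ;; esac
    if in_group "$2" "$group" "$3"; then echo ok; else echo not-in-group; fi
}

# Constructed sample files: the rule and group line quoted in the message,
# plus a deliberately loose MODE="666" variant.
make_samples() {
    printf '%s\n' 'ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"' > "$1/good.rules"
    printf '%s\n' 'ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="666", GROUP="plugdev"' > "$1/loose.rules"
    printf '%s\n' 'plugdev:x:46:gniibe' > "$1/group"
}

demo() {
    tmp=$(mktemp -d) && make_samples "$tmp"
    audit_ccid_rule "$tmp/good.rules" "$tmp/group" gniibe 1050 0111   # ok
    audit_ccid_rule "$tmp/loose.rules" "$tmp/group" gniibe 1050 0111  # world-writable
    audit_ccid_rule "$tmp/good.rules" "$tmp/group" alice 1050 0111    # not-in-group
    rm -rf "$tmp"
}
demo
```

On a real system the same function can be pointed at /etc/udev/rules.d/yubikey-neo-otp-ccid.rules and /etc/group.
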
Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Control: tags 854616 + moreinfo

Hi Anarcat--

thanks for all this documentation on #854616. I'd like to try to differentiate this report from #854005.

#854005 is about problems with smartcards more generally. The new bug, #845616, should be focused specifically on the use case where pcscd is *not* involved (not even installed on the system), and disable-ccid is *not* set in scdaemon.conf.

On Wed 2017-02-08 12:35:36 -0500, Antoine Beaupre wrote:
> [1004]anarcat@curie:~$ LANG=C gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device

[…]

> the scdaemon debug logs show this:
>
> 2017-02-08 12:24:58 scdaemon[27971] listening on socket
> '/run/user/1000/gnupg/S.scdaemon'
> 2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's
> Smartcard server ready
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D
> /run/user/1000/gnupg/S.scdaemon
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- OPTION event-signal=12
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO version
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D 2.1.18
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- SERIALNO openpgp
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: BAI=11201
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: new device=11201
> 2017-02-08 12:24:58 scdaemon[27971] ccid open error: skip
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> ERR 100696144 Aucun
> périphérique de ce type
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- RESTART
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK

Can you confirm that:

 * disable-ccid is *not* set in scdaemon.conf
 * pcscd is purged
 * the same problem is present on 2.1.18-4 ?

Thanks,

  --dkg

Processed: Re: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Processing control commands:

> tags 854616 + moreinfo
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Added tag(s) moreinfo.

--
854616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Package: scdaemon
Version: 2.1.18-3
Severity: grave

In Bug#854005, I have described a distinct issue I have experienced with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to 2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.

I am not sure what exactly is going on here. What I know is that I was able to configure my Yubikey to work in Jessie with GnuPG using a procedure I have documented here:

https://anarc.at/blog/2015-12-14-yubikey-howto/

After installing a new workstation with Debian stretch, things were still working until the 2.1.18 release. The symptom is this:

[996]anarcat@curie:~$ LANG=C gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

At first, adding "disable-ccid" to scdaemon.conf fixes the issue. But after a while, the behavior returns. I have noticed that pcscd is gone when that happens.

After advice received in 854005, I have tried to uninstall pcscd to try and let scdaemon handle the device. This also fails.

Here's a trace of me purging pcscd, restarting gpg-agent and trying to connect to the card.

[1001]anarcat@curie:~$ sudo apt purge pcscd
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
  libccid
Veuillez utiliser « sudo apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
  pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 23 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [O/n]
(Lecture de la base de données... 291154 fichiers et répertoires déjà installés.)
Suppression de pcscd (1.8.20-1) ...
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
(Lecture de la base de données... 291142 fichiers et répertoires déjà installés.)
Purge des fichiers de configuration de pcscd (1.8.20-1) ...
Traitement des actions différées (« triggers ») pour systemd (232-15) ...
[master ab8bc2d] committing changes in /etc after apt run
 Author: Antoine Beaupré
 10 files changed, 155 deletions(-)
 delete mode 100755 init.d/pcscd
 delete mode 12 rc0.d/K01pcscd
 delete mode 12 rc1.d/K01pcscd
 delete mode 12 rc2.d/S01pcscd
 delete mode 12 rc3.d/S01pcscd
 delete mode 12 rc4.d/S01pcscd
 delete mode 12 rc5.d/S01pcscd
 delete mode 12 rc6.d/K01pcscd
 delete mode 12 systemd/system/sockets.target.wants/pcscd.socket
[1002]anarcat@curie:~$ systemctl --user stop gpg-agent
Warning: Stopping gpg-agent.service, but it can still be activated by:
  gpg-agent.socket
  gpg-agent-ssh.socket
  gpg-agent-extra.socket
  gpg-agent-browser.socket
[1003]anarcat@curie:~$ ps axf | grep gpg
27310 pts/4    S+     0:00  \_ grep gpg
[1004]anarcat@curie:~$ LANG=C gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

Here's the output proving gpg is stopped:

fév 08 12:22:09 curie systemd[1199]: Stopping GnuPG cryptographic agent and passphrase cache...
fév 08 12:22:09 curie systemd[1199]: Stopped GnuPG cryptographic agent and passphrase cache.
fév 08 12:22:09 curie gpg-agent[21736]: scdaemon[21738] SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: gpg-agent (GnuPG) 2.1.18scdaemon[21738] scdaemon (GnuPG) 2.1.18 stopped
fév 08 12:22:09 curie gpg-agent[21736]: stopped

Here's the error when i try to access the card then:

fév 08 12:24:20 curie systemd[1199]: Started GnuPG cryptographic agent and passphrase cache.
fév 08 12:24:20 curie gpg-agent[27960]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
fév 08 12:24:20 curie gpg-agent[27960]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
fév 08 12:24:20 curie gpg-agent[27960]: listening on: std=3 extra=5 browser=6 ssh=4
fév 08 12:24:20 curie gpg-agent[27960]: scdaemon[27962] ccid open error: skip

the scdaemon debug logs show this:

2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
2017-02-08 12:24:58