Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-09 Thread Antoine Beaupré
On 2017-02-09 06:38:18, NIIBE Yutaka wrote:
> Antoine Beaupré  writes:
>> This reminds me - it sure looks like pcscd was crashing back
>> there. Should I revert back to using pcscd to try and reproduce the
>> problem and file a pcscd bug about this?
>
> Yes.  I think that this is a different problem, and it's pcscd issue.

Okay then - I have reported this as a bug against the pcscd package
(#854703), hopefully it will get some traction there.

Do note that what is happening with pcscd is that it is exiting on its
own when I unplug the Yubikey:

fév 08 21:36:15 curie pcscd[15485]: 0008 winscard_svc.c:1034:MSGCleanupClient() Starting suicide alarm in 60 seconds

Maybe pcscd expects to be reactivated through the systemd socket instead
of just running forever? Does scdaemon talk to the right socket
(/var/run/pcscd/pcscd.comm, according to the systemd config file)?

Thanks for any information,

A.

-- 
If the image gives the illusion of knowing
It is because the adage claims that to believe,
All that matters is to see
- Lofofora



Bug#854616: [pkg-gnupg-maint] Bug#854616: Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Daniel Kahn Gillmor
On Wed 2017-02-08 16:15:21 -0500, NIIBE Yutaka wrote:
> No, this is not a hack.  This is a configuration needed.
>
> It seems for me that Yubico has been recommended use of PC/SC service.
> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.

Hi Gniibe--

Thanks for your work on sorting this out!  If there are patches that
should go into the scdaemon package for stretch, we should include,
hopefully soon!

If you want to roll a release of the gnupg2 package to update scdaemon,
that's fine with me.  Or if you'd rather push a series of patches to our
shared git repository on alioth for an extra pair of eyes, i'm happy to
review them when they're ready.

or, send patches upstream and post commit IDs here, or send a separate
patch to pkg-gnupg-maint, however you prefer :)

There are a few other udev rule updates that seem to be pending in
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=scdaemon;dist=unstable
and i think a patch (or series of patches) to include them all would be
completely reasonable to aim for inclusion with stretch.

Thanks for the smartcard wrangling!

   --dkg




Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Antoine Beaupré  writes:
> This reminds me - it sure looks like pcscd was crashing back
> there. Should I revert back to using pcscd to try and reproduce the
> problem and file a pcscd bug about this?

Yes.  I think that this is a different problem, and it's pcscd issue.
-- 



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Antoine Beaupré  writes:
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack.  This is a configuration needed.

This reminds me - it sure looks like pcscd was crashing back
there. Should I revert back to using pcscd to try and reproduce the
problem and file a pcscd bug about this?

A.

-- 
War is the massacre of men who do not know each other,
for the benefit of men who know each other but will not massacre each other.
- Paul Valéry



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-09 06:15:21, NIIBE Yutaka wrote:
> Thanks a lot for your confirmation.
>
> Antoine Beaupré  writes:
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack.  This is a configuration needed.

Sorry for my imprecise vocabulary. This is all very obscure to me, so
everything looks like a hack. :)

> It seems for me that Yubico has been recommended use of PC/SC service.

I don't know about this, but that's how I made it work the first time. I
took this document as a source for how to make it work:

https://blog.night-shade.org.uk/2015/04/ssh-support-in-gpg-agent-on-ubunt/

... which suggests installing pcscd.

> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.

Thanks for the clarification!

A.

-- 
Property is a trap: what we believe we possess possesses us.
- Alphonse Karr



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Thanks a lot for your confirmation.

Antoine Beaupré  writes:
>> If this works, the udev line should be included into scdaemon package in
>> future, so that each user doesn't need to configure.
>
> I confirm the udev hack works.

No, this is not a hack.  This is a configuration needed.

It seems for me that Yubico has been recommended use of PC/SC service.
Since no one has reported for use of internal CCID driver, there is no
entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.

Now, since it is confirmed, we should add an entry.
-- 



Processed: Re: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Debian Bug Tracking System
Processing control commands:

> tags 854616 -moreinfo +patch
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Removed tag(s) moreinfo.
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Added tag(s) patch.

-- 
854616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
On 2017-02-08 15:17:20, Daniel Kahn Gillmor wrote:
> Can you confirm that:
>
>  * disable-ccid is *not* set in scdaemon.conf

confirmed.

>  * pcscd is purged

confirmed.

>  * the same problem is present on 2.1.18-4 ?

confirmed.

pardon my french:

root@curie:/home/anarcat# apt install scdaemon/unstable gnupg-agent/unstable gpgsm/unstable
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « scdaemon »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg-agent »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « dirmngr » à cause de « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg » à cause de « dirmngr »
Version choisie « 2.1.18-4 » (Debian:unstable [all]) pour « gnupg-l10n » à cause de « gnupg »
The following additional packages will be installed:
  dirmngr gnupg
Paquets suggérés :
  parcimonie xloadimage
Paquets recommandés :
  gnupg-l10n
Les paquets suivants seront mis à jour :
  dirmngr gnupg gnupg-agent gpgsm scdaemon
5 mis à jour, 0 nouvellement installés, 0 à enlever et 36 non mis à jour.
Il est nécessaire de prendre 3 252 ko dans les archives.
Après cette opération, 0 o d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] 
Réception de:2 http://debian.mirror.constant.com/debian sid/main amd64 gnupg amd64 2.1.18-4 [1 126 kB]
Réception de:3 http://mirrors.cat.pdx.edu/debian sid/main amd64 scdaemon amd64 2.1.18-4 [476 kB]
Réception de:4 http://debian.mirror.constant.com/debian sid/main amd64 gpgsm amd64 2.1.18-4 [502 kB]
Réception de:1 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 dirmngr amd64 2.1.18-4 [595 kB]
Réception de:5 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 gnupg-agent amd64 2.1.18-4 [554 kB]
3 252 ko réceptionnés en 2s (1 294 ko/s)
[master 95fac63] saving uncommitted changes in /etc prior to apt run
 Author: Antoine Beaupré 
 1 file changed, 1 insertion(+), 1 deletion(-)
Récupération des rapports de bogue… Fait
Analyse des informations Trouvé/Corrigé… Fait
Lecture des fichiers de modifications (« changelog »)... Terminé
(Lecture de la base de données... 291155 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../dirmngr_2.1.18-4_amd64.deb ...
Dépaquetage de dirmngr (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../scdaemon_2.1.18-4_amd64.deb ...
Dépaquetage de scdaemon (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gpgsm_2.1.18-4_amd64.deb ...
Dépaquetage de gpgsm (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg-agent_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg-agent (2.1.18-4) sur (2.1.18-3) ...
Traitement des actions différées (« triggers ») pour install-info (6.3.0.dfsg.1-1+b1) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
Paramétrage de gnupg-agent (2.1.18-4) ...
Paramétrage de dirmngr (2.1.18-4) ...
Paramétrage de gnupg (2.1.18-4) ...
Paramétrage de scdaemon (2.1.18-4) ...
Paramétrage de gpgsm (2.1.18-4) ...
Scanning processes...   


Scanning candidates...  


Scanning linux images...


Running kernel seems to be up-to-date.
Restarting services...
Services being skipped:
 systemctl restart NetworkManager.service
 /etc/needrestart/restart.d/dbus.service
 systemctl restart lightdm.service
 systemctl restart systemd-journald.service
 systemctl restart systemd-logind.service
 systemctl restart wpa_supplicant.service
No containers need to be restarted.
User sessions running outdated binaries:
 anarcat @ session #2: emacs[1497], firefox.real[2085], pulseaudio[1306], xmonad-x86_64-l[1215]
 anarcat @ user manager service: at-spi-bus-laun[1291], gpg-agent[28488], systemd[1199]
root@curie:/home/anarcat# apt purge pcscd
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
  libccid
Veuillez utiliser « apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
  pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 36 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.

Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupré
Control: tags 854616 -moreinfo +patch

On 2017-02-09 05:33:38, NIIBE Yutaka wrote:
> Hello,
>
> Thank you for reporting in detail.

[...]

> If this works, the udev line should be included into scdaemon package in
> future, so that each user doesn't need to configure.

I confirm the udev hack works.

Thanks!

A.

-- 
Black must be respected. Nothing prostitutes it. It is an agent of
the mind far more than the beautiful colour of the palette or the prism.
- Odilon Redon



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread NIIBE Yutaka
Hello,

Thank you for reporting in detail.

Antoine Beaupre  wrote:
> In Bug#854005, I have described a distinct issue I have experienced
> with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
> 2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.
[...]
> anything i can do to improve debugging here? note that I don't *need*
> pcscd at all. i don't actually know what it is or what it's for. just
> want this yubikey to work reliably. :)

While I don't know about pcscd crash, I explain how to use card reader /
token with internal ccid driver of GnuPG.

You need a configuration file to allow USB access by user, when you use
internal ccid driver of GnuPG.

Please create a file /etc/udev/rules.d/yubikey-neo-otp-ccid.rules
with the content of:

# /etc/udev/rules.d/yubikey-neo-otp-ccid.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"


And please add yourself as a group member of "plugdev".

In my case, I have this line in /etc/group:

plugdev:x:46:gniibe

If this works, the udev line should be included into scdaemon package in
future, so that each user doesn't need to configure.
-- 
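
Added example (not part of the original message, and not code from the scdaemon package): a small Python check for the two conditions described above, a udev rule matching the token's USB ID and membership in the group that rule names. The sample rules text, the ffff:* IDs, the function names and the default node ownership (root:root, mode 0664) are assumptions made for illustration; rules are assumed to sit on one line each.

```python
import re

# Constructed sample: the first rule is the one quoted in the message above;
# the other two use made-up IDs (ffff:*) to exercise the checks.
SAMPLE_RULES = '''\
# constructed sample, not the packaged 60-scdaemon.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"
ATTRS{idVendor}=="ffff", ATTRS{idProduct}=="0001", MODE="666"
ATTR{idVendor}=="ffff", ATTR{idProduct}=="0002", MODE="640", GROUP="plugdev"
'''

# Assumption: without a matching rule the USB node is root:root, mode 0664.
DEFAULT_MODE, DEFAULT_GROUP = "0664", "root"

TOKEN = re.compile(r'([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split one rule line into match keys (==) and assignment keys (=, :=, +=)."""
    matches, assigns = {}, {}
    for key, op, value in TOKEN.findall(line):
        if op == "==":
            matches[key] = value
        elif op != "!=":
            assigns[key] = value
    return matches, assigns

def effective_settings(rules_text, vendor, product):
    """Merge assignments of all rules matching vendor:product; None if no rule."""
    merged, found = {}, False
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = parse_rule(line)
        vid = matches.get("ATTRS{idVendor}", matches.get("ATTR{idVendor}", ""))
        pid = matches.get("ATTRS{idProduct}", matches.get("ATTR{idProduct}", ""))
        if (vid.lower(), pid.lower()) == (vendor.lower(), product.lower()):
            merged.update(assigns)   # later rules override earlier ones
            found = True
    return merged if found else None

def audit(rules_text, vendor, product, user_groups):
    """Classify whether a non-root user in user_groups can open the device."""
    settings = effective_settings(rules_text, vendor, product)
    if settings is None:
        return "no-rule"             # node keeps the assumed root-only write access
    mode = int(settings.get("MODE", DEFAULT_MODE), 8)
    group = settings.get("GROUP", DEFAULT_GROUP)
    if mode & 0o002:
        return "world-writable"      # every local account gets raw access to the token
    if not mode & 0o020:
        return "group-not-writable"
    if group not in user_groups:
        return "not-in-group"
    return "ok"
```

To run it against a real system, pass the contents of the rules file and the output of `id -Gn` split into a set.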



Bug#854616: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Daniel Kahn Gillmor
Control: tags 854616 + moreinfo

Hi Anarcat--

thanks for all this documentation on #854616.  I'd like to try to
differentiate this report from #854005.

#854005 is about problems with smartcards more generally.

The new bug, #845616, should be focused specifically on the use case
where pcscd is *not* involved (not even installed on the system), and
disable-ccid is *not* set in scdaemon.conf.

On Wed 2017-02-08 12:35:36 -0500, Antoine Beaupre wrote:

> [1004]anarcat@curie:~$ LANG=C gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
[…]
> the scdaemon debug logs show this:
>
> 2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'
> 2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- OPTION event-signal=12
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO version
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D 2.1.18
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- SERIALNO openpgp
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: BAI=11201
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: new device=11201
> 2017-02-08 12:24:58 scdaemon[27971] ccid open error: skip
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> ERR 100696144 Aucun périphérique de ce type
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- RESTART
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK

Can you confirm that:

 * disable-ccid is *not* set in scdaemon.conf
 * pcscd is purged
 * the same problem is present on 2.1.18-4 ?


Thanks,

--dkg




Processed: Re: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Debian Bug Tracking System
Processing control commands:

> tags 854616 + moreinfo
Bug #854616 [scdaemon] scdaemon cannot access yubikey using ccid driver without pcscd
Added tag(s) moreinfo.

-- 
854616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd

2017-02-08 Thread Antoine Beaupre
Package: scdaemon
Version: 2.1.18-3
Severity: grave

In Bug#854005, I have described a distinct issue I have experienced
with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.

I am not sure what exactly is going on here. What I know is that I was
able to configure my Yubikey to work in Jessie with GnuPG using a
procedure I have documented here:

https://anarc.at/blog/2015-12-14-yubikey-howto/

After installing a new workstation with Debian stretch, things were
still working until the 2.1.18 release.

The symptom is this:

[996]anarcat@curie:~$ LANG=C gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

At first, adding "disable-ccid" to scdaemon.conf fixes the issue. But
after a while, the behavior returns.

I have noticed that pcscd is gone when that happens. After advice
received in 854005, I have tried to uninstall pcscd to try and let
scdaemon handle the device. This also fails. Here's a trace of me
purging pcscd, restarting gpg-agent and trying to connect to the card.

[1001]anarcat@curie:~$ sudo apt purge pcscd
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
  libccid
Veuillez utiliser « sudo apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
  pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 23 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [O/n] 
(Lecture de la base de données... 291154 fichiers et répertoires déjà installés.)
Suppression de pcscd (1.8.20-1) ...
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
(Lecture de la base de données... 291142 fichiers et répertoires déjà installés.)
Purge des fichiers de configuration de pcscd (1.8.20-1) ...
Traitement des actions différées (« triggers ») pour systemd (232-15) ...
[master ab8bc2d] committing changes in /etc after apt run
 Author: Antoine Beaupré 
 10 files changed, 155 deletions(-)
 delete mode 100755 init.d/pcscd
 delete mode 12 rc0.d/K01pcscd
 delete mode 12 rc1.d/K01pcscd
 delete mode 12 rc2.d/S01pcscd
 delete mode 12 rc3.d/S01pcscd
 delete mode 12 rc4.d/S01pcscd
 delete mode 12 rc5.d/S01pcscd
 delete mode 12 rc6.d/K01pcscd
 delete mode 12 systemd/system/sockets.target.wants/pcscd.socket
[1002]anarcat@curie:~$ systemctl --user stop gpg-agent
Warning: Stopping gpg-agent.service, but it can still be activated by:
  gpg-agent.socket
  gpg-agent-ssh.socket
  gpg-agent-extra.socket
  gpg-agent-browser.socket
[1003]anarcat@curie:~$ ps axf | grep gpg
27310 pts/4S+ 0:00  \_ grep gpg
[1004]anarcat@curie:~$ LANG=C gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

Here's the output proving gpg is stopped:

fév 08 12:22:09 curie systemd[1199]: Stopping GnuPG cryptographic agent and passphrase cache...
fév 08 12:22:09 curie systemd[1199]: Stopped GnuPG cryptographic agent and passphrase cache.
fév 08 12:22:09 curie gpg-agent[21736]: scdaemon[21738] SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: gpg-agent (GnuPG) 2.1.18scdaemon[21738] scdaemon (GnuPG) 2.1.18 stopped
fév 08 12:22:09 curie gpg-agent[21736]:  stopped

Here's the error when i try to access the card then:

fév 08 12:24:20 curie systemd[1199]: Started GnuPG cryptographic agent and passphrase cache.
fév 08 12:24:20 curie gpg-agent[27960]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
fév 08 12:24:20 curie gpg-agent[27960]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
fév 08 12:24:20 curie gpg-agent[27960]: listening on: std=3 extra=5 browser=6 ssh=4
fév 08 12:24:20 curie gpg-agent[27960]: scdaemon[27962] ccid open error: skip

the scdaemon debug logs show this:

2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
2017-02-08 12:24:58