Re: Card only available to root user
Hi Olav!

On 30.11.2011 05:06, Olav Seyfarth wrote:
> Hi anonymous "Crypto Stick" and OpenPGP card users on Linux,
>
>> You need an appropriate UDEV rule. On Debian you can install...
>
> Thanks for that link!
> Will the package find its way to the official debian repositories?

I hope so. I submitted a bug report and am waiting for the package maintainer
to integrate it. See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648332

Regards,
Jan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Wed, 30 Nov 2011 22:27, o...@enigmail.net said:

> And: I can access --card-status as root, just not as user ...

Set up your udev rules or whatever is used on your system to setup
correct permissions for the USB device.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
Hi Werner,

> Omnikey based devices don't work with the v2 card on non-Unix platforms.

that should be mentioned in the SmartCard HowTo then.

And: I can access --card-status as root, just not as user ...

Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Re: Card only available to root user
On Tue, 29 Nov 2011 22:06, o...@enigmail.net said:

> events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
> supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)

Omnikey based devices don't work with the v2 card on non-Unix platforms.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On Tue, Nov 29, 2011 at 10:06:45PM +0100, Olav Seyfarth wrote:
> It seems the above files don't solve my problem since they all trigger on USB
> events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
> supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)
> seems to be PCI based:
>
> lsusb doesn't list it, lspci lists
> | 02:04.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev b6)
> and lspcmcia yields
> | Socket 0 Bridge:   [yenta_cardbus] (bus ID: :02:04.0)
> | Socket 0 Device 0: [cm4040_cs]     (bus ID: 0.0)
>
> And I don't know where to look how to compile my own rules for cm4040_cs.
> Any help appreciated.

I haven't used this reader for years. But back then this udev rule worked
for me:

ACTION=="add", SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"

IIRC the cs4040 created its own device entry /dev/cmx (or something similar)

Michel
Re: Card only available to root user
Hi anonymous "Crypto Stick" and OpenPGP card users on Linux,

> You need an appropriate UDEV rule. On Debian you can install...

Thanks for that link!
Will the package find its way to the official debian repositories?

// Historical side note: Once Linux was famous to auto-detect all necessary
// drivers automatically while DOS/Windows did not. Today, it seems, the
// situation has switched.

> Alternatively / on other systems you might copy the following UDEV rule...

Oh, I did not know of that, too, thanks.

I also have a CryptoStick but prefer to use my Card since it may remain while
transporting the laptop. (No, I am not concerned that anyone could steal it
since I'd know it immediately and revoke.)

After using debian (and sometimes Ubuntu) I thought I'd give Fedora 16 a try.
I was thrilled to see that the fingerprint sensor was supported automatically
but still using OpenPGP SmartCard requires quite some manual tweaking :-(

I looked on the GnuPG homepage first but the HowTo at
http://www.gnupg.org/howtos/card-howto/en/ch02s03.html#id2519429
has broken/missing links for the two files gnupg-ccid.rules and gnupg-ccid.

I finally found the FSFE HowTo and tried the files from there
https://wiki.fsfe.org/Card_howtos/Card_reader_setup_(udev)

My user is a member of the scard group. Yet I still have the same issue as
Luis - access as root OK but not as user (gpg output translated from German):

| $ gpg --card-status
| gpg: pcsc_establish_context failed: no service (0x8010001d)
| gpg: card reader not present
| gpg: OpenPGP card not present: General error
|
| # gpg --card-status
| Application ID ...: D2760001240102050222
| Version ..........: 2.0
| Manufacturer .....: ZeitControl
| [...]

It seems the above files don't solve my problem since they all trigger on USB
events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)
seems to be PCI based:

lsusb doesn't list it, lspci lists
| 02:04.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev b6)
and lspcmcia yields
| Socket 0 Bridge:   [yenta_cardbus] (bus ID: :02:04.0)
| Socket 0 Device 0: [cm4040_cs]     (bus ID: 0.0)

And I don't know where to look how to compile my own rules for cm4040_cs.
Any help appreciated.

Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Re: Card only available to root user
Hi Luis,

sorry for the late reply.

You need an appropriate UDEV rule. On Debian you can install the following
package:
https://www.assembla.com/spaces/cryptostick/documents/ds_EMCisGr4k7QeJe5cbCb/download/ds_EMCisGr4k7QeJe5cbCb

Alternatively and on other systems you might copy the following UDEV rule to
the directory /etc/udev/rules.d
https://www.privacyfoundation.de/wiki/CryptoStickSoftware?action=AttachFile&do=view&target=40-cryptostick.rules

On 05.08.2011 05:49, Luis de Bethencourt wrote:
> On Thu, Aug 04, 2011 at 11:25:36PM +0200, Luis de Bethencourt wrote:
>> Hi everybody and thanks for the help.
>>
>> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
>>
>> I can get/set the information of the card through the root user, but this is
>> not good for everyday use. I think I have pinpointed the problem, scdaemon
>> in my machine doesn't like anybody but root.
>>
>> Here is a paste of a few commands to show the problem:
>>
>> luisbg@atlas ~ $ gpg --card-status
>> gpg: selecting openpgp failed: Unsupported certificate
>> gpg: OpenPGP card not available: Unsupported certificate
>>
>> luisbg@atlas ~ $ sudo gpg --card-status
>> scdaemon[31077]: reading public key failed: Missing item in object
>> scdaemon[31077]: reading public key failed: Missing item in object
>> Application ID ...: D2760001240102050CC9
>> Version ..........: 2.0
>> Manufacturer .....: ZeitControl
>> Serial number ....: 0CC9
>> Name of cardholder: Luis de Bethencourt
>> Language prefs ...: en
>> Sex ..............: male
>> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
>> Login data .......: luisbg
>> Signature PIN ....: not forced
>> Key attributes ...: 2048R 2048R 2048R
>> Max. PIN lengths .: 32 32 32
>> PIN retry counter : 3 0 3
>> Signature counter : 2
>> Signature key ....: 3F4A 28A6 568A CD30 480A F9EB 6BBF 9F19 873B 518D
>>       created ....: 2011-07-26 12:22:00
>> Encryption key....: [none]
>> Authentication key: [none]
>> General key info..: [none]
>> scdaemon[31077]: updating slot 0 status: 0x->0x0007 (0->1)
>>
>> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
>> OK Pleased to meet you
>> SCD LEARN
>> S SERIALNO D2760001240102050CC9 0
>> INQUIRE KNOWNCARDP D2760001240102050CC9 0
>> scdaemon[31088]: updating slot 0 status: 0x->0x0007 (0->1)
>>
>>
>> Notice how I can check the status as root, and do SCD Learn as my user. But
>> not check the status as my user (or sign my mails, which is the main
>> problem). Also pcsc_scan works with my user, it shows the Serial number of
>> the card.
>>
>> If it helps, I'm running gentoo with:
>> gpg (GnuPG) 2.0.17
>> scdaemon (GnuPG) 2.0.17
>> pcsc-lite version 1.7.2
>> gpg-agent (GnuPG) 2.0.17
>>
>> luisbg@atlas ~ $ gpgconf
>> gpg:GPG for OpenPGP:/usr/bin/gpg2
>> gpg-agent:GPG Agent:/usr/bin/gpg-agent
>> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
>> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
>> dirmngr:Directory Manager:/usr/bin/dirmngr
>>
>>
>> Thanks a million for the help,
>> Luis
>
>
> By the way, I should mention I have replicated this issue in my two
> gentoo-based machines.
>
> But then got the card and reader working very easily in an other machine
> which runs debian. So the hardware is OK. Unfortunately for this case, my
> laptop is one of the gentoo machines, and that is the machine I will make
> more use of the card.
>
> Thanks,
> Luis
Re: Card only available to root user
On Mon, Aug 08, 2011 at 07:57:44PM +0200, Werner Koch wrote:
> On Mon, 8 Aug 2011 18:05, l...@debethencourt.com said:
>
>> this is very strange, that shows it as 2.0.17, but it still says that
>> 'getinfo version' is not implemented.
>
> One of these GNOME tools is intercepting the connection and acts as a
> MITM between gpg-connect-agent and gpg-agent.
>
> Check the owner of the socket described by $GPG_AGENT_INFO and if used
> the socket ~/.gnupg/S.gpg-agent .
>

So it looks like GNOME's ssh-agent is interfering. How can I avoid this?

Thanks,
Luis

> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On Mon, 8 Aug 2011 18:05, l...@debethencourt.com said:

> this is very strange, that shows it as 2.0.17, but it still says that
> 'getinfo version' is not implemented.

One of these GNOME tools is intercepting the connection and acts as a
MITM between gpg-connect-agent and gpg-agent.

Check the owner of the socket described by $GPG_AGENT_INFO and if used
the socket ~/.gnupg/S.gpg-agent .

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
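The two checks Werner suggests here and in his earlier "ERR 100 not implemented" message below can be scripted. The following is an added example, my own code and not from Werner's messages or from GnuPG: it splits GPG_AGENT_INFO, reports who owns the socket and how it is protected, and classifies the first line that `gpg-connect-agent 'getinfo version' /bye` returns. Assumptions: GnuPG 2.0's "SOCKET:PID:PROTOCOL" layout for GPG_AGENT_INFO, a genuine agent answering "D <version>" before "OK", and GNU coreutils `stat -c` (BSD/macOS stat uses -f).

```shell
#!/bin/sh
# Added example for this thread: find out who is really answering on the
# gpg-agent socket. Not code from the original posts or from GnuPG.
# Assumptions: GnuPG 2.0 GPG_AGENT_INFO layout "SOCKET:PID:PROTOCOL", the
# "D <version>" reply shape of `getinfo version`, and GNU `stat -c`.

# Split GPG_AGENT_INFO into "socket pid protocol". Paths containing ':' or
# whitespace are not handled; GnuPG itself splits on ':' the same way.
parse_agent_info() {
  info=$1
  sock=${info%%:*}
  rest=${info#*:}
  printf '%s %s %s\n' "$sock" "${rest%%:*}" "${rest#*:}"
}

# One-word verdict on a socket path, checked in the order that matters:
#   missing        nothing there (agent not started, or a stale variable)
#   foreign-owner  owned by another uid, e.g. an agent started as root or a
#                  wrapper you did not start; that is what clients will reach
#   loose-mode     group/other bits set; gpg-agent creates its socket 0600
#   not-a-socket   a plain file or directory left behind under that name
#   ok             unix socket, owned by you, no group/other access
socket_verdict() {
  p=$1
  [ -e "$p" ] || { echo missing; return 0; }
  [ "$(stat -c %u "$p")" = "$(id -u)" ] || { echo foreign-owner; return 0; }
  case $(stat -c %a "$p") in
    *00) ;;                          # 600, 0600, 700: no group/other bits
    *) echo loose-mode; return 0 ;;
  esac
  [ -S "$p" ] || { echo not-a-socket; return 0; }
  echo ok
}

# Classify the first line printed by `gpg-connect-agent 'getinfo version' /bye`.
# "ERR 100 not implemented" is the case discussed in this thread: an agent
# older than 2.0.5, or something else sitting on the socket.
classify_agent_reply() {
  case $1 in
    "D "*)      echo "gpg-agent ${1#"D "}" ;;
    "ERR 100"*) echo "impostor-or-ancient" ;;
    ERR*)       echo "error: $1" ;;
    *)          echo "unexpected: $1" ;;
  esac
}

# Run the checks against the live environment (needs a running gpg-agent;
# not exercised offline). Falls back to the standard socket name Werner
# mentions when GPG_AGENT_INFO is unset.
check_live_agent() {
  info=${GPG_AGENT_INFO:-"$HOME/.gnupg/S.gpg-agent:0:1"}
  set -- $(parse_agent_info "$info")
  echo "socket $1 (pid $2, protocol $3): $(socket_verdict "$1")"
  reply=$(gpg-connect-agent 'getinfo version' /bye 2>/dev/null | head -n 1)
  echo "agent: $(classify_agent_reply "$reply")"
}
```

Run `check_live_agent` once as the unprivileged user and once under `sudo`: a "foreign-owner" verdict or an "impostor-or-ancient" reply in the user session is the situation described in this message, and the owning uid tells you which process to stop.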
Re: Card only available to root user
On Mon, Aug 08, 2011 at 09:38:49AM +0200, Werner Koch wrote:
> On Sat, 6 Aug 2011 19:46, l...@debethencourt.com said:
>
>> gpg-connect-agent 'getinfo version' /bye
>> ERR 100 not implemented
>
> You are running a *very* old version of gpg-agent (< 2.0.5) - or
> something hijacked the connection to gpg-agent (seahorse?
> gnome-keyring?)
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
>

luisbg@atlas ~ $ gpg-connect-agent --version
gpg-connect-agent (GnuPG) 2.0.17

this is very strange, that shows it as 2.0.17, but it still says that
'getinfo version' is not implemented. :S

Luis
Re: Card only available to root user
On Sat, 6 Aug 2011 19:46, l...@debethencourt.com said:

> gpg-connect-agent 'getinfo version' /bye
> ERR 100 not implemented

You are running a *very* old version of gpg-agent (< 2.0.5) - or
something hijacked the connection to gpg-agent (seahorse?
gnome-keyring?)

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On 06/08/11 19:50, Luis de Bethencourt wrote:
> Thanks for that information! I agree with you that if could also have a similar
> ACL in my gentoo machine it would work. Where is this set?

Unfortunately, I don't know much, hardly anything, about ConsoleKit and friends.
I suppose it is related to the following snippets out of the following files:

/lib/udev/rules.d/60-gnupg.rules:

ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1",\
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

/lib/udev/rules.d/70-acl.rules:

# smart-card readers
ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"

[...]

# apply ACL for all locally logged in users
TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

Here I picked a somewhat random vendor/product-id that is matched in the first
file. You might need a lot more configuration to get it working, I don't know.

By the way, I added the \ in the snippet from the first file, but not in the
second; that one was already there.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
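Taking Peter's snippets (and Michel's GROUP/MODE rule further up the page) one step further, here is an added example, my own code rather than anything from the thread, from GnuPG or from the udev package. It turns an `lsusb` line into the /dev/bus/usb node that Luis was inspecting and into one rules.d line that combines the fixed-group approach with the udev-acl tag. The `lsusb` sample is constructed; that 04e6:5115 (the ID in Peter's 60-gnupg.rules snippet) is the SCR 335 is an assumption.

```shell
#!/bin/sh
# Added example for this thread: derive the udev rule for a USB smart-card
# reader from `lsusb` output. Not code from the original posts or from GnuPG.
# lsusb line format assumed: "Bus 004 Device 012: ID 04e6:5115 SCM ... SCR 335"

# Print the /dev/bus/usb/BBB/DDD node for the first lsusb line matching $1.
# That node is the file whose mode/owner/ACL decides whether pcscd or the
# scdaemon-internal CCID driver can open the reader as an ordinary user.
usb_reader_node() {
  awk -v pat="$1" '$0 ~ pat { printf "/dev/bus/usb/%s/%s\n", $2, substr($4, 1, 3); exit }'
}

# Print the vvvv:pppp pair for the first lsusb line matching $1.
usb_reader_ids() {
  awk -v pat="$1" '$0 ~ pat { print $6; exit }'
}

# Emit one rules.d line. $1 = vvvv:pppp, $2 = group allowed to use the reader.
# GROUP/MODE give fixed group access (the scard/pcscd group approach);
# TAG+="udev-acl" additionally lets udev-acl/ConsoleKit add the console user
# to the node's ACL, which is where the "+" in Luis's Debian `ls -l` comes from.
reader_rule() {
  ids=$1 group=$2
  vid=${ids%%:*} pid=${ids#*:}
  for x in "$vid" "$pid"; do
    case $x in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
      *) echo "reader_rule: bad USB id '$ids' (want vvvv:pppp, lowercase hex)" >&2; return 1 ;;
    esac
  done
  printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GROUP="%s", MODE="0660", TAG+="udev-acl"\n' \
    "$vid" "$pid" "$group"
}

# Glue: lsusb on stdin, reader name pattern in $1, group in $2.
rule_for_reader() {
  ids=$(usb_reader_ids "$1")
  [ -n "$ids" ] || { echo "rule_for_reader: no lsusb line matches '$1'" >&2; return 1; }
  reader_rule "$ids" "$2"
}

# Constructed lsusb output for the demo. The 04e6:5115 ID is the one from the
# 60-gnupg.rules snippet above; that it belongs to the SCR 335 is an assumption.
LSUSB_SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 012: ID 04e6:5115 SCM Microsystems, Inc. SCR 335'
```

On a live box: `lsusb | rule_for_reader 'SCR 335' scard > /etc/udev/rules.d/60-scard.rules`, then `udevadm control --reload-rules`, replug the reader, and compare `ls -l` on the node printed by `lsusb | usb_reader_node 'SCR 335'` with what your user is a member of. A rule that only sets GROUP is useless if your login session has not picked up the new group yet, so check `id -Gn` in the shell you test from.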
Re: Card only available to root user
On Fri, Aug 05, 2011 at 10:59:28AM +0200, Peter Lebbing wrote:
> On 05/08/11 03:02, Luis de Bethencourt wrote:
>> device in debian:
>> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
>>
>> device in gentoo:
>> crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012
>>
>> my user is part of the pcscd group. I just checked.
>
> Look closely at the permissions for Debian. It has a plus-sign. This means there
> is an ACL. Probably ConsoleKit is adding you to the ACL when you log in.
>
> You can get the ACL with getfacl. Here is the output from my box:
>
> peter@tweek:~$ getfacl /dev/bus/usb/008/004
> getfacl: Removing leading '/' from absolute path names
> # file: dev/bus/usb/008/004
> # owner: root
> # group: pcscd
> user::rw-
> user:peter:rw-
> group::rw-
> mask::rw-
> other::r--
>
> Note how user peter has read/write as well.
>
> However, I've been fighting with access rights to the cardreader as well, so
> please don't take this as correct. In fact, the whole pcscd group business
> stopped working for me at some point, oddly enough. Some Debian update
> conflicted with my own tinkering in udev.
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Thanks for that information! I agree with you that if could also have a similar
ACL in my gentoo machine it would work. Where is this set?

Unfortunately I don't have access to the debian machine until next week, I'm at
the Desktop Summit in Berlin. Ohh... if anyone is around I would be happy to
meet them and sign their key :)

Thanks,
Luis
Re: Card only available to root user
On Fri, Aug 05, 2011 at 11:00:26AM +0200, Werner Koch wrote:
> On Fri, 5 Aug 2011 10:31, l...@debethencourt.com said:
>
>> Missed this question the first time around...
>> It is a SCM Microsystems SCR 335
>
> Well that one works. It even works fine with the scdaemon internal
> driver, thus try after stopping pcscd.
>
>>> When I do it as you say I get:
>>> gpg-connect-agent 'scd learn --force' /bye
>>> ERR 103 unknown command
>>>
>>> I always get that 'unknown command' error in all the variations you
>>> explained.
>
> Please run
>
> gpg-connect-agent 'getinfo version' /bye

gpg-connect-agent 'getinfo version' /bye
ERR 100 not implemented

> and
>
> gpg-connect-agent 'scd getinfo version' /bye

gpg-connect-agent 'scd getinfo version' /bye
ERR 103 unknown command

:S

>> I've created this conf file both in my home and root's.
>
> Well under ~/.gnupg/ of course.
>
>> When I run gpg --card-status as my user, there is no file created.
>
> Is this really gpg2 (check using gpg --version).

gpg --version
gpg (GnuPG) 2.0.17

>> But when I run it in root it does create this file.
>
> That smells like a file permission problem.

Both the user and root have access to where the log file should be dropped.

By the way, since I'm not using a ccid script in /dev/ for the reader, where
are the permissions of the device set? I see that the device is owned by root
and group pcscd. Where could I change this?

Thanks,
Luis

>> Is this confirmation that when running as root scdaemon is being spawned
>> but when running as user it can't use scdaemon?
>
> No.
>
>> I can paste the content of that log file if you want it. Asking before doing
>> so since it's a bit lengthy.
>
> Please send by private mail. Note that this may reveal PINs if you
> entered one.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On Thu, Aug 04, 2011 at 11:25:36PM +0200, Luis de Bethencourt wrote:
> Hi everybody and thanks for the help.
>
> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
>
> I can get/set the information of the card through the root user, but this is
> not good for everyday use. I think I have pinpointed the problem, scdaemon
> in my machine doesn't like anybody but root.
>
> Here is a paste of a few commands to show the problem:
>
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate
>
> luisbg@atlas ~ $ sudo gpg --card-status
> scdaemon[31077]: reading public key failed: Missing item in object
> scdaemon[31077]: reading public key failed: Missing item in object
> Application ID ...: D2760001240102050CC9
> Version ..........: 2.0
> Manufacturer .....: ZeitControl
> Serial number ....: 0CC9
> Name of cardholder: Luis de Bethencourt
> Language prefs ...: en
> Sex ..............: male
> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
> Login data .......: luisbg
> Signature PIN ....: not forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 2
> Signature key ....: 3F4A 28A6 568A CD30 480A F9EB 6BBF 9F19 873B 518D
>       created ....: 2011-07-26 12:22:00
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: [none]
> scdaemon[31077]: updating slot 0 status: 0x->0x0007 (0->1)
>
> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> OK Pleased to meet you
> SCD LEARN
> S SERIALNO D2760001240102050CC9 0
> INQUIRE KNOWNCARDP D2760001240102050CC9 0
> scdaemon[31088]: updating slot 0 status: 0x->0x0007 (0->1)
>
>
> Notice how I can check the status as root, and do SCD Learn as my user. But
> not check the status as my user (or sign my mails, which is the main
> problem). Also pcsc_scan works with my user, it shows the Serial number of
> the card.
>
> If it helps, I'm running gentoo with:
> gpg (GnuPG) 2.0.17
> scdaemon (GnuPG) 2.0.17
> pcsc-lite version 1.7.2
> gpg-agent (GnuPG) 2.0.17
>
> luisbg@atlas ~ $ gpgconf
> gpg:GPG for OpenPGP:/usr/bin/gpg2
> gpg-agent:GPG Agent:/usr/bin/gpg-agent
> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
> dirmngr:Directory Manager:/usr/bin/dirmngr
>
>
> Thanks a million for the help,
> Luis

By the way, I should mention I have replicated this issue in my two
gentoo-based machines.

But then got the card and reader working very easily in an other machine which
runs debian. So the hardware is OK. Unfortunately for this case, my laptop is
one of the gentoo machines, and that is the machine I will make more use of
the card.

Thanks,
Luis
Re: Card only available to root user
On Fri, 5 Aug 2011 10:31, l...@debethencourt.com said:

> Missed this question the first time around...
> It is a SCM Microsystems SCR 335

Well that one works. It even works fine with the scdaemon internal
driver, thus try after stopping pcscd.

>> When I do it as you say I get:
>> gpg-connect-agent 'scd learn --force' /bye
>> ERR 103 unknown command
>>
>> I always get that 'unknown command' error in all the variations you explained.

Please run

  gpg-connect-agent 'getinfo version' /bye

and

  gpg-connect-agent 'scd getinfo version' /bye

> I've created this conf file both in my home and root's.

Well under ~/.gnupg/ of course.

> When I run gpg --card-status as my user, there is no file created.

Is this really gpg2 (check using gpg --version).

> But when I run it in root it does create this file.

That smells like a file permission problem.

> Is this confirmation that when running as root scdaemon is being spawned
> but when running as user it can't use scdaemon?

No.

> I can paste the content of that log file if you want it. Asking before doing
> so since it's a bit lengthy.

Please send by private mail. Note that this may reveal PINs if you
entered one.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On 05/08/11 03:02, Luis de Bethencourt wrote:
> device in debian:
> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
>
> device in gentoo:
> crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012
>
> my user is part of the pcscd group. I just checked.

Look closely at the permissions for Debian. It has a plus-sign. This means there
is an ACL. Probably ConsoleKit is adding you to the ACL when you log in.

You can get the ACL with getfacl. Here is the output from my box:

peter@tweek:~$ getfacl /dev/bus/usb/008/004
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--

Note how user peter has read/write as well.

However, I've been fighting with access rights to the cardreader as well, so
please don't take this as correct. In fact, the whole pcscd group business
stopped working for me at some point, oddly enough. Some Debian update
conflicted with my own tinkering in udev.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
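Peter's reading of the "+" is right, and the detail worth making precise is the mask line: a named-user entry such as user:peter:rw- only grants what mask:: allows, while the owner and other entries are never masked. The following is an added example, my own shell/awk code and not from the thread, from GnuPG or from the acl package; it applies the POSIX ACL access algorithm (owner, then named user, then the union of matching group entries, then other, with the mask applied to the middle two) to `getfacl` output. The sample input is Peter's output from this message, and it also serves the udev-acl snippet quoted further up the page.

```shell
#!/bin/sh
# Added example for this thread: compute a user's effective access to a device
# node from `getfacl` output, applying the POSIX ACL mask the way the kernel
# does. Not code from the original posts, from GnuPG or from the acl package.

# effective_access USER "GROUP1 GROUP2 ..." < getfacl-output
# Prints the effective rwx triple for USER, e.g. "rw-" or "r--".
effective_access() {
  awk -v user="$1" -v groups="$2" '
    function perm_and(a, b,    i, r, ca, cb) {      # bitwise AND of two triples
      r = ""
      for (i = 1; i <= 3; i++) {
        ca = substr(a, i, 1); cb = substr(b, i, 1)
        r = r ((ca == cb && ca != "-") ? ca : "-")
      }
      return r
    }
    function perm_or(a, b,    i, r, ca, cb) {       # bitwise OR of two triples
      r = ""
      for (i = 1; i <= 3; i++) {
        ca = substr(a, i, 1); cb = substr(b, i, 1)
        r = r (ca != "-" ? ca : cb)
      }
      return r
    }
    BEGIN {
      n = split(groups, g, " ")
      for (i = 1; i <= n; i++) ingroup[g[i]] = 1
      mask = ""; other = "---"; owner = ""; owngrp = ""
    }
    /^getfacl:/ { next }                  # stderr chatter if it was captured
    /^# owner:/ { owner = $3; next }
    /^# group:/ { owngrp = $3; next }
    /^#/ || NF == 0 { next }
    {
      sub(/[ \t]*#.*$/, "")               # drop "#effective:..." annotations
      split($0, f, ":")
      tag = f[1]; name = f[2]; perm = f[3]
      if (tag == "user" && name == "") owner_perm = perm
      else if (tag == "user") named_user[name] = perm
      else if (tag == "group" && name == "") group_perm = perm
      else if (tag == "group") named_group[name] = perm
      else if (tag == "mask") mask = perm
      else if (tag == "other") other = perm
    }
    END {
      # POSIX.1e order: owner, named user, union of matching groups, other.
      # The mask limits named users and all group entries, never owner/other.
      if (user == owner) { print owner_perm; exit }
      if (user in named_user) {
        res = (mask == "") ? named_user[user] : perm_and(named_user[user], mask)
        print res; exit
      }
      best = "---"; matched = 0
      if (owngrp in ingroup) { matched = 1; best = perm_or(best, group_perm) }
      for (gname in named_group)
        if (gname in ingroup) { matched = 1; best = perm_or(best, named_group[gname]) }
      if (matched) {
        res = (mask == "") ? best : perm_and(best, mask)
        print res; exit
      }
      print other
    }'
}

# Sample input: Peter's getfacl output from this message.
SAMPLE_ACL="getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--"

# Live use: what can the current user do with a reader node?
#   check_reader_access /dev/bus/usb/004/012
check_reader_access() {
  getfacl -p "$1" | effective_access "$(id -un)" "$(id -Gn)"
}
```

With Peter's ACL, peter gets rw- through the named-user entry and any member of pcscd gets rw- through the owning group; change the mask to r-- and both drop to r-- while root (the owner) keeps rw-, which is exactly the "works as root, not as user" symptom with a plausible-looking `ls -l`. Run `check_reader_access` on the node as the user who cannot use the card before touching udev rules.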
Re: Card only available to root user
On Fri, Aug 05, 2011 at 10:25:33AM +0200, Luis de Bethencourt wrote:
> On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
>> On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:
>>
>>>> luisbg@atlas ~ $ gpg --card-status
>>>> gpg: selecting openpgp failed: Unsupported certificate
>>
>> What kind of reader are you using?

Missed this question the first time around...
It is a SCM Microsystems SCR 335

>>
>>> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
>>
>> Now that is a strange command. The "gpg-connect-agent" argument is
>> simply ignored. What you do is to start a new gpg-agent in --server
>> mode, that is without it listening on a socket but connected to the tty.
>>
>> You should first start gpg-agent after checking that no other one is
>> running. For testing I do it this way
>>
>>   $ gpg-agent --daemon sh
>>
>> This creates a new shell and if you terminate this shell (exit) the
>> gpg-agent will terminate as well after a few seconds. Then use
>>
>>   $ gpg-connect-agent
>>   SCD SERIALNO
>>   BYE
>>
>> or
>>
>>   $ gpg-connect-agent 'SCD SERIALNO' /bye
>>
>> or to get all info from the card
>>
>>   $ gpg-connect-agent 'scd learn --force' /bye
>>
>
> When I do it as you say I get:
> gpg-connect-agent 'scd learn --force' /bye
> ERR 103 unknown command
>
> I always get that 'unknown command' error in all the variations you explained.
>
> But it works when I do it through gpg-agent --server.
>
>>
>> My guess at your problem is that there is another gpg-agent running
>> which has the scdaemon open. The one you started under root?
>>
>
> It looks like every time I do gpg --card-status it spawns a new scdaemon.
> After the card information you can see the following line:
>
> scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped
>
> and ps doesn't show any scdaemon running after that.
>
>> To debug this you should put these lines into scdaemon.conf
>>
>>   log-file /foo/bar/scd.log
>>   debug 2049
>>   debug-ccid-driver
>>   verbose

I've created this conf file both in my home and root's.

When I run gpg --card-status as my user, there is no file created. But when I
run it in root it does create this file.

Is this confirmation that when running as root scdaemon is being spawned but
when running as user it can't use scdaemon?

I can paste the content of that log file if you want it. Asking before doing
so since it's a bit lengthy.

Thanks for all the help,
Luis

>>
>> Salam-Shalom,
>>
>>    Werner
>>
>> --
>> Thoughts are free. Exceptions are governed by a federal law.
>>
>
> Thanks for the help,
> Luis
Re: Card only available to root user
On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
> On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:
>
>>> luisbg@atlas ~ $ gpg --card-status
>>> gpg: selecting openpgp failed: Unsupported certificate
>
> What kind of reader are you using?
>
>> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
>
> Now that is a strange command. The "gpg-connect-agent" argument is
> simply ignored. What you do is to start a new gpg-agent in --server
> mode, that is without it listening on a socket but connected to the tty.
>
> You should first start gpg-agent after checking that no other one is
> running. For testing I do it this way
>
>   $ gpg-agent --daemon sh
>
> This creates a new shell and if you terminate this shell (exit) the
> gpg-agent will terminate as well after a few seconds. Then use
>
>   $ gpg-connect-agent
>   SCD SERIALNO
>   BYE
>
> or
>
>   $ gpg-connect-agent 'SCD SERIALNO' /bye
>
> or to get all info from the card
>
>   $ gpg-connect-agent 'scd learn --force' /bye
>

When I do it as you say I get:
gpg-connect-agent 'scd learn --force' /bye
ERR 103 unknown command

I always get that 'unknown command' error in all the variations you explained.

But it works when I do it through gpg-agent --server.

>
> My guess at your problem is that there is another gpg-agent running
> which has the scdaemon open. The one you started under root?
>

It looks like every time I do gpg --card-status it spawns a new scdaemon. After
the card information you can see the following line:

scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped

and ps doesn't show any scdaemon running after that.

> To debug this you should put these lines into scdaemon.conf
>
>   log-file /foo/bar/scd.log
>   debug 2049
>   debug-ccid-driver
>   verbose
>
>
> Salam-Shalom,
>
>    Werner
>
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
>

Thanks for the help,
Luis
Re: Card only available to root user
On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said:

>
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate

What kind of reader are you using?

> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent

Now that is a strange command. The "gpg-connect-agent" argument is
simply ignored. What you do is to start a new gpg-agent in --server
mode, that is without it listening on a socket but connected to the tty.

You should first start gpg-agent after checking that no other one is
running. For testing I do it this way

  $ gpg-agent --daemon sh

This creates a new shell and if you terminate this shell (exit) the
gpg-agent will terminate as well after a few seconds. Then use

  $ gpg-connect-agent
  SCD SERIALNO
  BYE

or

  $ gpg-connect-agent 'SCD SERIALNO' /bye

or to get all info from the card

  $ gpg-connect-agent 'scd learn --force' /bye

My guess at your problem is that there is another gpg-agent running
which has the scdaemon open. The one you started under root?

To debug this you should put these lines into scdaemon.conf

  log-file /foo/bar/scd.log
  debug 2049
  debug-ccid-driver
  verbose

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Card only available to root user
On Fri, Aug 05, 2011 at 01:07:19AM +0200, Hauke Laging wrote: > Am Freitag, 5. August 2011, 03:02:07 schrieb Luis de Bethencourt: > > device in debian: > > crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005 > > > > device in gentoo: > > crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012 > > > > my user is part of the pcscd group. I just checked. > > I have no certain problem in mind. My general advice is to check with strace > what's going on. Often the problem can easily be seen shortly before the > program abort. If not you may compare the outputs of the root and user calls. > I run strace both running gpg --card-status as user and root, but without the card reader plugged in to make it simpler and I noticed that it diverts right before at the end. Pasting where it diverts: user: read(3, "ERR 103 unknown command\n", 1002) = 24 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa69e8ad000 write(2, "gpg: selecting openpgp failed: U"..., 55gpg: selecting openpgp failed: Unsupported certificate ) = 55 write(2, "gpg: OpenPGP card not available:"..., 57gpg: OpenPGP card not available: Unsupported certificate ) = 57 munmap(0x7fa69e8af000, 32768) = 0 exit_group(2) = ? root: read(3, scdaemon[6104]: PC/SC OPEN failed: unknown PC/SC error code "ERR 100663404 Card error \n", 1002) = 31 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa70a56f000 write(2, "gpg: selecting openpgp failed: C"..., 42gpg: selecting openpgp failed: Card error ) = 42 write(2, "gpg: OpenPGP card not available:"..., 44gpg: OpenPGP card not available: Card error ) = 44 munmap(0x7fa70a571000, 32768) = 0 exit_group(2) = ? this are the few lines before the diversion: write(6, "OPTION allow-pinentry-notify", 28) = 28 write(6, "\n", 1) = 1 read(3, "OK\n", 1002) = 3 write(6, "SCD SERIALNO openpgp", 20)= 20 write(6, "\n", 1) = 1 not sure if this helps, or if anybody can read any problem here. 
I certainly can't :P

Thanks,
Luis

>
> CU
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
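Hauke's suggestion above, comparing the user and root strace runs and reading the failure off the last few calls before the abort, is the kind of thing that is worth scripting once, because real traces of gpg are thousands of lines and the mmap addresses and daemon PIDs differ on every run. The following is an added example, not code from this thread or from GnuPG. USER_LOG and ROOT_LOG are constructed from the lines Luis pasted (reader unplugged), trimmed to the tail of each run; a real pair would come from `strace -s 256 -o user.log gpg --card-status` and the same command under sudo, and the noise patterns are assumptions that you would extend for your own traces.

```python
"""Locate the first point where two strace logs of the same command, taken as
two different users, diverge, and show the shared context just before it.

Added example; not code from the mailing-list thread.  USER_LOG and ROOT_LOG
are constructed from the lines Luis pasted, trimmed to the tail of each run."""
import re
from typing import Dict, List, Optional, Tuple

# Per-run noise that must not count as a divergence (assumed patterns; extend as needed).
_NOISE = (
    (re.compile(r"0x[0-9a-fA-F]+"), "0xADDR"),   # mmap/munmap addresses differ every run
    (re.compile(r"\[\d+\]"), "[PID]"),           # scdaemon[6104] -> scdaemon[PID]
    (re.compile(r"\s+"), " "),                   # whitespace
)

def normalize(line: str) -> str:
    for pat, repl in _NOISE:
        line = pat.sub(repl, line)
    return line.strip()

def first_divergence(a: List[str], b: List[str], context: int = 3) -> Optional[Dict[str, object]]:
    """Index of the first line that differs after normalization, with the
    preceding shared lines; None if the logs are equivalent.  A log that
    simply ends early counts as diverging at its end."""
    n = min(len(a), len(b))
    for i in range(n):
        if normalize(a[i]) != normalize(b[i]):
            return {"index": i, "context": a[max(0, i - context):i], "a": a[i], "b": b[i]}
    if len(a) != len(b):
        return {"index": n, "context": a[max(0, n - context):n],
                "a": a[n] if n < len(a) else "<end of log>",
                "b": b[n] if n < len(b) else "<end of log>"}
    return None

# Assuan replies come back over the agent socket as 'ERR <code> <text>'.
ASSUAN_ERR = re.compile(r'"ERR (\d+) ([^"\\]*)')

def assuan_error(line: str) -> Optional[Tuple[int, str]]:
    """Pull the Assuan error code and text out of a read() from the agent socket."""
    m = ASSUAN_ERR.search(line)
    return (int(m.group(1)), m.group(2).strip()) if m else None

# Constructed sample input: the shared prefix and the two tails from the thread.
COMMON = [
    'write(6, "OPTION allow-pinentry-notify", 28) = 28',
    'write(6, "\\n", 1) = 1',
    'read(3, "OK\\n", 1002) = 3',
    'write(6, "SCD SERIALNO openpgp", 20) = 20',
    'write(6, "\\n", 1) = 1',
]
USER_LOG = COMMON + [
    'read(3, "ERR 103 unknown command\\n", 1002) = 24',
    'mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa69e8ad000',
    'write(2, "gpg: selecting openpgp failed: Unsupported certificate\\n", 55) = 55',
    'exit_group(2) = ?',
]
ROOT_LOG = COMMON + [
    'scdaemon[6104]: PC/SC OPEN failed: unknown PC/SC error code',
    'read(3, "ERR 100663404 Card error \\n", 1002) = 31',
    'mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa70a56f000',
    'write(2, "gpg: selecting openpgp failed: Card error\\n", 42) = 42',
    'exit_group(2) = ?',
]

if __name__ == "__main__":
    d = first_divergence(USER_LOG, ROOT_LOG)
    for c in d["context"]:
        print("  ", c)
    print("user:", d["a"], "->", assuan_error(d["a"]))
    print("root:", d["b"], "->", assuan_error(d["b"]))
```

The point of the normalization step is that without it the first "difference" is always an mmap return value, and the Assuan `ERR` line is what tells you which side of the gpg/gpg-agent/scdaemon chain refused: in the pasted traces the user run gets a different error code from the agent than the root run does, before either process touches the reader.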
Re: Card only available to root user
On Friday, 5 August 2011, 03:02:07, Luis de Bethencourt wrote:
> device in debian:
> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
>
> device in gentoo:
> crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012
>
> my user is part of the pcscd group. I just checked.

I have no certain problem in mind. My general advice is to check with strace what's going on. Often the problem can easily be seen shortly before the program aborts. If not, you may compare the outputs of the root and user calls.

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: Card only available to root user
On Fri, Aug 05, 2011 at 12:14:47AM +0200, Hauke Laging wrote:
> On Friday, 5 August 2011, 01:49:21, Luis de Bethencourt wrote:
> > I can get/set the information of the card through the root user
>
> > Notice how I can check the status as root, and do SCD Learn as my user.
> > But not check the status as my user (or sign my mails, which is the main
> > problem). Also pcsc_scan works with my user, it shows the Serial number
> > of the card.
>
> Is this an access rights problem with the card reader device file? Different
> defaults with Gentoo and Debian maybe?

device in debian:
crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005

device in gentoo:
crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012

My user is part of the pcscd group. I just checked.

> Of course, this explanation does not make sense if pcsc_scan can access the
> device. Is pcsc_scan installed with SUID or SGID?

-rwxr-xr-x 1 root root 15K Aug 4 22:47 /usr/bin/pcsc_scan

No SUID/SGID as far as I can see.

>
> CU
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

Thanks for thinking about this :)
Luis
Re: Card only available to root user
On Friday, 5 August 2011, 01:49:21, Luis de Bethencourt wrote:
> I can get/set the information of the card through the root user
> Notice how I can check the status as root, and do SCD Learn as my user.
> But not check the status as my user (or sign my mails, which is the main
> problem). Also pcsc_scan works with my user, it shows the Serial number
> of the card.

Is this an access rights problem with the card reader device file? Different defaults with Gentoo and Debian maybe?

Of course, this explanation does not make sense if pcsc_scan can access the device. Is pcsc_scan installed with SUID or SGID?

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
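The two questions Hauke raises here (is it the mode bits on the device node, and is pcsc_scan getting around them via set-uid/set-gid) and the `ls -l` lines Luis later pastes in reply can be answered mechanically, and the `+` in the Debian listing is exactly the detail that a glance at the mode string misses. The following is an added example, not code from this thread, from GnuPG or from pcsc-lite. The sample lines are the three Luis pasted (two /dev/bus/usb nodes and /usr/bin/pcsc_scan); the user name "luisbg" and his group list are assumptions for the demo.

```python
"""Decide whether a user can open a character device such as the USB node
pcscd talks to, from the owner/group/mode shown by `ls -l`, and whether a
helper binary is set-uid/set-gid.

Added example; not code from the thread.  Sample lines are the ones Luis
pasted; the user "luisbg" and his groups are assumed."""
import os
import re
import stat
from typing import Dict, Set

# e.g. "crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005"
LS_RE = re.compile(
    r"^(?P<type>\S)(?P<perm>[rwxsStT-]{9})(?P<acl>\+?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
)

# Constructed sample input: the three listings from the thread.
DEBIAN_NODE = "crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005"
GENTOO_NODE = "crw-rw-r-- 1 root pcscd 189, 395 Aug 5 02:56 /dev/bus/usb/004/012"
PCSC_SCAN = "-rwxr-xr-x 1 root root 15K Aug 4 22:47 /usr/bin/pcsc_scan"

def parse_ls(line: str) -> Dict[str, object]:
    """Split an `ls -l` line into owner, group, per-class rw sets and flags."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    p = m.group("perm")
    rw = lambda s: {c for c in s if c in "rw"}
    return {
        "owner": m.group("owner"),
        "group": m.group("group"),
        "acl": m.group("acl") == "+",        # ls prints '+' when a POSIX ACL is attached
        "u": rw(p[0:3]), "g": rw(p[3:6]), "o": rw(p[6:9]),
        "setuid": p[2] in "sS",              # 's'/'S' in the owner execute slot
        "setgid": p[5] in "sS",              # 's'/'S' in the group execute slot
    }

def effective_access(entry: Dict[str, object], user: str, groups: Set[str]) -> Set[str]:
    """Classic mode-bit check: exactly one class applies (owner, else group,
    else other), so an owner gets only the owner bits even if the group bits
    are wider.  root bypasses these bits on a device node.  ACL entries are
    not shown by `ls -l` and can widen access; use getfacl for those."""
    if user == "root":
        return {"r", "w"}
    if user == entry["owner"]:
        return set(entry["u"])
    if entry["group"] in groups:
        return set(entry["g"])
    return set(entry["o"])

def diagnose(line: str, user: str, groups: Set[str]) -> str:
    e = parse_ls(line)
    acc = effective_access(e, user, groups)
    verdict = "rw" if acc == {"r", "w"} else ("read-only" if acc == {"r"} else "no access")
    if e["acl"] and user != "root" and acc != {"r", "w"}:
        verdict += " by mode bits; ACL present, check getfacl"
    return verdict

def live_check(path: str) -> Dict[str, object]:
    """The same question asked of the running system for the current user.
    os.access honours ACLs, so it is the authoritative answer on a live box."""
    st = os.stat(path)
    return {
        "is_char_device": stat.S_ISCHR(st.st_mode),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid, "gid": st.st_gid,
        "readable": os.access(path, os.R_OK),
        "writable": os.access(path, os.W_OK),
    }

if __name__ == "__main__":
    user, groups = "luisbg", {"luisbg", "pcscd"}   # assumed for the demo
    for line in (DEBIAN_NODE, GENTOO_NODE):
        print(line.split()[-1], "->", diagnose(line, user, groups))
    e = parse_ls(PCSC_SCAN)
    print("pcsc_scan set-id:", e["setuid"] or e["setgid"])
```

On the two listings from the thread the mode bits alone give the user read/write on the Gentoo node (via the pcscd group) and only read on the Debian node, yet Debian is the machine that works; the `+` says an ACL is in play there, which is why `getfacl` (or `os.access` on the live system) has to be consulted before concluding anything from `ls -l`.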
Re: Card only available to root user
On Fri, Aug 05, 2011 at 01:49:21AM +0200, Luis de Bethencourt wrote:
> Hi everybody and thanks for the help.
>
> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
>
> I can get/set the information of the card through the root user, but this is
> not good for everyday use. I think I have pinpointed the problem: scdaemon
> on my machine doesn't like anybody but root.
>
> Here is a paste of a few commands to show the problem:
>
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate
>
> luisbg@atlas ~ $ sudo gpg --card-status
> scdaemon[31077]: reading public key failed: Missing item in object
> scdaemon[31077]: reading public key failed: Missing item in object
> Application ID ...: D2760001240102050CC9
> Version ..: 2.0
> Manufacturer .: ZeitControl
> Serial number : 0CC9
> Name of cardholder: Luis de Bethencourt
> Language prefs ...: en
> Sex ..: male
> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
> Login data ...: luisbg
> Signature PIN : not forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 2
> Signature key : 3F4A 28A6 568A CD30 480A F9EB 6BBF 9F19 873B 518D
> created : 2011-07-26 12:22:00
> Encryption key: [none]
> Authentication key: [none]
> General key info..: [none]
> scdaemon[31077]: updating slot 0 status: 0x->0x0007 (0->1)
>
> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> OK Pleased to meet you
> SCD LEARN
> S SERIALNO D2760001240102050CC9 0
> INQUIRE KNOWNCARDP D2760001240102050CC9 0
> scdaemon[31088]: updating slot 0 status: 0x->0x0007 (0->1)
>
>
> Notice how I can check the status as root, and do SCD Learn as my user.
> But not check the status as my user (or sign my mails, which is the main
> problem). Also pcsc_scan works with my user, it shows the Serial number
> of the card.
>
> If it helps, I'm running gentoo with:
> gpg (GnuPG) 2.0.17
> scdaemon (GnuPG) 2.0.17
> pcsc-lite version 1.7.2
> gpg-agent (GnuPG) 2.0.17
>
> luisbg@atlas ~ $ gpgconf
> gpg:GPG for OpenPGP:/usr/bin/gpg2
> gpg-agent:GPG Agent:/usr/bin/gpg-agent
> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
> dirmngr:Directory Manager:/usr/bin/dirmngr
>
> Thanks a million for the help,
> Luis

By the way, I should mention I have replicated this issue on my two gentoo-based machines, but then got the card and reader working very easily on another machine which runs debian. So the hardware is OK. Unfortunately for this case, my laptop is one of the gentoo machines, and that is the machine on which I will make more use of the card.

Thanks,
Luis