Re: Unable to access Crypto Stick with gpg2
On Thu, 14 Feb 2013 22:03:45 +0100 Peter Lebbing pe...@digitalbrains.com wrote:

>> /bin/ps -e -o pid,supgrp,args
>
>> 1878 -/usr/sbin/pcscd
>
> pcscd will have GUID pcscd, so it's not a supplementary group. With
>
> $ ps -e -o pid,egroup,supgrp,args
>
> You'll most likely notice pcscd in the second column for that daemon.

If I run scdaemon --daemon, then ps -e -o pid,egroup,supgrp,args, I get:

    4415 jan adm,cdrom,sudo,dip,plugdev,lpadmin,samba scdaemon --daemon
    1911 root -/usr/sbin/pcscd

So no pcscd for the scdaemon.

While searching for more information, I stumbled on this discussion thread from 2011:
http://lists.gnupg.org/pipermail/gnupg-devel/2011-January/025911.html

That seemed to propose a patch that would make scdaemon behave better when a smart card is removed from the system (and not spam the syslog with endless errors and prevent further access to the card). Did this ever make it to a release of gnupg?

Also, is there a known release of gpg2 that people use with OpenPGP cards that I could fall back to? Or a known Linux distribution+gnupg version combo I could try?

(I would really like to sever my dependency to Microsoft Windows and move my correspondence to Linux but I need access to my signing keys before that can happen. :-/)

--
Jan
em...@janignatius.fi
PGP Key: https://janignatius.fi/pgp
PGP Key Fingerprint: 08EC 7FDC BAAA EEF5 AFE8 BEEC 8B71 471F 7F86 1262

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Unable to access Crypto Stick with gpg2
On Thu 14.02.2013, 19:38:05, Jan Ignatius wrote:

> Turns out it was mounted on /dev/bus/usb/001/005:
>
> crw-rw-r-- 1 root pcscd 189, 4 Feb 14 19:13 005
>
> The access rights seem ok to me - the smart card daemon pcscd has full rights to the device. Does anyone have other ideas I could test out?

The daemon group has... But is this group in the list of groups of the scdaemon process? That's not a SUID/SGID binary. So if you are not in this group then scdaemon started by you (or by gpg-agent started by you) won't be either.

    /bin/ps -e -o pid,supgrp,args

Hauke

--
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
Re: Unable to access Crypto Stick with gpg2
On Wed, 13 Feb 2013 23:32:29 +0100 Hauke Laging mailinglis...@hauke-laging.de wrote:

> On Wed 13.02.2013, 20:16:01, Jan Ignatius wrote:
>
>> Coming back to your original proposal, could you give me some guidance on how I can check the user permissions for the Crypto Stick?
>
> I think that means that you have connected the device to bus 2 which is a USB 1.1 bus. The kernel has given the device the number 5. This is not always the same. If you disconnect and reconnect it will probably have the next number. No idea whether there is an overrun after 999 ;-)
>
> So you should see the access rights with
> ls -l /dev/bus/usb/002/005

Turns out it was mounted on /dev/bus/usb/001/005:

    crw-rw-r-- 1 root pcscd 189, 4 Feb 14 19:13 005

The access rights seem ok to me - the smart card daemon pcscd has full rights to the device. Does anyone have other ideas I could test out?

A more directly gnupg related matter also came to light - after the card reading fails (see my earlier examples) and the scdaemon goes belly up it seems not to die peacefully: When I remove the Crypto Stick my syslog starts filling up with thousands of identical entries as follows:

    Feb 14 19:22:43 Sibelius kernel: [ 846.570762] usb 1-1.2: USB disconnect, device number 5
    Feb 14 19:22:43 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:43 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:44 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:44 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:45 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:45 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:45 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:46 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:47 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:47 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:48 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:48 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:48 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:49 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:49 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:49 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:50 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:51 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:51 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:52 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:52 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:52 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:53 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:54 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    Feb 14 19:22:54 Sibelius pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 617
    Feb 14 19:22:55 Sibelius pcscd: eventhandler.c:303:EHStatusHandlerThread() Error communicating to: German Privacy Foundation Crypto Stick v1.2 00 00
    Feb 14 19:22:55 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device
    ...Ad infinitum

So I have to restart the machine to avoid bloating up the syslog.

The same does not happen if I only plug in the stick and then remove it, without running gpg2; the only entries (for the disconnect) are as follows:

    Feb 14 19:34:44 Sibelius kernel: [ 206.379447] usb 1-1.2: USB disconnect, device number 5
    Feb 14 19:34:44 Sibelius pcscd: ccid_usb.c:660:WriteUSB() write failed (1/5): -4 No such device

--
Jan
em...@janignatius.fi
PGP Key: https://janignatius.fi/pgp
PGP Key Fingerprint: 08EC 7FDC BAAA EEF5 AFE8 BEEC 8B71 471F 7F86 1262
Re: Unable to access Crypto Stick with gpg2
> The daemon group has... But is this group in the list of groups of the scdaemon process? That's not a SUID/SGID binary.

You're confusing pcscd and scdaemon. OP doesn't use direct access by scdaemon, but rather a PC/SC daemon which is run from init, and to which the scdaemon connects.

If the card reader is supported directly by GnuPG, it might be better to remove pcscd from the equation. And in that case, the ownership might indeed become an issue again when it's like this.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: Unable to access Crypto Stick with gpg2
On Thu, 14 Feb 2013 18:51:13 +0100 Hauke Laging mailinglis...@hauke-laging.de wrote:

> On Thu 14.02.2013, 19:38:05, Jan Ignatius wrote:
>
>> Turns out it was mounted on /dev/bus/usb/001/005:
>>
>> crw-rw-r-- 1 root pcscd 189, 4 Feb 14 19:13 005
>>
>> The access rights seem ok to me - the smart card daemon pcscd has full rights to the device. Does anyone have other ideas I could test out?
>
> The daemon group has... But is this group in the list of groups of the scdaemon process? That's not a SUID/SGID binary. So if you are not in this group then scdaemon started by you (or by gpg-agent started by you) won't be either.
>
> /bin/ps -e -o pid,supgrp,args
>
> Hauke

This is what I could find from the output of that command that seemed relevant for gpg:

    1878 -/usr/sbin/pcscd
    2666 adm,cdrom,sudo,dip,plugdev,lpadmin,samba /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/jan/.gnupg/gpg-agent-info-Sibelius /usr/bin/dbus-launch --exit-with-session x-session-manager
    2683 adm,cdrom,sudo,dip,plugdev,lpadmin,samba mate-keyring-daemon --start --components=gpg
    2781 adm,cdrom,sudo,dip,plugdev,lpadmin,samba /usr/bin/gnome-keyring-daemon --start --components=gpg

As you can see, there are no entries for scdaemon. I've attached the full output for reference.

If I run scdaemon manually (scdaemon --daemon), this is the entry from the ps-command:

    7592 adm,cdrom,sudo,dip,plugdev,lpadmin,samba scdaemon --daemon

Is the solution such that I need to get the scdaemon to be a part of the group pcscd?
--
Jan
em...@janignatius.fi
PGP Key: https://janignatius.fi/pgp
PGP Key Fingerprint: 08EC 7FDC BAAA EEF5 AFE8 BEEC 8B71 471F 7F86 1262
Re: Unable to access Crypto Stick with gpg2
>> /bin/ps -e -o pid,supgrp,args
>
> 1878 -/usr/sbin/pcscd

pcscd will have GUID pcscd, so it's not a supplementary group. With

    $ ps -e -o pid,egroup,supgrp,args

You'll most likely notice pcscd in the second column for that daemon.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: Unable to access Crypto Stick with gpg2
On Wed 13.02.2013, 07:46:31, Jan Ignatius wrote:

> scdaemon[2740]: PC/SC OPEN failed: reader unavailable

I think this is the relevant problem with the rest being the result of that.

What are the access rights for the reader? Can your user account access it? Perhaps you need a suitable udev rule.

Hauke

--
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
Re: Unable to access Crypto Stick with gpg2
On Wed, 13 Feb 2013 11:55:59 +0100 Hauke Laging mailinglis...@hauke-laging.de wrote:

> On Wed 13.02.2013, 07:46:31, Jan Ignatius wrote:
>
>> scdaemon[2740]: PC/SC OPEN failed: reader unavailable
>
> I think this is the relevant problem with the rest being the result of that.
>
> What are the access rights for the reader? Can your user account access it? Perhaps you need a suitable udev rule.
>
> Hauke

I may have missed something. I just restarted the machine (which I had not done when trying to get the stick to work), performed the same actions again and got a different result:

    $ gpg2 --card-status
    gpg: selecting openpgp failed: Unsupported certificate
    gpg: OpenPGP card not available: Unsupported certificate
    $ sudo gpg2 --card-status
    [sudo] password for jan:
    gpg: WARNING: unsafe ownership on configuration file `/home/jan/.gnupg/gpg.conf'
    Application ID ...: D2760001240102050C1D
    Version ..: 2.0
    Manufacturer .: ZeitControl
    Serial number : 0C1D
    Name of cardholder: Jan Ignatius
    Language prefs ...: en
    Sex ..: male
    URL of public key : [not set]
    Login data ...: [not set]
    Signature PIN : forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 0 3
    Signature counter : 18
    Signature key : 08EC 7FDC BAAA EEF5 AFE8 BEEC 8B71 471F 7F86 1262
    created : 2012-07-25 18:21:13
    Encryption key: F316 9042 B599 FE06 ABFC BB42 1D72 A9D5 F7EB DE4B
    created : 2012-07-25 18:21:13
    Authentication key: B2EB 65F2 31F8 6B30 B917 06A7 1A8B 1F48 BEA5 709F
    created : 2012-07-25 18:21:13
    General key info..: [none]
    scdaemon[3638]: updating slot 0 status: 0x-0x0007 (0-1)
    $ scdaemon[3638]: scdaemon (GnuPG) 2.0.19 stopped
    $

So at least gpg2 can access the card with sudo but the scdaemon dies after the first attempt.

Coming back to your original proposal, could you give me some guidance on how I can check the user permissions for the Crypto Stick?

I've only gotten as far as identifying the card by doing tail -f /var/log/syslog and then plugging in the device:

    Feb 13 19:59:59 Sibelius kernel: [ 145.733139] usb 1-1.2: new full-speed USB device number 5 using ehci_hcd
    Feb 13 19:59:59 Sibelius kernel: [ 145.826321] usb 1-1.2: New USB device found, idVendor=20a0, idProduct=4107
    Feb 13 19:59:59 Sibelius kernel: [ 145.826330] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    Feb 13 19:59:59 Sibelius kernel: [ 145.826337] usb 1-1.2: Product: Crypto Stick v1.2
    Feb 13 19:59:59 Sibelius kernel: [ 145.826342] usb 1-1.2: Manufacturer: German Privacy Foundation
    Feb 13 19:59:59 Sibelius mtp-probe: checking bus 1, device 5: /sys/devices/pci:00/:00:1a.0/usb1/1-1/1-1.2
    Feb 13 19:59:59 Sibelius mtp-probe: bus: 1, device: 5 was not an MTP device
    Feb 13 19:59:59 Sibelius kernel: [ 145.848956] WARNING! power/level is deprecated; use power/control instead
    Feb 13 19:59:59 Sibelius pcscd: ccid_usb.c:1054:ControlUSB() control failed (1/5): -9 Success

But I am at a loss on how to proceed from here.

--
Jan
em...@janignatius.fi
PGP Key: https://janignatius.fi/pgp
PGP Key Fingerprint: 08EC 7FDC BAAA EEF5 AFE8 BEEC 8B71 471F 7F86 1262
Re: Unable to access Crypto Stick with gpg2
On Wed 13.02.2013, 20:16:01, Jan Ignatius wrote:

> Coming back to your original proposal, could you give me some guidance on how I can check the user permissions for the Crypto Stick?

That's easy: lsusb shows you the bus and device number.

    ls -l /dev/bus/usb/002/

for all devices on bus 2 or

    ls -l /dev/bus/usb/002/006

for a single device, the 6th e.g.

> usb 1-1.2: new full-speed USB device number 5

I think that means that you have connected the device to bus 2 which is a USB 1.1 bus. The kernel has given the device the number 5. This is not always the same. If you disconnect and reconnect it will probably have the next number. No idea whether there is an overrun after 999 ;-)

So you should see the access rights with

    ls -l /dev/bus/usb/002/005

You may configure udev so that a symlink is created (/dev/cryptostick-0 or the like) and that the device rights are set accordingly. But that is not GnuPG-specific.

Hauke

--
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
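
Added example, not part of any message in this thread: the permission check the thread circles around, comparing the `ls -l` line of the USB device node with the user and groups that `ps -e -o pid,egroup,supgrp,args` reports for a process. The function names `node_access` and `access_from_ls` are hypothetical; the sample `ls -l` line and group list are copied from the messages above, with `jan` assumed to be both the user name and the primary group. POSIX ACLs and capabilities other than root's override are not modelled.

```shell
#!/bin/sh
# node_access MODE OWNER GROUP USER GROUPS_CSV
# MODE is the 10-character mode string from `ls -l` (e.g. crw-rw-r--).
# Prints the read/write bits that apply to USER: "rw", "r-", "-w" or "--".
node_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5

    # root bypasses the mode bits (CAP_DAC_OVERRIDE).
    if [ "$user" = root ]; then
        echo rw
        return 0
    fi

    # The kernel applies exactly one triplet: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        start=2
    else
        case ",$groups," in
            *",$group,"*) start=5 ;;
            *)            start=8 ;;
        esac
    fi

    # Characters start..start+1 of the mode string are the r and w bits.
    printf '%s' "$mode" | cut -c "$start-$((start + 1))"
    echo
}

# access_from_ls LS_LINE USER GROUPS_CSV
# Splits one `ls -l` line into mode, owner and group, then evaluates it.
access_from_ls() {
    read -r mode links owner group rest <<EOF
$1
EOF
    node_access "$mode" "$owner" "$group" "$2" "$3"
}

# Sample data copied from the thread (not live output).
LS_LINE='crw-rw-r-- 1 root pcscd 189, 4 Feb 14 19:13 005'
JAN_GROUPS='jan,adm,cdrom,sudo,dip,plugdev,lpadmin,samba'

echo "scdaemon as jan:            $(access_from_ls "$LS_LINE" jan "$JAN_GROUPS")"
echo "scdaemon as jan plus pcscd: $(access_from_ls "$LS_LINE" jan "$JAN_GROUPS,pcscd")"
echo "process running as root:    $(access_from_ls "$LS_LINE" root root)"
```

With the node owned by root:pcscd and mode crw-rw-r--, a process started by jan falls through to the "other" bits and can read but not write the device, which only matters when scdaemon opens the reader directly instead of going through pcscd.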