Re: Trouble with GPG Cards for SSH when using FIDO2
Hello Werner,

thanks again for your help! I found some errors in the logs of `~/.gnupg/gpg-agent.log`, which you can find in the attachments.

By accident I stumbled over a solution which maybe gives some idea of what might go wrong, but which is weird in nature as well: running `gpgconf -K all` and `systemctl restart pcscd` doesn't change anything immediately, but after a while (minutes, I guess) `ssh-add -L` then yields the keys. When that has happened I can even remove / add one/both of my keys and everything is updated accordingly.

The confusing part is that it takes time until it works again, so maybe that information can nail down the issue a little?

Best and thanks for the help,
Philipp

> Werner Koch wrote on 02.02.2024 10:02 CET:
>
> Hi!
>
> I would suggest that you put
>
>   debug ipc
>   log-file /foo/bar/agent.log
>
> into gpg-agent.conf and
>
>   debug cardio
>   log-file /foo/bar/scd.log
>
> into scdaemon.conf and restart them all (gpgconf -K all). You may of
> course also run watchgnupg to see a combined log but separate log files
> are good enough. The ssh handler has no dedicated debug statements and
> thus any debug level is sufficient to see errors in the logs. If you
> don't see anything in the logs you either need to use a socket proxy
> (somewhere in the gnupg source is one) or add debug statements to
> command-ssh.c. My guess is that the scdaemon log gives some hints.
>
> Shalom-Salam,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | phil...@knutschmidt.de | +49 176 23 43 27 79

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Trouble with GPG Cards for SSH when using FIDO2
Hello Werner,

thanks a lot for your reply and all the useful commands. Please excuse the late reply, but this one is driving me crazy since I am not able to create a situation in which I can reliably reproduce the failure. I guess that is due to OS updates as well. Here are some of the edge cases:

- When I launch a bash right after startup, `ssh-add -L` displays all the keys and they remain even after the usage of FIDO.
- When I come back from lunch, waking up the box from logout, the keys are gone, even with the bash still open.
- In case the keys are gone, none of the scripts you provided change anything.

Maybe that is helpful here: the code from my `.bashrc`:

```
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```

Adding `pscs-shared` completely breaks it, and it stops working.

I will further try to clearly reproduce it. Any hints are welcome. THANKS FOR HELP!

Best
Philipp

> Werner Koch wrote on 15.01.2024 17:04 CET:
>
> On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:
>
> > - Everything works fine until I use one of the keys for FIDO2
> > - Afterwards I cannot restore the service without a reboot
>
> Try to add
>
>   pscs-shared
>
> to scdaemon.conf and gpgconf -R scdaemon. Does this change anything?
> If not, add
>
>   log-file /foo/scd.log
>   debug ipc,reader,card
>
> to scdaemon.conf and check the log file or send it to me. Make sure
> that you did not enter the PIN as it would show up in the log. If this
> does not give any hints, adding "debug cardio" will give even more
> verbose output.
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | phil...@knutschmidt.de | +49 176 23 43 27 79
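What `ssh-add -L` does on the wire, as an added example that is not code from this thread, from GnuPG or from OpenSSH: it connects to the socket in `SSH_AUTH_SOCK` (which the `.bashrc` above points at gpg-agent's `agent-ssh-socket`), sends `SSH_AGENTC_REQUEST_IDENTITIES` and decodes the answer. The reason to do this by hand while debugging is that `ssh-add -L` prints nothing in two different situations: the agent answered with an empty identity list (what you get when scdaemon has lost the card) and the agent answered `SSH_AGENT_FAILURE`. The script keeps those apart. The sample reply, the dummy Ed25519 point and the `cardno:` comment are constructed for the offline check, not taken from the poster's agent.

```python
"""Query an ssh-agent for its identities the way 'ssh-add -L' does.

Added example (not GnuPG/OpenSSH code). Speaks the ssh-agent protocol over
the Unix socket in SSH_AUTH_SOCK and distinguishes 'no keys' from 'FAILURE'.
"""
import base64
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_FAILURE = 5


def _string(buf: bytes, pos: int):
    """Decode one SSH 'string' (uint32 length + bytes) at pos; returns (bytes, next_pos)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_request_identities() -> bytes:
    """Framed SSH_AGENTC_REQUEST_IDENTITIES message: uint32 length, then the type byte."""
    body = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(body: bytes):
    """Parse a reply body (length prefix already stripped) into [(keytype, blob, comment)].

    An empty list is a valid answer; SSH_AGENT_FAILURE raises instead, so the
    caller can tell "agent has no keys" from "agent refused the request".
    """
    if not body:
        raise ValueError("empty reply from agent")
    if body[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent answered SSH_AGENT_FAILURE")
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected message type {body[0]}")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    pos, keys = 5, []
    for _ in range(nkeys):
        blob, pos = _string(body, pos)
        comment, pos = _string(body, pos)
        keytype, _ = _string(blob, 0)   # every public-key blob starts with its type name
        keys.append((keytype.decode(), blob, comment.decode("utf-8", "replace")))
    return keys


def encode_identities_answer(keys) -> bytes:
    """Build a reply body from (blob, comment) pairs; used here only to construct test input."""
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += _pack_string(blob) + _pack_string(comment)
    return out


def format_authorized_key(keytype: str, blob: bytes, comment: str) -> str:
    """Render one identity in the authorized_keys form that 'ssh-add -L' prints."""
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket mid-message")
        buf += chunk
    return buf


def list_identities(sock_path=None):
    """Connect to the agent socket (default $SSH_AUTH_SOCK) and return its identities."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, n))


# Constructed sample reply: one Ed25519 blob with a dummy 32-byte point and the
# kind of "cardno:" comment gpg-agent attaches to card keys. Not a real key.
SAMPLE_BLOB = _pack_string(b"ssh-ed25519") + _pack_string(bytes(range(32)))
SAMPLE_ANSWER = encode_identities_answer([(SAMPLE_BLOB, b"cardno:000612345678")])

if __name__ == "__main__":
    try:
        for kt, blob, comment in list_identities():
            print(format_authorized_key(kt, blob, comment))
    except RuntimeError as e:
        print("agent error:", e)
```

Run it from a shell where `.bashrc` has exported `SSH_AUTH_SOCK`. An empty list with no error means gpg-agent is up but scdaemon is not offering the card keys, which is the state the thread describes; a `SSH_AGENT_FAILURE` or a connection error points at the agent or the socket itself.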
Re: Trouble with GPG Cards for SSH when using FIDO2
Hi!

I would suggest that you put

  debug ipc
  log-file /foo/bar/agent.log

into gpg-agent.conf and

  debug cardio
  log-file /foo/bar/scd.log

into scdaemon.conf and restart them all (gpgconf -K all). You may of course also run watchgnupg to see a combined log but separate log files are good enough. The ssh handler has no dedicated debug statements and thus any debug level is sufficient to see errors in the logs. If you don't see anything in the logs you either need to use a socket proxy (somewhere in the gnupg source is one) or add debug statements to command-ssh.c. My guess is that the scdaemon log gives some hints.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Trouble with GPG Cards for SSH when using FIDO2
On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:

> - Everything works fine until I use one of the keys for FIDO2
> - Afterwards I cannot restore the service without a reboot

Try to add

  pscs-shared

to scdaemon.conf and gpgconf -R scdaemon. Does this change anything? If not, add

  log-file /foo/scd.log
  debug ipc,reader,card

to scdaemon.conf and check the log file or send it to me. Make sure that you did not enter the PIN as it would show up in the log. If this does not give any hints, adding "debug cardio" will give even more verbose output.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Trouble with GPG Cards for SSH when using FIDO2
Hello Everybody,

since some update, about two months ago, I started to run into trouble using both my YubiKeys. To be precise: I have set up gpg such that the ssh auth agent can access the keys. That worked for a long time. For example: `ssh-add -L` always displayed both public keys.

As mentioned before, now I am running into trouble, but not right from the start. As far as I could observe, it happens always after I used one of the keys for a FIDO2 authentication. After that `ssh-add -L` doesn't display any keys any more and `gpg --card-status` says:

```
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

even though the keys are inserted. In such a case, the only thing that helps is a reboot.

I really would like to provide more details, but I really do not know where to start. Baseline:

- Everything works fine until I use one of the keys for FIDO2
- Afterwards I cannot restore the service without a reboot

I am running Arch Linux with a new kernel and GPG version 2.4.3

Thanks in advance for any help!
Re: gpg cards
> ahead and copied the very same keys from the backup to the second. But
> trying to actually use does not work, I get an error like: 'please
> insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible) ?

You see the prompt because gpg knows that you already used the first card and asks for that card. The alternative would be to check whether the currently inserted card can be used, despite that its serial number does not match. IIRC, we have implemented this in 2.3 to be released in the next few weeks.

What you can do with 2.2 is to delete the stub file which stores the serial number:

  gpg --with-keygrip -K

shows you the keygrip of the respective file. Now check whether the file ~/.gnupg/private-keys-v1.d/<keygrip>.key has the string "shadowed-private-key". If so, delete this file and run "gpg --card-status". Such a file might look like this:

```
Token: 276000124010200FFFE372F791 OPENPGP.1
Label: My signing yellow signing token
Key: (shadowed-private-key (ecc (curve Ed25519)(flags eddsa)(q #40CFBE4795E91CD7A26185F23430A7445712DD93185C3023B4646E963010263697#) (shadowed t1-v1 (#D276000124010200FFFE372F791# OPENPGP.1
```

which can be edited, or it might be some binary gibberish. In any case you should be able to check for the "shadowed-private-key" string. Note that such a file exists for each key.

> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am

You can use the poldi PAM module but it is somewhat limited. For proper support we would need to modify the screen locker and the display manager.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.

I have used my card for many years for an encrypted partition. The tool is called g13 but it is not very polished and not easy to install. When building gnupg add --enable-g13 to configure. We have an open task to write a bit of documentation: https://dev.gnupg.org/T3423 . What's also missing are features to replace or add OpenPGP keys to a partition so that you can use several cards or a symmetric key for decryption (of the actual dmcrypt key).

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
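Werner's stub-file check, done programmatically, as an added example that is not part of this thread and not GnuPG's own code: it reads every file in `private-keys-v1.d`, accepts both on-disk forms he mentions (the canonical binary S-expression and the extended format with a `Key:` line in advanced notation, as in the sample above) and lists the keygrips whose `(shadowed t1-v1 (<serialno> <idstring>))` entry points at a given card serial. The nesting of the `(shadowed ...)` list inside the algorithm list follows the sample he quotes. The serial number, the Ed25519 point and the three sample files are constructed for the offline check; nothing here is a real card or key.

```python
"""Find gpg-agent key stubs ('shadowed-private-key') that point at one OpenPGP card.
Added example, not GnuPG code. Handles both on-disk forms of
~/.gnupg/private-keys-v1.d/<KEYGRIP>.key: canonical (binary) S-expression and
the extended format whose 'Key:' line holds the S-expression in advanced notation.
"""
import os
import re
import tempfile


def parse_canonical(data: bytes, pos: int = 0):
    """Parse one canonical S-expression node at pos; returns (node, next_pos)."""
    if data[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            if pos >= len(data):
                raise ValueError("unterminated list")
            item, pos = parse_canonical(data, pos)
            items.append(item)
        return items, pos + 1
    m = re.match(rb"(\d+):", data[pos:])
    if not m:
        raise ValueError(f"bad canonical S-expression at offset {pos}")
    start, n = pos + m.end(), int(m.group(1))
    return data[start:start + n], start + n


_TOKEN = re.compile(r"\s*(\(|\)|#([0-9A-Fa-f\s]*)#|(\d+):|([^\s()#]+))")


def parse_advanced(text: str):
    """Parse advanced notation: bare tokens, #hex# atoms and N: length-prefixed atoms."""
    stack, pos = [[]], 0
    while (m := _TOKEN.match(text, pos)):
        pos, tok = m.end(), m.group(1)
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) > 1:
                stack[-2].append(stack.pop())
        elif m.group(2) is not None:
            stack[-1].append(bytes.fromhex(re.sub(r"\s", "", m.group(2))))
        elif m.group(3) is not None:
            n = int(m.group(3))
            stack[-1].append(text[pos:pos + n].encode())
            pos += n
        else:
            stack[-1].append(m.group(4).encode())
    while len(stack) > 1:          # tolerate a truncated file, like the one quoted above
        stack[-2].append(stack.pop())
    return stack[0][0] if stack[0] else None


def _find(node, head: bytes):
    """Depth-first search for a sub-list whose first atom is head."""
    if isinstance(node, list):
        if node and node[0] == head:
            return node
        for child in node:
            hit = _find(child, head)
            if hit is not None:
                return hit
    return None


def shadow_info(node):
    """(serialno_hex, idstring) for a stub; None for a real key or anything else."""
    if not isinstance(node, list) or not node or node[0] != b"shadowed-private-key":
        return None
    sh = _find(node, b"shadowed")   # (shadowed t1-v1 (<serialno> <idstring>)) inside the algo list
    if sh is None or len(sh) < 3 or not isinstance(sh[2], list) or len(sh[2]) < 2:
        return None
    return sh[2][0].hex().upper(), sh[2][1].decode()


def load_stub(path: str):
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"("):                     # canonical binary form
        return parse_canonical(data)[0]
    text = data.decode("utf-8", "replace")        # extended format: 'Key:' plus indented continuation lines
    m = re.search(r"^Key:[ \t]*(.*(?:\n[ \t].*)*)", text, re.M)
    return parse_advanced(m.group(1)) if m else None


def stubs_for_card(keydir: str, serialno_hex: str):
    """[(keygrip, idstring)] for every stub in keydir shadowed to this card serial."""
    hits = []
    for name in sorted(os.listdir(keydir)):
        if name.endswith(".key"):
            info = shadow_info(load_stub(os.path.join(keydir, name)))
            if info and info[0] == serialno_hex.upper():
                hits.append((name[:-4], info[1]))
    return hits


def to_canonical(node) -> bytes:
    if isinstance(node, list):
        return b"(" + b"".join(to_canonical(n) for n in node) + b")"
    return str(len(node)).encode() + b":" + node


SERIAL = bytes.fromhex("D2760001240102000006123456780000")   # constructed, not a real card
_Q = bytes([0x40]) + bytes(range(32))                         # dummy Ed25519 point


def build_demo_dir() -> str:
    """Write constructed files: a canonical stub (A...), an extended stub (B...), a real key (C...)."""
    d = tempfile.mkdtemp()
    ecc = [b"ecc", [b"curve", b"Ed25519"], [b"flags", b"eddsa"], [b"q", _Q]]
    stub = [b"shadowed-private-key", ecc + [[b"shadowed", b"t1-v1", [SERIAL, b"OPENPGP.1"]]]]
    with open(os.path.join(d, "A" * 40 + ".key"), "wb") as f:
        f.write(to_canonical(stub))
    hexs = SERIAL.hex().upper()
    with open(os.path.join(d, "B" * 40 + ".key"), "w") as f:
        f.write(f"Token: {hexs} OPENPGP.3\nLabel: demo auth key\n"
                f"Key: (shadowed-private-key (ecc (curve Ed25519)(flags eddsa)\n"
                f" (q #{_Q.hex().upper()}#)\n (shadowed t1-v1 (#{hexs}# OPENPGP.3))))\n")
    with open(os.path.join(d, "C" * 40 + ".key"), "wb") as f:
        f.write(to_canonical([b"private-key", ecc + [[b"d", bytes(32)]]]))
    return d
```

Against a real keyring, call `stubs_for_card(os.path.expanduser("~/.gnupg/private-keys-v1.d"), serial)` with the serial shown by `gpg --card-status`. Delete only the listed files, and only after confirming the same key material really is on the card now inserted: the stub is gpg-agent's only record of where that key lives, and a stub pointing at a missing card is still the reason you get the "please insert card" prompt instead of a silent failure.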
Re: gpg cards
On 12021/00/27 02:03.62, Philipp Schmidt wrote:
> Hello Everybody!
>
> I have tried to find something in the docs about this, but without success. For
> quite a while now, I am using a yubikey as gpg card and that is working really
> good. Since it is risky to have only one Key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use does not work, I get an
> error like: 'please insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible) ?

Sorry, I don't know the answer to this one, since I've never tried it. One option is simply creating a separate key and encrypting to two distinct (sub)keys, which is what I would do. You don't want to have to get rid of _both_ keys if one is compromised in some way, and having two copies of the key makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of authorization. I do this for both login and screen unlocking using the libpam-u2f module. It looks like you can use libpam-poldi (http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
>
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I wouldn't use my GPG key to unlock my hard drive, log in, and decrypt _everything_ without having a foolproof way to get back in. In my case, for example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from memory and use the yubikey for the rest. The data hard drive has a backup passphrase I never use since it's primarily unlocked by a keyfile stored in /root. The system hard drive has a backup passphrase that I don't ever use, but I also don't care since I can easily re-install the system.
2. To login, I use my Yubikey as U2F. Assuming I can get into my system HDD, I can always de-activate the U2F module to be able to get back in if my Yubikey fails.
3. I use my Yubikey as the primary key for pass, my password manager. I encrypt to a backup key that never leaves my laptop so I can still access the passwords should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey for (assuming you don't want data loss). It's like with OTP codes - *always* save the backup codes :)

Sincerely,
Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
Re: gpg cards
Hi!

Philipp Schmidt writes:

> I have tried to find something in the docs about this, but without success. For quite a while now, I am using a yubikey as gpg card and that is working really good. Since it is risky to have only one Key, I just purchased another one to create a clone of the first. So I went ahead and copied the very same keys from the backup to the second. But trying to actually use does not work, I get an error like: 'please insert card: […]' So.

This is a known issue, have a look here [0].

> What can I do to make gpg use the card as well (if possible) ?

You can follow the guide in that repository and move your private key to the Yubikey (be careful, once there the key *cannot* be moved anywhere else) and configure gpg to retrieve the key from there (I think by adding `use-agent` in the gpg.conf file). Feel free to have a look here [1].

> Another thing I would really love to know is: Is it possible to use the gpg card as smartcard for the system login as well? Right now I am using the PIV functionality of the yubikey, but would really prefer to use one system.

AFAIK it is possible using the Yubikey PAM module [2] but I have never tested it and I don't know if it works for all use cases.

> Last but not least I am still on a quest for a setup to use Full Disk Encryption and Security Token to actually decrypt the Disk on boot.

Off the top of my head I can think of a setup using LUKS volumes but don't have specific advice on the matter.

cheers,

[0] https://github.com/drduh/YubiKey-Guide/issues/19#issuecomment-458663857
[1] https://git.sr.ht/~jman/dotfiles/tree/master/item/gnupg/.gnupg
[2] https://developers.yubico.com/yubico-pam/
gpg cards
Hello Everybody!

I have tried to find something in the docs about this, but without success. For quite a while now, I am using a yubikey as gpg card and that is working really well. Since it is risky to have only one key, I just purchased another one to create a clone of the first. So I went ahead and copied the very same keys from the backup to the second. But trying to actually use it does not work, I get an error like: 'please insert card: […]' So.

What can I do to make gpg use the card as well (if possible)?

Another thing I would really love to know is: Is it possible to use the gpg card as smartcard for the system login as well? Right now I am using the PIV functionality of the yubikey, but would really prefer to use one system.

Does anybody know if that is possible?

Last but not least I am still on a quest for a setup to use Full Disk Encryption and a Security Token to actually decrypt the disk on boot.

Does anybody know if that is possible with a gpg card?

Thanks ahead for any kind of help.

Best
philipp