RE: Provide user PIN to gpg-agent?

2015-12-02 Thread Harbord Jonathan-EURITEC
Niibe-san

Thank you so much for your help! It worked.

I was using gpg4win, which of course does not include v2.1. I need to download 
the Windows version from gnupg.org.

I had some difficulty with the syntax of a Windows batch file but eventually 
succeeded with

gpg-connect-agent.exe --run 

Where  contained:

OPTION pinentry-mode=loopback
/definqfile PASSPHRASE 
SCD CHECKPIN 
/bye


And where  was the ID of the card from gpg --card-status as you suggested,
and  was a file containing the PIN.

Thank you again for your kind advice.



-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of NIIBE 
Yutaka
Sent: 02 December 2015 03:07
To: gnupg-users@gnupg.org
Subject: Re: Provide user PIN to gpg-agent?

On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote:
> Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
> 
> I'd like to stop the pinentry program appearing for an automated system.

Please note that I don't have any experience like that, and I don't generally 
recommend such a usage.

In general, we can provide a special application specific pinentry program for 
such a special purpose.

In GnuPG 2.1.x, there is the allow-loopback-pinentry option.  When it is 
enabled in .gnupg/gpg-agent.conf or as an argument when invoking gpg-agent, we 
can do something like:

gpg-connect-agent \
"OPTION pinentry-mode=loopback" \
'/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \
"SCD CHECKPIN " /bye


having a file /tmp/passphrase-for-smartcard, where  is the one in the 
output of 'gpg --card-status' like:

Application ID ...: D276000124010200F5170001

Substitute  by D276000124010200F5170001.

Please try.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread the2nd



On 2015-12-02 14:26, NIIBE Yutaka wrote:
> On 2015-12-02 at 12:36 +0100, the...@otpme.org wrote:
>> here is the output for a failed session and a working one (with
>> openssh 6.7p1).
>> Both times i started two ssh sessions, keeping the first one open.
>
> Thank you very much.

No problem. I'm glad to help out and probably get a fix for this 
annoying issue. :)

>> Failed
>> gpg-agent.log - http://paste.ubuntu.com/13620856/
>
> There are three connections from SSH:
>
>   (1) handler 0x557c807ec310 for fd 8
>   (2) handler 0x557c807eebb0 for fd 10
>   (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used)
>
>   token removed
>   |
>   v
>    (1) -->
> (2)-->
>    (3)-->
>   ** conflicting use
>
>> scd.log - http://paste.ubuntu.com/13620863/
>
> There are two connections from gpg-agent:
>
>   (a) chan_7 from (1)
>   (b) chan_9 from (3)
>
>   token removed
>   |
>   v
>  (a) -->
> (b)-->
>    ** conflicting use
>
> The connection from SSH remains in gpg-agent for some reason.  This is
> the reason why the connection from gpg-agent remains in Scdaemon,
> which results in conflicting use.
>
> Anyway, when Scdaemon detects card/token removal, it could finish
> existing connection(s).  I'll consider fixing this.

Sounds good. Should i open a bug report for this?

> I don't know the exact reason why connection from SSH remains, though.
>
>> I am unsure if it is yubikey specific but as it is working with older
>> openssh versions i guess its some bug thats related to any openssh
>> changes.
>
> From the logs, I don't think it's yubikey specific.
>
>> If you say that this is not a gnupg issue i'll ask the yubico folks.
>> But it would be really great to get any hint what could be the problem
>> from someone who is familiar with the technical details. :)
>
> This is a GnuPG issue, specifically, a Scdaemon issue.

Is there any workaround we can apply to fix this issue? Currently i am 
using a self compiled ssh client binary of openssh 6.7p1 as workaround.

Thanks a lot for your help.

Regards
the2nd




question about gpg2 and passphrase

2015-12-02 Thread Smith, Cathy
I need to be able to decrypt a file using gpg2 in batch.  I have a customer who 
requires us to provide a public key that is RSA 2048 bit.  I have RHEL6 
available which provides gpg 2.0.14 to create the key pair.  However, I’ve not 
been able to use gpg2 in batch to provide the passphrase to decrypt a file.  It 
wants an interactive prompt for the passphrase.  I’ve tried some things that 
I’ve read on-line without any success.  Is there a way to configure gpg2 to 
accept a passphrase in batch?

Thanks for your help.


Cathy
--
Cathy L. Smith
IT Engineer, CISSP

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax:   509.375.4399
Email: cathy.sm...@pnnl.gov


Cannot revoke a certificate

2015-12-02 Thread David
I am trying to revoke a very old certificate that may be compromised.  I
generated a revocation certificate using the following gpg command with
no errors.  I did get a warning about MD5 being deprecated.

C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D
 
However, I cannot use it.  Here is the output:

C:\Users\David> gpg --import .\kill7827.asc
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 80942C8D: invalid revocation certificate: Invalid digest
algorithm - rejected
gpg: error reading `.\\kill7827.asc': Invalid digest algorithm
gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm
gpg: Total number processed: 0
C:\Users\David>

How do I force gpg to accept the revocation?  Or, how do I revoke the
old key?

Win10
GnuPG 2.0.29 (Gpg4Win 2.3.0)





Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread NIIBE Yutaka
On 12/02/2015 11:35 PM, the...@otpme.org wrote:
> No problem. I'm glad to help out and probably get a fix for this annoying 
> issue. :)

Thanks for your patience.

>> Anyway, when Scdaemon detects card/token removal, it could finish
>> existing connection(s).  I'll consider fixing this.
> 
> Sounds good. Should i open a bug report for this?

Not needed.  It's fixed in master.  I'm going to backport this to 2.0.

The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3

> Is there any workaround we can apply to fix this issue? Currently i
> am using a self compiled ssh client binary of openssh 6.7p1 as
> workaround.

Well, I found another bug with PC/SC.  Because of this bug, it is
sometimes (not always) possible for gpg not to raise the error of
"Conflicting usage".  So, it would be a workaround to disable the internal
ccid driver of GnuPG and to use PC/SC.  (I don't recommend it, though.)

Here is a backport patch which I'm considering applying to 2.0.

Thank you again for your cooperation fixing this long standing bug.

=
diff --git a/scd/apdu.c b/scd/apdu.c
index f9a1a2d..acca799 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
 return SW_HOST_NO_DRIVER;
   sw = apdu_disconnect (slot);
   if (sw)
-return sw;
+{
+  /*
+   * When the reader/token was removed it might come here.
+   * It should go through to call CLOSE_READER even if we got an error.
+   */
+  log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
+}
   if (reader_table[slot].close_reader)
 return reader_table[slot].close_reader (slot);
   return SW_HOST_NOT_SUPPORTED;
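Review bot: the non-zero `sw` from apdu_disconnect is now only logged and then discarded, so when `reader_table[slot].close_reader` is NULL the function returns SW_HOST_NOT_SUPPORTED instead of the disconnect error the caller used to see. If falling through is meant only to guarantee that CLOSE_READER runs, consider returning `sw` in the tail when no close_reader is set, or document that callers cannot rely on the return code after a token removal.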
diff --git a/scd/app-common.h b/scd/app-common.h
index e48db3c..ac2c2e9 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -44,11 +44,6 @@ struct app_ctx_s {
  operations the particular function pointer is set to NULL */
   unsigned int ref_count;

-  /* Flag indicating that a reset has been done for that application
- and that this context is merely lingering and just should not be
- reused.  */
-  int no_reuse;
-
   /* Used reader slot. */
   int slot;
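Review bot: dropping `no_reuse` from struct app_ctx_s changes the struct layout, so any remaining reference to the field outside the hunks shown here will fail to compile; since this is a backport to the 2.0 branch, grep scd/ for `no_reuse` before applying. The commit message should also state that the reset case is now handled by releasing the app in application_notify_card_reset rather than by a lingering flag.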

diff --git a/scd/app.c b/scd/app.c
index 742f937..380a347 100644
--- a/scd/app.c
+++ b/scd/app.c
@@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
   /* FIXME: We are ignoring any error value here.  */
   lock_reader (slot, NULL);

-  /* Mark application as non-reusable.  */
+  /* Release the APP, as it's not reusable any more.  */
   if (lock_table[slot].app)
-lock_table[slot].app->no_reuse = 1;
+{
+  deallocate_app (lock_table[slot].app);
+  lock_table[slot].app = NULL;
+}

   /* Deallocate a saved application for that slot, so that we won't
  try to reuse it.  If there is no saved application, set a flag so
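Review bot: deallocate_app is now called on lock_table[slot].app while another connection may still hold a pointer to the same app (the struct carries a `ref_count`, per the app-common.h hunk). Unless deallocate_app only frees when the count drops to zero, this leaves the other connection with a dangling app_t; please confirm the ref_count handling or add a comment at this call site explaining why releasing here is safe.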
@@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char 
*name, app_t *r_app)
 return gpg_error (GPG_ERR_CONFLICT);
   }

-  /* Don't use a non-reusable marked application.  */
-  if (app && app->no_reuse)
-{
-  unlock_reader (slot);
-  log_info ("lingering application `%s' in use by reader %d"
-" - can't switch\n",
-app->apptype? app->apptype:"?", slot);
-  return gpg_error (GPG_ERR_CONFLICT);
-}
-
   /* If we don't have an app, check whether we have a saved
  application for that slot.  This is useful so that a card does
  not get reset even if only one session is using the card - this
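Review bot: removing this block also removes the only user-visible diagnostic for the reset case (the `log_info ("lingering application ... can't switch")`). After the change a connection whose card was reset falls through silently to the saved-application lookup below; a log_debug at this point noting that the slot's app was released by a card reset would keep the behaviour traceable in scd.log, which is exactly the log the reporter was asked to collect.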
@@ -506,15 +499,7 @@ release_application (app_t app)

   if (lock_table[slot].last_app)
 deallocate_app (lock_table[slot].last_app);
-  if (app->no_reuse)
-{
-  /* If we shall not re-use the application we can't save it for
- later use. */
-  deallocate_app (app);
-  lock_table[slot].last_app = NULL;
-}
-  else
-lock_table[slot].last_app = lock_table[slot].app;
+  lock_table[slot].last_app = lock_table[slot].app;
   lock_table[slot].app = NULL;
   unlock_reader (slot);
 }
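Review bot: the tail of release_application now saves lock_table[slot].app to last_app without checking it against the `app` argument. If application_notify_card_reset has already released the slot's app and set it to NULL (first app.c hunk), a caller releasing its stale `app` pointer arrives here with lock_table[slot].app == NULL, which is harmless, but the mismatch is no longer detected; a check that `app == lock_table[slot].app` (or a log_debug when it differs) would catch callers that outlive a reset.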
-- 



Re: question about gpg2 and passphrase

2015-12-02 Thread gnupg
Andrey Utkin wrote:

> On 02.12.2015 22:12, Smith, Cathy wrote:
> > I need to be able to decrypt a file using gpg2 in batch.  I have a
> > customer who requires us to provide a public  key that is  RSA 2048 bit.
> >  I have RHEL6 available which provides gpg 2.0.14 to create the key
> > pair.  However,  I’ve not been able to use gpg2 in batch to provide the
> > passphrase to decrypt a file.  It wants an interactive prompt for the
> > passphrase.  I’ve tried some things that I’ve read on-line without any
> > success.  Is there a way to configure gpg2 to accept a passphrase in
> > batch?
> 
> Hi,
> Have you tried generating a key with empty passphrase?

Hi,

Warning: I am not an expert. I only just found out how to do this myself.

If it needs to always work with no intervention and it's safe to leave the
key unencrypted on disk permanently (unlikely) then having an empty
passphrase is definitely the easy option but if you can't leave the key
unencrypted on disk and decryption only needs to occur at certain known
times, and it's OK to have someone supply the passphrase in advance, then
the following approach might be more appropriate.

You can run gpg-agent explicitly as a daemon and use the
--allow-preset-passphrase option and then use gpg-preset-passphrase to load
a passphrase into it.

The gpg-agent command will probably also need the --write-env-file option to
store the gpg-agent socket details on disk so other, unrelated processes can
connect to the gpg-agent.

Here's an example gpg-agent command:

  $ gpg-agent \
  >   --homedir /PATH/TO/.gnupg \
  >   --write-env-file /PATH/TO/.gpg-agent-info \
  >   --allow-preset-passphrase \
  >   --max-cache-ttl 7200 \
  >   --daemon -- \
  >   bash --login

To load the passphrase from within the bash process started above
(the double --fingerprint is important because it shows the key we need):

  $ gpg_cache_id="`gpg --homedir /PATH/TO/.gnupg --fingerprint --fingerprint USER@DOMAIN |
  >   grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
  $ systemd-ask-password 'Enter GPG passphrase:' |
  >   /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"

To load the passphrase from an unrelated process, you would first need to do
the following to connect to the gpg-agent before loading the passphrase into
gpg-agent as described above:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO

The process that needs to perform the decryption would also need to do the
above if it is from a process that is unrelated to the bash process started
by gpg-agent. e.g.:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO
  # unset GPG_TTY # This is probably unnecessary
  $ gpg --batch --quiet --no-greeting --no-tty --use-agent \
  >   --homedir /PATH/TO/.gnupg --decrypt < ENCRYPTEDFILE > DECRYPTEDFILE

Note that the passphrase will stay resident in gpg-agent until gpg-agent
terminates, or until it is explicitly forgotten with:

  /usr/lib/gnupg2/gpg-preset-passphrase --forget "$gpg_cache_id"

or until the max-cache-ttl expires, whichever comes first. By default, this
is 7200 seconds (i.e. two hours) but it can be increased or decreased on the
gpg-agent command line.

It's probably a very bad idea to increase it too much and leave the
passphrase available permanently. If that were OK, you might as well use an
unencrypted key with no passphrase. But if it were OK, there'd be a
gpg-agent option to remove the TTL limit altogether, but there is no such
option.

Notes:
The gpg commands above (--fingerprint and --decrypt) should still work
if they were changed to gpg2. That's probably more sensible since gpg-agent
is a gpg2 thing but gpg works too so I use that.

If you don't have systemd-ask-password, you could use ssh-askpass but
it requires X11. It only takes a few lines of Perl to implement your own
askpass program if needed.

Also, don't set $DISPLAY to be empty before running gpg-preset-passphrase.
If you need to disable X11, unset DISPLAY instead or gpg-preset-passphrase
will give an error:

  gpg-preset-passphrase: problem setting the gpg-agent options
  gpg-preset-passphrase: caching passphrase failed: Invalid response

Also, the gpg-agent command can be run inside a screen or tmux session so
that you can detach from it and reattach to it again later to terminate it.

Also, I don't know about RHEL6. The above works on debian-8 and ubuntu-14.04.3
which have gpg2 2.0.26 and 2.0.22, respectively. Hopefully, it will all
work on RHEL6 with gpg2 2.0.14 as well.

Good luck,
raf
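As an added example, not code from raf's post or from GnuPG itself, here is the sequence above as a small POSIX sh script: compute the cache id from the double `--fingerprint` listing, preset the passphrase into an already-running gpg-agent, decrypt in batch mode, then forget the passphrase. The function names, the constructed `gpg --fingerprint` listing (not real keys), the `GPG_PRESET_PASSPHRASE` path override and the 40-hex-digit sanity check are assumptions of this example; the passphrase is read from stdin so the `systemd-ask-password ... |` form from the post feeds it directly.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from GnuPG): the batch
# decryption flow raf describes, as shell functions.  Assumptions: the
# GnuPG 2.0-era tools the thread discusses, gpg-preset-passphrase at the
# path raf gives (override with GPG_PRESET_PASSPHRASE), GPG_AGENT_INFO
# already exported from the --write-env-file output, passphrase on stdin.

# Cache id as raf derives it: the *last* "Key fingerprint" line of
# `gpg --fingerprint --fingerprint UID` is the subkey's (the decryption
# key's) fingerprint; strip the label and spaces.  POSIX `[^=]*` is used
# instead of GNU `[^=]\+` so the sed also works on BSD/busybox sed.
fingerprint_from_listing() {
    printf '%s\n' "$1" \
        | grep 'Key fingerprint' \
        | tail -n 1 \
        | sed -e 's/^[^=]*= *//' -e 's/ //g'
}

# A v4 fingerprint is exactly 40 hex digits; anything else means the
# grep/sed matched the wrong thing (or no key) and we must stop rather
# than preset a passphrase under a bogus id.
is_v4_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
        ????????????????????????????????????????) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `gpg --fingerprint --fingerprint` output in the
# GnuPG 2.0 layout.  These are NOT real keys.
SAMPLE_LISTING='pub   2048R/0A1B2C3D 2015-12-02
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0A1B 2C3D
uid                  Batch Decrypt Service <batch@example.invalid>
sub   2048R/4E5F6071 2015-12-02
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 4E5F 6071'

# Full sequence from the post.  Returns non-zero at the first failing step.
# The passphrase comes from our stdin (e.g. systemd-ask-password | ...),
# never from an argument, so it does not show up in `ps`.
preset_and_decrypt() {
    homedir=$1 uid=$2 infile=$3 outfile=$4
    preset=${GPG_PRESET_PASSPHRASE:-/usr/lib/gnupg2/gpg-preset-passphrase}

    listing=$(gpg --homedir "$homedir" --fingerprint --fingerprint "$uid") || return 1
    cache_id=$(fingerprint_from_listing "$listing")
    is_v4_fingerprint "$cache_id" || { echo "no usable fingerprint for $uid" >&2; return 1; }

    "$preset" --preset "$cache_id" || return 1

    gpg --batch --quiet --no-greeting --no-tty --use-agent \
        --homedir "$homedir" --output "$outfile" --decrypt "$infile" || return 1

    # Drop the passphrase as soon as the job is done instead of waiting
    # for max-cache-ttl to expire.
    "$preset" --forget "$cache_id"
}

# Run the real thing only when invoked directly with four arguments.
if [ "$#" -eq 4 ]; then
    preset_and_decrypt "$@"
fi
```

Usage, after `. /PATH/TO/.gpg-agent-info; export GPG_AGENT_INFO` in the calling shell: `systemd-ask-password 'Enter GPG passphrase:' | sh batch-decrypt.sh /PATH/TO/.gnupg USER@DOMAIN ENCRYPTEDFILE DECRYPTEDFILE`. The fingerprint-as-cache-id matches the GnuPG 2.0 releases the thread is about; on GnuPG 2.1 and later gpg-preset-passphrase keys the cache on the keygrip instead, so the extraction function would have to read `gpg --with-keygrip -K` output there.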




Re: Why gpg 2.1.9 cannot export secret key without passphrase?

2015-12-02 Thread Andrey Utkin
Thank you for your hints Peter.

The following tiny changes allow exporting and importing to succeed

https://github.com/andrey-utkin/gnupg/commit/a3b539b6ef7c922b1f1f3f343fdc942086d96c4e

Is the approach of using "s2kmode = 0" and "protection sha1" together
correct? Shouldn't "protection none" be used?

-- 
OpenPGP usage is appreciated (it also helps your letter to bypass spam
filters). To email me with encryption easily, go
https://encrypt.to/0xC6FCDB11





Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread Lance R. Vick
I came up with the following udev rule which, while heavy handed, solves
these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7



-- 
Lance R. Vick
__
Cell  -  407.283.7596
Gtalk -  la...@lrvick.net
Website   -  http://lrvick.net
PGP Key   -  http://lrvick.net/0x36C8AAA9.asc
keyserver -  subkeys.pgp.net
__

Re: question about gpg2 and passphrase

2015-12-02 Thread Andrey Utkin
On 02.12.2015 22:12, Smith, Cathy wrote:
> I need to be able to decrypt a file using gpg2 in batch.  I have a
> customer who requires us to provide a public  key that is  RSA 2048 bit.
>  I have RHEL6 available which provides gpg 2.0.14 to create the key
> pair.  However,  I’ve not been able to use gpg2 in batch to provide the
> passphrase to decrypt a file.  It wants an interactive prompt for the
> passphrase.  I’ve tried some things that I’ve read on-line without any
> success.  Is there a way to configure gpg2 to accept a passphrase in
> batch?

Hi,
Have you tried generating a key with empty passphrase?





gpg-preset-passphrase: problem setting the gpg-agent options [caused by empty $DISPLAY]

2015-12-02 Thread gnupg
Hi,

ubuntu-14.04.3 LTS
gnupg-1.4.16-1ubuntu2.3
gnupg2-2.0.22-3ubuntu1.3
gnupg-agent-2.0.22-3ubuntu1.3

I've just started using gpg-agent and gpg-preset-passphrase to store a
passphrase briefly.

Yesterday, this was working fine on two hosts.
Today, it stopped working on one of them.

The gpg-agent command looks like:

  $ /usr/bin/screen -- \
  > /usr/bin/sudo -u thing --set-home -- \
  > /usr/bin/gpg-agent \
  > --homedir /etc/thing/.gnupg \
  > --write-env-file /etc/thing/run/.gpg-agent-info \
  > --allow-preset-passphrase \
  > --daemon -- \
  > /bin/bash --login

And the gpg-preset-passphrase command looks like:

  $ gpg_cache_id="`/usr/bin/gpg --homedir /etc/thing/.gnupg --fingerprint --fingerprint th...@example.com |
  >   grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
  $ my-ask-password 'Enter the GPG passphrase:' |
  >   /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"
  
The gpg-preset-passphrase command is executed from within the .bash_login
script that is executed by bash that is run by gpg-agent in the first
command above.

So yesterday, this worked perfectly. Today, when I try it, I get:

  Enter the GPG passphrase:
  gpg-preset-passphrase: problem setting the gpg-agent options
  gpg-preset-passphrase: caching passphrase failed: Invalid response

Is there any way to find out what the problem was? I couldn't find any
log messages with more information and adding the -v option to
gpg-preset-passphrase didn't add anything.

There's nothing wrong with the cache id. It hasn't changed since yesterday.

Hang on, I've found out what caused it:

  $ DISPLAY=

Yesterday, I was logged into the problem host from the same LAN so I had
$DISPLAY set. Today, I'm logged in from further away and cleared $DISPLAY to
prevent slow X11 traffic.

When I turn off X11, I do it by setting DISPLAY to the empty string. That has
always worked for all other programs but it seems that gpg-preset-passphrase
is assuming that if $DISPLAY exists, then it must contain something useful
and, if not, it runs into problems. At least that's what it seems like.

If I do the following instead:

  $ unset DISPLAY

Then gpg-preset-passphrase works fine.

It seems to me to be a buglet in gpg-preset-passphrase because it's the only
program I've encountered that doesn't treat an empty $DISPLAY the same as an
absent $DISPLAY.

This also applies to:

debian-8
gnupg-1.4.18-7
gnupg2-2.0.26-6
gnupg-agent-2.0.26-6

But at least I know now what not to do to keep it working. :-)

cheers,
raf




Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread the2nd

Hi,

here is the output for a failed session and a working one (with openssh 
6.7p1).

Both times i started two ssh sessions, keeping the first one open.

Failed
gpg-agent.log - http://paste.ubuntu.com/13620856/
scd.log - http://paste.ubuntu.com/13620863/

OK
gpg-agent.log - http://paste.ubuntu.com/13621007/
scd.log - http://paste.ubuntu.com/13621013/


I am unsure if it is yubikey specific but as it is working with older 
openssh versions i guess its some bug thats related to any openssh 
changes.
The log always shows "error getting default authentication keyID of 
card: Conflicting use" when the problem occurs.

If you say that this is not a gnupg issue i'll ask the yubico folks.
But it would be really great to get any hint what could be the problem 
from someone who is familiar with the technical details. :)


regards
the2nd


On 2015-12-02 08:16, NIIBE Yutaka wrote:
> On 2015-12-01 at 11:55 +0100, the...@otpme.org wrote:
>> There is just one gpg-agent + scdaemon.
>
> OK.
>
>> Do you keep the first SSH session open when re-plugging the yubikey?
>
> I don't use Yubikey.  I use OpenPGPcard with card reader and Gnuk
> Token.  If you think your problem is Yubikey specific, it would be
> good to ask Yubikey community.
>
> I keep the SSH session when I remove my token, re-insert it and.  I
> also tried with the setting of 'ForwardAgent yes' in .ssh/config and
> used SSH to another remote host.  But I can't reproduce.
>
> To debug your situation, please add 'verbose' in your
> .gnupg/gpg-agent.conf and create a file .gnupg/scdaemon.conf with:
>
> =
> debug-level guru
> debug-all
> log-file /tmp/scd.log
> =
>
> Before your experiment, please set your PIN by default one, because
> the scd.log file will include your PIN information.




Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread NIIBE Yutaka
On 2015-12-02 at 12:36 +0100, the...@otpme.org wrote:
> here is the output for a failed session and a working one (with
> openssh 
> 6.7p1).
> Both times i started two ssh sessions, keeping the first one open.

Thank you very much.


> Failed
> gpg-agent.log - http://paste.ubuntu.com/13620856/

There are three connections from SSH:

  (1) handler 0x557c807ec310 for fd 8
  (2) handler 0x557c807eebb0 for fd 10
  (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used)

  token removed
  | 
  v
   (1) -->
(2)-->
   (3)-->
  ** conflicting use

> scd.log - http://paste.ubuntu.com/13620863/

There are two connections from gpg-agent:

  (a) chan_7 from (1)
  (b) chan_9 from (3)

  token removed
  | 
  v
 (a) -->
(b)-->
   ** conflicting use


The connection from SSH remains in gpg-agent for some reason.  This is
the reason why the connection from gpg-agent remains in Scdaemon,
which results in conflicting use.

Anyway, when Scdaemon detects card/token removal, it could finish
existing connection(s).  I'll consider fixing this.

I don't know the exact reason why connection from SSH remains, though.

> I am unsure if it is yubikey specific but as it is working with older
> openssh versions i guess its some bug thats related to any openssh 
> changes.

From the logs, I don't think it's yubikey specific.

> If you say that this is not a gnupg issue i'll ask the yubico folks.
> But it would be really great to get any hint what could be the
> problem 
> from someone who is familiar with the technical details. :)

This is a GnuPG issue, specifically, a Scdaemon issue.
-- 
