Re: scdaemon lockup with Yubikey NEO

2015-12-02 Thread Lance R. Vick
I came up with the following udev rule which, while heavy-handed, solves
these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7

On Wed, Dec 2, 2015 at 6:54 PM, NIIBE Yutaka <gni...@fsij.org> wrote:

> On 12/02/2015 11:35 PM, the...@otpme.org wrote:
> > No problem. I'm glad to help out and probably get a fix for this
> annoying issue. :)
>
> Thanks for your patience.
>
> >> Anyway, when Scdaemon detects card/token removal, it could finish
> >> existing connection(s).  I'll consider fixing this.
> >
> > Sounds good. Should I open a bug report for this?
>
> Not needed.  It's fixed in master.  I'm going to backport this to 2.0.
>
> The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
>
> > Is there any workaround we can apply to fix this issue? Currently I
> > am using a self-compiled ssh client binary of openssh 6.7p1 as a
> > workaround.
>
> Well, I found another bug with PC/SC.  Because of this bug, it is
> sometimes (not always) possible for gpg not to raise the error of
> "Conflicting usage".  So, it would be a workaround to disable the internal
> ccid driver of GnuPG and to use PC/SC.  (I don't recommend it, though.)
>
> Here is a backport patch which I'm considering applying to 2.0.
>
> Thank you again for your cooperation fixing this long-standing bug.
>
> =
> diff --git a/scd/apdu.c b/scd/apdu.c
> index f9a1a2d..acca799 100644
> --- a/scd/apdu.c
> +++ b/scd/apdu.c
> @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot)
>  return SW_HOST_NO_DRIVER;
>sw = apdu_disconnect (slot);
>if (sw)
> -return sw;
> +{
> +  /*
> +   * When the reader/token was removed it might come here.
> +   * It should go through to call CLOSE_READER even if we got an
> error.
> +   */
> +  log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw);
> +}
>if (reader_table[slot].close_reader)
>  return reader_table[slot].close_reader (slot);
>return SW_HOST_NOT_SUPPORTED;
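Review bot: with the early `return sw;` gone, a failed apdu_disconnect on a slot whose `close_reader` is NULL now falls through to `return SW_HOST_NOT_SUPPORTED;` and the real disconnect error survives only in the debug log; consider `return sw;` on that final fallback so callers still learn why the close failed. The new comment is also wrapped mid-sentence by the mail client ("error." on its own line) and needs rejoining before the patch will apply.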
> diff --git a/scd/app-common.h b/scd/app-common.h
> index e48db3c..ac2c2e9 100644
> --- a/scd/app-common.h
> +++ b/scd/app-common.h
> @@ -44,11 +44,6 @@ struct app_ctx_s {
>   operations the particular function pointer is set to NULL */
>unsigned int ref_count;
>
> -  /* Flag indicating that a reset has been done for that application
> - and that this context is merely lingering and just should not be
> - reused.  */
> -  int no_reuse;
> -
>/* Used reader slot. */
>int slot;
>
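Review bot: dropping `no_reuse` from struct app_ctx_s is only safe if every remaining reader of the field goes in the same patch; this series removes the uses in app.c, but a backport to the 2.0 branch should be grep-checked for any other `->no_reuse` access first, since a leftover one fails at compile time rather than misbehaving quietly.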
> diff --git a/scd/app.c b/scd/app.c
> index 742f937..380a347 100644
> --- a/scd/app.c
> +++ b/scd/app.c
> @@ -190,9 +190,12 @@ application_notify_card_reset (int slot)
>/* FIXME: We are ignoring any error value here.  */
>lock_reader (slot, NULL);
>
> -  /* Mark application as non-reusable.  */
> +  /* Release the APP, as it's not reusable any more.  */
>if (lock_table[slot].app)
> -lock_table[slot].app->no_reuse = 1;
> +{
> +  deallocate_app (lock_table[slot].app);
> +  lock_table[slot].app = NULL;
> +}
>
>/* Deallocate a saved application for that slot, so that we won't
>   try to reuse it.  If there is no saved application, set a flag so
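Review bot: deallocate_app is now invoked on a card reset while `ref_count` (declared in app-common.h above) may still be non-zero for another session; unless deallocate_app honours that count, a session still holding the app pointer will touch freed memory on its next call. The `FIXME: We are ignoring any error value here` on the lock_reader call above is worth resolving in the same change, because freeing the app when the lock was not actually acquired would race with the select path.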
> @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char
> *name, app_t *r_app)
>  return gpg_error (GPG_ERR_CONFLICT);
>}
>
> -  /* Don't use a non-reusable marked application.  */
> -  if (app && app->no_reuse)
> -{
> -  unlock_reader (slot);
> -  log_info ("lingering application `%s' in use by reader %d"
> -" - can't switch\n",
> -app->apptype? app->apptype:"?", slot);
> -  return gpg_error (GPG_ERR_CONFLICT);
> -}
> -
>/* If we don't have an app, check whether we have a saved
>   application for that slot.  This is useful so that a card does
>   not get reset even if only one session is using the card - this
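Review bot: the deleted block was the only place that logged why a `GPG_ERR_CONFLICT` was being raised; the `return gpg_error (GPG_ERR_CONFLICT);` still visible at the top of this hunk now fails without a message, so the "Conflicting use" reports earlier in this thread become harder to diagnose from a log file. Suggest a log_info with the slot number on that remaining path, as the removed code had.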
> @@ -506,15 +499,7 @@ release_application (app_t app)
>
>if (lock_table[slot].last_app)
>  deallocate_app (lock_table[slot].last_app);
> -  if (app->no_reuse)
> -{
> -  /* If we shall not re-use the application we can't save it for
> - later use. */
> -      deallocate_app (app);
> -  lock_table[slot].last_app = NULL;
> -}
> -  else
> -lock_table[slot].last_app = lock_table[slot].app;
> +  lock_table[slot].last_app = lock_table[slot].app;
>lock_table[slot].app = NULL;
>unlock_reader (slot);
>  }
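Review bot: release_application now saves `lock_table[slot].app` into last_app unconditionally, but after the app.c change above a card reset already frees and NULLs `lock_table[slot].app`; a session that calls release_application after such a reset passes an `app` that no longer matches the table entry and, if `slot` is read from `app` earlier in this function, a dangling one. Suggest guarding on `lock_table[slot].app == app` (or handling the NULL case explicitly) before the save.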
> --
>

Re: scdaemon lockup with Yubikey NEO

2015-11-21 Thread Lance R. Vick
This happens to me constantly as well. In my case I frequently need to kill
and restart gpg-agent to get things working again on both Arch Linux and
Gentoo.

On Sat, Nov 21, 2015 at 4:41 AM, the2nd <the...@otpme.org> wrote:

> Hi Ben,
>
> We have a similar problem since we've upgraded from Ubuntu 15.04 to
> 15.10.  When starting gpg-agent with --log-file the log shows the following:
>
> 2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
> 2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed:
> Conflicting use
> 2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication
> keyID of card: Conflicting use
>
> I've asked the list several times about this issue but got no answer yet.
> So I don't have a solution but it may be interesting if your problem is the
> same...
>
> Regards
> The2nd
>
>
>  Original message 
> From: Ben Warren
> Date: 11.20.2015 16:26 (GMT+01:00)
> To: gnupg-users@gnupg.org
> Subject: scdaemon lockup with Yubikey NEO
>
> Hi,
>
> I’ve noticed several other problem reports that seem similar, hopefully
> they’re all related and there’s a simple fix.
>
> The problem:
>
> After an indeterminate amount of time (sometimes minutes, sometimes
> hours), any GPG operation that uses my Yubikey NEO device hangs.  The two
> most common operations are SSH authentication and git signing.  The
> following sequence gets things going again:
>
> $ killall -SIGKILL scdaemon
>
> $ gpg2 --card-status
>
> System particulars:
>
>
>  - Host OS is OS-X Yosemite, although it is also present on Mavericks
>    (haven’t tried El Capitan yet)
>  - GPG 2.1.5
>  - Using the Yubikey’s authentication subkey to login to remote Linux
>    hosts
>  - Using the Yubikey’s signing subkey for git signing operations, both
>    local and remote
>  - Using gpg-agent for forwarding both GPG and SSH (great features,
>    BTW!)
>
>
> GPG configuration file:
>
> $ cat ~/.gnupg/gpg-agent.conf
> default-cache-ttl 1
> ignore-cache-for-signing
> no-allow-external-cache
> max-cache-ttl 1
> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
> debug-all
> log-file ${HOME}/.gnupg/mygpglogfile.log
> enable-ssh-support
>
>
> I’ll be happy to help debug this, but need some guidance.
>
>
> thanks,
>
> Ben
>


-- 
Lance R. Vick
__
Cell  -  407.283.7596
Gtalk -  la...@lrvick.net
Website   -  http://lrvick.net
PGP Key   -  http://lrvick.net/0x36C8AAA9.asc
keyserver -  subkeys.pgp.net
__
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
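The recovery steps in this thread (re-run `gpg --card-status` to make scdaemon re-open the token, and if that is not enough, kill scdaemon and let gpg-agent respawn it) can be scripted so that a shell session checks the token before an ssh or git signing operation. The script below is an added example, not code from the thread or from GnuPG; it assumes a GnuPG 2.x install with `gpg`, `gpg-connect-agent` and `killall` on PATH, and it uses the `scd apdu 00 f1 00 00` version query that Lance shows later in this thread as the liveness probe. The sample replies it classifies offline are constructed from the thread's terminal output.

```shell
#!/bin/sh
# Added example (not from the thread): detect a wedged scdaemon and apply the
# thread's workaround before using the token.  Assumes gpg 2.x on PATH.

# Classify one reply from gpg-connect-agent.  Prints one word:
#   ok      -- the reply ended with an "OK" status line
#   nocard  -- scdaemon answered "ERR ... Card not present"
#   error   -- any other ERR line (e.g. "Conflicting use")
#   unknown -- nothing recognisable (empty output, daemon not running)
classify_scd_reply() {
  case "$1" in
    *"Card not present"*) echo nocard ;;
    *ERR*)                echo error ;;
    *OK*)                 echo ok ;;
    *)                    echo unknown ;;
  esac
}

# Constructed sample replies, modelled on the output shown in this thread,
# so the classifier can be exercised without a token attached.
SAMPLE_OK='D[0000]  01 00 08 90 00   .....
OK'
SAMPLE_NOCARD='ERR 100663408 Card not present <SCD>'

# Live probe: ask scdaemon for the Yubikey version; prints the raw reply.
query_card_version() {
  gpg-connect-agent --hex 'scd apdu 00 f1 00 00' /bye 2>&1
}

# Recovery ladder from the thread: first the gentle re-scan, then the hard
# reset (kill scdaemon; gpg-agent restarts it on the next request).
wake_scdaemon() {
  gpg --card-status >/dev/null 2>&1 && return 0
  killall scdaemon 2>/dev/null
  sleep 1
  gpg --card-status >/dev/null 2>&1
}

# Returns 0 once the token answers, 1 if it is still unreachable after one
# recovery attempt.  Callers can gate ssh/git on this.
ensure_card_ready() {
  _state=$(classify_scd_reply "$(query_card_version)")
  [ "$_state" = ok ] && return 0
  wake_scdaemon
  _state=$(classify_scd_reply "$(query_card_version)")
  [ "$_state" = ok ]
}

# Only talk to a real agent when explicitly asked, so the functions can be
# sourced (or tested on the samples above) without side effects.
if [ "${1:-}" = "--live" ]; then
  if ensure_card_ready; then
    echo "card ready"
  else
    echo "card still unavailable after wake attempt" >&2
    exit 1
  fi
fi
```

Run it as `sh scd-wake.sh --live` from a shell function that wraps `ssh`, or source it and call `ensure_card_ready` before a signing operation; the `killall scdaemon` step is the thread's own escalation and is only reached when `gpg --card-status` alone does not bring the token back.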


Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread Lance R. Vick
I only ever tried this on 2.0.0 as far as older versions go, and that was
similarly broken. I didn't bother documenting as I saw there were some
smartcard updates in 2.1.4 so I upgraded.

Just now had another variation (on 2.1.4):

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card status` - no card present
8. `gpg --card status` (again) - Got usual card output
9. ssh successfully again


On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch <w...@gnupg.org> wrote:

> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>
> > I've seen the error many times, also when I used a g10code smartcard,
> > but lately things have been smooth.  I think there have been a couple of
>
> Old versions of GnuPG assumed that there is a card reader which can tell
> you whether a card has been removed or inserted.  However USB tokens are
> different in that you insert/remove the entire reader.  gniibe fixed
> these problems some time ago.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Thoughts are free.  Exceptions are governed by a federal law.








Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread Lance R. Vick
Another example I just had happen:

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card status` - no card present
8. `gpg --card status` - no card present
9. `gpg --card status` - no card present
10. (...etc. it refused to come back this time)
11. killall gpg-agent
12. `gpg --card status` (again) - Got usual card output
13. ssh successfully again




Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-17 Thread Lance R. Vick
scd apdu 00 f1 00 00 is just a way to return a version number from a
Yubikey GPG smartcard. Any other GPG commands fail as well, such as
sign/encrypt/auth, until 'gpg --card-status' is run to wake the card back
up.

I would expect that when I perform a gpg command, it should query
gpg-agent, which sees the stub of my key, then starts up/refreshes
scdaemon/gpg-agent as needed, detects card, executes my action against the
card. This works on a first insertion as-is, just not on a
removal/re-insertion.

Is there no way for a running gpg-agent to check for smartcard presence on
the fly?


On Wed, Jun 17, 2015 at 4:55 AM, NIIBE Yutaka <gni...@fsij.org> wrote:

> Hello,
>
> On 06/17/2015 07:41 AM, Lance R. Vick wrote:
> > Every time I insert my yubikey into a system I must do 'gpg
> > --card-status' to make gpg-agent aware it exists again.
>
> Please pardon my ignorance, I don't have a Yubikey at hand.
>
> Is the following a common use case of Yubikey?
>
> > Using: gpg/gpg-agent 2.1.4
> >
> > Expected Results:
> >
> > 1. Insert yubikey
> > 2. Issue version command to gpg agent
> > 3. Version is reported
> > 4. Remove and re-insert key
> > 5. Issue version command to gpg agent
> > 6. version is reported
>
> And... is the following to get the version of the Yubikey?
>
> > [lrvick@tsar ~]$ gpg-connect-agent --hex scd apdu 00 f1 00 00 /bye
> > D[]  01 00 08 90 00 .
> > OK
>
> Yes, it only works after gpg --card-status or something.
>
> In the current implementation, gpg-agent invokes scdaemon on demand.
> (gpg-agent doesn't detect insertion of device or card.)
>
> I don't understand from where scd apdu 00 f1 00 00 came.
>
> Could you please share the reason why you consider it works well?
> --






gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-16 Thread Lance R. Vick
Very confused by this. Every time I insert my yubikey into a system I must
do 'gpg --card-status' to make gpg-agent aware it exists again.

Using: gpg/gpg-agent 2.1.4

Expected Results:

1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. version is reported

Actual Results:

1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. Card not present error

Current workaround when error is reached:

1. Issue 'gpg --card-status'
2. Issue version command to gpg agent
3. Version is reported

Stock gpg configs other than 'enable-ssh-support' in .gnupg/gpg-agent.conf

I have the following in my .zlogin to setup ssh env:

```
envfile=$HOME/.gnupg/gpg-agent.env
# Start a fresh agent only when no env file or no agent socket exists yet;
# the redirect captures the environment lines the agent prints into the file.
if [[ ! -e $envfile ]] || [[ ! -e $HOME/.gnupg/S.gpg-agent ]]; then
    gpg-agent --daemon --enable-ssh-support > "$envfile"
fi
eval "$(cat "$envfile")"
export SSH_AUTH_SOCK   # enable gpg-agent for ssh
```

Output of me reproducing this issue:

```
[lrvick@tsar ~]$ # key inserted
[lrvick@tsar ~]$ gpg-connect-agent --hex scd apdu 00 f1 00 00 /bye
D[]  01 00 08 90 00 .
OK

[lrvick@tsar ~]$ gpg --card-status

Application ID ...: D27600012401020603364644
Version ..: 2.0
Manufacturer .: Yubico
Serial number : 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..: male
URL of public key :
http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE90A401336C8AAA9
Login data ...: lrvick
Signature PIN : forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key : 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
  created : 2015-03-19 08:41:47
Encryption key: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
  created : 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
  created : 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick
(Personal) la...@lrvick.net
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb  rsa2048/F66444E5  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb  rsa2048/D94A0B8A  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb  rsa2048/F189271D  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never

[lrvick@tsar ~]$ # key removed
[lrvick@tsar ~]$ # key inserted

[lrvick@tsar ~]$ gpg-connect-agent --hex scd apdu 00 f1 00 00 /bye
ERR 100663408 Card not present <SCD>

[lrvick@tsar ~]$ gpg --card-status

Application ID ...: D27600012401020603364644
Version ..: 2.0
Manufacturer .: Yubico
Serial number : 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..: male
URL of public key :
http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE90A401336C8AAA9
Login data ...: lrvick
Signature PIN : forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key : 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
  created : 2015-03-19 08:41:47
Encryption key: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
  created : 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
  created : 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick
(Personal) la...@lrvick.net
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb  rsa2048/F66444E5  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb  rsa2048/D94A0B8A  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb  rsa2048/F189271D  created: 2015-03-19  expires: never
card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never

[lrvick@tsar ~]$ gpg-connect-agent --hex scd apdu 00 f1 00 00 /bye
D[]  01 00 08 90 00 .
OK

[lrvick@tsar ~]$ gpg --version
gpg (GnuPG) 2.1.4
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384