Re: scdaemon lockup with Yubikey NEO
I came up with the following udev rule which, while heavy handed, solves these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7 On Wed, Dec 2, 2015 at 6:54 PM, NIIBE Yutaka <gni...@fsij.org> wrote: > On 12/02/2015 11:35 PM, the...@otpme.org wrote: > > No problem. I'm glad to help out and probably get a fix for this > annoying issue. :) > > Thanks for your patience. > > >> Anyway, when Scdaemon detects card/token removal, it could finish > >> existing connection(s). I'll consider fixing this. > > > > Sounds good. Should i open a bug report for this? > > Not needed. It's fixed in master. I'm going to backport this to 2.0. > > The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3 > > > Is there any workaround we can apply to fix this issue? Currently i > > am using a self compiled ssh client binary of openssh 6.7p1 as > > workaround. > > Well, I found another bug with PC/SC. Because of this bug, it is > sometimes (not always) possible for gpg not to raise the error of > "Conflicting usage". So, it would be a workaround to disable internal > ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.) > > Here is a backport patch which I'm considering to apply to 2.0. > > Thank you again for your cooperation fixing this long standing bug. > > = > diff --git a/scd/apdu.c b/scd/apdu.c > index f9a1a2d..acca799 100644 > --- a/scd/apdu.c > +++ b/scd/apdu.c > @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot) > return SW_HOST_NO_DRIVER; >sw = apdu_disconnect (slot); >if (sw) > -return sw; > +{ > + /* > + * When the reader/token was removed it might come here. > + * It should go through to call CLOSE_READER even if we got an > error. > + */ > + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw); > +} >if (reader_table[slot].close_reader) > return reader_table[slot].close_reader (slot); >return SW_HOST_NOT_SUPPORTED; > diff --git a/scd/app-common.h b/scd/app-common.h > index e48db3c..ac2c2e9 100644 > --- a/scd/app-common.h 
> +++ b/scd/app-common.h > @@ -44,11 +44,6 @@ struct app_ctx_s { > operations the particular function pointer is set to NULL */ >unsigned int ref_count; > > - /* Flag indicating that a reset has been done for that application > - and that this context is merely lingering and just should not be > - reused. */ > - int no_reuse; > - >/* Used reader slot. */ >int slot; > > diff --git a/scd/app.c b/scd/app.c > index 742f937..380a347 100644 > --- a/scd/app.c > +++ b/scd/app.c > @@ -190,9 +190,12 @@ application_notify_card_reset (int slot) >/* FIXME: We are ignoring any error value here. */ >lock_reader (slot, NULL); > > - /* Mark application as non-reusable. */ > + /* Release the APP, as it's not reusable any more. */ >if (lock_table[slot].app) > -lock_table[slot].app->no_reuse = 1; > +{ > + deallocate_app (lock_table[slot].app); > + lock_table[slot].app = NULL; > +} > >/* Deallocate a saved application for that slot, so that we won't > try to reuse it. If there is no saved application, set a flag so > @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char > *name, app_t *r_app) > return gpg_error (GPG_ERR_CONFLICT); >} > > - /* Don't use a non-reusable marked application. */ > - if (app && app->no_reuse) > -{ > - unlock_reader (slot); > - log_info ("lingering application `%s' in use by reader %d" > -" - can't switch\n", > -app->apptype? app->apptype:"?", slot); > - return gpg_error (GPG_ERR_CONFLICT); > -} > - >/* If we don't have an app, check whether we have a saved > application for that slot. This is useful so that a card does > not get reset even if only one session is using the card - this 
> @@ -506,15 +499,7 @@ release_application (app_t app) > >if (lock_table[slot].last_app) > deallocate_app (lock_table[slot].last_app); > - if (app->no_reuse) > -{ > - /* If we shall not re-use the application we can't save it for > - later use. */ > - deallocate_app (app); > - lock_table[slot].last_app = NULL; > -} > - else > -lock_table[slot].last_app = lock_table[slot].app; > + lock_table[slot].last_app = lock_table[slot].app; >lock_table[slot].app = NULL; >unlock_reader (slot); > } > -- > > ___ > Gnupg-us
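Review bot: in the apdu_close_reader hunk the new `if (sw) { log_debug (...); }` swallows every non-zero status from apdu_disconnect, while the comment only justifies that for the case where the reader or token was removed; the function then returns whatever close_reader reports, so a caller can no longer see that the disconnect failed, and the swallowed status is visible only at debug level. Consider falling through only for the host status that means the reader is gone and keeping `return sw;` otherwise, or at least logging the status with log_error so it shows up without debug output.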
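Review bot: the app-common.h hunk drops `int no_reuse;` from struct app_ctx_s, but the patch only updates the readers of that field in scd/app.c; before applying the backport to 2.0, grep the rest of scd/ for no_reuse, since any remaining reference becomes a compile error rather than a merge conflict.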
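Review bot: in the application_notify_card_reset hunk, `deallocate_app (lock_table[slot].app);` frees the slot's current app without consulting its ref_count, even though ref_count exists because more than one connection can hold that app at once. A connection still holding it will later call release_application on a freed pointer, and select_application no longer has the removed no_reuse check to refuse it with GPG_ERR_CONFLICT. Either keep the entry while ref_count is non-zero and let the last release_application free it, or state in the comment what guarantees that every holder is gone when the reset is notified (the "finish existing connections on removal" change mentioned in the mail would be that guarantee, and then belongs in the same backport).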
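Review bot: in the release_application hunk, `lock_table[slot].last_app = lock_table[slot].app;` is now unconditional, but once application_notify_card_reset has set lock_table[slot].app to NULL the `app` being released can be a stale pointer that no longer matches the slot; the assignment then silently stores NULL and the mismatch goes unnoticed. Add a check such as `if (lock_table[slot].app != app) log_error (...)` before it so a release of a stale context is reported.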
Re: scdaemon lockup with Yubikey NEO
This happens to me constantly as well. In my case I frequently need to kill and restart gpg-agent to get things working again on both Arch Linux and Gentoo.

On Sat, Nov 21, 2015 at 4:41 AM, the2nd <the...@otpme.org> wrote:
> Hi Ben,
>
> We have a similar problem since we've upgraded from Ubuntu 15.04 to
> 15.10. When starting gpg-agent with --log-file the log shows the following:
>
> 2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
> 2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed: Conflicting use
> 2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication keyID of card: Conflicting use
>
> I've asked the list several times about this issue but got no answer yet.
> So I don't have a solution, but it may be interesting if your problem is the
> same...
>
> Regards
> The2nd
>
>
> Original message
> From: Ben Warren
> Date: 11.20.2015 16:26 (GMT+01:00)
> To: gnupg-users@gnupg.org
> Subject: scdaemon lockup with Yubikey NEO
>
> Hi,
>
> I've noticed several other problem reports that seem similar, hopefully
> they're all related and there's a simple fix.
>
> The problem:
>
> After an indeterminate amount of time (sometimes minutes, sometimes
> hours), any GPG operation that uses my Yubikey NEO device hangs. The two
> most common operations are SSH authentication and git signing. The
> following sequence gets things going again:
>
> $ killall -SIGKILL scdaemon
> $ gpg2 --card-status
>
> System particulars:
>
> - Host OS is OS X Yosemite, although it is also present on Mavericks
>   (haven't tried El Capitan yet)
> - GPG 2.1.5
> - Using the Yubikey's authentication subkey to login to remote Linux hosts
> - Using the Yubikey's signing subkey for git signing operations, both
>   local and remote
> - Using gpg-agent for forwarding both GPG and SSH (great features, BTW!)
>
> GPG configuration file:
>
> $ cat ~/.gnupg/gpg-agent.conf
> default-cache-ttl 1
> ignore-cache-for-signing
> no-allow-external-cache
> max-cache-ttl 1
> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
> debug-all
> log-file ${HOME}/.gnupg/mygpglogfile.log
> enable-ssh-support
>
> I'll be happy to help debug this, but need some guidance.
>
> thanks,
> Ben
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Lance R. Vick
Cell - 407.283.7596
Gtalk - la...@lrvick.net
Website - http://lrvick.net
PGP Key - http://lrvick.net/0x36C8AAA9.asc
keyserver - subkeys.pgp.net
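Lance's udev rule above is only linked, and the recovery both he and Ben describe is "kill scdaemon (or gpg-agent) and run --card-status again". The following is an added example, not the linked gist and not GnuPG code: a udev rule that fires on plug and unplug of any Yubico USB device and runs a hook that terminates scdaemon, so the next card operation gets a freshly spawned scdaemon instead of one still holding a handle to the removed token. Assumptions: the token reports Yubico's USB vendor ID 1050 (check with `udevadm monitor --property` while plugging it in), the file paths are placeholders, and the hook runs as root from udev, so it restarts scdaemon for every user on the machine, which is exactly as heavy-handed as Lance says.

```shell
#!/bin/sh
# Added example, not the gist linked in the message above and not GnuPG code:
# restart scdaemon from udev whenever a Yubikey comes or goes, so that the next
# card operation talks to a freshly started scdaemon instead of one holding a
# handle to the removed token.
#
# Assumptions: the token reports Yubico's USB vendor ID 1050 (verify with
# 'udevadm monitor --property' while plugging it in); the paths are placeholders.

RULE_FILE=${RULE_FILE:-/etc/udev/rules.d/80-yubikey-scdaemon.rules}
HOOK=${HOOK:-/usr/local/sbin/yubikey-scd-reset}

# The rule. ID_VENDOR_ID is filled by udev's usb_id builtin on "add" and read
# back from udev's database on "remove", which is why it is used instead of
# ATTR{idVendor} (sysfs is already gone when the remove event fires).
# DEVTYPE=usb_device limits the match to the device itself, not each interface.
udev_rule() {
    printf '%s\n' \
        'ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_VENDOR_ID}=="1050", RUN+="'"$HOOK"'"'
}

# The hook udev runs as root. TERM first; a scdaemon that is wedged on the
# vanished device may ignore it, hence the KILL a second later (the thread's
# 'killall -SIGKILL scdaemon'). gpg-agent respawns scdaemon on the next use.
hook_script() {
    cat <<'EOF'
#!/bin/sh
pkill -x -TERM scdaemon 2>/dev/null || exit 0   # nothing running: done
sleep 1
pkill -x -KILL scdaemon 2>/dev/null || true
exit 0
EOF
}

# Write both files and make udev pick up the new rule.
install_hook() {
    udev_rule > "$RULE_FILE"
    hook_script > "$HOOK"
    chmod 0755 "$HOOK"
    udevadm control --reload-rules
}

case "${1:-}" in
    --install) install_hook ;;
    --show) udev_rule; hook_script ;;
esac
```

Run it with `--show` to print the rule and hook for inspection, `--install` as root to install them. Keep the sleep short: udev kills RUN programs that take too long, and the hook runs on every add and remove event for the vendor.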
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
I only ever tried this on 2.0.0 as far as older versions go, and that was similarly broken. I didn't bother documenting as I saw there were some smartcard updates in 2.1.4 so I upgraded.

Just now had another variation (on 2.1.4):

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card-status` - no card present
8. `gpg --card-status` (again) - Got usual card output
9. ssh successfully again

On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch <w...@gnupg.org> wrote:
> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>
>> I've seen the error many times, also when I used a g10code smartcard,
>> but lately things have been smooth. I think there have been a couple of
>
> Old versions of GnuPG assumed that there is a card reader which can tell
> you whether a card has been removed or inserted. However USB tokens are
> different in that you insert/remove the entire reader. gniibe fixed
> these problems some time ago.
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Another example I just had happen:

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card-status` - no card present
8. `gpg --card-status` - no card present
9. `gpg --card-status` - no card present
10. (...etc. it refused to come back this time)
11. killall gpg-agent
12. `gpg --card-status` (again) - Got usual card output
13. ssh successfully again

On Thu, Jun 18, 2015 at 10:56 AM, Lance R. Vick <la...@lrvick.net> wrote:
> I only ever tried this on 2.0.0 as far as older versions go, and that was
> similarly broken.
> [...]
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
scd apdu 00 f1 00 00 is just a way to return a version number from a Yubikey GPG smartcard. Any other GPG commands fail as well, such as sign/encrypt/auth, until 'gpg --card-status' is run to wake the card back up.

I would expect that when I perform a gpg command, it should query gpg-agent, which sees the stub of my key, then starts up/refreshes scdaemon/gpg-agent as needed, detects the card, and executes my action against the card. This works on a first insertion as-is, just not on a removal/re-insertion.

Is there no way for a running gpg-agent to check for smartcard presence on the fly?

On Wed, Jun 17, 2015 at 4:55 AM, NIIBE Yutaka <gni...@fsij.org> wrote:
> Hello,
>
> On 06/17/2015 07:41 AM, Lance R. Vick wrote:
>> Every time I insert my yubikey into a system I must do 'gpg --card-status'
>> to make gpg-agent aware it exists again.
>
> Please pardon my ignorance, I don't have a Yubikey at hand. Is the
> following a common use case of the Yubikey?
>
>> Using: gpg/gpg-agent 2.1.4
>>
>> Expected Results:
>> 1. Insert yubikey
>> 2. Issue version command to gpg agent
>> 3. Version is reported
>> 4. Remove and re-insert key
>> 5. Issue version command to gpg agent
>> 6. version is reported
>
> And... is the following how you get the version of the Yubikey?
>
>> [lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
>> D[] 01 00 08 90 00 .
>> OK
>
> Yes, it only works after gpg --card-status or something. In the
> current implementation, gpg-agent invokes scdaemon on demand.
> (gpg-agent doesn't detect insertion of device or card.)
>
> I don't understand from where scd apdu 00 f1 00 00 came. Could you
> please share the reason why you consider it works well?
> --
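The on-demand behaviour NIIBE describes (gpg-agent starts scdaemon only when a command arrives, and neither notices a re-inserted token) is what the `gpg --card-status` workaround papers over. The following is an added example, not code from the thread or from GnuPG: a wrapper that probes scdaemon through gpg-agent's `scd` pass-through with `scd serialno`, classifies the Assuan reply, and restarts scdaemon the way the `killall scdaemon` workaround does when the reply says the card is not there. Assumptions: GnuPG 2.1's gpg-connect-agent is on PATH and talks to the agent serving SSH_AUTH_SOCK, scdaemon's KILLSCD command is available for the polite restart, the function names are mine, and the sample replies are constructed from the shapes shown in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): make sure scdaemon can see the
# token before running an ssh/gpg operation, recovering from the stale
# "Card not present" state that follows a remove/re-insert.
#
# Assumptions: gpg-connect-agent from GnuPG 2.1 is on PATH and talks to the
# same gpg-agent that serves SSH_AUTH_SOCK; killing scdaemon is acceptable
# (gpg-agent spawns a new one on the next card command).

# Classify the text of one reply to 'scd serialno'. Prints a state word and
# returns 0 for "present", 1 for "absent", 2 for any other failure.
#   present: an "S SERIALNO <hex> ..." status line followed by OK
#   absent:  ERR ... "Card not present" / "Card removed"
#   error:   ERR for some other reason (scdaemon not running, conflicting use, ...)
classify_serialno_reply() {
    reply=$1
    if printf '%s\n' "$reply" | grep -q '^S SERIALNO ' &&
       printf '%s\n' "$reply" | grep -q '^OK'; then
        echo present
        return 0
    fi
    if printf '%s\n' "$reply" | grep -qiE 'card not present|card removed'; then
        echo absent
        return 1
    fi
    echo error
    return 2
}

# Ask scdaemon, via gpg-agent's "scd" pass-through, for the card serial number.
# gpg-agent starts scdaemon on demand if none is running.
probe_card() {
    classify_serialno_reply "$(gpg-connect-agent 'scd serialno' /bye 2>&1)"
}

# The thread's workaround, automated: get rid of the scdaemon that still holds
# the handle of the removed token. Ask it to exit first (KILLSCD), then fall
# back to a signal for a daemon that is wedged, as in 'killall -SIGKILL scdaemon'.
reset_scdaemon() {
    gpg-connect-agent 'scd killscd' /bye >/dev/null 2>&1 || true
    sleep 1
    pkill -x -u "$(id -u)" scdaemon 2>/dev/null || true
}

# Returns 0 when the card answers, 1 when it still does not after one reset.
ensure_card_ready() {
    state=$(probe_card) || true
    [ "$state" = present ] && return 0
    echo "scdaemon reports card state '$state'; restarting scdaemon" >&2
    reset_scdaemon
    state=$(probe_card) || true
    [ "$state" = present ]
}

# Usage: ensure_card_ready && ssh host   (or: ... && git commit -S)
case "${1:-}" in
    --check) ensure_card_ready ;;
esac
```

The classifier deliberately keys on the reason text rather than the numeric code in `ERR 100663408 Card not present <SCD>`, because the number encodes the error source as well as the code and changes between GnuPG builds, while the text is what the thread's reporters actually saw. A reply that is neither a serial number nor a card-absent error (for instance the "Conflicting use" from the other thread) is reported as an error and not retried, since a restart would not help there.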
gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Very confused by this. Every time I insert my yubikey into a system I must do 'gpg --card-status' to make gpg-agent aware it exists again.

Using: gpg/gpg-agent 2.1.4

Expected Results:
1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. version is reported

Actual Results:
1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. Card not present error

Current workaround when error is reached:
1. Issue 'gpg --card-status'
2. Issue version command to gpg agent
3. Version is reported

Stock gpg configs other than 'enable-ssh-support' in .gnupg/gpg-agent.conf

I have the following in my .zlogin to setup ssh env:

```
envfile=$HOME/.gnupg/gpg-agent.env
# Start one agent with SSH support and keep the environment lines it prints,
# unless an env file and an agent socket already exist.
if [[ ! -e $envfile ]] || [[ ! -e $HOME/.gnupg/S.gpg-agent ]]; then
    gpg-agent --daemon --enable-ssh-support > "$envfile"
fi
eval "$(cat "$envfile")"
export SSH_AUTH_SOCK   # enable gpg-agent for ssh
```

Output of me reproducing this issue:

```
[lrvick@tsar ~]$ # key inserted
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[] 01 00 08 90 00 .
OK
[lrvick@tsar ~]$ gpg --card-status
Application ID ...: D27600012401020603364644
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..............: male
URL of public key : http://pgp.mit.edu/pks/lookup?op=vindexsearch=0xE90A401336C8AAA9
Login data .......: lrvick
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
      created ....: 2015-03-19 08:41:47
Encryption key....: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
      created ....: 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
      created ....: 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick (Personal) <la...@lrvick.net>
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb>  rsa2048/F66444E5  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb>  rsa2048/D94A0B8A  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb>  rsa2048/F189271D  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never
[lrvick@tsar ~]$ # key removed
[lrvick@tsar ~]$ # key inserted
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663408 Card not present <SCD>
[lrvick@tsar ~]$ gpg --card-status
Application ID ...: D27600012401020603364644
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..............: male
URL of public key : http://pgp.mit.edu/pks/lookup?op=vindexsearch=0xE90A401336C8AAA9
Login data .......: lrvick
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
      created ....: 2015-03-19 08:41:47
Encryption key....: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
      created ....: 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
      created ....: 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick (Personal) <la...@lrvick.net>
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb>  rsa2048/F66444E5  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb>  rsa2048/D94A0B8A  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb>  rsa2048/F189271D  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[] 01 00 08 90 00 .
OK
[lrvick@tsar ~]$ gpg --version
gpg (GnuPG) 2.1.4
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384
```