Alternatives for Omnikey

2017-01-06 Thread Teemu Likonen
gnupg-users dirk [2017-01-06 10:06:40+01] wrote:

> I was under the impression the OmniKey 3121 is a real reader since it
> is on the how to [1].
>
> What would be a good alternative before I buy another bad one.

I don't know about official recommendations but I have Yubikey 4¹ and
Nitrokey Pro² and they work fine. Software packages scdaemon and pcscd
(libccid 1.4.20) are needed but otherwise the keys work out-of-the-box
in Debian GNU/Linux 8 (Jessie).


1. https://www.yubico.com/products/yubikey-hardware/
2. https://shop.nitrokey.com/shop

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread gnupg-users . dirk
Hi all,

thank you Damien and Werner for your recent replies.
Even if the reader is performing o.k. now, to my amazement.
When I used the feature to create the keys on the card I ran into some
strange and non-reproducible problems.
I think this is what Werner refers to. Once I decided to create the keys
on my PC and upload them to the card, everything works fine.

For the time being I think the solution is to go for scd-event. This
obviously beats tailing the logs. I will try this as soon as I get to it.

However, for me it really looks like scdaemon or gpg-agent are not
handling the existing events correctly. It might be worth looking into
this as well.
I will not rule out misconfiguration by Ubuntu or myself.

Recent publications are giving up on PGP/GPG, which is clearly wrong in
my humble opinion. The key question for all crypto is: how do you
securely store your key?
Even if smart cards and the like (Yubikey) are "old fashioned" geek
technology, I think for security they are irreplaceable.

Thanks and best regards

Dirk


On 06.01.2017 20:23, Werner Koch wrote:
> On Fri,  6 Jan 2017 14:52, dgouttegat...@incenp.org said:
>
>> For what is worth, I have two such readers, which are working
>> flawlessly with the ccid driver [1] and with 2048-bit keys. I have not
>> tried them with the internal driver.
> IIRC, I added some workarounds but eventually gave up due to too many
> problems.  Key generation always failed with Omnikey based readers and
> signature creation only works in some cases.  
>
> I have a whole bunch of those readers and they are all crap.  Well,
> except for the Cherry keyboard, it does work well in the server room
> (w/o card).
>
>> the file $GNUPGHOME/scd-event exists and is executable, it will be
>> called on every card reader status change.
> I was about to tell this, too ;-)
>
>
> Salam-Shalom,
>
>Werner






Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread Werner Koch
On Fri,  6 Jan 2017 14:52, dgouttegat...@incenp.org said:

> For what is worth, I have two such readers, which are working
> flawlessly with the ccid driver [1] and with 2048-bit keys. I have not
> tried them with the internal driver.

IIRC, I added some workarounds but eventually gave up due to too many
problems.  Key generation always failed with Omnikey based readers and
signature creation only works in some cases.  

I have a whole bunch of those readers and they are all crap.  Well,
except for the Cherry keyboard, it does work well in the server room
(w/o card).

> the file $GNUPGHOME/scd-event exists and is executable, it will be
> called on every card reader status change.

I was about to tell this, too ;-)


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread Damien Goutte-Gattat

On 01/06/2017 10:06 AM, gnupg-users.d...@o.banes.ch wrote:

> I was under the impression the OmniKey 3121 is a real reader since it is
> on the how-to [1].

For what it's worth, I have two such readers, which are working flawlessly
with the ccid driver [1] and with 2048-bit keys. I have not tried them
with the internal driver.

> What would be a good alternative before I buy another bad one.

I also have a SCM 3500 reader from SCM Microsystems (now Identiv), again
working flawlessly with the ccid driver.

> p.s. in the meantime I made a script which tails the scdaemon.log and
> waits for "Removal of a card:"
> and then kills the gpg-agent. Not a proper solution - but working so far.


Instead of watching the log, you could use a feature of Scdaemon: if the 
file $GNUPGHOME/scd-event exists and is executable, it will be called on 
every card reader status change.


For example, to act upon card removal, you could have the following:

  #!/bin/sh
  # scdaemon runs this script as
  #   scd-event --reader-port N --old-code X --new-code Y --status S
  # so "$8" is S, one of NOCARD, PRESENT, ACTIVE or USABLE.

  case "$8" in
  NOCARD)
  # do something (the workaround from this thread: kill gpg-agent)
  ;;
  esac

See doc/examples/scd-event in GnuPG's source for more details of what 
this script can do.



Damien


[1] http://pcsclite.alioth.debian.org/ccid.html



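A fuller version of the scd-event handler Damien sketches, added here as an example; it is neither GnuPG's own doc/examples/scd-event nor code posted in this thread. It reads the status by option name rather than as "$8" (scdaemon passes --reader-port, --old-code, --new-code and --status, in that order, which is why the short version can use "$8"), and on NOCARD it does what Dirk's log-tailing script does: it kills gpg-agent, which takes scdaemon down with it. The kill command (gpgconf --kill gpg-agent, as in GnuPG 2.1), the use of logger, and doing nothing on the other statuses are assumptions of this example, not something the thread prescribes.

```shell
#!/bin/sh
# Example ~/.gnupg/scd-event handler (added illustration, not GnuPG's
# doc/examples/scd-event).  scdaemon runs it on every reader status
# change with the argument list
#   --reader-port N --old-code X --new-code Y --status S
# where S is one of NOCARD, PRESENT, ACTIVE, USABLE.

# scd_status ARGS...: print the value that follows --status (empty if
# absent).  Matching by option name instead of reading "$8" keeps
# working even if the option order changes.
scd_status() {
    _st=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --status) _st="$2" ;;
        esac
        # scdaemon passes option/value pairs, so consume two at a time
        shift; [ $# -gt 0 ] && shift
    done
    printf '%s\n' "$_st"
}

# scd_action STATUS: map a status to the command to run.  The command is
# printed rather than executed so the policy can be checked without a
# card reader.  NOCARD gets the workaround from this thread: kill
# gpg-agent, which also stops scdaemon, so the next gpg call starts a
# fresh agent/scdaemon pair and finds the re-inserted card.
# (Assumed: gpgconf --kill is available, as in GnuPG 2.1.)
scd_action() {
    case "$1" in
        NOCARD) printf '%s\n' "gpgconf --kill gpg-agent" ;;
        *)      printf '%s\n' "" ;;
    esac
}

# Entry point: act only when scdaemon actually passed arguments.
if [ $# -gt 0 ]; then
    status=$(scd_status "$@")
    cmd=$(scd_action "$status")
    if [ -n "$cmd" ]; then
        # There is no terminal behind this script; log what happens.
        logger -t scd-event "status=$status, running: $cmd"
        $cmd
    fi
fi
```

Install it as $GNUPGHOME/scd-event with the execute bit set; scdaemon ignores the file otherwise. Killing the agent also drops any cached passphrases, which is usually what you want when the card leaves the reader anyway.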


Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread gnupg-users . dirk
Hi Andrew,

thanks for your input. I gave it a try.

1) deactivated my script
2) added udev rule (one line):
   ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3022", RUN+="/usr/sbin/service pcscd restart"
3) testdrive - reader unplug - plug in (USB)

Jan 06 13:55:00 compd kernel: usb 1-5: USB disconnect, device number 7
Jan 06 13:55:00 compd systemd[1]: smartcard.target: Unit not needed
anymore. Stopping.
Jan 06 13:55:00 compd systemd[1]: Stopped target Smart Card.
Jan 06 13:55:00 compd pcscd[2532]:  ccid_usb.c:783:WriteUSB()
write failed (1/7): -4 LIBUSB_ERROR_NO_DEVICE
Jan 06 13:55:03 compd kernel: usb 1-5: new full-speed USB device number
8 using xhci_hcd
Jan 06 13:55:03 compd kernel: usb 1-5: New USB device found,
idVendor=076b, idProduct=3022
Jan 06 13:55:03 compd kernel: usb 1-5: New USB device strings: Mfr=1,
Product=2, SerialNumber=0
Jan 06 13:55:03 compd kernel: usb 1-5: Product: Smart Card Reader USB
Jan 06 13:55:03 compd kernel: usb 1-5: Manufacturer: OMNIKEY AG
Jan 06 13:55:03 compd mtp-probe[2713]: checking bus 1, device 8:
"/sys/devices/pci:00/:00:14.0/usb1/1-5"
Jan 06 13:55:03 compd mtp-probe[2713]: bus: 1, device: 8 was not an MTP
device
Jan 06 13:55:03 compd systemd[1]: Stopping PC/SC Smart Card Daemon...
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Main process exited,
code=exited, status=1/FAILURE
Jan 06 13:55:03 compd systemd[1]: Stopped PC/SC Smart Card Daemon.
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Unit entered failed state.
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Failed with result
'exit-code'.
Jan 06 13:55:03 compd systemd[1]: Started PC/SC Smart Card Daemon.
Jan 06 13:55:03 compd systemd[1]: Reached target Smart Card.

=> works for replugging USB.

4) testrun without unplugging the reader, only pulling the card from the
reader
dirk@compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk@compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk@compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk@compd:~$ gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error


=> no USB activity in syslog => failed

5) Works again

Your use case was that you plug in the USB card reader with an ID-1 card
(SIM). I have a full-sized ID-000 card (credit card size). I never
unplug the reader.


thanks
best regards Dirk

On 06.01.2017 12:23, Andrew Gallagher wrote:
> On 06/01/17 09:30, Kristian Fiskerstrand wrote:
>> On 01/06/2017 10:06 AM, gnupg-users.d...@o.banes.ch wrote:
>>> p.s. in the meantime I made a script which tails the scdaemon.log and
>>> waits for "Removal of a card:"
>>> and then kills the gpg-agent. Not a proper solution - but working so far.
>> Why not use udev rule to watch for removal event?
> Indeed.
>
> Dirk,
>
> I suspect you don't need to kill gpg-agent, just pcscd. I had to do the
> same thing when I used an ACS USB reader on my work laptop, because it
> already had a built in full-size reader that I couldn't use (I had
> already punched out the SIM) but which would override the (removable)
> USB reader because it was always found at startup.
>
> Put the following in /etc/udev/rules.d/99-local.rules (one line) :
>
> ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="072f",
> ATTR{idProduct}=="90cc", RUN+="/usr/sbin/service pcscd restart"
>
> You will need to change the idVendor and idProduct to match your
> hardware - these can be found using `lsusb` while the reader is plugged in.
>
> A






Re: Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread gnupg-users . dirk
Hi Kristian,

it is not the reader (USB device) which is removed. It is the card in
the reader.
I would not know how to monitor this with udev. Is this possible?

Best regards

Dirk

On 06.01.2017 10:30, Kristian Fiskerstrand wrote:
> On 01/06/2017 10:06 AM, gnupg-users.d...@o.banes.ch wrote:
>> p.s. in the meantime I made a script which tails the scdaemon.log and
>> waits for "Removal of a card:"
>> and then kills the gpg-agent. Not a proper solution - but working so far.
> Why not use udev rule to watch for removal event?






Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread Andrew Gallagher
On 06/01/17 09:30, Kristian Fiskerstrand wrote:
> On 01/06/2017 10:06 AM, gnupg-users.d...@o.banes.ch wrote:
>> p.s. in the meantime I made a script which tails the scdaemon.log and
>> waits for "Removal of a card:"
>> and then kills the gpg-agent. Not a proper solution - but working so far.
> 
> Why not use udev rule to watch for removal event?

Indeed.

Dirk,

I suspect you don't need to kill gpg-agent, just pcscd. I had to do the
same thing when I used an ACS USB reader on my work laptop, because it
already had a built in full-size reader that I couldn't use (I had
already punched out the SIM) but which would override the (removable)
USB reader because it was always found at startup.

Put the following in /etc/udev/rules.d/99-local.rules (one line):

ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="072f",
ATTR{idProduct}=="90cc", RUN+="/usr/sbin/service pcscd restart"

You will need to change the idVendor and idProduct to match your
hardware - these can be found using `lsusb` while the reader is plugged in.

A




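To avoid copying the idVendor/idProduct pair by hand, here is a small generator for the rule Andrew describes, added as an example and not code from the thread. It takes lsusb's usual "Bus BBB Device DDD: ID vvvv:pppp Name" lines, picks the reader by a name pattern and prints the one-line rule. The lsusb text below is constructed: its OMNIKEY line carries the ids 076b:3022 that appear in Dirk's kernel log, the other two lines are filler. Note that the rule matches ACTION=="add" on the USB device, so it fires when the reader is re-plugged but not when only the card is pulled, which is what Dirk's test 4 showed.

```shell
#!/bin/sh
# Added example (not from the thread): build the pcscd-restart udev rule
# from an lsusb line instead of typing the vendor/product ids by hand.
# Assumed: lsusb's usual "Bus BBB Device DDD: ID vvvv:pppp Name" format.

# Constructed sample lsusb output.  The OMNIKEY line uses the ids seen in
# Dirk's kernel log (076b:3022); the other lines are filler.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 008: ID 076b:3022 OMNIKEY AG Smart Card Reader USB
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub'

# usb_ids LSUSB_TEXT PATTERN: print "vvvv pppp" for the first device whose
# lsusb line matches PATTERN (case-insensitive); print nothing otherwise.
usb_ids() {
    printf '%s\n' "$1" | grep -i -- "$2" | head -n 1 |
        sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-f]\{4\}\):\([0-9a-f]\{4\}\).*/\1 \2/p'
}

# udev_rule VENDOR PRODUCT: the one-line rule from Andrew's mail that
# restarts pcscd when this reader appears on the bus.  ACTION=="add" is a
# USB-level event: it never fires for a card pulled from a reader that
# stays plugged in.
udev_rule() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", RUN+="/usr/sbin/service pcscd restart"\n' "$1" "$2"
}

# rule_for_reader LSUSB_TEXT PATTERN: look the reader up and print its
# rule; return 1 (printing nothing) when no device matches.
rule_for_reader() {
    ids=$(usb_ids "$1" "$2")
    [ -n "$ids" ] || return 1
    set -- $ids
    udev_rule "$1" "$2"
}

# Stand-alone run against the constructed sample.  On real hardware use:
#   rule_for_reader "$(lsusb)" OMNIKEY
rule_for_reader "$SAMPLE_LSUSB" OMNIKEY
```

Append the printed line to /etc/udev/rules.d/99-local.rules and run udevadm control --reload so udev picks it up; then replug the reader and watch the journal for the pcscd restart, as in Dirk's test 3.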


Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread Kristian Fiskerstrand
On 01/06/2017 10:06 AM, gnupg-users.d...@o.banes.ch wrote:
> p.s. in the meantime I made a script which tails the scdaemon.log and
> waits for "Removal of a card:"
> and then kills the gpg-agent. Not a proper solution - but working so far.

Why not use udev rule to watch for removal event?

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Dura necessitas
Necessity is harsh





Re: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader

2017-01-06 Thread gnupg-users . dirk
Hi Werner,

thanks for your reply.
I was under the impression the OmniKey 3121 is a real reader since it is
on the how-to [1].

What would be a good alternative before I buy another bad one.

And I have problems understanding how the issue is connected to the key
length.

The problem as I see it from the user perspective:
Everything works fine with my 4096 RSA keys (agent, card access,
en/decryption/authentication) until I pull the card.
When I insert it again pcscd knows of it but the agent somehow does
not "retry".
I kill the agent (which also kills the scdaemon) and then everything is
fine again.
Seems unrelated to key length since the general access does not work.

I'm happy to provide some logs.

best regards

Dirk

p.s. in the meantime I made a script which tails the scdaemon.log and
waits for "Removal of a card:"
and then kills the gpg-agent. Not a proper solution - but working so far.

[1] https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

> Omnikey readers simply don't work correctly with 2k keys or larger.  Get
> a real reader and not that messy hardware which needs its proprietary
> Windows driver to work correctly with standard key lengths.
>
>
> Salam-Shalom,
>
>    Werner
>


