Re: Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation"

2018-08-15 Thread Lawrence Larabee
> I've got a new Yubikey NEO that I am trying to set up for SSH authentication 
> [...] PIN entry works correctly, but after this everything fails with an 
> error 100663404 and returns "signing failed: agent refused operation" 

For closure, this problem has been solved. I had too many PIN failures, so the 
stick was rejecting further attempts. Resetting the PIN counter using gnupg 
--card-edit, admin, passwd fixed the problem. Now I am able to use my Yubikey 
and gpg-agent for SSH login. 

LL 
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
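
Added example, not part of the original posts: the generic "Card error" in the agent log does not name an exhausted PIN, so this sketch splits the numeric error into its libgpg-error source and code and reads the retry counters from `gpg --card-status` text. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Triage helpers for "agent refused operation" with an OpenPGP card.

# Split a libgpg-error value (the number after "ERR" in the agent log) into
# its source (bits 24-30) and code (low 16 bits).
# For 100663404: source 6 is scdaemon, code 108 is GPG_ERR_CARD ("Card error").
decode_gpg_err() {
    echo "source=$(( ($1 >> 24) & 127 )) code=$(( $1 & 65535 ))"
}

# Read `gpg --card-status` text on stdin and name the PINs whose retry
# counter is 0. The three counters are: user PIN, reset code, admin PIN.
# The reset code is ignored because it reads 0 when no reset code is set.
blocked_pins() {
    awk -F: '/^PIN retry counter/ {
        found = 1
        n = split($2, c, " ")
        if (n < 3) { print "unparsed"; exit }
        out = ""
        if (c[1] == 0) out = out " user"
        if (c[3] == 0) out = out " admin"
        sub(/^ /, "", out)
        print (out == "" ? "none" : out)
        exit
    }
    END { if (!found) print "no-counter-line" }'
}

# Constructed sample of the relevant card-status lines (not from the thread).
SAMPLE_STATUS='Signature PIN ....: not forced
PIN retry counter : 0 0 3
Signature counter : 0'

decode_gpg_err 100663404
printf '%s\n' "$SAMPLE_STATUS" | blocked_pins
```

With a card inserted, `gpg --card-status | blocked_pins` performs the same check on live output.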


Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation"

2018-08-07 Thread Lawrence Larabee
I've got a new Yubikey NEO that I am trying to set up for SSH authentication. 
I've already personalized the card and loaded the keys, following all the 
creation rules (2048-bit max RSA, etc.) and loaded all the packages I am 
supposed to load. However, I can't make it work. My platform is AMD64 GNU/Linux 
Ubuntu 16.04 running the Lubuntu flavor. I have tried it on two different 
machines with this same configuration.

I have verified that I am not running ssh-agent or gnome-keyring, as I have 
read these can interfere. 

"ssh-agent -L" shows my key 

I run 
export GPG_TTY="$(tty)" 
export SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh 
gpg-connect-agent updatestartuptty /bye 

I confirm that gpg-agent is running and that the auth sock environment variable 
is pointing to the correct place. 

gpg-agent.conf is: 

default-cache-ttl 36000 
pinentry-program /usr/bin/pinentry-gtk-2 
no-grab 
enable-ssh-support 

(tried disabling no-grab, no difference) 

scdaemon.conf: 

reader-port "Yubico Yubikey NEO OTP CCID 00 00" 
card-timeout 1 

(These don't make a difference, but some threads said to try them. It does the 
same thing without the scdaemon options.)

I turned on debugging, here is a dump of attempting to connect via SSH: 

@:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
@ 
no slots 
gpg-agent[24850]: ssh handler 0x7fa474d1a700 for fd 5 started 
gpg-agent[24850]: ssh request handler for request_identities (11) started 
gpg-agent[24850]: new connection to SCdaemon established (reusing) 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $AUTHKEYID 
gpg-agent[24850]: DBG: chan_6 <- S $AUTHKEYID OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> READKEY OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- [  ...(286 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $DISPSERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S $DISPSERIALNO  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: ssh request handler for request_identities (11) ready 
gpg-agent[24850]: ssh request handler for sign_request (13) started 
gpg-agent[24850]: DBG: chan_6 -> SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO  0 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: detected card with S/N  
gpg-agent[24850]: DBG: encoded hash:  
gpg-agent[24850]: DBG: chan_6 -> SETDATA  
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN 
gpg-agent[24850]: starting a new PIN Entry 
gpg-agent[24850]: DBG: connection to PIN entry established 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 started 
gpg-agent[24850]: DBG: chan_10 -> OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 -> GETINFO pid 
gpg-agent[24850]: DBG: chan_10 <- GETINFO pid 
gpg-agent[24850]: DBG: chan_10 -> D 24850 
gpg-agent[24850]: DBG: chan_10 -> OK 
gpg-agent[24850]: DBG: chan_8 <- D 24850 
gpg-agent[24850]: DBG: chan_8 <- OK 
gpg-agent[24850]: DBG: chan_8 -> BYE 
gpg-agent[24850]: DBG: chan_10 <- BYE 
gpg-agent[24850]: DBG: chan_10 -> OK closing connection 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 terminated 
gpg-agent[24850]: DBG: chan_6 -> [  ...(76 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 -> END 
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error  
gpg-agent[24850]: smartcard signing failed: Card error 
gpg-agent[24850]: ssh sign request failed: Card error  
gpg-agent[24850]: ssh request handler for sign_request (13) ready 
sign_and_send_pubkey: signing failed: agent refused operation 
@'s password: 

As you can see, PIN entry works correctly, but after this everything fails with 
an error 100663404 and returns "signing failed: agent refused operation" 

I have Googled this extensively and have tried everything I can find to try to 
resolve this, but I've run out of things to try. 

Please help, 
LL 
