Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Lance R. Vick <la...@lrvick.net> writes:

> I only ever tried this on 2.0.0 as far as older versions go, and that
> was similarly broken. I didn't bother documenting as I saw there were
> some smartcard updates in 2.1.4 so I upgraded.
>
> Just now had another variation (on 2.1.4):
>
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh - Permission Denied (Publickey)
> 7. `gpg --card-status` - no card present
> 8. `gpg --card-status` (again) - Got usual card output
> 9. ssh successfully again

What mode is your YubiKey NEO in? If it is in the OTP/CCID combo mode, and you touch it, it will eject the CCID interface, issue an OTP, and then re-insert itself to CCID after a small timeout. Just an idea.

Can you always reproduce the above, or is it timing dependent? Does the problem occur if you wait 20 seconds before doing every step?

Being able to reproduce this on someone else's system would be a good step towards fixing it.

/Simon

> On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch <w...@gnupg.org> wrote:
>> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>>> I've seen the error many times, also when I used a g10code smartcard,
>>> but lately things have been smooth. I think there have been a couple of
>>
>> Old versions of GnuPG assumed that there is a card reader which can
>> tell you whether a card has been removed or inserted. However USB
>> tokens are different in that you insert/remove the entire reader.
>> gniibe fixed these problems some time ago.
>>
>> Salam-Shalom,
>>
>>    Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Hello,

Thank you for more information.

On 06/19/2015 06:57 AM, Lance R. Vick wrote:
> Another example I just had happen:
>
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh - Permission Denied (Publickey)
> 7. `gpg --card-status` - no card present
> 8. `gpg --card-status` - no card present
> 9. `gpg --card-status` - no card present
> 11. (...etc. it refused to come back this time)
> 12. killall gpg-agent
> 13. `gpg --card-status` (again) - Got usual card output
> 14. ssh successfully again

This is not reproducible here. The second SSH (#6) just works.

My environment is GnuPG 2.1.5 on Debian GNU/Linux, and I use the in-stock CCID driver (I don't install the PC/SC service).

Please let me know if you have the PC/SC service or not. If yes, could you please let me know the version of pcscd and libccid (if you are using a GNU system or Mac OS)?

Are there any other programs which might access the Yubikey? Or do you have multiple gpg-agent(s) / scdaemon(s), by chance, when you get such an error?
--
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
I only ever tried this on 2.0.0 as far as older versions go, and that was similarly broken. I didn't bother documenting as I saw there were some smartcard updates in 2.1.4 so I upgraded.

Just now had another variation (on 2.1.4):

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card-status` - no card present
8. `gpg --card-status` (again) - Got usual card output
9. ssh successfully again

On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch <w...@gnupg.org> wrote:
> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>> I've seen the error many times, also when I used a g10code smartcard,
>> but lately things have been smooth. I think there have been a couple of
>
> Old versions of GnuPG assumed that there is a card reader which can
> tell you whether a card has been removed or inserted. However USB
> tokens are different in that you insert/remove the entire reader.
> gniibe fixed these problems some time ago.
>
> Salam-Shalom,
>
>    Werner

--
Lance R. Vick
__
Cell - 407.283.7596
Gtalk - la...@lrvick.net
Website - http://lrvick.net
PGP Key - http://lrvick.net/0x36C8AAA9.asc
keyserver - subkeys.pgp.net
__
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Another example I just had happen:

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh - Permission Denied (Publickey)
7. `gpg --card-status` - no card present
8. `gpg --card-status` - no card present
9. `gpg --card-status` - no card present
11. (...etc. it refused to come back this time)
12. killall gpg-agent
13. `gpg --card-status` (again) - Got usual card output
14. ssh successfully again

On Thu, Jun 18, 2015 at 10:56 AM, Lance R. Vick <la...@lrvick.net> wrote:
> I only ever tried this on 2.0.0 as far as older versions go, and that
> was similarly broken. I didn't bother documenting as I saw there were
> some smartcard updates in 2.1.4 so I upgraded.
>
> Just now had another variation (on 2.1.4):
>
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh - Permission Denied (Publickey)
> 7. `gpg --card-status` - no card present
> 8. `gpg --card-status` (again) - Got usual card output
> 9. ssh successfully again
>
> On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch <w...@gnupg.org> wrote:
>> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>>> I've seen the error many times, also when I used a g10code smartcard,
>>> but lately things have been smooth. I think there have been a couple of
>>
>> Old versions of GnuPG assumed that there is a card reader which can
>> tell you whether a card has been removed or inserted. However USB
>> tokens are different in that you insert/remove the entire reader.
>> gniibe fixed these problems some time ago.
>>
>> Salam-Shalom,
>>
>>    Werner
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:

> I've seen the error many times, also when I used a g10code smartcard,
> but lately things have been smooth. I think there have been a couple of

Old versions of GnuPG assumed that there is a card reader which can tell you whether a card has been removed or inserted. However USB tokens are different in that you insert/remove the entire reader. gniibe fixed these problems some time ago.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
On 06/17/2015 06:41 PM, Lance R. Vick wrote:
> scd apdu 00 f1 00 00 is just a way to return a version number from a
> Yubikey GPG smartcard.

Thank you for the clarification. In that case, I think that adding learn works. Like:

    $ gpg-connect-agent --hex "learn" "scd apdu 00 f1 00 00" /bye

The learn command is something equivalent to gpg --card-status internally.

> Any other GPG commands fail as well, such as sign/encrypt/auth, until
> 'gpg --card-status' is run to wake the card back up.

I think you mean any direct commands of gpg-agent. Or there is some confusion.

The gpg frontend certainly works well for --sign, --decrypt after you remove your token and insert it again. Please try:

(1) Insert token
(2) Run gpg --card-status
(3) Remove token
(4) Run gpg --sign or gpg --decrypt

SSH authentication also works well after removal/insertion.

Note that it all works for me with Gnuk Token or OpenPGPcard with a card reader.

> I would expect that when I perform a gpg command, it should query
> gpg-agent, which sees the stub of my key, then starts up/refreshes
> scdaemon/gpg-agent as needed, detects card, executes my action against
> the card.

Yes, it does.

> Is there no way for a running gpg-agent to check for smartcard presence
> on the fly?

You can use the learn command. It fails if there's no smartcard/token.
--
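A small POSIX shell helper, added here as an example and not taken from the thread or from GnuPG, that automates the check NIIBE describes above: it sends the same `scd apdu 00 f1 00 00` query Lance used, and when scdaemon answers "Card not present" it issues `learn` once and retries. The reading of the three reply bytes as major.minor.patch is an assumption; `gpg-connect-agent`, `learn` and `scd apdu` are the real commands discussed in the thread.

```shell
# Added example, not code from the thread or from GnuPG: send the version
# APDU Lance uses to a running gpg-agent, classify scdaemon's reply, and on
# "Card not present" run the "learn" that NIIBE calls the internal
# equivalent of `gpg --card-status`, then retry exactly once.

# 0: card answered; 1: scdaemon reported the card absent; 2: other error.
classify_scd_reply() {
    case "$1" in
        *"Card not present"*) return 1 ;;
        *ERR*)                return 2 ;;
        *OK*)                 return 0 ;;
        *)                    return 2 ;;
    esac
}

# Extract the version from a `--hex` data line such as
#   D[0000] 01 00 08 90 00 .....
# 90 00 is the ISO 7816 success status word; the three data bytes before it
# are read as major.minor.patch (an assumption; the thread only says the
# APDU "returns a version number").
parse_version_reply() {
    printf '%s\n' "$1" | awk '
        function hex2dec(h,  i, v) {
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        /^D\[/ && !found {
            n = 0
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
                b[++n] = $i
            }
            if (n == 5 && b[4] == "90" && b[5] == "00") {
                printf "%d.%d.%d\n", hex2dec(b[1]), hex2dec(b[2]), hex2dec(b[3])
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Query once; if the card is reported absent, re-learn and retry once.
# It never restarts gpg-agent: that stays the operator's call.
ensure_card_seen() {
    out=$(gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye 2>&1)
    rc=0; classify_scd_reply "$out" || rc=$?
    if [ "$rc" -eq 1 ]; then
        gpg-connect-agent learn /bye >/dev/null 2>&1 || true
        out=$(gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye 2>&1)
        rc=0; classify_scd_reply "$out" || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then parse_version_reply "$out" || rc=2; fi
    return "$rc"
}
```

Source the file and call `ensure_card_seen` after re-inserting the token; a printed version means scdaemon sees the card again, a return of 1 means even `learn` did not bring it back.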
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
scd apdu 00 f1 00 00 is just a way to return a version number from a Yubikey GPG smartcard.

Any other GPG commands fail as well, such as sign/encrypt/auth, until 'gpg --card-status' is run to wake the card back up.

I would expect that when I perform a gpg command, it should query gpg-agent, which sees the stub of my key, then starts up/refreshes scdaemon/gpg-agent as needed, detects card, executes my action against the card. This works on a first insertion as-is, just not on a removal/re-insertion.

Is there no way for a running gpg-agent to check for smartcard presence on the fly?

On Wed, Jun 17, 2015 at 4:55 AM, NIIBE Yutaka <gni...@fsij.org> wrote:
> Hello,
>
> On 06/17/2015 07:41 AM, Lance R. Vick wrote:
>> Every time I insert my yubikey into a system I must do 'gpg --card-status'
>> to make gpg-agent aware it exists again.
>
> Please pardon my ignorance, I don't have a Yubikey at hand. Is the
> following a common use case of the Yubikey?
>
>> Using: gpg/gpg-agent 2.1.4
>>
>> Expected Results:
>>
>> 1. Insert yubikey
>> 2. Issue version command to gpg agent
>> 3. Version is reported
>> 4. Remove and re-insert key
>> 5. Issue version command to gpg agent
>> 6. version is reported
>
> And... is the following to get the version of the Yubikey?
>
>> [lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
>> D[] 01 00 08 90 00 .
>> OK
>
> Yes, it only works after gpg --card-status or something. In the current
> implementation, gpg-agent invokes scdaemon on demand. (gpg-agent doesn't
> detect insertion of a device or card.)
>
> I don't understand where scd apdu 00 f1 00 00 came from. Could you
> please share the reason why you consider it works well?
> --
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
On 06/17/2015 06:17 PM, Simon Josefsson wrote:
> NIIBE Yutaka <gni...@fsij.org> writes:
>
>> Gpg frontend certainly works well for --sign, --decrypt after you
>> remove your token and insert it again. Please try:
>>
>> (1) Insert token
>> (2) Run gpg --card-status
>> (3) Remove token
>> (4) Run gpg --sign or gpg --decrypt
>>
>> SSH authentication also works well after removal/insertion.
>>
>> Note that it all works for me with Gnuk Token or OpenPGPcard with a
>> card reader.
>
> Removing/inserting YubiKey NEO works fine for me with GnuPG 2.0.x from
> Jessie. Could this be a GnuPG 2.1.x issue? Lance, did this work with
> older GnuPG versions?

No issue here at least using Gentoo's gnupg-2.1.5 ebuild with IUSE:{smartcard,usb} using either yubikey or openpgp smartcard.

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
--
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
--
Dura necessitas
Necessity is harsh
Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
NIIBE Yutaka <gni...@fsij.org> writes:

> Gpg frontend certainly works well for --sign, --decrypt after you
> remove your token and insert it again. Please try:
>
> (1) Insert token
> (2) Run gpg --card-status
> (3) Remove token
> (4) Run gpg --sign or gpg --decrypt
>
> SSH authentication also works well after removal/insertion.
>
> Note that it all works for me with Gnuk Token or OpenPGPcard with a
> card reader.

Removing/inserting YubiKey NEO works fine for me with GnuPG 2.0.x from Jessie. Could this be a GnuPG 2.1.x issue? Lance, did this work with older GnuPG versions?

I've seen the error many times, also when I used a g10code smartcard, but lately things have been smooth. I think there have been a couple of gpg-agent/scdaemon fixes going in to make unplug/insert resume fine.

/Simon
gpg-agent unable to see yubikey until manually re-running `gpg --card-status`
Very confused by this. Every time I insert my yubikey into a system I must do 'gpg --card-status' to make gpg-agent aware it exists again.

Using: gpg/gpg-agent 2.1.4

Expected Results:

1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. version is reported

Actual Results:

1. Insert yubikey
2. Issue version command to gpg agent
3. Version is reported
4. Remove and re-insert key
5. Issue version command to gpg agent
6. Card not present error

Current workaround when error is reached:

1. Issue 'gpg --card-status'
2. Issue version command to gpg agent
3. Version is reported

Stock gpg configs other than 'enable-ssh-support' in .gnupg/gpg-agent.conf

I have the following in my .zlogin to setup ssh env:

```
envfile=$HOME/.gnupg/gpg-agent.env
if [[ ! -e $envfile ]] || [[ ! -e $HOME/.gnupg/S.gpg-agent ]]; then
    # start the agent and capture the "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;" line it prints
    gpg-agent --daemon --enable-ssh-support > $envfile
fi
eval $(cat $envfile)
export SSH_AUTH_SOCK  # enable gpg-agent for ssh
```

Output of me reproducing this issue:

```
[lrvick@tsar ~]$ # key inserted
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[] 01 00 08 90 00 .
OK
[lrvick@tsar ~]$ gpg --card-status
Application ID ...: D27600012401020603364644
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..............: male
URL of public key : http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE90A401336C8AAA9
Login data .......: lrvick
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
      created ....: 2015-03-19 08:41:47
Encryption key....: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
      created ....: 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
      created ....: 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick (Personal) <la...@lrvick.net>
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb   rsa2048/F66444E5  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb   rsa2048/D94A0B8A  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb   rsa2048/F189271D  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never
[lrvick@tsar ~]$ # key removed
[lrvick@tsar ~]$ # key inserted
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663408 Card not present <SCD>
[lrvick@tsar ~]$ gpg --card-status
Application ID ...: D27600012401020603364644
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03364644
Name of cardholder: Lance Vick
Language prefs ...: en
Sex ..............: male
URL of public key : http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE90A401336C8AAA9
Login data .......: lrvick
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 387A 3684 2D5A A336 0A05  193E 8D5B 2F41 F664 44E5
      created ....: 2015-03-19 08:41:47
Encryption key....: 1F43 D8C3 9A32 F33A EC7A  6527 5301 06BD D94A 0B8A
      created ....: 2015-03-19 08:43:20
Authentication key: 7FDA 0082 EF1E 9A5B 9EB6  B63F D362 694A F189 271D
      created ....: 2015-03-19 08:45:19
General key info..: sub  rsa2048/F66444E5 2015-03-19 Lance R. Vick (Personal) <la...@lrvick.net>
sec#  rsa4096/36C8AAA9  created: 2009-05-09  expires: never
ssb   rsa2048/F66444E5  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb   rsa2048/D94A0B8A  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb   rsa2048/F189271D  created: 2015-03-19  expires: never
                        card-no: 0006 03364644
ssb#  rsa4096/A649FFDA  created: 2009-05-09  expires: never
ssb#  rsa4096/4D08A9A6  created: 2015-02-01  expires: never
[lrvick@tsar ~]$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[] 01 00 08 90 00 .
OK
[lrvick@tsar ~]$ gpg --version
gpg (GnuPG) 2.1.4
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384,
```