On Saturday, August 22, 2020 6:09 PM, Ave Milia via Gnupg-users <gnupg-users@gnupg.org> wrote:
> What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is
> controlled by GPG agent. SSH key from Yubikey is automatically enrolled and
> used for connection to git remote. And it "just works". It's been two weeks
> that I can't get to that point, so I decided to ask for help here.
>
> The most depressing fact is sometimes it works, and the other time it
> doesn't. And I never know why. And I don't know how to fix it.
>
> Current problem: ssh-add -L returns "Error connecting to agent: No such file
> or directory".
>
> I have followed [0] to generate and load GPG keys into Yubikey. It didn't
> work well (I don't remember what exactly was failing, there have been a
> million issues at this point and I don't know what I'm doing anymore), so I
> started to dig deeper and tried information from [1] [2] [3]. The result of
> it is that I can do a git pull once and it works, then I do another git pull
> and it doesn't.
>
> What I have tried: relogging, launching new terminal, gpgconf --reload all,
> systemctl restart pcscd, Yubikey replug. Everything alone and everything
> together.
>
> ❯ inxi -Sz
> System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro:
> Manjaro Linux
>
> ❯ ykman info
> Device type: YubiKey 4
> Serial number: XXXXXXX
> Firmware version: 4.3.5
> Enabled USB interfaces: OTP+FIDO+CCID
>
> Applications
> OTP Enabled
> FIDO U2F Enabled
> OpenPGP Enabled
> PIV Enabled
> OATH Enabled
> FIDO2 Not available
>
> ❯ ykman openpgp info
> OpenPGP version: 2.1
> Application version: 4.3.5
>
> PIN tries remaining: 10
> Reset code tries remaining: 0
> Admin PIN tries remaining: 10
>
> Touch policies
> Signature key On
> Encryption key On
> Authentication key On
>
> ❯ gpg --version
> gpg (GnuPG) 2.2.21
> libgcrypt 1.8.6
>
> ❯ gpg -K
> /home/ave/.gnupg/pubring.kbx
> ----------------------------
> sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C]
> Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC
> uid [ultimate] Ave Milia avemi...@protonmail.com
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]
>
> ❯ gpg --card-status
> Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
> Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Application type .: OpenPGP
> Version ..........: 2.1
> Manufacturer .....: Yubico
> Serial number ....: XXXXXXX
> Name of cardholder: Ave Milia
> Language prefs ...: en
> Salutation .......: Mr.
> URL of public key :
> https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa4096 rsa4096 rsa4096
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 10 0 10
> Signature counter : 5
> Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:13:49
> Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:14:37
> Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:15:07
> General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia
> avemi...@protonmail.com
> sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
> card-no: XXXX XXXXXXXX
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
> card-no: XXXX XXXXXXXX
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
> card-no: XXXX XXXXXXXX
>
> ❯ gpgconf --list-dirs
> sysconfdir:/etc/gnupg
> bindir:/usr/bin
> libexecdir:/usr/lib/gnupg
> libdir:/usr/lib/gnupg
> datadir:/usr/share/gnupg
> localedir:/usr/share/locale
> socketdir:/run/user/1000/gnupg
> dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
> agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
> agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
> agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
> agent-socket:/run/user/1000/gnupg/S.gpg-agent
> homedir:/home/ave/.gnupg
>
> ❯ grep -v "^#" .gnupg/gpg.conf
> personal-cipher-preferences AES256 AES192 AES
> personal-digest-preferences SHA512 SHA384 SHA256
> personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
> default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP
> Uncompressed
> cert-digest-algo SHA512
> s2k-digest-algo SHA512
> s2k-cipher-algo AES256
> charset utf-8
> fixed-list-mode
> no-comments
> no-emit-version
> no-greeting
> keyid-format 0xlong
> list-options show-uid-validity
> verify-options show-uid-validity
> with-fingerprint
> require-cross-certification
> no-symkey-cache
> use-agent
> throw-keyids
> keyserver hkps://hkps.pool.sks-keyservers.net
>
> ❯ grep -v "^#" .gnupg/gpg-agent.conf
> enable-ssh-support
> default-cache-ttl 60
> max-cache-ttl 120
> pinentry-program /usr/bin/pinentry-curses
>
> ❯ grep -v "^#" .gnupg/scdaemon.conf
> pcsc-driver /usr/lib/libpcsclite.so
> card-timeout 5
> disable-ccid
>
> ❯ ll /usr/lib/libpcsclite.so
> lrwxrwxrwx 1 root root 20 19. čen 21.40 /usr/lib/libpcsclite.so ->
> libpcsclite.so.1.0.0
>
> ❯ sudo systemctl status pcscd.service
> ● pcscd.service - PC/SC Smart Card Daemon
> Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor
> preset: disabled)
> Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
> TriggeredBy: ● pcscd.socket
> Docs: man:pcscd(8)
> Main PID: 54997 (pcscd)
> Tasks: 5 (limit: 19134)
> Memory: 1.8M
> CGroup: /system.slice/pcscd.service
> └─54997 /usr/bin/pcscd --foreground --auto-exit
>
> srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000000
> ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000069
> readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed
> (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000002
> readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
> srp 22 17:47:28 ave-pc pcscd[54997]: 00007224
> ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000016
> readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed
> (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000002
> readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
>
> ^^^ Despite pcscd errors, in my experience this is orthogonal to whether
> Yubikey/GPG/SSH is in the mood for working correctly.
>
> ❯ cat /etc/opensc.conf
> app default {
> # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
> # can handle both to access keys and certificates, but only one at a time.
> card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
> name = "Yubikey 4";
> # Select the PKI applet to use ("PIV-II" or "openpgp")
> driver = "openpgp";
> # Recover from other applications accessing a different applet
> flags = "keep_alive";
> }
> }
>
> ❯ cat /usr/share/p11-kit/modules/opensc.module
> module: opensc-pkcs11.so
>
> ❯ p11tool --list-tokens
> Token 0:
> URL:
> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
> Label: System Trust
> Type: Trust module
> Flags: uPIN uninitialized
> Manufacturer: PKCS#11 Kit
> Model: p11-kit-trust
> Serial: 1
> Module: p11-kit-trust.so
>
> Token 1:
> URL:
> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
> Label: Default Trust
> Type: Trust module
> Flags: uPIN uninitialized
> Manufacturer: PKCS#11 Kit
> Model: p11-kit-trust
> Serial: 1
> Module: p11-kit-trust.so
>
> Token 2:
> URL:
> pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
> Label: OpenPGP card (User PIN)
> Type: Hardware token
> Flags: Requires login
> Manufacturer: Yubico
> Model: PKCS#15 emulated
> Serial: XXXXXXXXXXXX
> Module: opensc-pkcs11.so
>
> Token 3:
> URL:
> pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
> Label: OpenPGP card (User PIN (sig))
> Type: Hardware token
> Flags: Requires login
> Manufacturer: Yubico
> Model: PKCS#15 emulated
> Serial: XXXXXXXXXXXX
> Module: opensc-pkcs11.so
>
> ❯ pkcs11-tool -O --login
> Using slot 0 with a present token (0x0)
> Logging in to "OpenPGP card (User PIN)".
> Please enter User PIN:
> Private Key Object; RSA
> label: Encryption key
> ID: 02
> Usage: decrypt, unwrap
> Access: sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
> label: Encryption key
> ID: 02
> Usage: encrypt, wrap
> Access: none
> Private Key Object; RSA
> label: Authentication key
> ID: 03
> Usage: decrypt, sign, non-repudiation, unwrap
> Access: sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
> label: Authentication key
> ID: 03
> Usage: encrypt, verify, wrap
> Access: none
>
> ❯ Relevant part from .zshrc
> unset SSH_AGENT_PID
> if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
> export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
> fi
> export GPG_TTY=$(tty)
> gpg-connect-agent updatestartuptty /bye >/dev/null
>
> ❯ ssh-add -L
> Error connecting to agent: No such file or directory
>
> ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX
>
> So, any ideas which tambourine should I pick this time?

Today's tambourine turned out to be transitioning to systemd services as per [4] and attempting to do something about gpg-agent-ssh.socket. For me, systemd units are more pleasant to work with, because there is a single standard way to query them and to see their logs. Now, this took extra time, because apparently restart on a .socket didn't work, most probably because of space radiation. Or maybe just systemd things. Anyway. Stop and later start restarted the socket and I attempted to use git, which hinted me at the next error I already knew. Which is the requirement to have `gpg-connect-agent updatestartuptty /bye` in the shellrc file [5] (I removed the previous paste above, leaving only the SSH_AUTH_SOCK export).

This is what works in .zshrc as of now:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null

I should also point attention to the fact that `gpgconf --kill/reload gpg-agent/all`, attempted probably a hundred times by now, had no impact on the borked socket. Perhaps I was doing something wrong. Or not.

> [0] https://github.com/drduh/YubiKey-Guide
> [1] https://wiki.archlinux.org/index.php/GnuPG#SSH_agent
> [2] https://wiki.archlinux.org/index.php/GnuPG#Smartcards
> [3] https://wiki.archlinux.org/index.php/Smartcards

[4] <https://eklitzke.org/using-gpg-agent-effectively>
[5] <https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html>

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
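The message above boils down to three preconditions that each have to hold before `ssh-add -L` can list the card key: `enable-ssh-support` in gpg-agent.conf, `SSH_AUTH_SOCK` exported to the path gpg-agent actually serves (`gpgconf --list-dirs agent-ssh-socket`, `/run/user/1000/gnupg/S.gpg-agent.ssh` in the quoted output), and that socket existing at all. The following diagnostic is an added example, not part of Ave Milia's message and not GnuPG's own code; the function names and the gpgconf-less fallback path are assumptions made for this example. It separates the four states `SSH_AUTH_SOCK` can be in, because they produce different ssh-add errors: an unset variable makes ssh-add say it cannot open a connection to the agent, while a set variable whose path does not exist on disk produces exactly the "Error connecting to agent: No such file or directory" quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic for running gpg-agent as the SSH agent with an OpenPGP card.
# Not from the original message or from GnuPG; helper names and the fallback
# socket path below are assumptions for this example.

# Path of the socket gpg-agent serves SSH on. gpgconf is the authoritative
# source (the thread queries it the same way); the fallback reproduces the
# XDG_RUNTIME_DIR layout shown in the quoted `gpgconf --list-dirs` output.
agent_ssh_socket_path() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/gnupg/S.gpg-agent.ssh\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    fi
}

# Succeeds when the given gpg-agent.conf has an uncommented enable-ssh-support
# line; without it gpg-agent never creates S.gpg-agent.ssh at all.
conf_has_ssh_support() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$1"
}

# Classify SSH_AUTH_SOCK ($2) against the agent socket path ($1):
#   ok          points at the agent socket and a socket exists there
#   unset       SSH_AUTH_SOCK is empty (the shell rc never exported it)
#   wrong-path  points somewhere else, e.g. a leftover ssh-agent socket
#   no-socket   right path, but no socket on disk yet (agent not started);
#               this is the state behind "Error connecting to agent: No such
#               file or directory"
classify_ssh_auth_sock() {
    want=$1
    have=$2
    if [ -z "$have" ]; then
        echo unset
    elif [ "$have" != "$want" ]; then
        echo wrong-path
    elif [ ! -S "$have" ]; then
        echo no-socket
    else
        echo ok
    fi
}

# Live check: report each precondition and the shell lines the thread settled on.
diagnose() {
    conf="${GNUPGHOME:-${HOME:-}/.gnupg}/gpg-agent.conf"
    sock=$(agent_ssh_socket_path)
    if conf_has_ssh_support "$conf"; then
        printf 'ok: enable-ssh-support is set in %s\n' "$conf"
    else
        printf 'missing: enable-ssh-support in %s (gpg-agent will not serve SSH)\n' "$conf"
    fi
    case "$(classify_ssh_auth_sock "$sock" "${SSH_AUTH_SOCK:-}")" in
        ok)         printf 'ok: SSH_AUTH_SOCK=%s\n' "$sock" ;;
        unset)      printf 'SSH_AUTH_SOCK unset; add to shell rc: export SSH_AUTH_SOCK="%s"\n' "$sock" ;;
        wrong-path) printf 'SSH_AUTH_SOCK=%s but gpg-agent serves %s\n' "${SSH_AUTH_SOCK:-}" "$sock" ;;
        no-socket)  printf 'no socket at %s; start the agent: gpg-connect-agent /bye\n' "$sock" ;;
    esac
    # pinentry must know which terminal to use, hence the updatestartuptty line
    printf 'per terminal: export GPG_TTY=$(tty); gpg-connect-agent updatestartuptty /bye\n'
}

diagnose
```

Run it from the same terminal where git fails; the `wrong-path` case is worth checking first on desktops, since a session-started ssh-agent or keyring can export its own `SSH_AUTH_SOCK` after the shell rc has already set the gpg-agent one.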