Mailing List Archive

YubiKey 5C NFC not detected
I would like to set up a YubiKey 5C NFC for SSH, but it doesn’t get
detected by GnuPG:

```
$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ cat .gnupg/scdaemon.conf
reader-port Yubico Yubi
$ gpgconf --kill gpg-agent
$ ps x | grep scdaemon
33408 ? SLl 0:00 scdaemon --multi-server
49465 pts/2 S+ 0:00 grep scdaemon
$ /usr/lib/gnupg/scdaemon --version
scdaemon (GnuPG) 2.2.32
libgcrypt 1.9.4-unknown
libksba 1.6.0
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ gpg --verbose --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

What can I do?


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: YubiKey 5C NFC not detected
On Saturday, 29 January 2022 22:24:03 CET Felix E. Klee wrote:
> I would like to set up a YubiKey 5C NFC for SSH, but it doesn’t get
> detected by GnuPG:
>
> $ ykman config usb -l
> OTP
> FIDO U2F
> FIDO2
> OATH
> PIV
> OpenPGP
> YubiHSM Auth
> $ cat .gnupg/scdaemon.conf
> reader-port Yubico Yubi

Are you sure "Yubico Yubi" is the correct value for the reader-port option?
Did you try without specifying this option?

Regards,
Ingo
Re: YubiKey 5C NFC not detected
Ingo Klöcker <kloecker@kde.org> writes:
> Are you sure "Yubico Yubi" is the correct value for the reader-port
> option?

It’s what is suggested in the official [Troubleshooting Issues with
GPG][1]. They also suggest:

Yubico Yubikey

That doesn’t work either. As I realized before, their guides are not up
to date. [Elsewhere][2] I found that one can scan for devices:

```
$ gpgconf --kill gpg-agent
$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ pcsc_scan -n
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... |
```

That just hangs, same when prefixed with `sudo`.

> Did you try without specifying this option?

Yes.

```
$ rm .gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

By the way, to make `ykman` see the key, I had to add a udev rule:

```
$ cat /etc/udev/rules.d/10-security-key.rules
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0666", GROUP="users", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407"
```

Any idea what else I can try?

[1]: https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG
[2]: https://blog.programster.org/yubikey-link-with-gpg


Re: YubiKey 5C NFC not detected
On Sunday, 30 January 2022 12:22:24 CET Felix E. Klee wrote:
> Ingo Klöcker <kloecker@kde.org> writes:
> > Are you sure "Yubico Yubi" is the correct value for the reader-port
> > option?
>
> It’s what is suggested in the official [Troubleshooting Issues with
> GPG][1]. They also suggest:
>
> Yubico Yubikey
>
> That doesn’t work either. As I realized before, their guides are not up
> to date.

> > Did you try without specifying this option?
>
> Yes.
>
> $ rm .gnupg/scdaemon.conf
> $ gpgconf --kill gpg-agent
> $ gpg --card-status
> gpg: selecting card failed: No such device
> gpg: OpenPGP card not available: No such device
>
> By the way, to make `ykman` see the key, I had to add a udev rule:
>
> $ cat /etc/udev/rules.d/10-security-key.rules
> KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0666", GROUP="users",
> ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407"
>
> Any idea what else I can try?

Run the following command to see which readers GnuPG's scdaemon sees:
```
$ echo scd getinfo reader_list | gpg-connect-agent --decode
```

For my YubiKey I get
```
D 1050:0407:X:0
OK
```
Instead of the "X" (which I get literally because apparently more descriptive
information is missing) you will hopefully see a more descriptive string.
That's the string you need to use for reader-port if you want to tell scdaemon
explicitly which reader it should use. If scdaemon sees only one reader, then
setting the option reader-port makes no sense.

If scdaemon doesn't see your reader then it's probably not (yet) supported by
GnuPG's CCID driver. Then you could try to use pcsc by adding the option
disable-ccid to your scdaemon.conf.

You could also try GnuPG 2.3.4.

Regards,
Ingo
Re: YubiKey 5C NFC not detected
Ingo Klöcker <kloecker@kde.org> writes:
> $ echo scd getinfo reader_list | gpg-connect-agent --decode

```
$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ gpgconf --kill gpg-agent
$ echo scd getinfo reader_list | gpg-connect-agent --decode
OK
```

:(


> If scdaemon doesn't see your reader then it's probably not (yet)
> supported by GnuPG's CCID driver. Then you could try to use pcsc by
> adding the option disable-ccid to your scdaemon.conf.

```
$ echo disable-ccid >~/.gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

:(

> You could also try GnuPG 2.3.4.

Think I’ll wait until it’s in Arch. At the moment:

```
$ gpg --version
gpg (GnuPG) 2.2.32
```


Re: YubiKey 5C NFC not detected
Hi!

On Sun, 30 Jan 2022 14:37, Felix E. Klee said:

> $ echo scd getinfo reader_list | gpg-connect-agent --decode
> OK

scdaemon does not see any reader. That might simply be due to another
process which uses the reader (the yubikey tools). Using

```
debug cardio
verbose
log-file /some/where/scd.log
```

in scdaemon.conf can give some insights. You should also try adding

```
pcsc-shared
```

into scdaemon.conf - this allows the concurrent use of the reader by
more than one process.

> gpg (GnuPG) 2.2.32

Note that there is a bug in the reader-port implementation of 2.2.33;
you better wait for 2.2.34 instead of updating to 2.2.33.


Shalom-Salam,

Werner


p.s.
I did follow the entire thread, thus I may have repeated other advice.

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: YubiKey 5C NFC not detected
Werner Koch via Gnupg-users <gnupg-users@gnupg.org> writes:
> scdaemon does not see any reader. That might simply be due to another
> process which uses the reader (the yubikey tools).

None the wiser:

```
$ cat ~/.gnupg/scdaemon.conf
debug cardio
verbose
log-file /tmp/scd.log
pcsc-shared
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$ cat /tmp/*.log
2022-01-30 20:50:40 scdaemon[416012] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2022-01-30 20:50:40 scdaemon[416012] handler for fd -1 started
2022-01-30 20:50:40 scdaemon[416012] ccid open error: skip
2022-01-30 20:50:40 scdaemon[416012] pcsc_list_readers failed: no readers available (0x8010002e)
```

>> gpg (GnuPG) 2.2.32
>
> Note that there is a bug in the reader-port implementation of 2.2.33;
> you better wait for 2.2.34 instead of updating to 2.2.33.

Good to know. Will keep an eye on it. Even if 2.2 doesn’t work with
that YubiKey, it does work just fine with the OpenPGP smart card in my
[SPR232 mod][1]. So I don’t want to lose access there.

[1]: https://github.com/feklee/0.332
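
The scdaemon log quoted in the last message reports on two separate access paths: the internal CCID driver and the PC/SC fallback. As an added example (not part of the thread and not GnuPG code), the following shell script classifies such a log by the standard PC/SC status code that scdaemon prints in parentheses; the function names, the result labels and the second sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify an scdaemon log (written with
# "debug cardio", "verbose" and "log-file") by the access path that failed.

# Translate the PC/SC status code scdaemon prints in parentheses.
# The values are the standard PC/SC (winscard) error constants.
pcsc_reason() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0x8010001d) echo "no-service" ;;        # pcscd not running or unreachable
        0x8010002e) echo "no-readers" ;;        # pcscd answers but lists no reader
        0x8010000b) echo "sharing-violation" ;; # reader held exclusively elsewhere
        0x8010000c) echo "no-card" ;;           # reader present, no card in it
        *)          echo "other($1)" ;;
    esac
}

# Read a log on stdin and print "ccid=<state> pcsc=<state>".
# "none-logged" means the log carries no error line for that path.
scd_triage() {
    log=$(cat)
    ccid=none-logged
    pcsc=none-logged
    if printf '%s\n' "$log" | grep -q 'ccid open error'; then
        ccid=open-failed   # internal CCID driver could not open a USB reader
    fi
    # Take the status code of the last failed pcsc_* call in the log.
    code=$(printf '%s\n' "$log" |
        sed -n 's/.*pcsc_[a-z_]* failed: .*(\(0x[0-9A-Fa-f]\{8\}\)).*/\1/p' |
        tail -n 1)
    if [ -n "$code" ]; then
        pcsc=$(pcsc_reason "$code")
    fi
    echo "ccid=$ccid pcsc=$pcsc"
}

# Log lines quoted from the thread above.
THREAD_LOG='2022-01-30 20:50:40 scdaemon[416012] ccid open error: skip
2022-01-30 20:50:40 scdaemon[416012] pcsc_list_readers failed: no readers available (0x8010002e)'

# Constructed line (not from the thread): reader busy in another process.
BUSY_LOG='2022-01-30 21:00:00 scdaemon[1] pcsc_connect failed: sharing violation (0x8010000b)'

printf '%s\n' "$THREAD_LOG" | scd_triage
printf '%s\n' "$BUSY_LOG" | scd_triage
```

A `sharing-violation` result matches the case Werner describes, another process holding the reader, which is where `pcsc-shared` applies. A `no-readers` result means the PC/SC service answered but listed no reader at all.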

