Mailing List Archive

Trouble with GPG Cards for SSH when using FIDO2
Hello Everybody,

Since some update about two months ago, I started to run into trouble using both of my YubiKeys. To be precise: I have set up gpg such that the SSH auth agent can access the keys. That worked for a long time. For example: `ssh-add -L` always displayed both public keys.
As mentioned before, now I am running into trouble, but not right from the start. As far as I could observe, it always happens after I used one of the keys for a FIDO2 authentication. After that `ssh-add -L` doesn't display any keys anymore and `gpg --card-status` says:

```
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

even though the keys are inserted. In such a case, the only thing that helps is a reboot.

I really would like to provide more details, but I really do not know where to start.

Baseline:
- Everything works fine until I use one of the keys for FIDO2
- Afterwards I cannot restore the service without a reboot

I am running Arch Linux with a new kernel and GPG version 2.4.3.

Thanks in advance for any help!
Re: Trouble with GPG Cards for SSH when using FIDO2
On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:

> - Everything works fine until I use one of the keys for FIDO2
> - Afterwards I cannot restore the service without a reboot

Try to add

pcsc-shared

to scdaemon.conf and gpgconf -R scdaemon. Does this change anything?
If not, add

log-file /foo/scd.log
debug ipc,reader,card

to scdaemon.conf and check the log file or send it to me. Make sure
that you did not enter the PIN as it would show up in the log. If this
does not give any hints, adding "debug cardio" will give even more
verbose output.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
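Werner's caveat above matters because `debug cardio` dumps every APDU sent to the card, and an OpenPGP card PIN travels in clear in the data field of VERIFY (and the other reference-data commands). As an added example that is not code from the thread or from GnuPG, the following Python script masks exactly that data field in a cardio log before the log is shared, while leaving CLA/INS/P1/P2/Lc and everything else intact so the exchange stays diagnosable. It assumes the `raw apdu:` hex-dump line shape scdaemon uses for this debug level; the sample log lines are constructed in that shape, not a real capture.

```python
"""Mask PIN-carrying APDUs in an scdaemon `debug cardio` log before sharing it.

Added example, not code from the thread or from GnuPG.  Assumption: with
`debug cardio` scdaemon writes each command as a hex dump on a line containing
"raw apdu:"; any line that does not look like that passes through untouched.
"""
from __future__ import annotations

import re
import sys

# ISO 7816-4 instructions whose data field carries a PIN (the OpenPGP card
# uses all three); masking their data is what keeps the PIN out of the log.
PIN_INS = {
    0x20: "VERIFY",
    0x24: "CHANGE REFERENCE DATA",
    0x2C: "RESET RETRY COUNTER",
}

# Group 1 keeps the log prefix (timestamp, pid, "DBG:") verbatim,
# group 2 is the space-separated hex dump of the APDU.
RAW_APDU_RE = re.compile(r"^(.*raw apdu:\s*)((?:[0-9A-Fa-f]{2}\s*)+)$")


def redact_apdu_line(line: str) -> tuple[str, str | None]:
    """Return (line, instruction name) with the data field masked if the line
    is a PIN-carrying APDU, else (line, None).  CLA/INS/P1/P2/Lc stay visible
    so the exchange is still diagnosable; only the PIN bytes become "XX"."""
    nl = "\n" if line.endswith("\n") else ""
    m = RAW_APDU_RE.match(line.rstrip("\r\n"))
    if not m:
        return line, None
    prefix, hexdump = m.groups()
    apdu = bytes.fromhex(hexdump.replace(" ", ""))
    if len(apdu) < 5 or apdu[1] not in PIN_INS:
        return line, None
    lc = apdu[4]                         # short APDU: one-byte Lc
    n_data = min(lc, len(apdu) - 5)      # tolerate a truncated dump
    parts = [apdu[:5].hex(" "), " ".join(["XX"] * n_data), apdu[5 + n_data:].hex(" ")]
    return prefix + " ".join(p for p in parts if p) + nl, PIN_INS[apdu[1]]


def redact_log(text: str) -> tuple[str, int]:
    """Redact every line of `text`; return (redacted text, APDUs masked)."""
    out, masked = [], 0
    for line in text.splitlines(keepends=True):
        new_line, ins = redact_apdu_line(line)
        out.append(new_line)
        masked += ins is not None
    return "".join(out), masked


# Constructed sample in the assumed shape of scdaemon's cardio output; the
# second line is a VERIFY of PW1 ("123456") that must not leave the machine.
SAMPLE_LOG = (
    "2024-02-05 12:00:01 scdaemon[4242] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=6 le=-1 em=0\n"
    "2024-02-05 12:00:01 scdaemon[4242] DBG:  raw apdu: 00 20 00 82 06 31 32 33 34 35 36\n"
    "2024-02-05 12:00:01 scdaemon[4242] DBG:  response: sw=9000  datalen=0\n"
    "2024-02-05 12:00:02 scdaemon[4242] DBG: send apdu: c=00 i=CA p1=00 p2=4F lc=-1 le=256 em=0\n"
    "2024-02-05 12:00:02 scdaemon[4242] DBG:  raw apdu: 00 CA 00 4F 00\n"
)

if __name__ == "__main__":
    # usage: python redact_scd_log.py scd.log > scd-redacted.log
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    redacted, masked = redact_log(source)
    sys.stdout.write(redacted)
    print(f"masked {masked} PIN-carrying APDU(s)", file=sys.stderr)
```

The `send apdu:` summary line still reveals the PIN length via `lc=`, which is harmless for a bug report; if even that is unwanted, the same regex approach can blank the `lc=` value. The safer route remains the one Werner gives: do not enter the PIN at all while the debug log is being recorded.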
Re: Trouble with GPG Cards for SSH when using FIDO2
Hello Werner,

thanks a lot for your reply and all the useful commands. Please excuse the late reply, but this one is driving me crazy since I am not able to create a situation in which I can reliably reproduce the failure. I guess that is due to OS updates as well.

Here are some of the edge cases:

- When I launch a bash right after startup `ssh-add -L` displays all the keys and they remain even after the usage of FIDO

- When I come back from lunch - waking up the box from logout - the keys are gone, even with the bash still open.

- In case the keys are gone, none of the scripts you provided change anything.

Maybe that is helpful here: The code from my `.bashrc`:

```
# tell pinentry which terminal to use for PIN prompts
export GPG_TTY="$(tty)"
# point ssh at gpg-agent's ssh socket instead of ssh-agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
# make sure gpg-agent is running (it starts scdaemon on demand)
gpgconf --launch gpg-agent
```

Adding `pcsc-shared` completely breaks it, and it stops working.

I will further try to clearly reproduce it. Any hints are welcome.

THANKS FOR HELP!

Best Philipp


> Werner Koch <wk@gnupg.org> wrote on 15.01.2024 17:04 CET:
>
>
> On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:
>
> > - Everything works fine until I use one of the keys for FIDO2
> > - Afterwards I cannot restore the service without a reboot
>
> Try to add
>
> pcsc-shared
>
> to scdaemon.conf and gpgconf -R scdaemon. Does this change anything?
> If not, add
>
> log-file /foo/scd.log
> debug ipc,reader,card
>
> to scdaemon.conf and check the log file or send it to me. Make sure
> that you did not enter the PIN as it would show up in the log. If this
> does not give any hints, adding "debug cardio" will give even more
> verbose output.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | philipp@knutschmidt.de | +49 176 23 43 27 79
Re: Trouble with GPG Cards for SSH when using FIDO2
Hi!

I would suggest that you put

debug ipc
log-file /foo/bar/agent.log

into gpg-agent.conf and

debug cardio
log-file /foo/bar/scd.log

into scdaemon.conf and restart them all (gpgconf -K all). You may of
course also run watchgnupg to see a combined log but separate log files
are good enough. The ssh handler has no dedicated debug statements and
thus any debug level is sufficient to see errors in the logs. If you
don't see anything in the logs you either need to use a socket proxy
(somewhere in the gnupg source is one) or add debug statements to
command-ssh.c. My guess is that the scdaemon log gives some hints.


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Trouble with GPG Cards for SSH when using FIDO2
Hello Werner,

thanks again for your help! I found some errors in the logs in `~/.gnupg/gpg-agent.log`, which you can find in the attachments.

By accident I stumbled over a solution which maybe gives some idea what might go wrong, but which is weird in nature as well:

Running `gpgconf -K all` and `systemctl restart pcscd` doesn't change anything immediately, but after a while (minutes, I guess) `ssh-add -L` then yields the keys. When that has happened I can even remove/add one or both of my keys and everything is updated accordingly.

The confusing part is that it takes time until it works again, so maybe that information can nail down the issue a little?

Best and thanks for the help,
Philipp

> Werner Koch <wk@gnupg.org> wrote on 02.02.2024 10:02 CET:
>
>
> Hi!
>
> I would suggest that you put
>
> debug ipc
> log-file /foo/bar/agent.log
>
> into gpg-agent.conf and
>
> debug cardio
> log-file /foo/bar/scd.log
>
> into scdaemon.conf and restart them all (gpgconf -K all). You may of
> course also run watchgnupg to see a combined log but separate log files
> are good enough. The ssh handler has no dedicated debug statements and
> thus any debug level is sufficient to see errors in the logs. If you
> don't see anything in the logs you either need to use a socket proxy
> (somewhere in the gnupg source is one) or add debug statements to
> command-ssh.c. My guess is that the scdaemon log gives some hints.
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | philipp@knutschmidt.de | +49 176 23 43 27 79
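The recovery Philipp describes in his last message (`gpgconf -K all`, `systemctl restart pcscd`, then an unknown number of minutes until `ssh-add -L` lists the card keys again) is easier to reason about when it is scripted with a bounded wait and the elapsed time is recorded. The following Python script is an added example, not code from the thread or from GnuPG. It assumes `systemctl restart pcscd` is permitted for the calling user (root or a sudoers rule), that `SSH_AUTH_SOCK` already points at gpg-agent's ssh socket as in the `.bashrc` posted earlier, and that `gpg --card-status` exits non-zero when the card cannot be selected. The probe and sleep functions are injectable so the waiting logic can be run without a card.

```python
"""Recover the gpg-agent SSH socket after the OpenPGP card goes missing and
measure how long the keys take to reappear.

Added example, not code from the thread or from GnuPG.  It scripts the sequence
the thread ended up with (`gpgconf -K all`, `systemctl restart pcscd`, relaunch
the agent) and then polls `ssh-add -L` with a bounded wait instead of an
open-ended "minutes, I guess".  Assumptions: restarting pcscd is allowed for the
calling user, and SSH_AUTH_SOCK already points at gpg-agent's ssh socket.
"""
from __future__ import annotations

import subprocess
import sys
import time
from typing import Callable

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # key types `ssh-add -L` can list


def ssh_agent_keys() -> list[str]:
    """Public keys the agent behind $SSH_AUTH_SOCK currently offers ([] if none).
    `ssh-add -L` exits non-zero with "The agent has no identities." when empty."""
    r = subprocess.run(["ssh-add", "-L"], capture_output=True, text=True)
    if r.returncode != 0:
        return []
    return [l for l in r.stdout.splitlines() if l.startswith(KEY_PREFIXES)]


def card_visible() -> bool:
    """True when scdaemon can select the card.  The thread's failure shows up
    here as "selecting card failed: No such device" and a non-zero exit."""
    r = subprocess.run(["gpg", "--card-status"], capture_output=True, text=True)
    return r.returncode == 0


def restart_card_stack() -> None:
    """Kill every GnuPG daemon, restart pcscd, bring gpg-agent back up."""
    subprocess.run(["gpgconf", "--kill", "all"], check=True)     # same as -K all
    subprocess.run(["systemctl", "restart", "pcscd"], check=True)  # needs privileges
    subprocess.run(["gpgconf", "--launch", "gpg-agent"], check=True)


def wait_for_keys(probe: Callable[[], list[str]], timeout_s: float,
                  interval_s: float = 5.0,
                  sleep: Callable[[float], None] = time.sleep) -> tuple[list[str], float, int]:
    """Call `probe` until it returns keys or `timeout_s` seconds have been
    waited; returns (keys, seconds waited, number of probes).  Waiting is
    accounted from the sleeps, so the result is deterministic under test."""
    waited, probes = 0.0, 0
    while True:
        probes += 1
        keys = probe()
        if keys or waited >= timeout_s:
            return keys, waited, probes
        step = min(interval_s, timeout_s - waited)   # never overshoot the timeout
        sleep(step)
        waited += step


if __name__ == "__main__":
    restart_card_stack()
    keys, waited, probes = wait_for_keys(ssh_agent_keys, timeout_s=600)
    status = "visible" if card_visible() else "NOT visible"
    if not keys:
        sys.exit(f"no keys after {waited:.0f}s ({probes} probes); card {status}")
    print(f"{len(keys)} key(s) back after {waited:.0f}s ({probes} probes); card {status}")
    for k in keys:
        fields = k.split(None, 2)
        print(" ", fields[0], fields[2] if len(fields) > 2 else "")
```

Running it right after the keys vanish gives a number (how many seconds until `ssh-add -L` recovers) that can be correlated with the scdaemon log timestamps from Werner's debug setup, which is more useful in a bug report than "after a while".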