Smartcard Hotplug?

NIIBE Yutaka gniibe at fsij.org
Wed Nov 4 11:05:27 CET 2015


Hello,

For a while, please configure your scdaemon.conf with a line.

==================== .gnupg/scdaemon.conf
disable-ccid
====================

With this option, scdaemon always uses the PC/SC service and I believe that
it will improve your situation.

			*	*	*

On 2015-11-04 at 00:15 -0800, Marc Mercer wrote:
> For now, I didn't want to make the posting itself too clumsy, so I
> have linked the logfile here:
> https://gist.github.com/Daemoen/e079a7d0617526661e25

Thanks a lot.  I think that I've finally got a clue to solve this
issue of Yubikey and Cryptostick; I got some complaints but none was
reproducible.

IIUC, I think that the situation is like this:

(1) With the configuration of Yubikey and Cryptostick, a user actually
uses GnuPG's internal CCID driver (instead of PC/SC), if a user
doesn't specify disable-ccid.

That's because current scdaemon's logic tries the internal CCID driver
first and then goes to PC/SC.

Because of Yubikey and Cryptostick's recommended configuration of udev
(which has other uses, something like OTP/U2F/PIV), the access by
the internal CCID driver (unfortunately) doesn't fail.

Usually for other card readers, the access by internal CCID fails and
goes to PC/SC, but this doesn't happen for Yubikey and Cryptostick.


(2) On Fedora, we would have some compatibility issue of old libusb.
GnuPG's ccid-driver.c expects a return value of -ENODEV for bulk write
when it's gone, but it looks like the return value is different.  So,
the internal CCID driver can't detect unplugging of tokens/readers.


While I ask you to run scdaemon with the disable-ccid option, I should
fix the problem of the internal CCID driver.
-- 



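One way to apply the disable-ccid workaround from the message above without duplicating the line or being fooled by a commented-out copy, as an added example that is not part of the original post. The function names and the `--apply` switch are made up for illustration; `gpgconf --kill scdaemon` is used so that a fresh scdaemon reads the changed file.

```shell
#!/bin/sh
# Added example (not from the original post).

# has_option FILE OPTION: true if OPTION is an active (uncommented) line.
has_option() {
    [ -f "$1" ] || return 1
    # A line such as "# disable-ccid" is a comment and must not match.
    grep -Eq "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# reader_backend FILE: driver order as described in the post: the internal
# CCID driver is tried first, then PC/SC, unless disable-ccid is set.
reader_backend() {
    if has_option "$1" disable-ccid; then
        echo "pcsc-only"
    else
        echo "internal-ccid-first"
    fi
}

# ensure_disable_ccid FILE: add the option once; never duplicate it.
ensure_disable_ccid() {
    conf=$1
    dir=$(dirname "$conf")
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    if has_option "$conf" disable-ccid; then
        return 0
    fi
    # Terminate an unterminated last line before appending.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    echo "disable-ccid" >> "$conf"
}

# Only touch the real configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    conf="${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
    ensure_disable_ccid "$conf"
    echo "scdaemon backend: $(reader_backend "$conf")"
    # scdaemon reads its configuration at startup; stop the running one so
    # the next card operation starts a new instance with the option set.
    gpgconf --kill scdaemon
fi
```

Run with `--apply` to edit the real `scdaemon.conf`; without it the script only defines the functions.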