gpg-agent + smartcards + OS X 10.10 = lots of problems
Florin Andrei
florin at andrei.myip.org
Tue Dec 16 02:43:27 CET 2014

I'm generating and storing ssh keys on smartcards, and I use gpg-agent
in ssh-agent emulation mode for authentication. This is what I have in
gpg-agent.conf:

    pinentry-program [various pinentry apps]
    enable-ssh-support
    write-env-file
    use-standard-socket
    default-cache-ttl 600
    max-cache-ttl 7200

Then in ~/.bash_profile I have this:

    source ~/.gpg-agent-info

This is the smartcard type I use - the YubiKey NEO:

https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

I use gpg and gpg-agent version 2.0.26 from Homebrew. I have also tried
GPGTools, but the results are the same.

https://gpgtools.org/

After launching the agent with "gpg-agent --daemon", the ssh client will
authenticate using the key stored on the smartcard, everything works
just great. At least that was the case on OS X 10.9.

After upgrading to 10.10, I've had lots of issues. Authentication seems
to work for a while after I boot up and log into my account, but then
after 1 hour, maybe 2, it stops working. Sometimes ssh sessions get
stuck somewhere in authentication; other times authentication just fails.

If I kill gpg-agent and restart it, and unplug / replug the smartcard,
everything works again - for a while. Then later again authentication
starts having problems, and I have to do the kill / relaunch / unplug /
replug song and dance all over again.

I've heard there were some changes in the smartcard framework in 10.10,
but I'm not sure how relevant that is to this issue.

Any idea what I can do to get the smartcards working again? (other than
downgrade to OS X 10.9)

--
Florin Andrei
http://florin.myip.org/