gpg-agent + smartcards + OS X 10.10 = lots of problems

Thomas Harning Jr. harningt at gmail.com
Tue Dec 16 03:07:01 CET 2014


OS X 10.10 has many known issues regarding PC/SC compatibility. See Ludovic
Rousseau's blog, which illustrates some issues:
http://ludovicrousseau.blogspot.com/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html

On Mon, Dec 15, 2014, 8:45 PM Florin Andrei <florin at andrei.myip.org> wrote:

> I'm generating and storing ssh keys on smartcards, and I use gpg-agent
> in ssh-agent emulation mode for authentication. This is what I have in
> gpg-agent.conf:
>
> pinentry-program [various pinentry apps]
> enable-ssh-support
> write-env-file
> use-standard-socket
> default-cache-ttl 600
> max-cache-ttl 7200
>
> Then in ~/.bash_profile I have this:
>
> source ~/.gpg-agent-info
>
> This is the smartcard type I use - the YubiKey NEO:
>
> https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
>
> I use gpg and gpg-agent version 2.0.26 from Homebrew. I have also tried
> GPGTools, but the results are the same.
>
> https://gpgtools.org/
>
> After launching the agent with "gpg-agent --daemon", the ssh client will
> authenticate using the key stored on the smartcard, everything works
> just great. At least that was the case on OS X 10.9.
>
> After upgrading to 10.10, I've had lots of issues. Authentication seems
> to work for a while after I boot up and log into my account, but then
> after 1 hour, maybe 2, it stops working. Sometimes ssh sessions get
> stuck somewhere in authentication; other times authentication just fails.
>
> If I kill gpg-agent and restart it, and unplug / replug the smartcard,
> everything works again - for a while. Then later again authentication
> starts having problems, and I have to do the kill / relaunch / unplug /
> replug song and dance all over again.
>
> I've heard there were some changes in the smartcard framework in 10.10,
> but I'm not sure how relevant that is to this issue.
>
> Any idea what I can do to get the smartcards working again? (other than
> downgrade to OS X 10.9)
>
> --
> Florin Andrei
> http://florin.myip.org/
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>