scdaemon lockup with Yubikey NEO

the2nd at otpme.org the2nd at otpme.org
Mon Nov 23 16:53:48 CET 2015


Hi,

I've done some more testing and found out that the problem starts to 
exist with openssh version 6.8p1. With 6.7p1 everything works perfectly. I 
downloaded the openssh tarballs one by one, compiled with 
./configure;make and just copied the "ssh" binary.

I was able to reproduce the problem with the following steps:

1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support --log-file ~/.gnupg/gpg-agent.log)
2. Log in to any host with your SSH key and keep the session open: ssh -l root localhost
3. Plug your Yubikey out/in
4. Try to log in with your SSH key to any other host

With openssh 6.8p1 this fails reproducibly. With version 6.7p1 or 
earlier it works.

As a workaround I replaced my ssh client binary with the old version.

It would be great to get a real fix for this. But I am unsure where the 
real problem lies, gpg or openssh.

Maybe we should ask this on the openssh list?

regards
the2nd


On 2015-11-22 03:06, Lance R. Vick wrote:
> This happens to me constantly as well. In my case I frequently need to
> kill and restart gpg-agent to get things working again on both Arch
> Linux and Gentoo.
> 
> On Sat, Nov 21, 2015 at 4:41 AM, the2nd <the2nd at otpme.org> wrote:
> 
>> Hi Ben,
>> 
>> We have a similar problem since we've upgraded from Ubuntu 15.04 to
>> 15.10.  When starting gpg-agent with --log-file the log shows the
>> following:
>> 
>> 2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
>> 2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed: Conflicting use
>> 2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication keyID of card: Conflicting use
>> 
>> I've asked the list several times about this issue but got no answer
>> yet. So I don't have a solution but it may be interesting if your
>> problem is the same...
>> 
>> Regards
>> The2nd 
>> 
>> -------- Original message --------
>> From: Ben Warren
>> Date: 11.20.2015 16:26 (GMT+01:00)
>> To: gnupg-users at gnupg.org
>> Subject: scdaemon lockup with Yubikey NEO
>> 
>> Hi,
>> 
>> I’ve noticed several other problem reports that seem similar,
>> hopefully they’re all related and there’s a simple fix.
>> 
>> The problem:
>> 
>> After an indeterminate amount of time (sometimes minutes, sometimes
>> hours), any GPG operation that uses my Yubikey NEO device hangs. 
>> The two most common operations are SSH authentication and git
>> signing.  The following sequence gets things going again:
>> 
>> $ killall -SIGKILL scdaemon
>> 
>> $ gpg2 --card-status
>> 
>> System particulars:
>> 
>> * Host OS is OS-X Yosemite, although it is also present on
>> Mavericks (haven’t tried El Capitan yet)
>> 
>> * GPG 2.1.5
>> 
>> * Using the Yubikey’s authentication subkey to login to remote
>> Linux hosts
>> 
>> * Using the Yubikey’s signing subkey for git signing operations,
>> both local and remote
>> 
>> * Using gpg-agent for forwarding both GPG and SSH (great features,
>> BTW!)
>> 
>> GPG configuration file:
>> 
>> $ cat ~/.gnupg/gpg-agent.conf
>> default-cache-ttl 1
>> ignore-cache-for-signing
>> no-allow-external-cache
>> max-cache-ttl 1
>> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
>> debug-all
>> log-file ${HOME}/.gnupg/mygpglogfile.log
>> enable-ssh-support
>> 
>> I’ll be happy to help debug this, but need some guidance.
>> 
>> thanks,
>> 
>> Ben
> 
> --
> 
> Lance R. Vick
> __________________________________________________
> Cell      -  407.283.7596
> Gtalk     -  lance at lrvick.net
> Website   -  http://lrvick.net [2]
> PGP Key   -  http://lrvick.net/0x36C8AAA9.asc [3]
> keyserver -  subkeys.pgp.net [4]
> __________________________________________________
> 
> Links:
> ------
> [1] http://lists.gnupg.org/mailman/listinfo/gnupg-users
> [2] http://lrvick.net
> [3] http://lrvick.net/0x36C8AAA9.asc
> [4] http://subkeys.pgp.net
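
The symptoms and recovery steps discussed in this thread, as an added example that is not part of any of the original messages: a POSIX shell script that counts the "Conflicting use" card errors from the quoted log excerpt in a gpg-agent log and, only when invoked with `--recover`, runs the recovery sequence from Ben's message. The function names, the `--recover` argument and the optional "since" timestamp filter are assumptions made for this example; the default log path is the one from the reproduction steps.

```shell
#!/bin/sh
# Added example (not from the thread's authors): detect the card errors
# quoted in this thread and optionally run the recovery sequence.

# Error strings taken from the gpg-agent log excerpt in the thread.
CARD_ERR_RE='gpg-agent\[[0-9]+\] (error accessing card|smartcard signing failed|error getting default authentication keyID of card): Conflicting use'

# count_card_conflicts LOGFILE [SINCE]
# Prints the number of matching lines whose timestamp is >= SINCE
# ("YYYY-MM-DD HH:MM:SS"; plain string comparison is valid for this
# fixed-width format). Without SINCE, every matching line is counted.
count_card_conflicts() {
    log=$1
    since=${2:-}
    [ -r "$log" ] || { echo 0; return 1; }
    grep -E "$CARD_ERR_RE" "$log" | awk -v since="$since" '
        { ts = $1 " " $2 }
        since == "" || ts >= since { n++ }
        END { print n + 0 }'
}

# recover_card: the sequence from Ben's message (kill scdaemon, then
# re-probe the card so gpg-agent starts a fresh scdaemon).
recover_card() {
    killall -SIGKILL scdaemon 2>/dev/null
    gpg2 --card-status >/dev/null 2>&1
}

# Hypothetical invocation: script --recover [LOGFILE] [SINCE]
# Without --recover nothing is killed; the functions are only defined.
if [ "${1:-}" = "--recover" ]; then
    log=${2:-"$HOME/.gnupg/gpg-agent.log"}
    n=$(count_card_conflicts "$log" "${3:-}")
    if [ "$n" -gt 0 ]; then
        echo "$n card conflict error(s) in $log; restarting scdaemon" >&2
        recover_card || echo "card still not readable after restart" >&2
    fi
fi
```

Passing a "since" timestamp keeps old errors in a long-lived log from triggering a restart on every run.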


