SSH hangs when using GPG2 + Yubikey on OS-X
Ben Warren
ben at skyportsystems.com
Mon Jul 18 00:44:24 CEST 2016
Hello,
I’ve found similar issues on the mailing list, but wasn’t able to find a resolution.
I’m using a Yubikey 4 hardware token on OS-X “Yosemite”. I’m connecting to a remote Linux VM and am using GPG agent-forwarding in order to sign git commits using the Yubikey. I also forward SSH through GPG, but find that with one or two SSH sessions open, they hang after a couple of hours. This time frame is sometimes shorter, but rarely longer. In order to recover, I need to kill scdaemon on the Mac using SIGKILL. I’ve tried SIGHUP, but that doesn’t help.
I’m able to tolerate this, but colleagues who have more open SSH connections open see it hang much more often to the point where this is unusable.
===============
Software versions:
ben ~ $ gpg2 --version
gpg (GnuPG) 2.1.12
libgcrypt 1.7.0
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html <https://gnu.org/licenses/gpl.html>>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
ben ~ $ ssh -V
OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
================
GPG configurations:
ben ~/.gnupg $ cat gpg-agent.conf
default-cache-ttl 1
ignore-cache-for-signing
no-allow-external-cache
max-cache-ttl 1
extra-socket /Users/ben/.gnupg/S.gpg-extra-agent
debug-all
log-file /Users/ben/.gnupg/mygpglogfile.log
enable-ssh-support
ben ~/.gnupg $ cat scdaemon.conf
log-file /Users/ben/.gnupg/scdaemon.log
verbose
debug-level guru
#jdebug-all
debug ipc,cardio
I have the full scdaemon log file saved, but can’t post it to this mailing list because of size limitations. If there’s anything in it you need, I’ll be happy to provide.
========
Timeline:
2016-07-13 16:20:58 : started SSH connection
2016-07-13 16:30 : I noticed the SSH connection was hung and killed scdaemon
Here’s an interesting snippet from the log file:
2016-07-13 16:28:00 scdaemon[32523] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=3
2016-07-13 16:28:01 scdaemon[32523] DBG: enter: apdu_get_status: slot=0 hang=0
2016-07-13 16:28:01 scdaemon[32523] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=3
2016-07-13 16:28:01 scdaemon[32523] DBG: chan_6 <- RESTART
2016-07-13 16:28:01 scdaemon[32523] Ohhhh jeeee: trying to release an already released context
2016-07-13 16:30:40 scdaemon[32745] listening on socket '/Users/ben/.gnupg/S.scdaemon'
2016-07-13 16:30:40 scdaemon[32745] handler for fd -1 started
2016-07-13 16:30:40 scdaemon[32745] DBG: enter: apdu_open_reader: portstr=(null)
================
thanks,
Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160717/4d07d934/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3583 bytes
Desc: not available
URL: </pipermail/attachments/20160717/4d07d934/attachment-0001.bin>
More information about the Gnupg-users
mailing list