The infinite struggle of Yubikey, GPG and SSH

Ave Milia avemilia at protonmail.com
Sat Aug 22 18:09:35 CEST 2020


What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks and I still can't get to that point, so I decided to ask for help here.

The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it.

Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory".

I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there have been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't.

What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together.

❯ inxi -Sz
System:    Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux


❯ ykman info
Device type: YubiKey 4
Serial number: XXXXXXX
Firmware version: 4.3.5
Enabled USB interfaces: OTP+FIDO+CCID

Applications
OTP     	Enabled
FIDO U2F	Enabled
OpenPGP 	Enabled
PIV     	Enabled
OATH    	Enabled
FIDO2   	Not available


❯ ykman openpgp info
OpenPGP version: 2.1
Application version: 4.3.5

PIN tries remaining: 10
Reset code tries remaining: 0
Admin PIN tries remaining: 10

Touch policies
Signature key           On
Encryption key          On
Authentication key      On


❯ gpg --version
gpg (GnuPG) 2.2.21
libgcrypt 1.8.6


❯ gpg -K
/home/ave/.gnupg/pubring.kbx
----------------------------
sec#  rsa4096/0xF971F82552850CEC 2020-08-11 [C]
      Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8  A955 F971 F825 5285 0CEC
uid                   [ultimate] Ave Milia <avemilia at protonmail.com>
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]


❯ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXX
Name of cardholder: Ave Milia
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 0 10
Signature counter : 5
Signature key ....: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
      created ....: 2020-08-11 20:13:49
Encryption key....: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
      created ....: 2020-08-11 20:14:37
Authentication key: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
      created ....: 2020-08-11 20:15:07
General key info..: sub  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia <avemilia at protonmail.com>
sec#  rsa4096/0xF971F82552850CEC  created: 2020-08-11  expires: never
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
                                  card-no: XXXX XXXXXXXX
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
                                  card-no: XXXX XXXXXXXX
ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
                                  card-no: XXXX XXXXXXXX


❯ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/ave/.gnupg


❯ grep -v "^#" .gnupg/gpg.conf
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
keyserver hkps://hkps.pool.sks-keyservers.net


❯ grep -v "^#" .gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses


❯ grep -v "^#" .gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid


❯ ll /usr/lib/libpcsclite.so
lrwxrwxrwx 1 root root 20 19. čen 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0


❯ sudo systemctl status pcscd.service
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
     Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 54997 (pcscd)
      Tasks: 5 (limit: 19134)
     Memory: 1.8M
     CGroup: /system.slice/pcscd.service
             └─54997 /usr/bin/pcscd --foreground --auto-exit

srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.

^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly.


❯ cat /etc/opensc.conf
app default {
	# Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
	# can handle both to access keys and certificates, but only one at a time.
	card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
		name = "Yubikey 4";
		# Select the PKI applet to use ("PIV-II" or "openpgp")
		driver = "openpgp";
		# Recover from other applications accessing a different applet
		flags = "keep_alive";
	}
}


❯ cat /usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so


❯ p11tool --list-tokens
Token 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
	Label: System Trust
	Type: Trust module
	Flags: uPIN uninitialized
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so


Token 1:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
	Label: Default Trust
	Type: Trust module
	Flags: uPIN uninitialized
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so


Token 2:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
	Label: OpenPGP card (User PIN)
	Type: Hardware token
	Flags: Requires login
	Manufacturer: Yubico
	Model: PKCS#15 emulated
	Serial: XXXXXXXXXXXX
	Module: opensc-pkcs11.so


Token 3:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
	Label: OpenPGP card (User PIN (sig))
	Type: Hardware token
	Flags: Requires login
	Manufacturer: Yubico
	Model: PKCS#15 emulated
	Serial: XXXXXXXXXXXX
	Module: opensc-pkcs11.so


❯ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Encryption key
  ID:         02
  Usage:      decrypt, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
  label:      Encryption key
  ID:         02
  Usage:      encrypt, wrap
  Access:     none
Private Key Object; RSA
  label:      Authentication key
  ID:         03
  Usage:      decrypt, sign, non-repudiation, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
  Access:     none


❯ Relevant part from .zshrc
unset SSH_AGENT_PID                                   # do not let a stale ssh-agent PID linger in the environment
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then     # skip if gpg-agent already set SSH_AUTH_SOCK for this shell
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"   # point ssh at gpg-agent's ssh socket
fi
export GPG_TTY=$(tty)                                 # tell pinentry which terminal to use
gpg-connect-agent updatestartuptty /bye >/dev/null    # start the agent if needed and hand it the current tty


❯ ssh-add -L
Error connecting to agent: No such file or directory

^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX



So, any ideas which tambourine I should pick this time?


[0] <https://github.com/drduh/YubiKey-Guide>
[1] <https://wiki.archlinux.org/index.php/GnuPG#SSH_agent>
[2] <https://wiki.archlinux.org/index.php/GnuPG#Smartcards>
[3] <https://wiki.archlinux.org/index.php/Smartcards>
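Added here as a worked example, not part of the original post and not GnuPG's own tooling: a small POSIX sh diagnostic for the exact symptom above. "Error connecting to agent: No such file or directory" means ssh-add opened the path in SSH_AUTH_SOCK and found nothing there, so the useful questions are whether the variable is set, whether the path is a live socket, whether it is the same path gpgconf reports, and whether gpg-agent.conf actually enables ssh support (without enable-ssh-support the S.gpg-agent.ssh socket is never created). The function names (socket_state, ssh_support_enabled, socket_matches, diagnose) are this example's own, and the live check only reports; it never starts, kills or reconfigures anything.

```shell
#!/bin/sh
# Example diagnostic for "Error connecting to agent: No such file or directory"
# when SSH_AUTH_SOCK is supposed to point at gpg-agent's ssh socket.
# Function names are this example's own (hypothetical), not GnuPG commands.

# Classify a candidate SSH_AUTH_SOCK value. Prints one of:
#   unset         the variable is empty in this shell (rc file not sourced?)
#   missing       nothing at that path: gpg-agent was never started, or the
#                 socketdir (/run/user/<uid>/gnupg) does not exist
#   not-a-socket  a regular file or directory sits where the socket should be
#   ok            a unix socket is present at the path
socket_state() {
  sock=$1
  if [ -z "$sock" ]; then
    echo unset
  elif [ -S "$sock" ]; then
    echo ok
  elif [ -e "$sock" ]; then
    echo not-a-socket
  else
    echo missing
  fi
}

# Return 0 if gpg-agent.conf has an active (uncommented) enable-ssh-support
# line. Commented-out lines such as "# enable-ssh-support" do not count.
ssh_support_enabled() {
  conf=$1
  [ -r "$conf" ] && grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"
}

# Compare the shell's SSH_AUTH_SOCK with the path gpgconf reports for the
# agent's ssh socket. Prints "match" or "mismatch"; a mismatch usually means
# another agent (or an old rc file) overwrote SSH_AUTH_SOCK after login.
socket_matches() {
  if [ "$1" = "$2" ]; then echo match; else echo mismatch; fi
}

# Live report for the current shell. Read-only: it only prints findings.
diagnose() {
  if ! command -v gpgconf >/dev/null 2>&1; then
    echo "gpgconf not found; skipping live check"
    return 0
  fi
  expected=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true)
  homedir=$(gpgconf --list-dirs homedir 2>/dev/null || true)
  conf="$homedir/gpg-agent.conf"
  echo "SSH_AUTH_SOCK      : ${SSH_AUTH_SOCK:-<unset>} ($(socket_state "${SSH_AUTH_SOCK:-}"))"
  echo "gpgconf ssh socket : ${expected:-<none>} ($(socket_state "$expected"))"
  echo "same path          : $(socket_matches "${SSH_AUTH_SOCK:-}" "$expected")"
  if ssh_support_enabled "$conf"; then
    echo "enable-ssh-support : yes ($conf)"
  else
    echo "enable-ssh-support : NO ($conf) -> gpg-agent will not create the ssh socket"
  fi
  case $(socket_state "$expected") in
    missing) echo "hint: gpg-agent is not running; 'gpg-connect-agent /bye' starts it, then retry ssh-add -L" ;;
    ok)      [ "$(socket_matches "${SSH_AUTH_SOCK:-}" "$expected")" = match ] ||
             echo "hint: export SSH_AUTH_SOCK=\"$expected\" in this shell, then retry ssh-add -L" ;;
  esac
}

diagnose
```

Run it from the same terminal where ssh-add fails, since SSH_AUTH_SOCK is per-process environment and a new terminal re-runs .zshrc. A result of "missing" on the gpgconf path while the rc file looks right is the case worth watching for the intermittent behaviour described above: gpgconf --list-dirs only prints where the socket should be, and nothing in that rc snippet except gpg-connect-agent actually starts the agent that creates it.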


