The infinite struggle of Yubikey, GPG and SSH
Ave Milia
avemilia at protonmail.com
Sat Aug 22 18:09:35 CEST 2020
What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks and I still can't get to that point, so I decided to ask for help here.
The most depressing fact is that sometimes it works, and other times it doesn't. And I never know why. And I don't know how to fix it.
Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory".
I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there have been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't.
What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together.
❯ inxi -Sz
System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux
❯ ykman info
Device type: YubiKey 4
Serial number: XXXXXXX
Firmware version: 4.3.5
Enabled USB interfaces: OTP+FIDO+CCID
Applications
OTP Enabled
FIDO U2F Enabled
OpenPGP Enabled
PIV Enabled
OATH Enabled
FIDO2 Not available
❯ ykman openpgp info
OpenPGP version: 2.1
Application version: 4.3.5
PIN tries remaining: 10
Reset code tries remaining: 0
Admin PIN tries remaining: 10
Touch policies
Signature key On
Encryption key On
Authentication key On
❯ gpg --version
gpg (GnuPG) 2.2.21
libgcrypt 1.8.6
❯ gpg -K
/home/ave/.gnupg/pubring.kbx
----------------------------
sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C]
Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC
uid [ultimate] Ave Milia <avemilia at protonmail.com>
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]
❯ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXX
Name of cardholder: Ave Milia
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 0 10
Signature counter : 5
Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:13:49
Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:14:37
Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
created ....: 2020-08-11 20:15:07
General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia <avemilia at protonmail.com>
sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
card-no: XXXX XXXXXXXX
❯ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/ave/.gnupg
❯ grep -v "^#" .gnupg/gpg.conf
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
keyserver hkps://hkps.pool.sks-keyservers.net
❯ grep -v "^#" .gnupg/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses
❯ grep -v "^#" .gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
❯ ll /usr/lib/libpcsclite.so
lrwxrwxrwx 1 root root 20 Jun 19 21:40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0
❯ sudo systemctl status pcscd.service
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 54997 (pcscd)
Tasks: 5 (limit: 19134)
Memory: 1.8M
CGroup: /system.slice/pcscd.service
└─54997 /usr/bin/pcscd --foreground --auto-exit
Aug 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
Aug 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
Aug 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
Aug 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
Aug 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
Aug 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
Aug 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
^^^ Despite the pcscd errors, in my experience these are orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly.
❯ cat /etc/opensc.conf
app default {
# Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
# can handle both to access keys and certificates, but only one at a time.
card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
name = "Yubikey 4";
# Select the PKI applet to use ("PIV-II" or "openpgp")
driver = "openpgp";
# Recover from other applications accessing a different applet
flags = "keep_alive";
}
}
❯ cat /usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so
❯ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
Label: Default Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 2:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
Label: OpenPGP card (User PIN)
Type: Hardware token
Flags: Requires login
Manufacturer: Yubico
Model: PKCS#15 emulated
Serial: XXXXXXXXXXXX
Module: opensc-pkcs11.so
Token 3:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
Label: OpenPGP card (User PIN (sig))
Type: Hardware token
Flags: Requires login
Manufacturer: Yubico
Model: PKCS#15 emulated
Serial: XXXXXXXXXXXX
Module: opensc-pkcs11.so
❯ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN:
Private Key Object; RSA
label: Encryption key
ID: 02
Usage: decrypt, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: Encryption key
ID: 02
Usage: encrypt, wrap
Access: none
Private Key Object; RSA
label: Authentication key
ID: 03
Usage: decrypt, sign, non-repudiation, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: Authentication key
ID: 03
Usage: encrypt, verify, wrap
Access: none
❯ Relevant part from .zshrc
# Make sure no other agent (e.g. an ssh-agent started by the session) is used
unset SSH_AGENT_PID
# Point SSH at gpg-agent's ssh socket, unless gpg-agent itself already set it for this shell
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
# Tell gpg-agent which terminal to use for pinentry
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
❯ ssh-add -L
Error connecting to agent: No such file or directory
^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX
So, any ideas which tambourine I should pick this time?
[0] <https://github.com/drduh/YubiKey-Guide>
[1] <https://wiki.archlinux.org/index.php/GnuPG#SSH_agent>
[2] <https://wiki.archlinux.org/index.php/GnuPG#Smartcards>
[3] <https://wiki.archlinux.org/index.php/Smartcards>
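Editor's note: "Error connecting to agent: No such file or directory" is what ssh-add prints when connecting to the path in SSH_AUTH_SOCK fails with ENOENT, i.e. the path does not exist. Three things can produce that: SSH_AUTH_SOCK points at a different path than the one gpgconf reports (another agent launcher won the race in the session), the gpg-agent ssh socket has not been created because the agent is not running (or was started without enable-ssh-support), or a stale non-socket file sits at the path. The script below is an added diagnostic, not code from the post, GnuPG or the Arch wiki; the function names are mine, and the embedded gpgconf output is a constructed sample modelled on the gpgconf --list-dirs listing above so the parsing part runs offline.

```shell
#!/bin/sh
# Added diagnostic for the "Error connecting to agent: No such file or
# directory" failure of ssh-add. Not from the original post or from GnuPG;
# helper names are hypothetical.

# Constructed sample of `gpgconf --list-dirs` output (trimmed), used so the
# parsing logic can be exercised where gpgconf is not installed.
SAMPLE_GPGCONF_OUTPUT='sysconfdir:/etc/gnupg
socketdir:/run/user/1000/gnupg
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-socket:/run/user/1000/gnupg/S.gpg-agent'

# parse_agent_ssh_socket: extract the agent-ssh-socket path from the full
# text of `gpgconf --list-dirs` passed as $1.
parse_agent_ssh_socket() {
    printf '%s\n' "$1" | sed -n 's/^agent-ssh-socket://p' | head -n 1
}

# classify_socket_path: say why ssh-add could not talk to the path in $1.
# Prints one of: unset, missing, not-a-socket, ok
classify_socket_path() {
    path=$1
    if [ -z "$path" ]; then
        echo unset          # SSH_AUTH_SOCK empty: nothing to connect to
    elif [ ! -e "$path" ]; then
        echo missing        # connect() -> ENOENT: exactly the error in the post
    elif [ ! -S "$path" ]; then
        echo not-a-socket   # stale file or wrong directory at that path
    else
        echo ok
    fi
}

# diagnose: run the checks against the live environment of this shell.
diagnose() {
    if command -v gpgconf >/dev/null 2>&1; then
        expected=$(parse_agent_ssh_socket "$(gpgconf --list-dirs)")
    else
        expected='(gpgconf not installed)'
    fi
    printf 'SSH_AUTH_SOCK       : %s\n' "${SSH_AUTH_SOCK:-<unset>}"
    printf 'gpgconf expects     : %s\n' "$expected"
    printf 'socket state        : %s\n' "$(classify_socket_path "${SSH_AUTH_SOCK:-}")"
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ "$SSH_AUTH_SOCK" != "$expected" ]; then
        echo 'NOTE: SSH_AUTH_SOCK is not the gpg-agent ssh socket; another agent'
        echo '      launcher (ssh-agent, keychain, desktop session) probably set it.'
    fi
    # Is gpg-agent reachable at all, independent of the ssh socket?
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        if gpg-connect-agent /bye >/dev/null 2>&1; then
            echo 'gpg-agent           : reachable'
        else
            echo 'gpg-agent           : NOT reachable (socket is only created by a running agent)'
        fi
    fi
    # On systemd-based distros the ssh socket is normally pre-created by a
    # user socket unit; report its state if systemctl is available.
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl --user is-active gpg-agent-ssh.socket 2>/dev/null)
        printf 'gpg-agent-ssh.socket: %s\n' "${state:-unknown}"
    fi
}

# Usage: sh diagnose-gpg-ssh.sh --run   (run from the shell where ssh-add fails)
if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

Run it in the same terminal where ssh-add -L fails, since SSH_AUTH_SOCK is per-process environment: a value that looks right in a fresh terminal says nothing about the shell that produced the error. If the state is "missing" while the path matches gpgconf, the agent side is the problem (agent not running, or started without enable-ssh-support); if the path differs, something in the session is exporting its own SSH_AUTH_SOCK after .zshrc runs.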