The infinite struggle of Yubikey, GPG and SSH
Ave Milia
avemilia at protonmail.com
Sat Aug 22 21:28:23 CEST 2020
On Saturday, August 22, 2020 6:09 PM, Ave Milia via Gnupg-users <gnupg-users at gnupg.org> wrote:
> What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks that I can't get to that point, so I decided to ask for help here.
>
> The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it.
>
> Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory".
>
> I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there have been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't.
>
> What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together.
>
> ❯ inxi -Sz
> System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux
>
> ❯ ykman info
> Device type: YubiKey 4
> Serial number: XXXXXXX
> Firmware version: 4.3.5
> Enabled USB interfaces: OTP+FIDO+CCID
>
> Applications
> OTP Enabled
> FIDO U2F Enabled
> OpenPGP Enabled
> PIV Enabled
> OATH Enabled
> FIDO2 Not available
>
> ❯ ykman openpgp info
> OpenPGP version: 2.1
> Application version: 4.3.5
>
> PIN tries remaining: 10
> Reset code tries remaining: 0
> Admin PIN tries remaining: 10
>
> Touch policies
> Signature key On
> Encryption key On
> Authentication key On
>
> ❯ gpg --version
> gpg (GnuPG) 2.2.21
> libgcrypt 1.8.6
>
> ❯ gpg -K
> /home/ave/.gnupg/pubring.kbx
>
>
> sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C]
> Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC
> uid [ultimate] Ave Milia avemilia at protonmail.com
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]
>
> ❯ gpg --card-status
> Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
> Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Application type .: OpenPGP
> Version ..........: 2.1
> Manufacturer .....: Yubico
> Serial number ....: XXXXXXX
> Name of cardholder: Ave Milia
> Language prefs ...: en
> Salutation .......: Mr.
> URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa4096 rsa4096 rsa4096
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 10 0 10
> Signature counter : 5
> Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:13:49
> Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:14:37
> Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
> created ....: 2020-08-11 20:15:07
> General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia avemilia at protonmail.com
> sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
>
> card-no: XXXX XXXXXXXX
>
>
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
>
> card-no: XXXX XXXXXXXX
>
>
> ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never
>
> card-no: XXXX XXXXXXXX
>
>
> ❯ gpgconf --list-dirs
> sysconfdir:/etc/gnupg
> bindir:/usr/bin
> libexecdir:/usr/lib/gnupg
> libdir:/usr/lib/gnupg
> datadir:/usr/share/gnupg
> localedir:/usr/share/locale
> socketdir:/run/user/1000/gnupg
> dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
> agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
> agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
> agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
> agent-socket:/run/user/1000/gnupg/S.gpg-agent
> homedir:/home/ave/.gnupg
>
> ❯ grep -v "^#" .gnupg/gpg.conf
> personal-cipher-preferences AES256 AES192 AES
> personal-digest-preferences SHA512 SHA384 SHA256
> personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
> default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
> cert-digest-algo SHA512
> s2k-digest-algo SHA512
> s2k-cipher-algo AES256
> charset utf-8
> fixed-list-mode
> no-comments
> no-emit-version
> no-greeting
> keyid-format 0xlong
> list-options show-uid-validity
> verify-options show-uid-validity
> with-fingerprint
> require-cross-certification
> no-symkey-cache
> use-agent
> throw-keyids
> keyserver hkps://hkps.pool.sks-keyservers.net
>
> ❯ grep -v "^#" .gnupg/gpg-agent.conf
> enable-ssh-support
> default-cache-ttl 60
> max-cache-ttl 120
> pinentry-program /usr/bin/pinentry-curses
>
> ❯ grep -v "^#" .gnupg/scdaemon.conf
> pcsc-driver /usr/lib/libpcsclite.so
> card-timeout 5
> disable-ccid
>
> ❯ ll /usr/lib/libpcsclite.so
> lrwxrwxrwx 1 root root 20 Jun 19 21:40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0
>
> ❯ sudo systemctl status pcscd.service
> ● pcscd.service - PC/SC Smart Card Daemon
> Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
> Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
> TriggeredBy: ● pcscd.socket
> Docs: man:pcscd(8)
> Main PID: 54997 (pcscd)
> Tasks: 5 (limit: 19134)
> Memory: 1.8M
> CGroup: /system.slice/pcscd.service
> └─54997 /usr/bin/pcscd --foreground --auto-exit
>
> Aug 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
> Aug 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
>
> ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly.
>
> ❯ cat /etc/opensc.conf
> app default {
> # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
> # can handle both to access keys and certificates, but only one at a time.
> card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
> name = "Yubikey 4";
> # Select the PKI applet to use ("PIV-II" or "openpgp")
> driver = "openpgp";
> # Recover from other applications accessing a different applet
> flags = "keep_alive";
> }
> }
>
> ❯ cat /usr/share/p11-kit/modules/opensc.module
> module: opensc-pkcs11.so
>
> ❯ p11tool --list-tokens
> Token 0:
> URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
> Label: System Trust
> Type: Trust module
> Flags: uPIN uninitialized
> Manufacturer: PKCS#11 Kit
> Model: p11-kit-trust
> Serial: 1
> Module: p11-kit-trust.so
>
> Token 1:
> URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
> Label: Default Trust
> Type: Trust module
> Flags: uPIN uninitialized
> Manufacturer: PKCS#11 Kit
> Model: p11-kit-trust
> Serial: 1
> Module: p11-kit-trust.so
>
> Token 2:
> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
> Label: OpenPGP card (User PIN)
> Type: Hardware token
> Flags: Requires login
> Manufacturer: Yubico
> Model: PKCS#15 emulated
> Serial: XXXXXXXXXXXX
> Module: opensc-pkcs11.so
>
> Token 3:
> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
> Label: OpenPGP card (User PIN (sig))
> Type: Hardware token
> Flags: Requires login
> Manufacturer: Yubico
> Model: PKCS#15 emulated
> Serial: XXXXXXXXXXXX
> Module: opensc-pkcs11.so
>
> ❯ pkcs11-tool -O --login
> Using slot 0 with a present token (0x0)
> Logging in to "OpenPGP card (User PIN)".
> Please enter User PIN:
> Private Key Object; RSA
> label: Encryption key
> ID: 02
> Usage: decrypt, unwrap
> Access: sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
> label: Encryption key
> ID: 02
> Usage: encrypt, wrap
> Access: none
> Private Key Object; RSA
> label: Authentication key
> ID: 03
> Usage: decrypt, sign, non-repudiation, unwrap
> Access: sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
> label: Authentication key
> ID: 03
> Usage: encrypt, verify, wrap
> Access: none
>
> ❯ Relevant part from .zshrc
> unset SSH_AGENT_PID
> if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
> export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
> fi
> export GPG_TTY=$(tty)
> gpg-connect-agent updatestartuptty /bye >/dev/null
>
> ❯ ssh-add -L
> Error connecting to agent: No such file or directory
>
> ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX
>
> So, any ideas which tambourine I should pick this time?
Today's tambourine turned out to be transitioning to systemd services as per [4] and attempting to do something about gpg-agent-ssh.socket. For me, systemd units are more pleasant to work with, because there is a single standard way to query them and to see their logs. Now, this took extra time, because apparently restart on a .socket didn't work, most probably because of space radiation. Or maybe just systemd things. Anyway. Stop and later start restarted the socket, and I attempted to use git, which hinted at the next error I already knew. Which is the requirement to have `gpg-connect-agent updatestartuptty /bye` in the shellrc file [5] (I removed the previous paste above, leaving only the SSH_AUTH_SOCK export).
This is what works in .zshrc as of now:
# Point ssh at the socket gpg-agent exposes when enable-ssh-support is set
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
# Tell gpg which terminal pinentry should use
export GPG_TTY=$(tty)
# Update the agent's startup tty so the PIN prompt appears in this shell
gpg-connect-agent updatestartuptty /bye >/dev/null
I should also point attention to the fact that `gpgconf --kill/reload gpg-agent/all`, attempted probably a hundred times by now, had no impact on the borked socket. Perhaps I was doing something wrong. Or not.
>
> [0] https://github.com/drduh/YubiKey-Guide
> [1] https://wiki.archlinux.org/index.php/GnuPG#SSH_agent
> [2] https://wiki.archlinux.org/index.php/GnuPG#Smartcards
> [3] https://wiki.archlinux.org/index.php/Smartcards
[4] <https://eklitzke.org/using-gpg-agent-effectively>
[5] <https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html>
>
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
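As an added example (not part of the original post, and not GnuPG's own tooling), here is a small POSIX shell diagnostic for the three things this thread keeps tripping over: whether SSH_AUTH_SOCK matches the agent-ssh-socket path that `gpgconf --list-dirs` reports, whether that socket file actually exists, and whether `ssh-add -L` sees the card key or only the "Error connecting to agent" failure. The `--live` flag, the helper names and the systemd user unit names are assumptions of this example; the sample outputs embedded in it are constructed from the listings above.

```shell
#!/bin/sh
# Added diagnostic for the gpg-agent SSH socket setup discussed in this thread.
# Not part of the original post or of GnuPG; unit names and the --live flag are
# assumptions, and the sample outputs below are constructed.

# Extract one entry from `gpgconf --list-dirs` output (lines are "key:value").
gpgconf_dir() {
    awk -F: -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Compare the shell's SSH_AUTH_SOCK ($1) with the agent-ssh-socket path in the
# gpgconf output ($2). Prints ok / unset / mismatch:<expected>; returns 0 only
# on a match, which is exactly what the export in .zshrc is meant to guarantee.
check_ssh_auth_sock() {
    expected=$(printf '%s\n' "$2" | gpgconf_dir agent-ssh-socket)
    if [ -z "$1" ]; then
        echo "unset"; return 1
    elif [ "$1" = "$expected" ]; then
        echo "ok"; return 0
    fi
    echo "mismatch:$expected"; return 1
}

# Classify `ssh-add -L` output ($1). A working card shows an
# "ssh-rsa ... cardno:..." line; "Error connecting to agent" means nothing is
# listening at SSH_AUTH_SOCK (socket file missing or agent not started).
classify_ssh_add() {
    case "$1" in
        *"Error connecting to agent"*) echo "no-agent";    return 1 ;;
        *cardno:*)                     echo "card-key";    return 0 ;;
        *)                             echo "no-card-key"; return 1 ;;
    esac
}

# Live checks against the running session; only run with --live so that the
# script is harmless to source or test.
diagnose_live() {
    dirs=$(gpgconf --list-dirs)
    sock=$(printf '%s\n' "$dirs" | gpgconf_dir agent-ssh-socket)
    echo "SSH_AUTH_SOCK: $(check_ssh_auth_sock "${SSH_AUTH_SOCK:-}" "$dirs")"
    if [ -S "$sock" ]; then echo "socket file: present ($sock)"
    else echo "socket file: missing ($sock)"; fi
    # With systemd-managed sockets [4] the unit, not gpg-agent, owns the file,
    # so a missing socket is fixed by stop/start of the unit, not gpgconf --kill.
    for u in gpg-agent.socket gpg-agent-ssh.socket gpg-agent.service; do
        state=$(systemctl --user is-active "$u" 2>/dev/null) || true
        echo "$u: ${state:-unknown}"
    done
    echo "ssh-add -L: $(classify_ssh_add "$(ssh-add -L 2>&1)")"
}

# Constructed sample inputs (socket dir taken from the gpgconf listing above).
SAMPLE_DIRS='socketdir:/run/user/1000/gnupg
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-socket:/run/user/1000/gnupg/S.gpg-agent'
SAMPLE_SSH_ADD_BROKEN='Error connecting to agent: No such file or directory'
SAMPLE_SSH_ADD_OK='ssh-rsa AAAAB3NzaC1yc2E cardno:000612345678'

case "${1:-}" in
    --live) diagnose_live ;;
    *) # dry run over the constructed samples
        check_ssh_auth_sock "${SSH_AUTH_SOCK:-}" "$SAMPLE_DIRS" || true
        classify_ssh_add "$SAMPLE_SSH_ADD_BROKEN" || true
        classify_ssh_add "$SAMPLE_SSH_ADD_OK" ;;
esac
```

Run it with `--live` from the shell that cannot see the agent; without arguments it only exercises the classifiers on the constructed samples. "No such file or directory" from `ssh-add` is the connect() error for a socket path that does not exist, which is a different failure from an agent that is running but holds no key ("The agent has no identities."); the script reports those separately. The unit names are the user units GnuPG ships and [4] describes enabling; if the agent is not managed by systemd, those lines just print unknown.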