The infinite struggle of Yubikey, GPG and SSH

Philihp Busby philihp at gmail.com
Sun Aug 23 13:11:47 CEST 2020


This is quite a painful process; I went through a similar journey on macOS. For me, it seemed that GPG was expecting my master key to be in the signing key slot on my Yubikey. What helped me debug this was turning on logging with gpg-agent, and guru-level logging on scdaemon... have you tried that?

As the current issue is with gpg-agent, has it been confirmed that it will work fine repeatedly with keys on your hard drive?

Also, there isn't any reason to redact your key/subkey fingerprints.

If it helps you stay sane, I can say with confidence that this setup is possible with your hardware. I blogged about it here <https://philihp.com/2020/mutt-gmail-passwordstore.html>, although ssh over gpg-agent just worked out of the box so I didn't go into any detail.

On 2020-08-22T16:09:35+0000 Ave Milia via Gnupg-users <gnupg-users at gnupg.org> wrote 13K bytes:

> What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks and I still can't get to that point, so I decided to ask for help here.
> 
> The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it.
> 
> Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory".
> 
> I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there have been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't.
> 
> What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together.
> 
> ❯ inxi -Sz
> System:    Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux
> 
> 
> ❯ ykman info
> Device type: YubiKey 4
> Serial number: XXXXXXX
> Firmware version: 4.3.5
> Enabled USB interfaces: OTP+FIDO+CCID
> 
> Applications
> OTP     	Enabled
> FIDO U2F	Enabled
> OpenPGP 	Enabled
> PIV     	Enabled
> OATH    	Enabled
> FIDO2   	Not available
> 
> 
> ❯ ykman openpgp info
> OpenPGP version: 2.1
> Application version: 4.3.5
> 
> PIN tries remaining: 10
> Reset code tries remaining: 0
> Admin PIN tries remaining: 10
> 
> Touch policies
> Signature key           On
> Encryption key          On
> Authentication key      On
> 
> 
> ❯ gpg --version
> gpg (GnuPG) 2.2.21
> libgcrypt 1.8.6
> 
> 
> ❯ gpg -K
> /home/ave/.gnupg/pubring.kbx
> ----------------------------
> sec#  rsa4096/0xF971F82552850CEC 2020-08-11 [C]
>       Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8  A955 F971 F825 5285 0CEC
> uid                   [ultimate] Ave Milia <avemilia at protonmail.com>
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S]
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E]
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A]
> 
> 
> ❯ gpg --card-status
> Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
> Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Application type .: OpenPGP
> Version ..........: 2.1
> Manufacturer .....: Yubico
> Serial number ....: XXXXXXX
> Name of cardholder: Ave Milia
> Language prefs ...: en
> Salutation .......: Mr.
> URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa4096 rsa4096 rsa4096
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 10 0 10
> Signature counter : 5
> Signature key ....: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
>       created ....: 2020-08-11 20:13:49
> Encryption key....: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
>       created ....: 2020-08-11 20:14:37
> Authentication key: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
>       created ....: 2020-08-11 20:15:07
> General key info..: sub  rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia <avemilia at protonmail.com>
> sec#  rsa4096/0xF971F82552850CEC  created: 2020-08-11  expires: never
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
>                                   card-no: XXXX XXXXXXXX
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
>                                   card-no: XXXX XXXXXXXX
> ssb>  rsa4096/0xXXXXXXXXXXXXXXXX  created: 2020-08-11  expires: never
>                                   card-no: XXXX XXXXXXXX
> 
> 
> ❯ gpgconf --list-dirs
> sysconfdir:/etc/gnupg
> bindir:/usr/bin
> libexecdir:/usr/lib/gnupg
> libdir:/usr/lib/gnupg
> datadir:/usr/share/gnupg
> localedir:/usr/share/locale
> socketdir:/run/user/1000/gnupg
> dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
> agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
> agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
> agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
> agent-socket:/run/user/1000/gnupg/S.gpg-agent
> homedir:/home/ave/.gnupg
> 
> 
> ❯ grep -v "^#" .gnupg/gpg.conf
> personal-cipher-preferences AES256 AES192 AES
> personal-digest-preferences SHA512 SHA384 SHA256
> personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
> default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
> cert-digest-algo SHA512
> s2k-digest-algo SHA512
> s2k-cipher-algo AES256
> charset utf-8
> fixed-list-mode
> no-comments
> no-emit-version
> no-greeting
> keyid-format 0xlong
> list-options show-uid-validity
> verify-options show-uid-validity
> with-fingerprint
> require-cross-certification
> no-symkey-cache
> use-agent
> throw-keyids
> keyserver hkps://hkps.pool.sks-keyservers.net
> 
> 
> ❯ grep -v "^#" .gnupg/gpg-agent.conf
> enable-ssh-support
> default-cache-ttl 60
> max-cache-ttl 120
> pinentry-program /usr/bin/pinentry-curses
> 
> 
> ❯ grep -v "^#" .gnupg/scdaemon.conf
> pcsc-driver /usr/lib/libpcsclite.so
> card-timeout 5
> disable-ccid
> 
> 
> ❯ ll /usr/lib/libpcsclite.so
> lrwxrwxrwx 1 root root 20 19. čen 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0
> 
> 
> ❯ sudo systemctl status pcscd.service
> ● pcscd.service - PC/SC Smart Card Daemon
>      Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
>      Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago
> TriggeredBy: ● pcscd.socket
>        Docs: man:pcscd(8)
>    Main PID: 54997 (pcscd)
>       Tasks: 5 (limit: 19134)
>      Memory: 1.8M
>      CGroup: /system.slice/pcscd.service
>              └─54997 /usr/bin/pcscd --foreground --auto-exit
> 
> srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon.
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011)
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
> srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011)
> srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
> 
> ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly.
> 
> 
> ❯ cat /etc/opensc.conf
> app default {
> 	# Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC
> 	# can handle both to access keys and certificates, but only one at a time.
> 	card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 {
> 		name = "Yubikey 4";
> 		# Select the PKI applet to use ("PIV-II" or "openpgp")
> 		driver = "openpgp";
> 		# Recover from other applications accessing a different applet
> 		flags = "keep_alive";
> 	}
> }
> 
> 
> ❯ cat /usr/share/p11-kit/modules/opensc.module
> module: opensc-pkcs11.so
> 
> 
> ❯ p11tool --list-tokens
> Token 0:
> 	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
> 	Label: System Trust
> 	Type: Trust module
> 	Flags: uPIN uninitialized
> 	Manufacturer: PKCS#11 Kit
> 	Model: p11-kit-trust
> 	Serial: 1
> 	Module: p11-kit-trust.so
> 
> 
> Token 1:
> 	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
> 	Label: Default Trust
> 	Type: Trust module
> 	Flags: uPIN uninitialized
> 	Manufacturer: PKCS#11 Kit
> 	Model: p11-kit-trust
> 	Serial: 1
> 	Module: p11-kit-trust.so
> 
> 
> Token 2:
> 	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00
> 	Label: OpenPGP card (User PIN)
> 	Type: Hardware token
> 	Flags: Requires login
> 	Manufacturer: Yubico
> 	Model: PKCS#15 emulated
> 	Serial: XXXXXXXXXXXX
> 	Module: opensc-pkcs11.so
> 
> 
> Token 3:
> 	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00
> 	Label: OpenPGP card (User PIN (sig))
> 	Type: Hardware token
> 	Flags: Requires login
> 	Manufacturer: Yubico
> 	Model: PKCS#15 emulated
> 	Serial: XXXXXXXXXXXX
> 	Module: opensc-pkcs11.so
> 
> 
> ❯ pkcs11-tool -O --login
> Using slot 0 with a present token (0x0)
> Logging in to "OpenPGP card (User PIN)".
> Please enter User PIN:
> Private Key Object; RSA
>   label:      Encryption key
>   ID:         02
>   Usage:      decrypt, unwrap
>   Access:     sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
>   label:      Encryption key
>   ID:         02
>   Usage:      encrypt, wrap
>   Access:     none
> Private Key Object; RSA
>   label:      Authentication key
>   ID:         03
>   Usage:      decrypt, sign, non-repudiation, unwrap
>   Access:     sensitive, always sensitive, never extractable, local
> Public Key Object; RSA 4096 bits
>   label:      Authentication key
>   ID:         03
>   Usage:      encrypt, verify, wrap
>   Access:     none
> 
> 
> ❯ Relevant part from .zshrc
> unset SSH_AGENT_PID
> if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
>   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
> fi
> export GPG_TTY=$(tty)
> gpg-connect-agent updatestartuptty /bye >/dev/null
> 
> 
> ❯ ssh-add -L
> Error connecting to agent: No such file or directory
> 
> ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX
> 
> 
> 
> So, any ideas which tambourine I should pick this time?
> 
> 
> [0] <https://github.com/drduh/YubiKey-Guide>
> [1] <https://wiki.archlinux.org/index.php/GnuPG#SSH_agent>
> [2] <https://wiki.archlinux.org/index.php/GnuPG#Smartcards>
> [3] <https://wiki.archlinux.org/index.php/Smartcards>
> 
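As an added example (not code from either message in this thread, and not from GnuPG itself), a POSIX shell check for the `ssh-add -L` failure quoted above: it classifies the state of SSH_AUTH_SOCK relative to the socket path gpgconf reports, checks that enable-ssh-support is present in gpg-agent.conf, and records in comments the logging options Philihp suggests. The function names, the `--run` flag and the log path are invented for this example.

```shell
#!/bin/sh
# Added diagnostic for the "Error connecting to agent: No such file or
# directory" symptom; not code from the thread. Names are invented here.

# Classify the SSH_AUTH_SOCK state without touching the live system.
#   $1 = current SSH_AUTH_SOCK value, $2 = path gpgconf reports for agent-ssh-socket
classify_agent_socket() {
  sock="$1"; expected="$2"
  if [ -z "$sock" ]; then
    echo "unset"      # nothing exported: ssh-add has no agent to talk to
  elif [ -n "$expected" ] && [ "$sock" != "$expected" ]; then
    echo "mismatch"   # pointing at some other agent (e.g. a desktop ssh-agent)
  elif [ ! -S "$sock" ]; then
    echo "missing"    # ENOENT on connect: gpg-agent is not running (or died)
  else
    echo "ok"         # the socket is there; the agent itself is reachable
  fi
}

# gpg-agent only creates S.gpg-agent.ssh when enable-ssh-support is set.
#   $1 = path to gpg-agent.conf
has_ssh_support() {
  [ -r "$1" ] && grep -q '^[[:space:]]*enable-ssh-support' "$1"
}

# Run the checks against this shell's environment and print the next step.
diagnose() {
  if ! command -v gpgconf >/dev/null 2>&1; then
    echo "gpgconf not found; is GnuPG installed?"; return 1
  fi
  expected="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)"
  case "$(classify_agent_socket "${SSH_AUTH_SOCK:-}" "$expected")" in
    unset|mismatch) echo "export SSH_AUTH_SOCK=\"$expected\" (as the .zshrc snippet does)" ;;
    missing)        echo "socket absent: start the agent with: gpgconf --launch gpg-agent" ;;
    ok)             echo "socket reachable; if ssh-add -L still shows no card key, read the logs" ;;
  esac
  has_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" \
    || echo "warning: enable-ssh-support is not set in gpg-agent.conf"
  # Logging Philihp suggests: add these two lines to BOTH gpg-agent.conf and
  # scdaemon.conf (the path is a placeholder), then run `gpgconf --kill gpg-agent`
  # so the daemons restart with the new settings:
  #   log-file /path/to/gnupg-debug.log
  #   debug-level guru
}

# Only act on the live system when asked explicitly.
case "${1:-}" in --run) diagnose ;; esac
```

Run it as `sh check-agent.sh --run` from the shell where git is failing, since SSH_AUTH_SOCK is per-process and a different terminal may hold a different value.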


