[pkg-gnupg-maint] Bug#934237: yubikey communication fails on startup
Antoine Beaupre
anarcat at debian.org
Thu Aug 8 14:57:37 BST 2019
Package: gpg-agent
Version: 2.2.17-3~bpo10+2
Severity: normal
Since I upgraded this package from buster (2.12) to buster-backports
(2.17), things started going weird with my Yubikey. (At least I think
that's the trigger.)
When I login in the morning, my Yubikey setup fails to let me connect
to remove SSH servers:
$ ssh example.com
sign_and_send_pubkey: signing failed: agent refused operation
anarcat at example.com: Permission denied (publickey).
I see this in my session logs:
aoû 08 09:51:37 curie gpg-agent[3298]: scdaemon[3302] ccid open error: skip
aoû 08 09:51:37 curie gpg-agent[3298]: scdaemon[3302] ccid open error: skip
aoû 08 09:51:37 curie gpg-agent[3298]: scdaemon[3302] ccid open error: skip
aoû 08 09:51:37 curie gpg-agent[3298]: DBG: detected card with S/N D2760001240102000006036471890000
aoû 08 09:51:37 curie gpg-agent[3298]: [103B blob data]
aoû 08 09:51:37 curie gpg-agent[3298]: scdaemon[3302] le rappel du code personnel a renvoyé une erreur : L'appel IPC a été annulé
aoû 08 09:51:37 curie gpg-agent[3298]: scdaemon[3302] app_auth failed: L'appel IPC a été annulé
aoû 08 09:51:37 curie gpg-agent[3298]: smartcard signing failed: Ioctl() inapproprié pour un périphérique
aoû 08 09:51:37 curie gpg-agent[3298]: ssh sign request failed: Ioctl() inapproprié pour un périphérique <Pinentry>
Sorry for my french, but this basically says:
* the personal code reminder returned an error: the IPC call failed
* app_auth failed: the IPC call was canceled
I have no idea what's going on, to be honest. The Yubikey in itself
works fine: I can login on websites with Firefox with U2F, and `gpg
--card-status` and `--card-edit` look normal.
The workaround I have found is to restart gpg-agent, but it takes a
*long* time so it's pretty annoying:
$ time systemctl --user restart gpg-agent
0.00user 0.00system 1:30.09elapsed 0%CPU (0avgtext+0avgdata 3864maxresident)k
0inputs+0outputs (0major+206minor)pagefaults 0swaps
But that's a separate problem I guess.
Once gpg-agent is restarted, the Yubikey works fine again. And that
is, even if it's unplugged and plugged back in again.
I first thought this could have been a bad interaction with USBguard
but I feel that the fact it still works after restart and reconnection
rules out that problem.
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gpg-agent depends on:
ii gpgconf 2.2.17-3~bpo10+2
ii init-system-helpers 1.56+nmu1
ii libassuan0 2.5.2-1
ii libc6 2.28-10
ii libgcrypt20 1.8.4-5
ii libgpg-error0 1.35-1
ii libnpth0 1.6-1
ii pinentry-curses [pinentry] 1.1.0-2
ii pinentry-gnome3 [pinentry] 1.1.0-2
ii pinentry-gtk2 [pinentry] 1.1.0-2
ii pinentry-qt [pinentry] 1.1.0-2
Versions of packages gpg-agent recommends:
ii gnupg 2.2.17-3~bpo10+2
Versions of packages gpg-agent suggests:
ii dbus-user-session 1.12.16-1
ii libpam-systemd 241-5
ii pinentry-gnome3 1.1.0-2
ii scdaemon 2.2.17-3~bpo10+2
-- debconf-show failed
More information about the pkg-gnupg-maint
mailing list