[pkg-gnupg-maint] Bug#941904: scdaemon is needlessly noisy when card is missing (pcsc_list_readers failed: unknown PC/SC error code)

Antoine Beaupre anarcat at debian.org
Mon Oct 7 14:32:19 BST 2019


Package: scdaemon
Version: 2.2.17-3~bpo10+2
Severity: wishlist

I check my email with SSH and syncmaildir. I know it's a somewhat
exotic configuration, but bear with me: I think this problem would
occur any time GnuPG is configured to serve as an SSH agent with keys
both on disk and on a smart card (in my case, a Yubikey NEO).

My Yubikey setup is documented here:

https://anarc.at/blog/2015-12-14-yubikey-howto/

... and my Email setup here:

https://anarc.at/services/mail/syncmaildir/

The TL;DR: is that I use an authentication subkey to log in to most
hosts over SSH. But to automate certain jobs (backups, IRC and email
logins), I use static on-disk keys with lower privileges on the
server, a compromise I think is reasonable.

The problem happens when those jobs (email, in my case) run while my
Yubikey is not inserted, which is often the case when I'm not using my
computer for work. I will get those messages every time an SSH
connexion is made:

oct 07 09:20:51 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) 

Since I have two mailboxes to pull and push from, it's actually four
connexions, and it actually looks like this:

oct 07 09:22:50 curie systemd[3248]: Starting pull emails with syncmaildir... 
oct 07 09:22:50 curie systemd[1]: Started PC/SC Smart Card Daemon. 
oct 07 09:22:51 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) 
oct 07 09:22:54 curie smd-pull[9027]: default: smd-client at localhost: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(214) 
oct 07 09:22:55 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) 
oct 07 09:22:55 curie smd-pull[9099]: register: smd-client at localhost: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(216) 
oct 07 09:22:55 curie systemd[3248]: smd-pull.service: Succeeded. 
oct 07 09:22:55 curie systemd[3248]: Started pull emails with syncmaildir. 
oct 07 09:22:55 curie systemd[3248]: Starting push emails with syncmaildir... 
oct 07 09:22:56 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) 
oct 07 09:23:00 curie smd-push[9168]: default: smd-client at smd-server-anarcat: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(315) 
oct 07 09:23:00 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e) 
oct 07 09:23:01 curie smd-push[10019]: register: smd-client at smd-server-register: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(216) 
oct 07 09:23:01 curie systemd[3248]: smd-push.service: Succeeded. 
oct 07 09:23:01 curie systemd[3248]: Started push emails with syncmaildir. 
oct 07 09:23:01 curie systemd[3248]: Starting notmuch new... 
oct 07 09:23:01 curie notmuch[10097]: purging with prefix '.': spam moved (0), ham moved (0), deleted (0), done 
oct 07 09:23:01 curie notmuch[10097]: No new mail. 
oct 07 09:23:01 curie notmuch[10097]: tagging with prefix '.': spam, sent, feeds, koumbit, tor, lists, rapports, folders, done. 
oct 07 09:23:01 curie systemd[3248]: notmuch-new.service: Succeeded. 
oct 07 09:23:01 curie systemd[3248]: Started notmuch new. 

With a log colorizer, this looks pretty alarming:

https://paste.anarc.at/publish/2019-10-07-UGt1IC6YlLk/screenshot.png

"FAILED" is a keyword that many log parsers will find and alert
on. Yet there's basically nothing to cry home about here: the key card
is not present, but things can still work - it's not a hard fail,
maybe a warning at best, but I would call this "information" or even
"debug" level log.

I have jobs that log in to multiple hosts as well and while those
currently use my Yubikey, I'm contemplating changes to that and I'm
worried those warnings would flood my logs and turn them into an
endless stream of useless "FAILED" warnings.

Can we not "cry wolf" and reduce the severity level of this peculiar
log entry?

Thanks! :)

-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages scdaemon depends on:
ii  gpg-agent      2.2.17-3~bpo10+2
ii  libassuan0     2.5.2-1
ii  libc6          2.28-10
ii  libgcrypt20    1.8.4-5
ii  libgpg-error0  1.35-1
ii  libksba8       1.3.5-2
ii  libnpth0       1.6-1
ii  libusb-1.0-0   2:1.0.22-2

scdaemon recommends no packages.

scdaemon suggests no packages.

-- debconf-show failed
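
The report's point about keyword-matching log parsers, as an added example (not part of the original bug report and not GnuPG code): a triage function that decodes the PC/SC code in the scdaemon line instead of alerting on the word "failed". 0x8010002e is SCARD_E_NO_READERS_AVAILABLE in pcsc-lite; treating it as informational is an assumed local policy, and the last two sample lines are constructed.

```python
import re

# PC/SC return codes as defined in pcsc-lite's pcsclite.h (subset).
PCSC_CODES = {
    0x8010001D: "SCARD_E_NO_SERVICE",
    0x8010002E: "SCARD_E_NO_READERS_AVAILABLE",
}
# Assumed local policy: "no reader plugged in" is informational, not an alert.
BENIGN = {0x8010002E}

# Short-format journal line: "<mon> <day> <time> <host> <unit>[<pid>]: <message>"
LINE_RE = re.compile(r"^\w+ \d+ [\d:]+ \S+ (?P<unit>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
PCSC_RE = re.compile(
    r"scdaemon\[\d+\] (?P<func>pcsc_\w+) failed: .*\((?P<code>0x[0-9a-fA-F]{8})\)"
)
KEYWORD_RE = re.compile(r"\b(failed|error|denied)\b", re.IGNORECASE)


def classify(line):
    """Return (severity, note) for one journal line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("unparsed", "")
    msg = m.group("msg")
    pcsc = PCSC_RE.search(msg)
    if pcsc:
        # Decide on the numeric code, not on the word "failed".
        code = int(pcsc.group("code"), 16)
        name = PCSC_CODES.get(code, "unrecognised PC/SC code")
        severity = "info" if code in BENIGN else "alert"
        return (severity, f"{pcsc.group('func')}: {name}")
    if KEYWORD_RE.search(msg):
        return ("alert", "keyword match")
    return ("ok", "")


def triage(lines):
    """Return only the lines that still deserve an alert."""
    return [line for line in lines if classify(line)[0] == "alert"]


SAMPLE = [
    # First two lines are taken from the report above.
    "oct 07 09:22:51 curie gpg-agent[3891]: scdaemon[3893] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)",
    "oct 07 09:22:55 curie systemd[3248]: smd-pull.service: Succeeded.",
    # Constructed lines: a PC/SC failure that is not "no reader", and an unrelated failure.
    "oct 07 09:25:00 curie gpg-agent[3891]: scdaemon[3893] pcsc_establish_context failed: no service (0x8010001d)",
    "oct 07 09:26:00 curie sshd[4242]: Failed password for invalid user test from 192.0.2.10 port 2222 ssh2",
]
```

Calling `triage(SAMPLE)` keeps the two constructed lines and drops the missing-reader message, while any other PC/SC code still alerts.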


