Cannot connect to gpg smartcard with non-root user

TJM · 2017-01-27 03:52:53

Suddenly my gpg program cannot connect to the smartcard

 [tjm@ArchPad ~]$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

However, pcsc_scan works

PC/SC device scanner
V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.16
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+U2F+CCID 00 00

Thu Jan 26 19:46:55 2017
Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> [35mFi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s[0m
  TB(1) = 00 --> [35mVPP is not electrically connected[0m
  TC(1) = 00 --> [35mExtra guard time: 0[0m
  TD(1) = 81 --> Y(i+1) = 1000,[35m Protocol T = 1 [0m
-----
  TD(2) = 31 --> Y(i+1) = 0011,[35m Protocol T = 1 [0m
-----
  TA(3) = FE --> [35mIFSC: 254[0m
  TB(3) = 15 --> [35mBlock Waiting Integer: 1 - Character Waiting Integer: 5[0m
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
[34m	YubiKey NEO (PKI)[0m
[34m	http://www.yubico.com/[0m

Occasionally, I found that I can connect to the card with root

[tjm@ArchPad ~]$ sudo gpg --card-status
[sudo] password for tjm: 
gpg: WARNING: server 'gpg-agent' is older than us (2.1.17 < 2.1.18)
gpg: WARNING: server 'scdaemon' is older than us (2.1.17 < 2.1.18)
Reader ...........: 1050:0116:X:0
Application ID ...: D2760001240102000006045291080000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 04529108
Name of cardholder: TJM
Language prefs ...: en
Sex ..............: male
URL of public key : hkp://keys.gnupg.net
Login data .......: TJM
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 266
Signature key ....: 11A9 FC1B A570 FEEC 0B17  F42D C624 63BE 9F6B 2D7D
      created ....: 2016-03-24 17:25:43
Encryption key....: 3657 0FD5 A641 D5B5 1FB2  34F3 8EB7 5640 165E 80F8
      created ....: 2016-03-24 17:25:43
Authentication key: A2B8 B9BF 207E B597 113A  0CC8 0C1B 8C70 C110 3EF5
      created ....: 2016-03-24 17:31:51
General key info..: [none]

Firstly, I think it is a udev permission issue so I write /etc/udev/rules.d/99-yubikeys.rules

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1051", ATTRS{idProduct}=="0116", GROUP="wheel", TAG+="uaccess"

However it not works. So, does anyone who have ideas about this situation?

TJM · 2017-01-27 10:37:05

Journal of pcscd.service

Jan 27 02:34:11 ArchPad pcscd[19987]: 00000000 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000464 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0116:libudev:0:/dev/bus/usb/002/027)
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000011 readerfactory.c:375:RFAddReader() Yubico Yubikey NEO OTP+U2F+CCID init failed.
Jan 27 02:34:11 ArchPad pcscd[19987]: 00005682 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000019 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0116:libudev:1:/dev/bus/usb/002/027)
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000003 readerfactory.c:375:RFAddReader() Yubico Yubikey NEO OTP+U2F+CCID init failed.
Jan 27 02:34:11 ArchPad pcscd[19987]: 00005105 ccid_usb.c:614:OpenUSBByName() Can't claim interface 2/27: LIBUSB_ERROR_BUSY
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000100 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000016 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0116:libudev:2:/dev/bus/usb/002/027)
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000002 readerfactory.c:375:RFAddReader() Yubico Yubikey NEO OTP+U2F+CCID init failed.
Jan 27 02:34:11 ArchPad pcscd[19987]: 00000040 hotplug_libudev.c:520:HPAddDevice() Failed adding USB device: Yubico Yubikey NEO OTP+U2F+CCID

rek2 · 2017-01-27 18:52:24

I have similar issue since this morning, was working ok for months.... and all of the suddem fails.. with all my yubikeys and only in arch.

jenglisch · 2017-01-27 20:14:42

It seems that the upgrade of gnupg today caused that issue:
[2017-01-27 19:50] [ALPM] upgraded gnupg (2.1.17-4 -> 2.1.18-1)

after downgrading gnupg again, it worked fine.

/E: related https://bugs.gnupg.org/gnupg/issue2933

Last edited by jenglisch (2017-01-27 20:16:55)

rek2 · 2017-01-27 21:06:42

good catch!!! thanks

neuline · 2017-01-28 11:51:20

Same thing happens with the Nitrokey

TJM · 2017-01-29 03:41:43

Thanks for your advice. I have tried downgrade the gnupg, but it's not work for me.

jenglisch wrote:

It seems that the upgrade of gnupg today caused that issue:
[2017-01-27 19:50] [ALPM] upgraded gnupg (2.1.17-4 -> 2.1.18-1)
after downgrading gnupg again, it worked fine.
/E: related https://bugs.gnupg.org/gnupg/issue2933

jckimble · 2017-01-30 01:32:16

I had this problem, I just fixed it like two seconds ago by adding

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid

to .gnupg/scdaemon.conf and running "killall scdaemon"

TJM · 2017-01-30 10:27:51

It works! Thank you. But do I need to kill scdaemon everytime after login?

jckimble wrote:

I had this problem, I just fixed it like two seconds ago by adding
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
to .gnupg/scdaemon.conf and running "killall scdaemon"

rek2 · 2017-01-30 18:40:49

jckimble wrote:

I had this problem, I just fixed it like two seconds ago by adding
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
to .gnupg/scdaemon.conf and running "killall scdaemon"

Is this a legit fix? wont break anything to disable ccid?

neuline · 2017-01-30 19:37:30

For me the fix was removing reader-port from scdaemon.conf

jckimble · 2017-01-31 02:39:24

TJM: no it is just to restart scdaemon, restarting your computer will do the same thing. its just the quicker way to check if it worked

rek2: I got it from the archwiki and it didn't break anything with the yubikey 4

Thrawn · 2017-02-04 12:33:24

Works for me too, after creating the file .gnupg/scdaemon.conf

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid

And to restart the daemon:

sudo systemctl restart pcsd

jugs · 2017-02-11 18:58:33

Still seeing the errors in the pcscd journal but the card does work with the scdaemon.conf as above.

Arch Linux

#1 2017-01-27 03:52:53

Cannot connect to gpg smartcard with non-root user

#2 2017-01-27 10:37:05

Re: Cannot connect to gpg smartcard with non-root user

#3 2017-01-27 18:52:24

Re: Cannot connect to gpg smartcard with non-root user

#4 2017-01-27 20:14:42

Re: Cannot connect to gpg smartcard with non-root user

#5 2017-01-27 21:06:42

Re: Cannot connect to gpg smartcard with non-root user

#6 2017-01-28 11:51:20

Re: Cannot connect to gpg smartcard with non-root user

#7 2017-01-29 03:41:43

Re: Cannot connect to gpg smartcard with non-root user

#8 2017-01-30 01:32:16

Re: Cannot connect to gpg smartcard with non-root user

#9 2017-01-30 10:27:51

Re: Cannot connect to gpg smartcard with non-root user

#10 2017-01-30 18:40:49

Re: Cannot connect to gpg smartcard with non-root user

#11 2017-01-30 19:37:30

Re: Cannot connect to gpg smartcard with non-root user

#12 2017-01-31 02:39:24

Re: Cannot connect to gpg smartcard with non-root user

#13 2017-02-04 12:33:24

Re: Cannot connect to gpg smartcard with non-root user

#14 2017-02-11 18:58:33

Re: Cannot connect to gpg smartcard with non-root user

Board footer