Yubico Forum


All times are UTC + 1 hour




Posted: Mon Feb 01, 2016 9:01 pm
Joined: Mon Feb 01, 2016 8:53 pm
Posts: 5
Hi,

I have an air-gap computer using Ubuntu 15.10, and I have downloaded my master key to my yubikey using it. I did not need to change any parameters for the yubikey to get gpg2 access to it, which I think I needed to do with my older yubikey.

However, now I try to use the key on my ordinary laptop, also using Ubuntu 15.10, but gpg2 cannot access it. Some details below:

dmesg:
[ 2261.421087] usb 3-2: new full-speed USB device number 4 using xhci_hcd
[ 2261.550796] usb 3-2: New USB device found, idVendor=1050, idProduct=0407
[ 2261.550803] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2261.550807] usb 3-2: Product: Yubikey 4 OTP+U2F+CCID
[ 2261.550809] usb 3-2: Manufacturer: Yubico
[ 2261.551066] usb 3-2: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
[ 2261.552589] input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0/0003:1050:0407.0008/input/input20
[ 2261.606003] hid-generic 0003:1050:0407.0008: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input0
[ 2261.607492] hid-generic 0003:1050:0407.0009: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input1

pcsc_scan -n
PC/SC device scanner
V 1.4.24 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.11
Using reader plug'n play mechanism
Scanning present readers...
0: Lenovo Integrated Smart Card Reader 00 00
1: Yubico Yubikey 4 OTP+U2F+CCID 01 00

Mon Feb 1 20:58:41 2016
Reader 0: Lenovo Integrated Smart Card Reader 00 00
Card state: Card removed,
Reader 1: Yubico Yubikey 4 OTP+U2F+CCID 01 00
Card state: Card inserted,
ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4

neoman can find the card just fine, so can yubikey-personalize-gui.

GPG_AGENT_INFO= gpg2 --debug-level guru --card-status
gpg: enabled debug flags: packet mpi cipher filter iobuf memory cache memstat trust hashing extprog cardio assuan
gpg: DBG: connection to agent established
scdaemon[3669]: pcsc_control failed: invalid handle (0x80100003)
scdaemon[3669]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
gpg: selecting openpgp failed: Card not present
gpg: OpenPGP card not available: Card not present
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/65536 bytes in 0 blocks
mats@mats-laptop:/etc$ scdaemon[3669]: updating slot 0 status: 0x0000->0x0000 (0->1)
scdaemon[3669]: scdaemon (GnuPG) 2.0.28 stopped

I have tried killing scdaemon and gpg-agent, no difference in behavior. Something is different between these that happens to be significant, but can't figure out what.

Any suggestions as to how to debug this?



Posted: Wed Feb 03, 2016 10:35 am
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Just to be clear, does this still work on your offline computer?

I believe gpg is trying to use your other card reader.

Try to disable it and restart scdaemon+gpg-agent or add "reader-port Yubico" to ~/.gnupg/scdaemon.conf (if you do this also add "log-file /tmp/scdaemon.log" and "debug-level guru" to get debug info from scd).


Posted: Fri Feb 05, 2016 9:10 am

Joined: Mon Feb 01, 2016 8:53 pm
Posts: 5
I made the update of the scdaemon.conf file, did a "killall scdaemon" and "killall gpg-agent" just in case, but none of the killall found any process so it was apparently not needed. I also took out the Yubikey and reinserted it again.

Anyway, here's my terminal session:

$ gpg2 --card-status
gpg: can't connect to the agent - trying fall back
scdaemon[25686]: enabled debug flags: command mpi crypto memory cache memstat hashing assuan cardio
gpg: selecting openpgp failed: Card not present
gpg: OpenPGP card not available: Card not present

This is the scdaemon.log (two attempts with card status):

$ cat /tmp/scdaemon.log
2016-02-05 09:00:19 scdaemon[25627] listening on socket `/tmp/gpg-QxOb6p/S.scdaemon'
2016-02-05 09:00:19 scdaemon[25627] handler for fd -1 started
2016-02-05 09:00:20 scdaemon[25627] pcsc_control failed: invalid handle (0x80100003)
2016-02-05 09:00:20 scdaemon[25627] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2016-02-05 09:00:20 scdaemon[25627] reader slot 0: not connected
scdaemon[25627]: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[25627]: chan_7 <- GETINFO socket_name
scdaemon[25627]: chan_7 -> D /tmp/gpg-QxOb6p/S.scdaemon
scdaemon[25627]: chan_7 -> OK
scdaemon[25627]: chan_7 <- SERIALNO openpgp
scdaemon[25627]: chan_7 -> ERR 100663408 Card not present <SCD>
scdaemon[25627]: chan_7 <- RESTART
scdaemon[25627]: chan_7 -> OK
scdaemon[25627]: chan_7 <- [eof]
2016-02-05 09:00:20 scdaemon[25627] updating slot 0 status: 0x0000->0x0000 (0->1)
2016-02-05 09:00:20 scdaemon[25627] handler for fd -1 terminated
2016-02-05 09:00:20 scdaemon[25627] scdaemon (GnuPG) 2.0.28 stopped
2016-02-05 09:02:03 scdaemon[25686] listening on socket `/tmp/gpg-nOC3g4/S.scdaemon'
2016-02-05 09:02:03 scdaemon[25686] handler for fd -1 started
2016-02-05 09:02:04 scdaemon[25686] pcsc_control failed: invalid handle (0x80100003)
2016-02-05 09:02:04 scdaemon[25686] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2016-02-05 09:02:04 scdaemon[25686] reader slot 0: not connected
scdaemon[25686]: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[25686]: chan_7 <- GETINFO socket_name
scdaemon[25686]: chan_7 -> D /tmp/gpg-nOC3g4/S.scdaemon
scdaemon[25686]: chan_7 -> OK
scdaemon[25686]: chan_7 <- SERIALNO openpgp
scdaemon[25686]: chan_7 -> ERR 100663408 Card not present <SCD>
scdaemon[25686]: chan_7 <- RESTART
scdaemon[25686]: chan_7 -> OK
scdaemon[25686]: chan_7 <- [eof]
2016-02-05 09:02:04 scdaemon[25686] updating slot 0 status: 0x0000->0x0000 (0->1)
2016-02-05 09:02:04 scdaemon[25686] handler for fd -1 terminated
2016-02-05 09:02:04 scdaemon[25686] scdaemon (GnuPG) 2.0.28 stopped

This is the syslog:

$ tail /var/log/syslog
Feb 5 09:01:52 mats-laptop kernel: [60842.195549] usb 3-1: ep 0x81 - rounding interval to 64 microframes, ep desc says 80 microframes
Feb 5 09:01:52 mats-laptop kernel: [60842.196300] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0/0003:1050:0116.003A/input/input47
Feb 5 09:01:52 mats-laptop kernel: [60842.251024] hid-generic 0003:1050:0116.003A: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-1/input0
Feb 5 09:01:52 mats-laptop kernel: [60842.252348] hid-generic 0003:1050:0116.003B: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-1/input1
Feb 5 09:01:52 mats-laptop pcscd: ifdhandler.c:130:CreateChannelByNameOrChannel() failed
Feb 5 09:01:52 mats-laptop pcscd: readerfactory.c:1043:RFInitializeReader() Open Port 0x200001 Failed (usb:1050/0116:libudev:0:/dev/bus/usb/003/018)
Feb 5 09:01:52 mats-laptop pcscd: readerfactory.c:335:RFAddReader() Yubico Yubikey NEO OTP+U2F+CCID init failed.
Feb 5 09:01:52 mats-laptop pcscd: ifdhandler.c:130:CreateChannelByNameOrChannel() failed
Feb 5 09:01:52 mats-laptop pcscd: readerfactory.c:1043:RFInitializeReader() Open Port 0x200002 Failed (usb:1050/0116:libudev:1:/dev/bus/usb/003/018)
Feb 5 09:01:52 mats-laptop pcscd: readerfactory.c:335:RFAddReader() Yubico Yubikey NEO OTP+U2F+CCID init failed.

Might it be some library that is too old to handle Yubikey?

I also tried starting a virtual machine and doing a fresh install of Ubuntu 15.10, adding the Yubico ppa to it. gpg2 can see the yubikey, but I couldn't use it anyway (hardware error or something). Might be an error due to being a virtual machine, or perhaps it is a clue to the real issue. Not sure which. Worth noting, however, that in the VM I'm trying the Neo4, while above I'm using the Neo3. And I'm also trying key-signing using the Neo4 and VM, while I'm trying decryption using Neo3 on the host. Not sure if that makes any difference, though...


Posted: Fri Feb 05, 2016 4:15 pm

Joined: Mon Feb 01, 2016 8:53 pm
Posts: 5
I finally nailed it! What I did was use pcsc_scan, and take the name of the reader from there to the "reader-port" configuration of scdaemon.conf. By taking the whole string it worked. When adding another reader-port entry for my Neo4 I could see that one as well using gpg2 --card-status

Now I have another problem, but this seems unrelated, so I'll create a new thread for this. But my Neo3 can decrypt mails at least, nice!


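The fix the thread arrives at (the moderator's scdaemon.conf lines plus the whole reader name from pcsc_scan), as an added shell example that is not part of any post. The function names are made up here, and the sample input is abridged from the pcsc_scan output quoted in the first post:

```shell
#!/bin/sh
# Added example, not code from the thread.
# Builds scdaemon.conf lines from a pcsc_scan reader listing.

# Sample input: abridged from the pcsc_scan output in the first post.
sample_scan() {
cat <<'EOF'
PC/SC device scanner
Using reader plug'n play mechanism
Scanning present readers...
0: Lenovo Integrated Smart Card Reader 00 00
1: Yubico Yubikey 4 OTP+U2F+CCID 01 00

Mon Feb 1 20:58:41 2016
Reader 0: Lenovo Integrated Smart Card Reader 00 00
Card state: Card removed,
EOF
}

# Print the full name of every reader listed as "<index>: <name>".
# The later "Reader 0: ..." status lines do not start with a digit,
# so they are skipped.
list_readers() {
    sed -n 's/^[0-9][0-9]*: //p'
}

# Print the full name of the first reader containing the fixed string $1.
pick_reader() {
    list_readers | grep -F -- "$1" | head -n 1
}

# Emit scdaemon.conf lines for the reader matching $1.
# Returns non-zero when no listed reader matches, instead of writing
# a reader-port line that would point scdaemon at nothing.
scdaemon_conf() {
    name=$(pick_reader "$1")
    [ -n "$name" ] || { echo "no reader matching '$1'" >&2; return 1; }
    # Whole reader string, as the last post found was needed.
    printf 'reader-port %s\n' "$name"
    # Debug settings from the moderator's post; drop them once it works.
    printf 'log-file /tmp/scdaemon.log\n'
    printf 'debug-level guru\n'
}

sample_scan | scdaemon_conf Yubico
```

On a real machine, feed `scdaemon_conf` a saved copy of the pcsc_scan output and append the result to ~/.gnupg/scdaemon.conf, then restart scdaemon and gpg-agent as described in the thread.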