#854616 - Scdaemon Cannot Access Yubikey Using Ccid Driver Without PCSCD - Debian Bug Report Logs

Debian Bug report logs - #854616
scdaemon cannot access yubikey using ccid driver without pcscd

Package: scdaemon; Maintainer for scdaemon is Debian GnuPG Maintainers <pkg-gnupg-
maint@lists.alioth.debian.org>; Source for scdaemon is src:gnupg2 (PTS, buildd, popcon).
Reported by: Antoine Beaupre <anarcat@debian.org>

Date: Wed, 8 Feb 2017 17:39:02 UTC
Severity: grave
Tags: patch
Found in version gnupg2/2.1.18-3
Fixed in version gnupg2/2.1.18-5
Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Bug is archived. No further changes may be made.
Toggle useless messages
View this report as an mbox folder, status mbox, maintainer mbox
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: scdaemon cannot access yubikey using ccid driver without pcscd
Date: Wed, 08 Feb 2017 12:35:36 -0500
Package: scdaemon
Version: 2.1.18-3
Severity: grave
In Bug#854005, I have described a distinct issue I have experience

with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.
I am not sure what exactly is going on here. What I know is that I was
able to configure my Yubikey to work in Jessie with GnuPG using a
procedure I have documented here:
https://anarc.at/blog/2015-12-14-yubikey-howto/
After installing a new workstation with Debian stretch, things were

still working until the 2.1.18 release.
The symptom is this:
[996]anarcat@curie:~$ LANG=C gpg --card-status

gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
At first, adding "disable-ccid" to scdaemon.conf fixes the issue. But

after a while, the behavior returns.
I have noticed that pcscd is gone when that happens. After advice
received in 854005, I have tried to uninstall pcscd to try and let
scdaemon handle the device. This also fails. Here's a trace of me
purging pcscd, restarting gpg-agent and trying to connect to the card.
[1001]anarcat@curie:~$ sudo apt purge pcscd

Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
libccid
Veuillez utiliser « sudo apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
pcscd*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 23 non mis à jour.
Après cette opération, 205 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [O/n]
(Lecture de la base de données... 291154 fichiers et répertoires déjà installés.)
Suppression de pcscd (1.8.20-1) ...
Warning: Stopping pcscd.service, but it can still be activated by:
pcscd.socket
Traitement des actions différées (« triggers ») pour man-db (2.7.6.1-2) ...
Purge des fichiers de configuration de pcscd (1.8.20-1) ...
Traitement des actions différées (« triggers ») pour systemd (232-15) ...
[master ab8bc2d] committing changes in /etc after apt run
Author: Antoine Beaupré <anarcat@debian.org>
10 files changed, 155 deletions(-)
delete mode 100755 init.d/pcscd
delete mode 120000 rc0.d/K01pcscd
delete mode 120000 rc2.d/S01pcscd
delete mode 120000 systemd/system/sockets.target.wants/pcscd.socket
[1002]anarcat@curie:~$ systemctl --user stop gpg-agent
Warning: Stopping gpg-agent.service, but it can still be activated by:
gpg-agent.socket
gpg-agent-ssh.socket
gpg-agent-extra.socket
gpg-agent-browser.socket
[1003]anarcat@curie:~$ ps axf | grep gpg
27310 pts/4 S+ 0:00 \_ grep gpg
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
Here's the output proving gpg is stopped:
fév 08 12:22:09 curie systemd[1199]: Stopping GnuPG cryptographic agent and passphrase cache...
fév 08 12:22:09 curie systemd[1199]: Stopped GnuPG cryptographic agent and passphrase cache.
fév 08 12:22:09 curie gpg-agent[21736]: scdaemon[21738] SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: SIGTERM received - shutting down ...
fév 08 12:22:09 curie gpg-agent[21736]: gpg-agent (GnuPG) 2.1.18scdaemon[21738] scdaemon (GnuPG) 2.1.18 stopped
fév 08 12:22:09 curie gpg-agent[21736]: stopped
Here's the error when i try to access the card then:
fév 08 12:24:20 curie systemd[1199]: Started GnuPG cryptographic agent and passphrase cache.
fév 08 12:24:20 curie gpg-agent[27960]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
fév 08 12:24:20 curie gpg-agent[27960]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
fév 08 12:24:20 curie gpg-agent[27960]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
fév 08 12:24:20 curie gpg-agent[27960]: listening on: std=3 extra=5 browser=6 ssh=4
fév 08 12:24:20 curie gpg-agent[27960]: scdaemon[27962] ccid open error: skip
the scdaemon debug logs show this:
2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'

2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- OPTION event-signal=12
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO version
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D 2.1.18
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- SERIALNO openpgp
2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: BAI=11201
2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: new device=11201
2017-02-08 12:24:58 scdaemon[27971] ccid open error: skip
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> ERR 100696144 Aucun périphérique de ce type <SCD>
2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- RESTART
Those were enabled with:
printf 'debug-all\nlog-file /run/user/%d/scdaemon.log\n' "$(id -u)" >> ~/.gnupg/scdaemon.conf
If I reinstall pcscd and disable-ccid in scdaemon.conf, things work

again, for a while, until pcscd crashes again.
Here's a working run output:
Reader ...........: Yubico Yubikey NEO OTP CCID 00 00

Application ID ...: XXXXXXXXXXXXXXXXXXXXXxx
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
created ....: 2012-07-20 00:17:35
General key info..: sub rsa2048/[...]
and here's what i get in syslog:
fév 08 12:27:06 curie systemd[1199]: Started GnuPG cryptographic agent and passphrase cache.
fév 08 12:27:06 curie gpg-agent[28488]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
fév 08 12:27:06 curie gpg-agent[28488]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
fév 08 12:27:06 curie gpg-agent[28488]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
fév 08 12:27:06 curie gpg-agent[28488]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
fév 08 12:27:06 curie gpg-agent[28488]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
fév 08 12:27:06 curie gpg-agent[28488]: listening on: std=3 extra=5 browser=6 ssh=4
fév 08 12:27:06 curie gpg-agent[28488]: scdaemon[28490] enabled debug flags: mpi crypto memory cache memstat hashing ipc
cardio reader
fév 08 12:27:06 curie kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 21 ep 4 with no TDs queued?
fév 08 12:27:06 curie pcscd[28182]: 25900973 winscard.c:283:SCardConnect() Error Reader Exclusive
fév 08 12:27:06 curie gpg-agent[28488]: card has S/N: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I haven't figured out what happens when pcscd crashes - i couldn't

find anything in the syslog or anywhere.
I get this error from scdaemon:
fév 06 19:45:29 curie gpg-agent[1643]: scdaemon[1645] pcsc_establish_context failed: no service (0x8010001d)
... which is the same error as when pcscd is uninstalled - ie. it's
not running.
the reason why reinstalling pcscd fixes the issue for me is probably
that it resets the systemd configuration for the daemon and
reinstalling restarts it properly.
now it is running - but who knows for how long?

● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor preset: enabled)
Active: active (running) since Wed 2017-02-08 10:12:36 EST; 4min 1s ago
Main PID: 14439 (pcscd)
CGroup: /system.slice/pcscd.service
└─14439 /usr/sbin/pcscd --foreground --auto-exit
It seems that I need to do this reset thing every morning now, so I

guess it's crashing at least every 24 hours. i have tried unplugging
and replugging the yubikey, it doesn't trigger the problem.
i have tried to figure out what may have happened by looking at the
journald logs, but i can't figure it out. it doesn't clearly mention a
crash.
notice, in the log below, that i reinstalled the package at around Feb
08 10:12:36, which is when things went back to normal. yet before that,
it's unclear what problem there was. you can certainly see a few
instances where systemd started pcscd without it being stopped
first... so there's definitely something going on there.
anything i can do to improve debugging here? note that I don't *need*

pcscd at all. i don't actually know what it is or what it's for. just
want this yubikey to work reliably. :)
[1021]anarcat@curie:~$ sudo LANG=C journalctl -u pcscd.service| cat

-- Logs begin at Sat 2017-02-04 11:17:15 EST, end at Wed 2017-02-08 12:32:43 EST. --
Feb 04 12:33:58 curie systemd[1]: Started PC/SC Smart Card Daemon.
Feb 04 12:33:58 curie pcscd[8947]: 00000000 ifdhandler.c:151:CreateChannelByNameOrChannel() failed
Feb 04 12:33:58 curie pcscd[8947]: 00000012 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed
(usb:1050/0111:libudev:0:/dev/bus/usb/001/007)
Feb 04 12:33:58 curie pcscd[8947]: 00000002 readerfactory.c:375:RFAddReader() Yubico Yubikey NEO OTP+CCID init failed.
Feb 04 12:33:58 curie pcscd[8947]: 00341712 winscard.c:283:SCardConnect() Error Reader Exclusive
Feb 04 13:26:51 curie pcscd[8947]: 99999999 ccid_usb.c:797:WriteUSB() write failed (1/7): -4 LIBUSB_ERROR_NO_DEVICE
Feb 04 18:27:49 curie pcscd[1915]: 99999999 ccid_usb.c:1337:InterruptStop() libusb_cancel_transfer failed: -4
Feb 06 10:55:09 curie pcscd[20263]: 00000000 utils.c:82:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or
directory
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)

Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages scdaemon depends on:

ii gnupg-agent 2.1.18-3
ii libassuan0 2.4.3-2
ii libc6 2.24-9
ii libgcrypt20 1.7.6-1
ii libgpg-error0 1.26-2
ii libksba8 1.3.5-2
ii libnpth0 1.3-1
ii libusb-1.0-0 2:1.0.21-1
scdaemon recommends no packages.
scdaemon suggests no packages.
-- no debconf information
Message #10 received at 854616@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Antoine Beaupre <anarcat@debian.org>, 854616@bugs.debian.org, NIIBE Yutaka <gniibe@fsij.org>
Subject: Re: [pkg-gnupg-maint] Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Date: Wed, 08 Feb 2017 15:17:20 -0500
[Message part 1 (text/plain, inline)]
Control: tags 854616 + moreinfo
Hi Anarcat--
thanks for all this documentation on #854616. I'd like to try to

differentiate this report from #854005.
#854005 is about problems with smartcards more generally.
The new bug, #845616, should be focused specifically on the use case
where pcscd is *not* involved (not even installed on the system), and
disable-ccid is *not* set in scdaemon.conf.
On Wed 2017-02-08 12:35:36 -0500, Antoine Beaupre wrote:
> [1004]anarcat@curie:~$ LANG=C gpg --card-status

> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
[…]
> the scdaemon debug logs show this:
>
> 2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'
> 2017-02-08 12:24:58 scdaemon[27971] handler for fd -1 started
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO socket_name
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> OK
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- OPTION event-signal=12
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- GETINFO version
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> D 2.1.18
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- SERIALNO openpgp
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: BAI=11201
> 2017-02-08 12:24:58 scdaemon[27971] DBG: apdu_open_reader: new device=11201
> 2017-02-08 12:24:58 scdaemon[27971] ccid open error: skip
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 -> ERR 100696144 Aucun périphérique de ce type <SCD>
> 2017-02-08 12:24:58 scdaemon[27971] DBG: chan_5 <- RESTART
Can you confirm that:
* disable-ccid is *not* set in scdaemon.conf

* pcscd is purged
* the same problem is present on 2.1.18-4 ?
Thanks,
--dkg
[signature.asc (application/pgp-signature, inline)]
Added tag(s) moreinfo. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to 854616-submit@bugs.debian.org. (Wed, 08 Feb 2017
20:21:05 GMT) (full text, mbox, link).

From: NIIBE Yutaka <gniibe@fsij.org>
To: Antoine Beaupre <anarcat@debian.org>, 854616@bugs.debian.org
Date: Thu, 09 Feb 2017 05:33:38 +0900
Hello,
Thank you for reporting in detail.
Antoine Beaupre <anarcat@debian.org> wrote:

> In Bug#854005, I have described a distinct issue I have experience
> with my Yubikey since the upgrade of the GnuPG suite from 2.1.17 to
> 2.1.18, and in the case of pcscd, from 1.8.19-1 to 1.8.20-1.
[...]
> anything i can do to improve debugging here? note that I don't *need*
> pcscd at all. i don't actually know what it is or what it's for. just
> want this yubikey to work reliably. :)
While I don't know about pcscd crash, I explain how to use card reader /
token with internal ccid driver of GnuPG.
You need a configuration file to allow USB access by user, when you use
internal ccid driver of GnuPG.
Please create a file /etc/udev/rules.d/yubikey-neo-otp-ccid.rules

with the content of:
---------------- /etc/udev/rules.d/yubikey-neo-otp-ccid.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", MODE="664", GROUP="plugdev"
----------------
And please add yourself as a group member of "plugdev".
In my case, I have this line in /etc/group:
plugdev:x:46:gniibe
If this works, the udev line should be included into scdaemon package in
future, so that each user doesn't need to configure.
--

From: Antoine Beaupré <anarcat@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 854616@bugs.debian.org, NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 08 Feb 2017 15:59:05 -0500
On 2017-02-08 15:17:20, Daniel Kahn Gillmor wrote:
> Can you confirm that:
>
> * disable-ccid is *not* set in scdaemon.conf
confirmed.
> * pcscd is purged
confirmed.
> * the same problem is present on 2.1.18-4 ?
confirmed.
pardon my french:
root@curie:/home/anarcat# apt install scdaemon/unstable gnupg-agent/unstable gpgsm/unstable

Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « scdaemon »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg-agent »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « dirmngr » à cause de « gpgsm »
Version choisie « 2.1.18-4 » (Debian:unstable [amd64]) pour « gnupg » à cause de « dirmngr »
Version choisie « 2.1.18-4 » (Debian:unstable [all]) pour « gnupg-l10n » à cause de « gnupg »
The following additional packages will be installed:
dirmngr gnupg
Paquets suggérés :
parcimonie xloadimage
Paquets recommandés :
gnupg-l10n
Les paquets suivants seront mis à jour :
dirmngr gnupg gnupg-agent gpgsm scdaemon
Il est nécessaire de prendre 3 252 ko dans les archives.
Après cette opération, 0 o d'espace disque supplémentaires seront utilisés.
Réception de:2 http://debian.mirror.constant.com/debian sid/main amd64 gnupg amd64 2.1.18-4 [1 126 kB]
Réception de:3 http://mirrors.cat.pdx.edu/debian sid/main amd64 scdaemon amd64 2.1.18-4 [476 kB]
Réception de:4 http://debian.mirror.constant.com/debian sid/main amd64 gpgsm amd64 2.1.18-4 [502 kB]
Réception de:1 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 dirmngr amd64 2.1.18-4 [595 kB]
Réception de:5 http://mirrors.ocf.berkeley.edu/debian sid/main amd64 gnupg-agent amd64 2.1.18-4 [554 kB]
3 252 ko réceptionnés en 2s (1 294 ko/s)
[master 95fac63] saving uncommitted changes in /etc prior to apt run
1 file changed, 1 insertion(+), 1 deletion(-)
Récupération des rapports de bogue… Fait
Analyse des informations Trouvé/Corrigé… Fait
Lecture des fichiers de modifications (« changelog »)... Terminé
Préparation du dépaquetage de .../dirmngr_2.1.18-4_amd64.deb ...
Dépaquetage de dirmngr (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../scdaemon_2.1.18-4_amd64.deb ...
Dépaquetage de scdaemon (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gpgsm_2.1.18-4_amd64.deb ...
Dépaquetage de gpgsm (2.1.18-4) sur (2.1.18-3) ...
Préparation du dépaquetage de .../gnupg-agent_2.1.18-4_amd64.deb ...
Dépaquetage de gnupg-agent (2.1.18-4) sur (2.1.18-3) ...
Traitement des actions différées (« triggers ») pour install-info (6.3.0.dfsg.1-1+b1) ...
Paramétrage de gnupg-agent (2.1.18-4) ...
Paramétrage de dirmngr (2.1.18-4) ...
Paramétrage de gnupg (2.1.18-4) ...
Paramétrage de scdaemon (2.1.18-4) ...
Paramétrage de gpgsm (2.1.18-4) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
Services being skipped:
systemctl restart NetworkManager.service
/etc/needrestart/restart.d/dbus.service
systemctl restart lightdm.service
systemctl restart systemd-journald.service
systemctl restart systemd-logind.service
systemctl restart wpa_supplicant.service
No containers need to be restarted.
User sessions running outdated binaries:
anarcat @ session #2: emacs[1497], firefox.real[2085], pulseaudio[1306], xmonad-x86_64-l[1215]
anarcat @ user manager service: at-spi-bus-laun[1291], gpg-agent[28488], systemd[1199]
root@curie:/home/anarcat# apt purge pcscd
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
libccid
Veuillez utiliser « apt autoremove » pour le supprimer.
Les paquets suivants seront ENLEVÉS :
pcscd*
Après cette opération, 205 ko d'espace disque seront libérés.
Suppression de pcscd (1.8.20-1) ...
Warning: Stopping pcscd.service, but it can still be activated by:
pcscd.socket
Purge des fichiers de configuration de pcscd (1.8.20-1) ...
Traitement des actions différées (« triggers ») pour systemd (232-15) ...
[master 09e8876] committing changes in /etc after apt run
10 files changed, 155 deletions(-)
delete mode 100755 init.d/pcscd
delete mode 120000 systemd/system/sockets.target.wants/pcscd.socket
root@curie:/home/anarcat# exit
[1000]anarcat@curie:~$ cat .gnupg/scdaemon.conf
disable-ccid
debug-all
log-file /run/user/1000/scdaemon.log
[1001]anarcat@curie:~$ sed -i '/ccid/d' .gnupg/scdaemon.conf
[1002]anarcat@curie:~$ cat .gnupg/scdaemon.conf
debug-all
log-file /run/user/1000/scdaemon.log
[1003]anarcat@curie:~$ killall gpg-agent
[1004]anarcat@curie:~$ killall gpg-agent
gpg-agent: aucun processus trouvé
[1004]anarcat@curie:~1$ gpg --card-status
gpg: selecting openpgp failed: Aucun périphérique de ce type
gpg: OpenPGP card not available: Aucun périphérique de ce type
scdaemon debug log says:
2017-02-08 15:56:35 scdaemon[14813] listening on socket '/run/user/1000/gnupg/S.scdaemon'

2017-02-08 15:56:35 scdaemon[14813] handler for fd -1 started
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 <- GETINFO socket_name
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 <- OPTION event-signal=12
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 <- GETINFO version
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 -> D 2.1.18
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 <- SERIALNO openpgp
2017-02-08 15:56:35 scdaemon[14813] DBG: enter: apdu_open_reader: portstr=(null)
2017-02-08 15:56:35 scdaemon[14813] pcsc_establish_context failed: no service (0x8010001d)
2017-02-08 15:56:35 scdaemon[14813] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 -> ERR 100696144 Aucun périphérique de ce type <SCD>
2017-02-08 15:56:35 scdaemon[14813] DBG: chan_5 <- RESTART
syslog doesn't say anything anymore, oddly enough.
a.
--
Concepts have meaning only if we can point to objects to which they
refer and to the rules by which they are assigned to these objects.
- Albert Einstein

To: NIIBE Yutaka <gniibe@fsij.org>, 854616@bugs.debian.org
Date: Wed, 08 Feb 2017 16:01:15 -0500
Control: tags 854616 -moreinfo +patch
On 2017-02-09 05:33:38, NIIBE Yutaka wrote:

> Hello,
>
> Thank you for reporting in detail.
[...]
> If this works, the udev line should be included into scdaemon package in
> future, so that each user doesn't need to configure.
I confirm the udev hack works.
Thanks!
A.
--
Il faut respecter le noir. Rien ne le prostitue. Il est agent de
l'esprit bien plus que la belle couleur de la palette ou du prisme.
- Odilon Redon
Removed tag(s) moreinfo. Request was from Antoine Beaupré <anarcat@debian.org> to 854616-submit@bugs.debian.org. (Wed, 08 Feb 2017 21:03:04
GMT) (full text, mbox, link).
Added tag(s) patch. Request was from Antoine Beaupré <anarcat@debian.org> to 854616-submit@bugs.debian.org. (Wed, 08 Feb 2017 21:03:05 GMT)
(full text, mbox, link).
To: Antoine Beaupré <anarcat@debian.org>, 854616@bugs.debian.org
Date: Thu, 09 Feb 2017 06:15:21 +0900
Thanks a lot for your confirmation.
Antoine Beaupré <anarcat@debian.org> writes:

>> If this works, the udev line should be included into scdaemon package in
>> future, so that each user doesn't need to configure.
>
> I confirm the udev hack works.
No, this is not a hack. This is a configuration needed.
It seems for me that Yubico has been recommended use of PC/SC service.
Since no one has reported for use of internal CCID driver, there is no
entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
Now, since it is confirmed, we should add an entry.

--

Date: Wed, 08 Feb 2017 16:29:17 -0500
> Thanks a lot for your confirmation.
>
> Antoine Beaupré <anarcat@debian.org> writes:
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
> No, this is not a hack. This is a configuration needed.
Sorry for my imprecise vocabulary. This is all very obscure to me, so

everything looks like a hack. :)
> It seems for me that Yubico has been recommended use of PC/SC service.
I don't know about this, but that's how I made it work the first time. I
took this document as a source for how to make it work:
https://blog.night-shade.org.uk/2015/04/ssh-support-in-gpg-agent-on-ubunt/
... which suggests installing pcscd.
> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.
Thanks for the clarification!
A.
--
La propriété est un piège: ce que nous croyons posséder nous possède.
- Alphonse Karr

Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 08 Feb 2017 16:34:26 -0500
>>> If this works, the udev line should be included into scdaemon package in
>>> future, so that each user doesn't need to configure.
>>
>> I confirm the udev hack works.
>
This reminds me - it sure looks like pcscd was crashing back

there. Should I revert back to using pcscd to try and reproduce the
problem and file a pcscd bug about this?
A.
--
La guerre, c'est le massacre d'hommes qui ne se connaissent pas,
au profit d'hommes qui se connaissent mais ne se massacreront pas.
- Paul Valéry

To: Antoine Beaupré <anarcat@debian.org>, 854616@bugs.debian.org
Date: Thu, 09 Feb 2017 06:38:18 +0900
Antoine Beaupré <anarcat@debian.org> writes:
> This reminds me - it sure looks like pcscd was crashing back
> there. Should I revert back to using pcscd to try and reproduce the
> problem and file a pcscd bug about this?
Yes. I think that this is a different problem, and it's pcscd issue.
--

To: NIIBE Yutaka <gniibe@fsij.org>, 854616@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>
Subject: Re: [pkg-gnupg-maint] Bug#854616: Bug#854616: scdaemon cannot access yubikey using ccid driver without pcscd
Date: Wed, 08 Feb 2017 17:40:29 -0500
[Message part 1 (text/plain, inline)]
On Wed 2017-02-08 16:15:21 -0500, NIIBE Yutaka wrote:

>
> It seems for me that Yubico has been recommended use of PC/SC service.
> Since no one has reported for use of internal CCID driver, there is no
> entry for Yubikey in /lib/udev/rules.d/60-scdaemon.rules on Debian.
>
> Now, since it is confirmed, we should add an entry.
Hi Gniibe--
Thanks for your work on sorting this out! If there are patches that
should go into the scdaemon package for stretch, we should include,
hopefully soon!
If you want to roll a release of the gnupg2 package to update scdaemon,

that's fine with me. Or if you'd rather push a series of patches to our
shared git repository on alioth for an extra pair of eyes, i'm happy to
review them when they're ready.
or, send patches upstream and post commit IDs here, or send a separate
patch go pkg-gnupg-maint, however you prefer :)
There are a few other udev rule updates that seem to be pending in
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=scdaemon;dist=unstable
and i think a patch (or series of patches) to include them all would be
completely reasonable to aim for inclusion with stretch.
Thanks for the smartcard wrangling!
--dkg
[signature.asc (application/pgp-signature, inline)]

Date: Thu, 09 Feb 2017 12:00:17 -0500
>> This reminds me - it sure looks like pcscd was crashing back
>> there. Should I revert back to using pcscd to try and reproduce the
>> problem and file a pcscd bug about this?
>
> Yes. I think that this is a different problem, and it's pcscd issue.
Okay then - I have reported this as a bug against the pcscd package
(#854703), hopefully it will get some traction there.
Do note that what is happening with pcscd is that it is exiting on its

own when I unplug the Yubikey:
fév 08 21:36:15 curie pcscd[15485]: 00000008 winscard_svc.c:1034:MSGCleanupClient() Starting suicide alarm in 60 seconds
Maybe pcscd expects to be reactivated through the systemd socket instead

of just running forever? Does scdaemon talk to the right socket
(/var/run/pcscd/pcscd.comm, according to the systemd config file)?
Thanks for any information,
A.
--
Si l'image donne l'illusion de savoir
C'est que l'adage pretend que pour croire,
L'important ne serait que de voir
- Lofofora
Added tag(s) pending. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Mon, 13 Feb 2017 15:03:14 GMT)
(full text, mbox, link).
Message sent on to Antoine Beaupre <anarcat@debian.org>:

Bug#854616. (Mon, 13 Feb 2017 15:03:28 GMT) (full text, mbox, link).
Message #66 received at 854616-submitter@bugs.debian.org (full text, mbox, reply):

To: 854616-submitter@bugs.debian.org
Subject: Bug#854616 marked as pending
Date: Mon, 13 Feb 2017 15:01:01 +0000
tag 854616 pending
thanks
Hello,
Bug #854616 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=pkg-gnupg/gnupg2.git;a=commitdiff;h=4c91bae
---
commit 4c91bae777022f7ffd2ac4fa69837d59653eeb8f
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon Feb 13 09:41:56 2017 -0500
prepare new debian release

diff --git a/debian/changelog b/debian/changelog
index edd953b..bca7302 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+gnupg2 (2.1.18-5) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
+ invocations for socket names.
+
+ [ NIIBE Yutaka ]
+ * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
+ * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 09:15:07 -0500
+
gnupg2 (2.1.18-4) unstable; urgency=medium
[ Daniel Kahn Gillmor ]
Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:

You have taken responsibility. (Mon, 13 Feb 2017 15:21:26 GMT) (full text, mbox, link).
Message #71 received at 854616-close@bugs.debian.org (full text, mbox, reply):

To: 854616-close@bugs.debian.org
Subject: Bug#854616: fixed in gnupg2 2.1.18-5
Date: Mon, 13 Feb 2017 15:18:52 +0000
Source: gnupg2
Source-Version: 2.1.18-5
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 854616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software

pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you

believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512
Format: 1.8
Date: Mon, 13 Feb 2017 09:15:07 -0500
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb gpgv-static gpgv-win32 gnupg-l10n
Architecture: source
Version: 2.1.18-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
dirmngr - GNU privacy guard - network certificate management service
gnupg - GNU privacy guard - a free PGP replacement
gnupg-agent - GNU privacy guard - cryptographic agent
gnupg-l10n - GNU privacy guard - localization files
gnupg2 - GNU privacy guard - a free PGP replacement (dummy transitional pa
gpgsm - GNU privacy guard - S/MIME version
gpgv - GNU privacy guard - signature verification tool
gpgv-static - minimal signature verification tool (static build)
gpgv-udeb - minimal signature verification tool (udeb)
gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
gpgv2 - GNU privacy guard - signature verification tool (dummy transition
scdaemon - GNU privacy guard - smart card support
Closes: 648331 734889 852702 854005 854595 854616
Changes:
gnupg2 (2.1.18-5) unstable; urgency=medium
.
[ Daniel Kahn Gillmor ]
* Xsession.d/90gpg-agent: use simpler and more direct gpgconf
invocations for socket names.
.
[ NIIBE Yutaka ]
* scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
* scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
Checksums-Sha1:
7107ae53a9a7b92c96abd2189b34a0d9cd1fba99 3148 gnupg2_2.1.18-5.dsc
b31b7f97466e99c49c4eb9320b6df12d32d87e78 67321 gnupg2_2.1.18-5.debian.tar.bz2
a1c521fc8bf43272c59490065eef86cecf06821d 9975 gnupg2_2.1.18-5_source.buildinfo
Checksums-Sha256:
8eb4d1d8bb97ac770e8f50e558046981fd6f1fea169ae5e74ac959a6d033a35d 3148 gnupg2_2.1.18-5.dsc
e6dbc03c9a163baff078a47b0f7c023d8b830f80bf6ae486e6a580fbdb71d9c2 67321 gnupg2_2.1.18-5.debian.tar.bz2
e24155aeaccd93a834ace33df252d57538679afff471235bb770af4140365ec8 9975 gnupg2_2.1.18-5_source.buildinfo
Files:
cffe62364ca47384f8347317a5d1a673 3148 utils optional gnupg2_2.1.18-5.dsc
950b349fb8ed2ee14a00155da3ae2650 67321 utils optional gnupg2_2.1.18-5.debian.tar.bz2
f39a698baf6d532deab22cb867f3a4b3 9975 utils optional gnupg2_2.1.18-5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJKBAEBCgA0FiEEOCdgUepHf6PklTkyFJitxsGSMjcFAlihyfYWHGRrZ0BmaWZ0
aGhvcnNlbWFuLm5ldAAKCRAUmK3GwZIyN9UvD/0aFI/Jphk4kTyJC/bx5G7vcgpu
pPCrtlb5/FDvko1XJUMohcS8dFuMf7PPHpQZH31kjqawbQMSzVYhXy9wZL6r+hrg
xz68kJ1CgCTFO/HB+h1dTLASt4OuVGfKGpkuueXenR3kCY7Ghx8H6YOlhYRMtVT6
yWhdpGKHIvR82sCLN61iqMut3NTh47MB1QUmWd1zQPNoGPWLBK2dt7hNvqQWvFZ4
XXsGkjk6LQrZegX4JIrAEjsqIjXQlKJhOWnCA4+86EIVbjnUaYjZKX7q2dHOG21Y
DxT6rn4qx9PCMTR5krJPht4R1hbc6C0aZT4y3I6Cp53FS3uZGD84YxGYND9v5WSb
auu5FGwE0xN+RAbHOVTxh0lIuySJJTkIdX78kqsnuaSaNkXCfgiNo3xacs9uY+9d
TYKg17ouRsbnETkVqpDngTaaaY9pK6ajk/u3uyA3znEWp870ww/7gvrMjCl1gkfP
hinmFseLTKOvHQFlDAZb6HTj/V7SXqSr25hMpSoWNXC8ylypfh90fnDD+YNpFXMm
VND3eZTNtW/EEQTxiWVbDrWXFoIrFTioRHLlbH4rC3dkJ0RjxeMiKcKPzrap/5ht
6vu/nqkBgltt/8UPIctb+6Qe5czMFDJj8T+B/m3+sarCzjd4njHcn0Og4H4flvqY
M07IRiEkzX00kH824A==
=fpGR
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Mar 2017 07:26:14
GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Dec 20 00:33:59 2022; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from
https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other
contributors.

#854616 - Scdaemon Cannot Access Yubikey Using Ccid Driver Without PCSCD - Debian Bug Report Logs

Uploaded by

Copyright:

Available Formats

You might also like

#854616 - Scdaemon Cannot Access Yubikey Using Ccid Driver Without PCSCD - Debian Bug Report Logs

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

#854616 - Scdaemon Cannot Access Yubikey Using Ccid Driver Without PCSCD - Debian Bug Report Logs

Uploaded by

Copyright:

Available Formats

Debian Bug report logs - #854616

scdaemon cannot access yubikey using ccid driver without pcscd

Reported by: Antoine Beaupre <anarcat@debian.org>

View this report as an mbox folder, status mbox, maintainer mbox

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

In Bug#854005, I have described a distinct issue I have experience

After installing a new workstation with Debian stretch, things were

The symptom is this:

[996]anarcat@curie:~$ LANG=C gpg --card-status

At first, adding "disable-ccid" to scdaemon.conf fixes the issue. But

[1001]anarcat@curie:~$ sudo apt purge pcscd

Here's the output proving gpg is stopped:

Here's the error when i try to access the card then:

the scdaemon debug logs show this:

2017-02-08 12:24:58 scdaemon[27971] listening on socket '/run/user/1000/gnupg/S.scdaemon'

Those were enabled with:

printf 'debug-all\nlog-file /run/user/%d/scdaemon.log\n' "$(id -u)" >> ~/.gnupg/scdaemon.conf

If I reinstall pcscd and disable-ccid in scdaemon.conf, things work

Reader ...........: Yubico Yubikey NEO OTP CCID 00 00

and here's what i get in syslog:

I haven't figured out what happens when pcscd crashes - i couldn't

I get this error from scdaemon:

fév 06 19:45:29 curie gpg-agent[1643]: scdaemon[1645] pcsc_establish_context failed: no service (0x8010001d)

now it is running - but who knows for how long?

It seems that I need to do this reset thing every morning now, so I

anything i can do to improve debugging here? note that I don't *need*

[1021]anarcat@curie:~$ sudo LANG=C journalctl -u pcscd.service| cat

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)

Versions of packages scdaemon depends on:

scdaemon recommends no packages.

scdaemon suggests no packages.

Message #10 received at 854616@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Control: tags 854616 + moreinfo

thanks for all this documentation on #854616. I'd like to try to

#854005 is about problems with smartcards more generally.

On Wed 2017-02-08 12:35:36 -0500, Antoine Beaupre wrote:

> [1004]anarcat@curie:~$ LANG=C gpg --card-status

Can you confirm that:

* disable-ccid is *not* set in scdaemon.conf

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 854616@bugs.debian.org (full text, mbox, reply):

Thank you for reporting in detail.

Antoine Beaupre <anarcat@debian.org> wrote:

Please create a file /etc/udev/rules.d/yubikey-neo-otp-ccid.rules

And please add yourself as a group member of "plugdev".

In my case, I have this line in /etc/group:

Message #22 received at 854616@bugs.debian.org (full text, mbox, reply):

> * pcscd is purged

> * the same problem is present on 2.1.18-4 ?

root@curie:/home/anarcat# apt install scdaemon/unstable gnupg-agent/unstable gpgsm/unstable

scdaemon debug log says:

2017-02-08 15:56:35 scdaemon[14813] listening on socket '/run/user/1000/gnupg/S.scdaemon'

syslog doesn't say anything anymore, oddly enough.

Message #27 received at 854616@bugs.debian.org (full text, mbox, reply):

On 2017-02-09 05:33:38, NIIBE Yutaka wrote:

I confirm the udev hack works.

Antoine Beaupré <anarcat@debian.org> writes:

anything i can do to improve debugging here? note that I don't need

* disable-ccid is not set in scdaemon.conf