agent: Request insertion of smartcard when no card present
Open, NormalPublic

Description

(I've since worked out that this is probably only a problem on w32 - Unfortunately I can't test a physical linux system at present, but from the dim dark past I seem to remember it working there)

Currently, if you have the wrong smart card inserted, the agent requests you to insert the right card. It would be nice if it also did this when you don't have a card inserted at all.

Looking at line 111 of agent/divert-scd.c, in my limited knowledge of the code base, it looks like the logic test could be changed from:

if (!rc) {

to:

if (!rc || no_card) {

to achieve this?

The ternary operator on line 117 appears to already have the appropriate prompt ready to go, but the code path will never make it there (rc is only ever set when there is a card inserted, no_card is only set when there isn't a card present - the check above only checks rc)

mjb created this task.Nov 29 2018, 10:36 AM
mjb updated the task description. (Show Details)Nov 29 2018, 10:39 AM
mjb added a project: gpgagent.
mjb removed External Link.
mjb added a comment.Nov 30 2018, 10:20 AM

..... And now after looking into this a bit deeper after attempting to build gpg-agent for windows, it appears that this is a bit deeper than the logic above (which is actually sound, when I read it for the second time)

So perhaps I should re-submit this as a bug? (Something like: "On windows, gpg-agent never asks for a smart card to be inserted when none is present")

mjb updated the task description. (Show Details)Nov 30 2018, 10:25 AM
mjb updated the task description. (Show Details)
gniibe claimed this task.Dec 17 2018, 9:09 AM
gniibe added a subscriber: gniibe.

How scdaemon responds when there is no card available?

What's the output of following?

$ gpg-connect-agent "SCD SERIALNO" /bye
gniibe edited projects, added Info Needed; removed Feature Request.Dec 17 2018, 9:22 AM

Please let us know the version of GnuPG, the output of gpg --card-status when inserted, and how gpg is not working well, etc.

mjb added a comment.Dec 18 2018, 6:19 AM

When no card is inserted, usage of an ssh client simply fails to request insertion of the card for the stub keys present in ~/.gnupg/.

When the correct card is inserted, it works fine.

When the wrong card is inserted, the message on line 117 of agent/divert-scd.c is presented: "Please insert the card with serial number ..." (so, no_card was true, instead of no_card being false and being asked to remove/insert).

Output as requested:

No card inserted

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
ERR 100696144 No such device <SCD>

Wrong card inserted:

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
S SERIALNO D2760001240102000006045508730000
OK

Correct card inserted:

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
S SERIALNO D2760001240102010006090260190000
OK

And:

C:\Users\mjb>gpg --version
gpg (GnuPG) 2.2.10
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/mjb/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\Users\mjb>gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001240102010006090260190000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 09026019
Name of cardholder: Mike Beattie
Language prefs ...: en
Sex ..............: male
URL of public key : https://keybase.io/mjbnz/key.asc
Login data .......: mjb
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key .
...: 1938 318D 8DCE 7ADC 9CDD  CD22 4B9C 6C2E 8B6B 8644
      created ....: 2016-06-14 08:37:46
Encryption key....: 623D EAA0 E230 60CA D427  2F2C A835 4D27 D1D7 1073
      created ....: 2016-06-14 08:41:15
Authentication key: 88ED D802 5962 0264 0303  3ACC 5E1A D2EA 3DF3 CACC
      created ....: 2016-06-14 08:44:12
General key info..: sub  rsa2048/4B9C6C2E8B6B8644 2016-06-14 Mike Beattie <mike@ethernal.org>
sec#  rsa4096/3B6212915022936C  created: 2014-12-28  expires: never
ssb#  rsa4096/7E02B9F54C1A5C20  created: 2014-12-28  expires: never
ssb>  rsa2048/4B9C6C2E8B6B8644  created: 2016-06-14  expires: never
                                card-no: 0006 09026019
ssb>  rsa2048/A8354D27D1D71073  created: 2016-06-14  expires: never
                                card-no: 0006 09026019
ssb>  rsa2048/5E1AD2EA3DF3CACC  created: 2016-06-14  expires: never
                                card-no: 0006 09026019
gniibe added a comment.EditedDec 19 2018, 2:19 AM

Thanks for your information.
Hum, you are using gpg-agent for SSH access.

Are you sure about gpg-agent's running (with no device inserted), when you access SSH?
With gpg frontend, it can invoke gpg-agent automatically when it's not running. But for SSH access, because it's an emulation of ssh-agent, ssh client has no knowledge for invoking gpg-agent.

Please try your gpg use (ssh client use) after you get:

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
ERR 100696144 No such device <SCD>
mjb added a comment.EditedDec 19 2018, 2:33 AM

Yes, it's running. I have a scheduled task that spawns a vbscript to ensure that gpg-agent is started on login, and restarts it on insertion of a card (specifically for two reasons: windows ssh clients don't typically start agents automatically, and windows can cause gpg-agent to get a but upset after a card is removed and re-inserted. Edit: although, I think that latter reason might be resolved now... I haven't investigated deeply. more info here and here).

However:

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
S SERIALNO D2760001240102010006090260190000
OK

C:\Users\mjb>tasklist | find "gpg-agent.exe"
gpg-agent.exe                21052 Console                    1      1,880 K

Removed card here

C:\Users\mjb>tasklist | find "gpg-agent.exe"
gpg-agent.exe                21052 Console                    1      1,832 K

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
ERR 100696144 No such device <SCD>

C:\Users\mjb>tasklist | find "gpg"
gpg-agent.exe                21052 Console                    1      1,876 K

C:\Users\mjb>ssh aeon
mjb@aeon's password:

Note the password prompt instead of 'please insert card'

Re-inserted card here

C:\Users\mjb>ssh aeon

=> Got pinentry prompt

....motd....
Last login: Wed Dec 12 12:11:03 2018 from --redacted--
mjb@aeon:~>

I see your point. You are right. For SSH access, it just fails without asking insertion. It's not Windows specific.
I checked the change of history of gpg-agent, but I cannot find prompting insertion was supported.
So, I don't thin this is a regression.

Personally, in $HOME/.gnupg/sshcontrol, I have a line like:

# Card D276000124010200F517000000010000
5D6C89682D07CCFC034AF508420BF2276D8018ED 60 confirm

... where 5D6C...18ED is a keygrip for my SSH key. (You can get the keygrip by gpg --with-keygrip --card-status.)

I use this (a line with "confirm") because I prefer being notified by a dialog popup for SSH access.

For your usage, having sshcontrol file with no "confirm", you will be prompted for card insertion.

mjb added a comment.Dec 19 2018, 3:09 AM

Oh, wow - yes, adding to sshcontrol brings up the prompt - I do however need to stop the agent from being restarted on insertion for it to subsequently ask for the unlock.

Also noted that with the wrong card inserted, the alternate prompt "Please remove the current card and insert the one with serial number <serialno>" does not get presented. This is probably because ask_for_card is being called with a demanded serial number?

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO --demand=D2760001240102010006090260190000" /bye
ERR 100696144 No such device <SCD>

C:\Users\mjb>gpg-connect-agent "SCD SERIALNO" /bye
S SERIALNO D2760001240102000006045508730000
OK
mjb added a comment.EditedDec 19 2018, 3:22 AM

Also - going back to sshcontrol - with an ssh key added to the agent with ssh-add, an entry in sshcontrol is required - but not for a key on a smartcard. Is that intentional, or just a byproduct of the smartcard diversion that happens?

sshcontrol entry is required for non-smartcard keys, but not for keys on smartcard. This is intentional. For gpg-agent and current format, it is only the information for gpg-agent to know if a key is for SSH or not.

mjb added a comment.Dec 19 2018, 3:35 AM

OK - so if an entry is not required in sshcontrol for a smart-card key - is the private key stub sufficiently detailed enough for the agent to realise that it can ask for that card to be inserted for an ssh connection?

I'm not complaining - just wondering if there's a way to improve the user experience around asking for card insertions.

Basically, you are right. In addition, gpg-agent asks scdaemon about list of card/token.

Thanks. Your opinion is important.

mjb added a comment.Dec 19 2018, 3:54 AM

You're very welcome. In my instance, this is "resolved" - I now get the prompt I realised I needed so to me this bug could be considered closed or wontfix, but I'll leave you to do with it as you please.

Many thanks for your help.

werner added a subscriber: werner.Dec 19 2018, 7:58 AM

FWIW, the canonical way to make sure that gpg-agent has been started is to run

gpgconf --launch gpg-agent
gniibe triaged this task as Normal priority.