Yubikey not recognized
Closed, Resolved, Public

Description

A fresh Windows setup (version 1903) was installed on my notebook. The integrated smart card reader works fine, also with gpg4win, version 3.1.11. However, both Yubikey 5s are not recognized any more.

With a smart card inserted, "gpg --card-status" shows the expected data, and the cards are working with gpg.

However, both Yubikeys will not be detected; the message is "gpg: selecting card failed: No such device".

All OpenPGP smart cards are recognized and they are working fine. But both Yubikeys fail. I contacted Yubikey support, but there has been no reply in this matter so far, after several days and a few e-mails submitted.

The Yubikey is working fine for the U2F application and when tested with Yubikey Manager, Yubikey Personalization Tool or Yubikey Authenticator. It fails only with GPG and of course with SSH. With the old Windows image, smart cards and Yubikeys were working.

I am a little bit derailed at the moment. Advice would be appreciated!

Details

Version
3.1.11

Event Timeline

I'll keep this on needs triage because I don't know what the issue could be. I have a Yubikey 5 at hand and just tested it with Gpg4win 3.1.11. It works without problems.

Can you please enable scdaemon debugging (Kleopatra settings -> GnuPG System -> Debug-Level 4 (all)) and look at the log / attach it here?

Please note the following uncommon behavior:

  1. I set the debug mode as advised, but the Yubikey was not recognized in Kleopatra or on the command line, and the log file remained empty (0 bytes); see screenshots pages 1-4 sent by e-mail to you.
  2. Afterwards I inserted a smart card; on the command line the smart card was found, but not in Kleopatra; see page 5 of the screenshots attached.
  3. I did a reboot and inserted a smart card (the same card as under (2)); the card could be read on the command line and by Kleopatra. Afterwards I connected the Yubikey. It was not identified at all. When I entered gpg --card-status (the Yubikey was fixed and the smart card removed), it showed the removed smart card's data in the command line window. From test (3) I was able to get a scdaemon_log (attached), but I assume the data written in it is only from the smart card, not from the Yubikey.

As long as I only use smart cards, it works fine with gpg. If I insert a Yubikey, the system is out of order until I reboot. The "disorder" affects only smart card & Yubikey detection in gpg. All other programs are working fine!

It should be mentioned that the notebook has an integrated smart card reader; a Reiner SCT comfort smart card reader with PIN pad can be connected, as well as Yubikeys. I use smart cards quite often (also for authentication for Bitlocker encryption and in some apps, e.g. qualified signatures; all this is working).

Both Yubikeys are working fine outside gpg / ssh. I can use them for OTP and U2F, and the Yubico apps are working as well.

I appreciate your support in this matter, because I have lost my bearings a little bit with this problem and Yubico support does not answer at all.

Maybe a silly question, but let's be sure: Is the OpenPGP app enabled on that Yubikey and is it enabled for USB? I can't remember the Yubikey commands on how to check this but there should even be a GUI. These days I use the new gpg-card tool to manage my Yubikeys (from GnuPG master).

If you want to give it a test on the command line, make sure that scdaemon is not running and then run

scdaemon --log-file - -v --server

and enter

serialno openpgp

on the console. Any error messages?

Werner, no silly questions exist, only silly answers exist. However, the Yubikey is enabled for USB. I am using Yubikey Manager, a GUI; for the USB interface the following are enabled: OTP, FIDO, FIDO U2F, OpenPGP, PIV and OATH. Thanks also for the suggested command line test. Indeed an error code shows up:

2020-01-12 15:49:04 scdaemon[15924] Handhabungsroutine für fd -1 gestartet
OK GNU Privacy Guard's Smartcard server ready
serialno openpgp
2020-01-12 15:49:24 scdaemon[15924] detected reader 'Microsoft IFD 0'
2020-01-12 15:49:24 scdaemon[15924] detected reader 'Yubico YubiKey OTP+FIDO+CCID 0'
2020-01-12 15:49:24 scdaemon[15924] detected reader ''
2020-01-12 15:49:24 scdaemon[15924] reader slot 0: not connected
2020-01-12 15:49:24 scdaemon[15924] pcsc_connect failed: removed card (0x80100069)
2020-01-12 15:49:24 scdaemon[15924] reader slot 0: not connected
ERR 100696144 No such device <SCD>

I hope it is helpful for you to find the root cause.

At least one configuration error I could identify by myself: Kleopatra -> GnuPG-System -> Smartcard -> Connecting Reader with port N. If it is written: Yubico YubiKey OTP+FIDO+CCID 0 then the Yubikey is recognized. I forgot to write "Yubico Yubikey" at the beginning and the "0" at the end. Now smart cards and Yubikeys are working for gpg. What is still a problem is SSH. An SSH key is on the smart card or the Yubikey.

PuTTY generally works with SSH keys, as long as the SSH key is on a USB stick. Because in this particular case I can enter a path to the USB stick in "Options controlling SSH authentication: Private Key File for authentication". I can browse the path to the USB stick and can find the private SSH key there. In case of a smart card or Yubikey I cannot enter the path to the smart card or Yubikey. Most probably another silly configuration problem. However, I appreciate your comments!
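
An added example, not part of the original thread and not GnuPG's own code: a small Python helper that reads scdaemon's verbose output as quoted above, lists the PC/SC readers in detection order, and builds the exact `reader-port` line for scdaemon.conf from the full reader name. The function names are hypothetical; it assumes, per scdaemon's documentation, that without `reader-port` the first reader found is used.

```python
import re

# Sample input: the reader-related lines of the scdaemon output quoted in the thread.
SAMPLE_LOG = """\
2020-01-12 15:49:24 scdaemon[15924] detected reader 'Microsoft IFD 0'
2020-01-12 15:49:24 scdaemon[15924] detected reader 'Yubico YubiKey OTP+FIDO+CCID 0'
2020-01-12 15:49:24 scdaemon[15924] detected reader ''
2020-01-12 15:49:24 scdaemon[15924] reader slot 0: not connected
2020-01-12 15:49:24 scdaemon[15924] pcsc_connect failed: removed card (0x80100069)
ERR 100696144 No such device <SCD>
"""

READER_RE = re.compile(r"detected reader '([^']*)'")
FAIL_RE = re.compile(r"pcsc_connect failed: (.+?) \((0x[0-9a-fA-F]+)\)")


def detected_readers(log):
    """Reader names in the order scdaemon listed them; the empty entry is skipped."""
    return [name for name in READER_RE.findall(log) if name]


def connect_failures(log):
    """(reason, PC/SC status code) pairs for every failed pcsc_connect."""
    return FAIL_RE.findall(log)


def reader_port_line(log, wanted):
    """scdaemon.conf line naming the one detected reader that contains `wanted`.

    The full name is emitted exactly as scdaemon printed it, including the
    vendor prefix and the trailing index.
    """
    matches = [n for n in detected_readers(log) if wanted.lower() in n.lower()]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one reader matching {wanted!r}, got {matches}")
    return f"reader-port {matches[0]}"


if __name__ == "__main__":
    readers = detected_readers(SAMPLE_LOG)
    print("readers in detection order:", readers)
    print("default candidate (first reader):", readers[0])
    for reason, code in connect_failures(SAMPLE_LOG):
        print(f"connect failed: {reason} ({code})")
    print("suggested scdaemon.conf line:", reader_port_line(SAMPLE_LOG, "yubikey"))
```
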

aheinecke triaged this task as Normal priority. May 8 2020, 11:46 AM

I'm working on better support for Smartcards and esp. multiple smartcards in Kleopatra. IMO it should not be required for a user to explicitly write a reader port in the config.

aheinecke claimed this task.

JW-D, with Gpg4win-4 we have support for multiple readers and also a dropdown menu for selecting reader ports. This should resolve this issue.