gpg: error getting version from 'scdaemon': Forbidden
Open, High, Public

Description

I am trying to forward gpg-agent from Manjaro Linux 20.1 (remote) to Windows 10 2004 (local). From what it seems from the ssh logs, everything is fine. The problems start when I try to query the Yubikey smartcard, which is plugged into local. The smartcard was configured on both local and remote separately and works correctly with gpg when plugged directly into the local or remote machine (remote is my home PC, local is my laptop).

This is the error I am receiving on remote after sshing into it:

❯ gpg --card-status
gpg: error getting version from 'scdaemon': Forbidden
gpg: selecting card failed: Forbidden
gpg: OpenPGP card not available: Forbidden

Is this a bug? Is this a configuration problem? Is this an unimplemented feature? I have exhausted my debugging options, as well as search engine results on the topic of Windows-Linux gpg interop and would like developers to make a comment on this.

I posted about this problem a week ago at [0], which received no response. I also previously posted about another problem with the Yubikey smartcard when it is plugged into local at [1], which received no response either. I have no choice but to use the bug tracker to receive a response from developers. I think I have provided exhaustive information below to be able to answer the questions from the previous paragraph.

Since the time I posted on the mailing list, I additionally started using yubikey-touch-detector [2] on remote to get a notification when the Yubikey needs a touch. It works correctly when used locally on remote. After gpg --card-status it reported that the Yubikey is waiting for a touch. To clarify, a touch is not required to execute this operation either on local or on remote when the Yubikey is used locally (plugged directly into the machines and used for local gpg operations). Might be a useful observation, or it might not.

Additional comment for the "Session:" part: Ctrl+D is mapped to exit, but the shell wasn't exiting after gpg --card-status, despite gpg --card-status correctly returning. Therefore, Ctrl+C was required to get back into the local shell. This is probably reflected in the logs. Normally I don't need to press Ctrl+C after Ctrl+D; if I don't issue gpg --card-status, I can exit the shell just fine.

For information on what wsl-ssh-pageant and gpg-bridge are, see [3] and [4] respectively. I have provided additional comments on them in [0].

Below are the configs and logs for local and remote machines with no additional comments.

Local

Environment:

SSH_AUTH_SOCK=\\.\pipe\ssh-pageant

Software:

> ssh -V
OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5
> gpg --version
gpg (GnuPG) 2.2.23
libgcrypt 1.8.6

Preparation for session:

> gpgconf --kill all
> rm .\AppData\Roaming\gnupg\*log
> gpgconf --launch all

Separate terminal:

> wsl-ssh-pageant-amd64 --winssh ssh-pageant
Listening on named pipe: \\.\pipe\ssh-pageant

Separate terminal:

> gpg-bridge 127.0.0.1:<EXTRA_SOCKET_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra

Separate terminal:

> gpg-bridge 127.0.0.1:<SSH_SOCKET_PORT> C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh

Session:

> ssh -v pc -E ssh.log
Last login: ...
gpg-connect-agent: connection to agent is in restricted mode
❯ gpg --card-status
gpg: error getting version from 'scdaemon': Forbidden
gpg: selecting card failed: Forbidden
gpg: OpenPGP card not available: Forbidden
<Ctrl+D>
<Ctrl+C>

<gpg.conf>

personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
utf8-strings

<gpg-agent.conf>

enable-ssh-support
enable-putty-support
default-cache-ttl 60
max-cache-ttl 120
verbose
debug-level advanced
log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log
extra-socket C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra

<scdaemon.conf>

card-timeout 5
verbose
debug-level advanced
log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log

<gpg-agent.log>

2020-09-10 22:01:02 gpg-agent[6752] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent'
2020-09-10 22:01:02 gpg-agent[6752] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra'
2020-09-10 22:01:02 gpg-agent[6752] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser'
2020-09-10 22:01:02 gpg-agent[6752] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh'
2020-09-10 22:01:02 gpg-agent[6752] gpg-agent (GnuPG) 2.2.23 started
2020-09-10 22:01:02 gpg-agent[6752] putty message loop thread started
2020-09-10 22:01:02 gpg-agent[6752] DBG: chan_0x00000290 -> OK Pleased to meet you
2020-09-10 22:01:02 gpg-agent[6752] DBG: chan_0x00000290 <- RESET
2020-09-10 22:01:02 gpg-agent[6752] DBG: chan_0x00000290 -> OK
2020-09-10 22:01:02 gpg-agent[6752] DBG: chan_0x00000290 <- [eof]
2020-09-10 22:01:06 gpg-agent[6752] DBG: chan_0x0000029c -> OK Pleased to meet you
2020-09-10 22:01:06 gpg-agent[6752] DBG: chan_0x0000029c <- RESET
2020-09-10 22:01:06 gpg-agent[6752] DBG: chan_0x0000029c -> OK
2020-09-10 22:01:06 gpg-agent[6752] DBG: chan_0x0000029c <- [eof]
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map file 'WSLPageantRequest'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map handle 0x000002a0
2020-09-10 22:01:53 gpg-agent[6752] DBG:           my sid: 'S-1-5-21-2866614668-1482101499-365976279-1001'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map file sid: 'S-1-5-21-2866614668-1482101499-365976279-1001'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh IPC buffer at 0x00100000
2020-09-10 22:01:53 gpg-agent[6752] ssh request handler for request_identities (11) started
2020-09-10 22:01:53 gpg-agent[6752] no running SCdaemon - starting it
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK GNU Privacy Guard's Smartcard server ready
2020-09-10 22:01:53 gpg-agent[6752] DBG: first connection to SCdaemon established
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> GETINFO socket_name
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> OPTION event-signal=0x0000028c
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> SERIALNO
2020-09-10 22:01:53 gpg-agent[6752] SIGUSR2 received - updating card event counter
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S SERIALNO <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> GETINFO card_list
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S SERIALNO <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> SERIALNO --demand=<SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S SERIALNO <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> GETATTR $AUTHKEYID
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S $AUTHKEYID OPENPGP.3
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> GETATTR SERIALNO
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S SERIALNO <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> READKEY OPENPGP.3
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_000002C4 <- [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(548 byte(s) skipped) ]
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> GETATTR $DISPSERIALNO
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S $DISPSERIALNO <DISPSERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] ssh request handler for request_identities (11) ready
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> RESTART
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map file 'WSLPageantRequest'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map handle 0x000002a0
2020-09-10 22:01:53 gpg-agent[6752] DBG:           my sid: 'S-1-5-21-2866614668-1482101499-365976279-1001'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh map file sid: 'S-1-5-21-2866614668-1482101499-365976279-1001'
2020-09-10 22:01:53 gpg-agent[6752] DBG: ssh IPC buffer at 0x00100000
2020-09-10 22:01:53 gpg-agent[6752] ssh request handler for sign_request (13) started
2020-09-10 22:01:53 gpg-agent[6752] new connection to SCdaemon established (reusing)
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> SERIALNO --demand=<SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- S SERIALNO <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: detected card with S/N <SERIALNO>
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> SETDATA [...]
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_0x000002c4 -> PKAUTH OPENPGP.3
2020-09-10 22:01:53 gpg-agent[6752] DBG: chan_000002C4 <- [ 49 4e 51 ... ]
2020-09-10 22:01:53 gpg-agent[6752] starting a new PIN Entry
2020-09-10 22:01:54 gpg-agent[6752] DBG: connection to PIN entry established
2020-09-10 22:02:04 gpg-agent[6752] DBG: chan_000002C4 -> [ 44 20 7e ... ]
2020-09-10 22:02:04 gpg-agent[6752] DBG: chan_0x000002c4 -> END
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_000002C4 <- [ 44 20 a3 ... ]
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:02:06 gpg-agent[6752] ssh request handler for sign_request (13) ready
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002c4 -> RESTART
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002c4 <- OK
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002a0 -> OK Pleased to meet you
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002a0 <- GETINFO pid
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002a0 -> D 6752
2020-09-10 22:02:06 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:07 gpg-agent[6752] DBG: chan_0x000002a0 <- BYE
2020-09-10 22:02:07 gpg-agent[6752] DBG: chan_0x000002a0 -> OK closing connection
2020-09-10 22:02:07 gpg-agent[6752] DBG: chan_0x000002e4 -> OK Pleased to meet you
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 <- RESET
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 <- OPTION ttyname=/dev/pts/5
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO restricted
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 <- updatestartuptty
2020-09-10 22:02:08 gpg-agent[6752] command 'UPDATESTARTUPTTY' failed: Forbidden
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:08 gpg-agent[6752] DBG: chan_0x000002e4 <- [eof]
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 -> OK Pleased to meet you
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 -> OK Pleased to meet you
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 <- RESET
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 -> OK
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 <- RESET
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION ttyname=/dev/pts/5
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 <- OPTION display=:0
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 <- GETINFO restricted
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 <- GETINFO restricted
2020-09-10 22:02:19 gpg-agent[6752] DBG: chan_0x00000310 -> OK
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 <- GETINFO version
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 -> D 2.2.23
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 <- GETINFO version
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 -> D 2.2.23
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 -> OK
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION allow-pinentry-notify
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 <- OPTION allow-pinentry-notify
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000310 <- [eof]
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 -> OK Pleased to meet you
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 <- RESET
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 -> OK
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 <- SCD GETINFO version
2020-09-10 22:02:20 gpg-agent[6752] command 'SCD' failed: Forbidden
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 <- OPTION display=:0
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x000002f0 <- [eof]
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 <- GETINFO restricted
2020-09-10 22:02:20 gpg-agent[6752] DBG: chan_0x00000314 -> OK
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 <- GETINFO version
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 -> D 2.2.23
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 -> OK
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 <- OPTION allow-pinentry-notify
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x00000314 <- [eof]
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> OK Pleased to meet you
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc <- RESET
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> OK
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc <- OPTION display=:0
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc <- GETINFO restricted
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> OK
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc <- GETINFO version
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> D 2.2.23
2020-09-10 22:02:21 gpg-agent[6752] DBG: chan_0x000002cc -> OK
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002cc <- OPTION allow-pinentry-notify
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002cc -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002cc <- [eof]
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 -> OK Pleased to meet you
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 <- RESET
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 <- OPTION display=:0
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 <- GETINFO restricted
2020-09-10 22:02:22 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x000002e0 <- GETINFO version
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x000002e0 -> D 2.2.23
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x000002e0 <- [eof]
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> OK Pleased to meet you
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- RESET
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION display=:0
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO restricted
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO version
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> D 2.2.23
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION allow-pinentry-notify
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:23 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000300 <- SCD GETINFO version
2020-09-10 22:02:24 gpg-agent[6752] command 'SCD' failed: Forbidden
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000300 <- [eof]
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> OK Pleased to meet you
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 <- RESET
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> OK
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 <- OPTION display=:0
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 <- GETINFO restricted
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> OK
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 <- GETINFO version
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> D 2.2.23
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> OK
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 <- OPTION allow-pinentry-notify
2020-09-10 22:02:24 gpg-agent[6752] DBG: chan_0x00000304 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x00000304 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x00000304 -> OK
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x00000304 <- [eof]
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> OK Pleased to meet you
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 <- RESET
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION display=:0
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 <- GETINFO restricted
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 <- GETINFO version
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> D 2.2.23
2020-09-10 22:02:25 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION allow-pinentry-notify
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x000002f0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x000002f0 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x000002f0 -> OK
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x000002f0 <- [eof]
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 -> OK Pleased to meet you
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 <- RESET
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION display=:0
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO restricted
2020-09-10 22:02:26 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO version
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 -> D 2.2.23
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION allow-pinentry-notify
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x00000300 <- [eof]
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 -> OK Pleased to meet you
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 <- RESET
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 <- OPTION display=:0
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 <- GETINFO restricted
2020-09-10 22:02:27 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 <- GETINFO version
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 -> D 2.2.23
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 <- OPTION allow-pinentry-notify
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e0 <- [eof]
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 -> OK Pleased to meet you
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 <- RESET
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 <- OPTION display=:0
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO restricted
2020-09-10 22:02:28 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO version
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 -> D 2.2.23
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 <- OPTION allow-pinentry-notify
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002e4 <- [eof]
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 -> OK Pleased to meet you
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 <- RESET
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 <- OPTION display=:0
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 <- GETINFO restricted
2020-09-10 22:02:29 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 <- GETINFO version
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 -> D 2.2.23
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 <- OPTION allow-pinentry-notify
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x000002a0 <- [eof]
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c -> OK Pleased to meet you
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c <- RESET
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c <- OPTION display=:0
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c <- GETINFO restricted
2020-09-10 22:02:30 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x0000031c <- GETINFO version
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x0000031c -> D 2.2.23
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x0000031c <- [eof]
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> OK Pleased to meet you
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 <- RESET
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 <- OPTION display=:0
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO restricted
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO version
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> D 2.2.23
2020-09-10 22:02:31 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002e4 <- OPTION allow-pinentry-notify
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002e4 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002e4 <- [eof]
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> OK Pleased to meet you
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 <- RESET
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 <- OPTION display=:0
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 <- GETINFO restricted
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 <- GETINFO version
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> D 2.2.23
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 <- OPTION allow-pinentry-notify
2020-09-10 22:02:32 gpg-agent[6752] DBG: chan_0x000002a0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x000002a0 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x000002a0 -> OK
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x000002a0 <- [eof]
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> OK Pleased to meet you
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 <- RESET
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION display=:0
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO restricted
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 <- GETINFO version
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> D 2.2.23
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION allow-pinentry-notify
2020-09-10 22:02:33 gpg-agent[6752] DBG: chan_0x00000300 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x00000300 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x00000300 -> OK
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x00000300 <- [eof]
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c -> OK Pleased to meet you
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c <- RESET
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c <- OPTION display=:0
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c <- GETINFO restricted
2020-09-10 22:02:34 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c <- GETINFO version
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c -> D 2.2.23
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c <- OPTION allow-pinentry-notify
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x0000031c <- [eof]
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 -> OK Pleased to meet you
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 <- RESET
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 -> OK
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 <- OPTION display=:0
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK Pleased to meet you
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 <- GETINFO pid
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 -> D 6752
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 <- BYE
2020-09-10 22:03:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK closing connection
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 -> OK Pleased to meet you
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 <- GETINFO pid
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 -> D 6752
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 -> OK
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 <- BYE
2020-09-10 22:04:07 gpg-agent[6752] DBG: chan_0x000002e4 -> OK closing connection
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK Pleased to meet you
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 <- GETINFO pid
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 -> D 6752
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 <- BYE
2020-09-10 22:05:07 gpg-agent[6752] DBG: chan_0x00000314 -> OK closing connection
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c -> OK Pleased to meet you
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c <- GETINFO pid
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c -> D 6752
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c -> OK
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c <- BYE
2020-09-10 22:06:07 gpg-agent[6752] DBG: chan_0x0000031c -> OK closing connection

<scdaemon.log>

2020-09-10 22:01:53 scdaemon[3600] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-10 22:01:53 scdaemon[3600] handler for fd -1 started
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK GNU Privacy Guard's Smartcard server ready
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- GETINFO socket_name
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- OPTION event-signal=0x0000028c
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- SERIALNO
2020-09-10 22:01:53 scdaemon[3600] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
2020-09-10 22:01:53 scdaemon[3600] reader slot 0: not connected
2020-09-10 22:01:53 scdaemon[3600] reader slot 0: active protocol: T1
2020-09-10 22:01:53 scdaemon[3600] slot 0: ATR=[...]
2020-09-10 22:01:53 scdaemon[3600] AID: [...]
2020-09-10 22:01:53 scdaemon[3600] Historical Bytes: [...]
2020-09-10 22:01:53 scdaemon[3600] Version-2+ .....: yes
2020-09-10 22:01:53 scdaemon[3600] Extcap-v3 ......: no
2020-09-10 22:01:53 scdaemon[3600] Button .........: yes
2020-09-10 22:01:53 scdaemon[3600] SM-Support .....: no
2020-09-10 22:01:53 scdaemon[3600] Get-Challenge ..: no
2020-09-10 22:01:53 scdaemon[3600] Key-Import .....: yes
2020-09-10 22:01:53 scdaemon[3600] Change-Force-PW1: yes
2020-09-10 22:01:53 scdaemon[3600] Private-DOs ....: yes
2020-09-10 22:01:53 scdaemon[3600] Algo-Attr-Change: yes
2020-09-10 22:01:53 scdaemon[3600] Symmetric Crypto: no
2020-09-10 22:01:53 scdaemon[3600] KDF-Support ....: no
2020-09-10 22:01:53 scdaemon[3600] Max-Cert3-Len ..: 1216
2020-09-10 22:01:53 scdaemon[3600] Cmd-Chaining ...: yes
2020-09-10 22:01:53 scdaemon[3600] Ext-Lc-Le ......: no
2020-09-10 22:01:53 scdaemon[3600] Status-Indicator: 05
2020-09-10 22:01:53 scdaemon[3600] GnuPG-No-Sync ..: no
2020-09-10 22:01:53 scdaemon[3600] GnuPG-Def-PW2 ..: no
2020-09-10 22:01:53 scdaemon[3600] Key-Attr-sign ..: RSA, n=4096, e=17, fmt=std
2020-09-10 22:01:53 scdaemon[3600] Key-Attr-encr ..: RSA, n=4096, e=17, fmt=std
2020-09-10 22:01:53 scdaemon[3600] Key-Attr-auth ..: RSA, n=4096, e=17, fmt=std
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S SERIALNO <SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] triggering event 0x0000028c (0x0000028c) for client -1
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- GETINFO card_list
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S SERIALNO <SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- SERIALNO --demand=<SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S SERIALNO <SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- GETATTR $AUTHKEYID
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S $AUTHKEYID OPENPGP.3
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- GETATTR SERIALNO
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S SERIALNO <SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- READKEY OPENPGP.3
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0000015C -> [ 44 20 28 ... ]
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- GETATTR $DISPSERIALNO
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S $DISPSERIALNO <DISPSERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- RESTART
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- SERIALNO --demand=<SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> S SERIALNO <SERIALNO>
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- SETDATA [...]
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0x0000015c <- PKAUTH OPENPGP.3
2020-09-10 22:01:53 scdaemon[3600] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: [...]%0AHolder: Ave Milia'
2020-09-10 22:01:53 scdaemon[3600] DBG: chan_0000015C -> [ 49 4e 51 ... ]
2020-09-10 22:02:04 scdaemon[3600] DBG: chan_0000015C <- [ 44 20 7e ... ]
2020-09-10 22:02:04 scdaemon[3600] DBG: chan_0x0000015c <- END
2020-09-10 22:02:06 scdaemon[3600] operation auth result: Success
2020-09-10 22:02:06 scdaemon[3600] DBG: chan_0000015C -> [ 44 20 a3 ... ]
2020-09-10 22:02:06 scdaemon[3600] DBG: chan_0x0000015c -> OK
2020-09-10 22:02:06 scdaemon[3600] DBG: chan_0x0000015c <- RESTART
2020-09-10 22:02:06 scdaemon[3600] DBG: chan_0x0000015c -> OK

<.ssh/config>

User ave

Host pc
    Hostname <REMOTE_MACHINE_IP>
    Port     <REMOTE_MACHINE_SSH_PORT>
    RemoteForward /run/user/1000/gnupg/S.gpg-agent      127.0.0.1:<EXTRA_SOCKET_PORT>
    RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh  127.0.0.1:<SSH_SOCKET_PORT>

<ssh.log>

OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\avemilia/.ssh/config
debug1: C:\\Users\\avemilia/.ssh/config line 3: Applying options for pc
debug1: Connecting to <REMOTE_MACHINE_IP> [<REMOTE_MACHINE_IP>] port <REMOTE_MACHINE_SSH_PORT>.
debug1: Connection established.
debug1: identity file C:\\Users\\avemilia/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\avemilia/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to <REMOTE_MACHINE_IP>:<REMOTE_MACHINE_SSH_PORT> as 'ave'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<SERVER_HOST_KEY>
debug1: Host '[<REMOTE_MACHINE_IP>]:<REMOTE_MACHINE_SSH_PORT>' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\avemilia/.ssh/known_hosts:2
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: cardno:<DISPSERIALNO> RSA SHA256:<YUBIKEY_SSH_KEY> agent
debug1: Will attempt key: (none) RSA SHA256:<YUBIKEY_SSH_KEY> agent
debug1: Will attempt key: C:\\Users\\avemilia/.ssh/id_rsa 
debug1: Will attempt key: C:\\Users\\avemilia/.ssh/id_dsa 
debug1: Will attempt key: C:\\Users\\avemilia/.ssh/id_ecdsa 
debug1: Will attempt key: C:\\Users\\avemilia/.ssh/id_ed25519 
debug1: Will attempt key: C:\\Users\\avemilia/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:<DISPSERIALNO> RSA SHA256:<YUBIKEY_SSH_KEY> agent
debug1: Server accepts key: cardno:<DISPSERIALNO> RSA SHA256:<YUBIKEY_SSH_KEY> agent
debug1: Authentication succeeded (publickey).
Authenticated to <REMOTE_MACHINE_IP> ([<REMOTE_MACHINE_IP>]:<REMOTE_MACHINE_SSH_PORT>).
debug1: Remote connections from /run/user/1000/gnupg/S.gpg-agent:-2 forwarded to local address 127.0.0.1:<EXTRA_SOCKET_PORT>
debug1: Remote connections from /run/user/1000/gnupg/S.gpg-agent.ssh:-2 forwarded to local address 127.0.0.1:<SSH_SOCKET_PORT>
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ave/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/ave/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent:-2, connect 127.0.0.1:<EXTRA_SOCKET_PORT>
debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent.ssh:-2, connect 127.0.0.1:<SSH_SOCKET_PORT>
debug1: All remote forwarding requests processed
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=8
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=8
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 4 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=9
debug1: channel 2: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 2: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 5 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=10
debug1: channel 3: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 3: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 2: free: forwarded-streamlocal, nchannels 4
debug1: channel 1: free: forwarded-streamlocal, nchannels 3
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=8
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 3: free: forwarded-streamlocal, nchannels 3
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 4 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=8
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=9
debug1: channel 2: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 2: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 3
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 2: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=5
debug1: channel 0: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 0: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 1: free: forwarded-streamlocal, nchannels 2
debug1: client_input_channel_open: ctype forwarded-streamlocal@openssh.com rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_streamlocal: request: /run/user/1000/gnupg/S.gpg-agent
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:<EXTRA_SOCKET_PORT>) in progress, fd=6
debug1: channel 1: new [forwarded-streamlocal]
debug1: confirm forwarded-streamlocal@openssh.com
debug1: channel 1: connected to 127.0.0.1 port <EXTRA_SOCKET_PORT>
debug1: channel 0: free: forwarded-streamlocal, nchannels 2
debug1: channel 1: free: forwarded-streamlocal, nchannels 1
Transferred: sent 10808, received 12892 bytes, in 28.6 seconds
Bytes per second: sent 377.8, received 450.6
debug1: Exit status 2

Remote

Environment (per shell):

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
export GPG_TTY=$(tty)
gpgconf --create-socketdir
gpg-connect-agent updatestartuptty /bye >/dev/null

Software:

❯ sshd -V
unknown option -- V
OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020
❯ gpg --version
gpg (GnuPG) 2.2.23
libgcrypt 1.8.6

<gpg.conf>

personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids

<gpg-agent.conf>

enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-tty
verbose
debug-level advanced
log-file /home/ave/.gnupg/gpg-agent.log

<scdaemon.conf>

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
verbose
debug-level advanced
log-file /home/ave/.gnupg/scdaemon.log

<gpg-agent.log>

2020-09-10 22:02:35 gpg-agent[27020] listening on socket '/run/user/1000/gnupg/S.gpg-agent'
2020-09-10 22:02:35 gpg-agent[27020] listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
2020-09-10 22:02:35 gpg-agent[27020] listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
2020-09-10 22:02:35 gpg-agent[27020] listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
2020-09-10 22:02:35 gpg-agent[27021] gpg-agent (GnuPG) 2.2.23 started
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK Pleased to meet you, process 27018
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- RESET
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- OPTION display=:0
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- GETINFO version
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> D 2.2.23
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- OPTION allow-pinentry-notify
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- OPTION agent-awareness=2.1.0
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- SCD GETINFO version
2020-09-10 22:02:35 gpg-agent[27021] no running SCdaemon - starting it
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
2020-09-10 22:02:35 gpg-agent[27021] DBG: first connection to SCdaemon established
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> GETINFO socket_name
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> OPTION event-signal=12
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> GETINFO version
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- D 2.2.23
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> D 2.2.23
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> OK
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- SCD SERIALNO
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> SERIALNO
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- ERR 100696144 No such device <SCD>
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 -> ERR 100696144 No such device <SCD>
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_10 <- [eof]
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> RESTART
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- OK

<scdaemon.log>

2020-09-10 22:02:35 scdaemon[27023] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2020-09-10 22:02:35 scdaemon[27023] handler for fd -1 started
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 <- GETINFO socket_name
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> D /run/user/1000/gnupg/S.scdaemon
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> OK
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 <- OPTION event-signal=12
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> OK
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 <- GETINFO version
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> D 2.2.23
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> OK
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 <- SERIALNO
2020-09-10 22:02:35 scdaemon[27023] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> ERR 100696144 No such device <SCD>
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 <- RESTART
2020-09-10 22:02:35 scdaemon[27023] DBG: chan_7 -> OK

<sshd_config>

AllowUsers ave
Port <REMOTE_MACHINE_SSH_PORT>
ListenAddress <REMOTE_MACHINE_INTRANET_IP>
AddressFamily inet
Compression yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PrintMotd no # pam does that
Banner /etc/issue
StreamLocalBindUnlink yes

<sshd.log>

Sep 10 22:01:52 ave-pc sshd[26850]: Connection from 212.102.39.196 port 61528 on <REMOTE_MACHINE_INTRANET_IP> port <REMOTE_MACHINE_SSH_PORT> rdomain ""
Sep 10 22:01:53 ave-pc sshd[26850]: Accepted key RSA SHA256:<YUBIKEY_SSH_KEY> found at /home/ave/.ssh/authorized_keys:1
Sep 10 22:01:53 ave-pc sshd[26850]: Postponed publickey for ave from 212.102.39.196 port 61528 ssh2 [preauth]
Sep 10 22:02:06 ave-pc sshd[26850]: Accepted key RSA SHA256:<YUBIKEY_SSH_KEY> found at /home/ave/.ssh/authorized_keys:1
Sep 10 22:02:06 ave-pc sshd[26850]: pam_systemd_home(sshd:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Sep 10 22:02:06 ave-pc sshd[26850]: Accepted publickey for ave from 212.102.39.196 port 61528 ssh2: RSA SHA256:<YUBIKEY_SSH_KEY>
Sep 10 22:02:06 ave-pc sshd[26850]: pam_unix(sshd:session): session opened for user ave(uid=1000) by (uid=0)
Sep 10 22:02:06 ave-pc sshd[26850]: User child is on pid 26862
Sep 10 22:02:07 ave-pc sshd[26862]: Starting session: shell on pts/5 for ave from 212.102.39.196 port 61528 id 0
Sep 10 22:02:23 ave-pc sshd[26862]: Close session: user ave from 212.102.39.196 port 61528 id 0
Sep 10 22:02:35 ave-pc sshd[26850]: pam_unix(sshd:session): session closed for user ave

[0] https://lists.gnupg.org/pipermail/gnupg-users/2020-September/064076.html
[1] https://lists.gnupg.org/pipermail/gnupg-users/2020-August/064071.html
[2] https://github.com/maximbaz/yubikey-touch-detector
[3] https://github.com/benpye/wsl-ssh-pageant
[4] https://github.com/BusyJay/gpg-bridge

Details

Version
2.2.23
avemilia updated the task description.
gniibe added a subscriber: gniibe. Fri, Sep 11, 4:28 AM

I think that your configuration does not work well for gpg --card-status when you want to use local scdaemon service from remote machine.
By using "extra" socket, only a few commands are allowed to execute.

If really needed, you can forward normal socket (S.gpg-agent, instead of S.gpg-agent.extra).

BTW, I'm confusing why you runs gpg-agent and scdaemon on "remote" machine, if you want to use the service on you
gave us the gpg-agent.log and scdaemon.log.

Perhaps, for the usability, it would be good for gpg-agent's "extra" access to allow some of SCD commands.
This can align the current limitation, I suppose.

gniibe claimed this task. Fri, Sep 11, 6:39 AM
gniibe triaged this task as High priority.
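
An added triage helper, not part of the original thread or of GnuPG: it pairs each `ERR` reply in a gpg-agent or scdaemon debug log with the last command seen on the same channel and splits the numeric error into its libgpg-error source and code fields, which makes refusals on the restricted "extra" socket easy to spot. The sample lines are constructed in the format of the logs in this report, and the function name `refused_commands` is hypothetical.

```shell
#!/bin/sh
# Added example: list the Assuan commands that a GnuPG daemon answered with ERR.
# Input : a gpg-agent/scdaemon log written with "debug-level advanced" on stdin.
# Output: one line per refusal: channel|last command|source|code|text

refused_commands() {
    awk '
    $4 == "DBG:" && $5 ~ /^chan_/ && ($6 == "<-" || $6 == "->") {
        chan = $5
        verb = $7

        if (verb == "ERR") {
            # libgpg-error packs the value as (source << 24) | code.
            err  = $8 + 0
            src  = int(err / 16777216) % 128   # 7-bit error source
            code = err % 65536                 # 16-bit error code
            text = ""
            for (i = 9; i <= NF; i++)
                text = text (text == "" ? "" : " ") $i
            printf "%s|%s|%d|%d|%s\n", chan, ((chan in last) ? last[chan] : "?"), src, code, text
            next
        }

        # Skip replies, data lines, inquiries and hex dumps; keep real commands.
        if (verb == "OK" || verb == "D" || verb == "S" || verb == "INQUIRE" || verb == "END" || verb ~ /^\[/)
            next

        payload = $7
        for (i = 8; i <= NF; i++)
            payload = payload " " $i
        last[chan] = payload
    }'
}

# Constructed sample in the format of the logs in this report.
SAMPLE_LOG='2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 -> OK Pleased to meet you
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 <- OPTION display=:0
2020-09-10 22:02:35 gpg-agent[6752] DBG: chan_0x000002e0 -> ERR 67109115 Forbidden <GPG Agent>
2020-09-10 22:02:35 gpg-agent[27021] DBG: first connection to SCdaemon established
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 -> SERIALNO
2020-09-10 22:02:35 gpg-agent[27021] DBG: chan_11 <- ERR 100696144 No such device <SCD>'

printf '%s\n' "$SAMPLE_LOG" | refused_commands
```

Run it against the real file with `refused_commands < ~/.gnupg/gpg-agent.log`; a refusal whose text ends in `<GPG Agent>` comes from the agent itself, while `<SCD>` means the smartcard daemon reported the failure.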
avemilia added a comment. Edited Fri, Sep 11, 8:14 AM

Thank you for the response.

If really needed, you can forward normal socket (S.gpg-agent, instead of S.gpg-agent.extra).

Thank you VERY MUCH! Using normal socket instead of extra socket in gpg-bridge command solved it. gpg --card-status works out of the box.

BTW, I'm confusing why you runs gpg-agent and scdaemon on "remote" machine, if you want to use the service on you gave us the gpg-agent.log and scdaemon.log.

Can you please rephrase? I don't understand the sentence.

After getting this to work I met another related problem, this time with ssh. I will open a separate issue.

gniibe added a comment. Edited Fri, Sep 11, 8:51 AM

Sorry, my editing error. I wanted to write:

BTW, I'm confused why you ran gpg-agent and scdaemon on "remote" machine and you gave us the gpg-agent.log and scdaemon.log of "remote" machine.
When you want to use the service of "local" machine on "remote" machine, you don't run gpg-agent (and scdaemon) on "remote" machine, but use the forwarded socket.

avemilia added a comment. Edited Fri, Sep 11, 9:22 AM

I didn't run gpg-agent or scdaemon on remote manually. If that happened -- it probably happened as a result of ssh'ing into it and spawning a zsh shell, which executed the section that I mark as "Environment (per shell)" above. I do this kind of "preparation" (stop gpg, clean up logs to collect only relevant logs on problem demonstration) to make the problem description as minimal as possible. And I post all relevant produced logs to make the problem description as complete as possible. Sorry if this is confusing, I don't really know what I'm doing but I want to make a bug report that can be acted upon.

I have also noticed that if I don't do things a certain way, e.g. gpg --card-status won't work. As of right now, while fighting another problem [0], I have worked out this procedure to make sure gpg --card-status or ssh-add -L work (if the environment is not prepared, e.g. gpg --card-status can report "no device", or ssh-add -L can just hang forever with no output until it receives a <Ctrl+C>):

> gpgconf --kill all
> rm ~/.gnupg/*log
> gpg-connect-agent updatestartuptty /bye
gpg-connect-agent: no running gpg-agent - starting 'C:\Program Files (x86)\gnupg\bin\gpg-agent.exe'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
OK

Bizarrely, this also excludes gpgconf --launch all as I am used to doing, which makes ssh-add -L misbehave as described, if I remember correctly. The preparation above is done for both local and remote machines.

You should not do gpgconf --kill all on your remote machine; It kills gpg-agent on your local machine, through forwarded socket. And next invocation of gpg will invoke gpg-agent on your remote machine, which makes things confusing.

I see. How should I prepare environment instead? With local it is clear, but with remote it isn't. I also use remote as a normal machine with yubikey plugged directly into it most of the time, as it is a desktop at home. Local is a laptop that I use when I'm not at home. So, let's say I have a fresh reboot of remote and use it a bit with yubikey. So, it has gpg-agent started with its own socket there. Now I want to ssh into remote. If I understand correctly, for correct functionality I need to kill gpg-agent on remote first, otherwise agent forwarding will misbehave? Then, after I'm done with ssh and get back to remote (physically), how do I "recover" from ssh and re-launch gpg agent normally again? Since you say that killing it will send instruction to kill it on local machine, what should be done instead?

Additionally, does your answer imply that when I ssh into remote, no gpg logs on remote should be produced if everything is executed correctly?

gniibe added a comment. Edited Fri, Sep 18, 3:58 AM

For SSH, I don't think forwarding gpg-agent's socket (S.gpg-agent.ssh) is a good idea; it complicates things unnecessarily. Simply use the -A option of SSH, if possible.

I think that there is some misunderstanding about how gpg-agent and scdaemon run.
In the normal configuration, those programs run when you log in to your desktop, or they are invoked when used; then, after you log out, they die.

If your use case is something like: You use the "remote" machine daily with the token. You log out after use. You bring the token with your laptop.
You use your laptop just like your normal "remote" machine. You need to log in to "remote" from your laptop, and want to use gpg there with the token inserted into the laptop (remotely use the token from the "remote" machine).

Is that your case? Or do you have a permanent login situation in your "remote" machine?

Well, if there is a possibility of you having multiple shells from different machines, I'd suggest the use of the GNUPGHOME environment variable when your remote machine is accessed from the laptop remotely.

(1) A normal use of "remote" machine locally (with ~/.gnupg, and /run/user/<YOUR-UID>/gnupg)
(2) Another use of "remote" machine from laptop through SSH (say, with ~/remote-use-gnupg and /run/user/<YOUR-UID>/gnupg/d.<SOMETHING>)

Then, there are two access points for gpg on your "remote" machine; for the normal one, it is at /run/user/<YOUR-UID>/gnupg/S.gpg-agent.
Behind that socket, there is gpg-agent running on the "remote" machine.

For access from the laptop, it is at /run/user/<YOUR-UID>/gnupg/d.<SOMETHING>. It is handled by SSH; actually, it gives access to the gpg-agent running on your laptop.

First, you should copy the files of ~/.gnupg/ to ~/remote-use-gnupg/.

When you log in from your laptop, you should have the GNUPGHOME environment variable set. You can check with gpgconf --list-dirs to see the value of d.<SOMETHING>. You use it for your forwarding setting for SSH.

Here are my test configurations.

The machine which allows remote access (from my notebook computer):

  • When logging in from the network, I decide to use GNUPGHOME=/home/gniibe/.gnupg-extra
  • I copied files from /home/gniibe/.gnupg to /home/gniibe/.gnupg-extra
$ ls /home/gniibe/.gnupg-extra 
dirmngr.conf  gpg.conf  pubring.kbx  tofu.db  trustdb.gpg
$ 

The notebook computer:

  • I put the following in the file ~/.ssh/config
Host fw-test
     Hostname remote-machine.gniibe.org
     ExitOnForwardFailure yes
     RemoteForward /run/user/1000/gnupg/d.4z8xhhn3s877ibme1nmr4oi5/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

Test: SSH login from the notebook computer to remote-machine.gniibe.org

  • Make sure the file /run/user/1000/gnupg/d.4z8xhhn3s877ibme1nmr4oi5/S.gpg-agent does not exist on remote-machine.gniibe.org
  • ssh fw-test
  • After successful login, do export GNUPGHOME=/home/gniibe/.gnupg-extra
  • While gpg --card-status does *not* work (as expected, because of the use of S.gpg-agent.extra), normal operations like gpg -d (decryption) and gpg -s (signing) work well
  • Before logout, remove the /run/user/1000/gnupg/d.4z8xhhn3s877ibme1nmr4oi5/S.gpg-agent socket file.
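
The configuration described in the comment above can be derived from `gpgconf --list-dirs` output instead of being typed by hand. This is an added example, not code from the thread or from GnuPG: the function names `list_dirs_value` and `forward_stanza` are hypothetical, the listings are constructed from the paths quoted in the comment, and it assumes socket paths without spaces.

```shell
#!/bin/sh
# Added example: inputs are `gpgconf --list-dirs` listings (constructed below).

# Print one key's value from a listing on stdin. gpgconf percent-escapes
# values (':' is written as %3a), so that escaping is undone here.
list_dirs_value() {
    key=$1
    while IFS= read -r line; do
        case $line in
            "$key":*)
                printf '%s\n' "${line#*:}" | sed -e 's/%3[aA]/:/g' -e 's/%25/%/g'
                return 0 ;;
        esac
    done
    return 1
}

# Emit the Host block. $3: remote listing with the default home, $4: remote
# listing with the alternate GNUPGHOME, $5: laptop listing.
forward_stanza() {
    host_alias=$1; hostname=$2
    default_sock=$(printf '%s\n' "$3" | list_dirs_value agent-socket) || return 1
    remote_sock=$(printf '%s\n' "$4" | list_dirs_value agent-socket) || return 1
    local_sock=$(printf '%s\n' "$5" | list_dirs_value agent-extra-socket) || return 1
    # Forwarding onto the remote's default socket would shadow its own agent
    # (the confusion discussed in the thread), so refuse.
    if [ "$remote_sock" = "$default_sock" ]; then
        echo "refusing: $remote_sock is the remote's default agent socket" >&2
        return 2
    fi
    printf 'Host %s\n    Hostname %s\n    ExitOnForwardFailure yes\n' \
        "$host_alias" "$hostname"
    printf '    RemoteForward %s %s\n' "$remote_sock" "$local_sock"
}

# Constructed listings, trimmed to the relevant keys; paths follow the thread.
REMOTE_DEFAULT='agent-socket:/run/user/1000/gnupg/S.gpg-agent'
REMOTE_EXTRA='homedir:/home/gniibe/.gnupg-extra
agent-socket:/run/user/1000/gnupg/d.4z8xhhn3s877ibme1nmr4oi5/S.gpg-agent'
LOCAL='agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-socket:/run/user/1000/gnupg/S.gpg-agent'

forward_stanza fw-test remote-machine.gniibe.org \
    "$REMOTE_DEFAULT" "$REMOTE_EXTRA" "$LOCAL"
```

On the remote, `StreamLocalBindUnlink yes` in sshd_config makes sshd remove an existing socket file before binding the forwarded one, which covers the manual removal steps in the list above.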