
SSH smartcard authentication fails after card reader removal
Closed, Resolved, Public

Description

Removing and replugging my SCR335 card reader after successfully using scdaemon
and gpg-agent for an SSH login results in similar key-based logins failing.

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAAFALL+3MkAAACBAM0T7JyynT4hvez/TtPSekvE7EKjIf2Mf1w8nMo8pKUc4PhW6Fu86xzzEjUbJvxU3ORZN/ekLrgfTW0DXeW/z7JhHxw1NOp+8lM80FCWrx+0XyeeEbRkjc18+ni0UYSonBJzVRAvZw8eqtSga+LpExTzH7LRiuteNsWunamKar9Z cardno:000100000B0C
$ ssh james@freecharity.org.uk

[ Entered PIN]

Linux freecharity.org.uk 2.6.16.18-tk-x8664-trie #1 SMP Mon Jun 12 21:38:58 UTC 2006 i686 GNU/Linux
No mail.
Last login: Wed May 23 12:02:38 2007 from natpool49.norse.ukerna.ac.uk
james@freecharity:~$
james@freecharity:~$ exit
logout
Connection to freecharity.org.uk closed.

[ Remove, reinsert card reader ]

$ ssh james@freecharity.org.uk
Agent admitted failure to sign using the key.
Password:
$

Details

Due Date
Dec 15 2008, 1:00 AM
Version
1.4.6

Event Timeline

jamesd added projects: scd, gpgagent, gnupg, Bug Report.
jamesd added a subscriber: jamesd.

What version of gpg-agent and scdaemon are you running?

$ gpg-agent --version
gpg-agent (GnuPG) 2.0.0
...
$ scdaemon --version
scdaemon (GnuPG) 2.0.0
...

Moritz Schulte created a test case for this or a similar problem:

#!/bin/bash

# Ask gpg-agent for the socket of the scdaemon it spawned, so we can talk to
# scdaemon directly instead of going through the agent.
SOCK=$(echo "SCD GETINFO socket_name" | gpg-connect-agent | awk '{ print $2 }')
echo "scdaemon socket is $SOCK"

echo "first run..."

# Query the card twice and force a full LEARN; the /definqfile lines answer the
# keypad inquiries with an empty file so the run does not block on a prompt.
gpg-connect-agent -S "$SOCK" <<EOF
/definqfile POPUPKEYPADPROMPT /dev/null
/definqfile DISMISSKEYPADPROMPT /dev/null
SERIALNO
SERIALNO
LEARN --force
EOF

echo -e "\n** OKAY, now reinsert the smartcard, wait two seconds and press enter **\n"
read a

echo "second run..."

# Same sequence after the reinsertion; the status output should be identical.
gpg-connect-agent -S "$SOCK" <<EOF
/definqfile POPUPKEYPADPROMPT /dev/null
/definqfile DISMISSKEYPADPROMPT /dev/null
SERIALNO
SERIALNO
LEARN --force
EOF

Just as a quick follow-up to this script I wrote:

[...]

The output I get on every (approx.) second run is:

moritz@kiste:~/Arbeit/g10/test-cases$ ./scdaemon-bug.sh
scdaemon socket is /tmp/gpg-7DrMzg/S.scdaemon
first run...
S SERIALNO D2760001240101000001000000CF0000 0
OK
S SERIALNO D2760001240101000001000000CF0000 0
OK
S SERIALNO D2760001240101000001000000CF0000 0
S APPTYPE OPENPGP
S EXTCAP gc=1+ki=1+fc=1+pd=0
S DISP-NAME Schulte<<Moritz
S DISP-LANG de
S DISP-SEX 1
S LOGIN-DATA moritz%0A%14F=3%18
S KEY-FPR 1 7F31D6DDEB0EA3E5D6DAB5BC0A7F4D909EC83163
S KEY-FPR 2 DEDB4462D3D618676D4EE78B8EFEA57E4F850554
S KEY-FPR 3 E98CFF3B4601466A79B430327EED887CB2F9878A
S CHV-STATUS +1+254+254+254+3+3+3
S SIG-COUNTER 33
S KEYPAIRINFO BA3F59E10685CCEC226449613E92EE7613551B4F OPENPGP.1
S KEYPAIRINFO FE373824F9A6962CE250CB8DDCE97C2660CC3E44 OPENPGP.2
S KEYPAIRINFO A2F466EB816996967D9CB967DC3F86E2C6E0BE67 OPENPGP.3
OK

** OKAY, now reinsert the smartcard, wait two seconds and press enter **

second run...
S SERIALNO D2760001240101000001000000CF0000 0
OK
S SERIALNO D2760001240101000001000000CF0000 0
OK
S SERIALNO D2760001240101000001000000CF0000 0
S APPTYPE OPENPGP
S EXTCAP gc=1+ki=1+fc=1+pd=0
S LOGIN-DATA moritz%0A%14F=3%18
OK
moritz@kiste:~/Arbeit/g10/test-cases$

And that's wrong, since in my understanding the second block of status
information should be identical to the first one. But it's stripped.

I cannot reproduce this bug EVERY time I run the script. It's a timing
problem.

I had problems debugging this; in the end I suspected the bug in the
application caching code. IIRC, when I disabled the cache THIS bug was gone.

mo
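As an added check that is not part of the thread, here is a small Python script that parses two captured status dumps from the test script above and lists which status lines the second LEARN lost. The embedded sample dumps are the two runs quoted above; with real captures, feed the text of each gpg-connect-agent run into the same functions.

```python
# Constructed sample: the status lines of the two LEARN runs shown in the thread above.
FIRST_RUN = """\
S SERIALNO D2760001240101000001000000CF0000 0
S APPTYPE OPENPGP
S EXTCAP gc=1+ki=1+fc=1+pd=0
S DISP-NAME Schulte<<Moritz
S DISP-LANG de
S DISP-SEX 1
S LOGIN-DATA moritz%0A%14F=3%18
S KEY-FPR 1 7F31D6DDEB0EA3E5D6DAB5BC0A7F4D909EC83163
S KEY-FPR 2 DEDB4462D3D618676D4EE78B8EFEA57E4F850554
S KEY-FPR 3 E98CFF3B4601466A79B430327EED887CB2F9878A
S CHV-STATUS +1+254+254+254+3+3+3
S SIG-COUNTER 33
S KEYPAIRINFO BA3F59E10685CCEC226449613E92EE7613551B4F OPENPGP.1
S KEYPAIRINFO FE373824F9A6962CE250CB8DDCE97C2660CC3E44 OPENPGP.2
S KEYPAIRINFO A2F466EB816996967D9CB967DC3F86E2C6E0BE67 OPENPGP.3
OK
"""

SECOND_RUN = """\
S SERIALNO D2760001240101000001000000CF0000 0
S APPTYPE OPENPGP
S EXTCAP gc=1+ki=1+fc=1+pd=0
S LOGIN-DATA moritz%0A%14F=3%18
OK
"""

def parse_status(dump):
    """Map each Assuan status keyword (the word after 'S ') to the set of
    argument strings seen for it; non-status lines (OK, ERR, D ...) are skipped."""
    status = {}
    for line in dump.splitlines():
        if not line.startswith("S "):
            continue
        parts = line.split(maxsplit=2)
        keyword, args = parts[1], (parts[2] if len(parts) > 2 else "")
        status.setdefault(keyword, set()).add(args)
    return status

def missing_status(first, second):
    """Status lines present in the first dump but absent from the second.
    Lost KEYPAIRINFO lines leave gpg-agent without the card key mapping, which is
    consistent with the 'Agent admitted failure to sign' symptom in the report."""
    before, after = parse_status(first), parse_status(second)
    return {k: v - after.get(k, set()) for k, v in before.items()
            if v - after.get(k, set())}
```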

werner removed a project: In Progress.

Moritz, this should be fixed in the current SVN of 2.0.10. Would you mind
testing it?

werner set Due Date to Dec 15 2008, 1:00 AM.

Dec 5 2008, 6:28 PM

I cannot reproduce this problem anymore. Neither with the test case
script, nor during ssh authentication with several card-reinsertions.

Thanks a lot!
mo

werner claimed this task.
werner removed a project: Restricted Project.