[pkg-gnupg-maint] Bug#854005: Bug#854005: ssh-agent no longer works

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 3 00:03:37 UTC 2017


Control: reassign 854005 scdaemon

Hi Wouter--

On Thu 2017-02-02 17:54:26 -0500, Wouter Verhelst wrote:
> Since a recent upgrade, gnupg-agent no longer finds the authentication
> (SSH) key on my OpenPGP smartcard:
>
> wouter at gangtai:~$ gpg --card-status
>
> Reader ...........: ACS ACR38U 00 00
> Application ID ...: D2760001240102010005000047360000
> Version ..........: 2.1
> Manufacturer .....: ZeitControl
> Serial number ....: 00004736
> Name of cardholder: Wouter Verhelst
> Language prefs ...: nl
> Sex ..............: male
> URL of public key : http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x9B69FDF3F0DA0948066129F72DFC519954181296
> Login data .......: [not set]
> Signature PIN ....: forced
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 116
> Signature key ....: 9B69 FDF3 F0DA 0948 0661  29F7 2DFC 5199 5418 1296
>       created ....: 2016-04-11 11:46:27
> Encryption key....: B057 2256 DD3D 8275 A1F2  3015 EBC4 535B 0557 DB14
>       created ....: 2016-04-11 11:46:27
> Authentication key: B7D1 52E7 6233 6135 DBEF  6435 965E 159D 1F28 844B
>       created ....: 2016-04-11 11:46:27
> General key info..: pub  rsa4096/2DFC519954181296 2016-04-11 Wouter Verhelst <w at uter.be>
> sec>  rsa4096/2DFC519954181296  created: 2016-04-11  expires: never     
>                                 card-no: 0005 00004736
> ssb>  rsa4096/965E159D1F28844B  created: 2016-04-11  expires: never     
>                                 card-no: 0005 00004736
> ssb>  rsa4096/EBC4535B0557DB14  created: 2016-04-11  expires: never     
>                                 card-no: 0005 00004736
> wouter at gangtai:~$ echo "foo bar" | gpg -r 54181296 -e | gpg
> gpg: please do a --check-trustdb
> gpg: 54181296: skipped: public key already present
> gpg: encrypted with 4096-bit RSA key, ID EBC4535B0557DB14, created 2016-04-11
>       "Wouter Verhelst <w at uter.be>"
> foo bar
> wouter at gangtai:~$ echo $SSH_AUTH_SOCK 
> /run/user/1000/gnupg/S.gpg-agent.ssh
> wouter at gangtai:~$ ssh-add -l
> The agent has no identities.
>
> The interesting part of the above is that the last command (the "ssh-add
> -l" bit) actually reads from the card (I can see the cardreader LED
> flash).  It just doesn't find anything.
>
> Note: I removed the "90gpg-agent" file from Xsession.d, since it messes
> up some other SSH key setup that I have, very much in the same way that
> gnome-keyring messes up gpg-agent. With the previous version of
> gpg-agent, it was enough to just run "gpg --card-status" to start the
> agent and make the ssh key stuff work.
>
> Having to fight with all of that is pretty ironic, given that ssh-agent
> actually supports external modules through PKCS#11. Ah well.

i don't have such a device to test with, so i'm not sure how to debug
this with you, but it sounds like it may be an issue with scdaemon
itself, so i'm reassigning it there and cc'ing gniibe in the hopes that
he can provide some insight.

is the key you expect to use listed in ~/.gnupg/sshcontrol ?  I'd expect
it to be listed by its keygrip, which i think is:

    40277D42041E8A6E9AC9206FB335DDBA4B57A505

thanks for the report!

    --dkg
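The question dkg raises above is whether the card's authentication key is listed in ~/.gnupg/sshcontrol by its keygrip, since gpg-agent only offers keys named in that file over the ssh-agent protocol. The following is an added example, not code from the thread or from GnuPG: it parses the sshcontrol format as documented in gpg-agent(1) (empty lines and lines starting with `#` are ignored; each entry is a 40-hex-digit keygrip, optionally prefixed with `!` to disable it, optionally followed by a cache TTL in seconds and a flags field such as `confirm`) and reports whether a given keygrip is enabled, disabled or absent. The sample file contents are constructed; the first keygrip is the one dkg quotes, the other two are made up.

```python
"""Check whether a keygrip is enabled in gpg-agent's sshcontrol file.

Added example for the thread above; not part of GnuPG.  Format per gpg-agent(1):
  - empty lines and lines whose first non-blank character is '#' are ignored
  - an entry is: [!]<40 hex digit keygrip> [<ttl seconds> [<flags>]]
  - a leading '!' disables the entry; the flag 'confirm' asks for a confirmation
    prompt before each use.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


@dataclass
class SshControlEntry:
    keygrip: str          # 40 hex digits, normalised to upper case
    enabled: bool         # False when the line was prefixed with '!'
    ttl: Optional[int]    # cache TTL in seconds; None when the field is absent
    confirm: bool         # True when the 'confirm' flag is present
    lineno: int           # 1-based line number in the file, for diagnostics


def parse_sshcontrol(text: str) -> List[SshControlEntry]:
    """Parse the contents of an sshcontrol file into entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comment or blank line
        fields = line.split()
        grip, enabled = fields[0], True
        if grip.startswith("!"):           # '!' prefix disables the key
            enabled, grip = False, grip[1:]
        if not KEYGRIP_RE.match(grip):
            raise ValueError(f"sshcontrol line {lineno}: malformed keygrip {grip!r}")
        ttl = None
        if len(fields) > 1:
            if not fields[1].isdigit():
                raise ValueError(f"sshcontrol line {lineno}: TTL must be numeric, got {fields[1]!r}")
            ttl = int(fields[1])
        flags = set(fields[2:])
        entries.append(SshControlEntry(grip.upper(), enabled, ttl, "confirm" in flags, lineno))
    return entries


def keygrip_status(text: str, keygrip: str) -> str:
    """Return 'enabled', 'disabled' or 'missing' for the given keygrip."""
    want = keygrip.upper()
    for entry in parse_sshcontrol(text):
        if entry.keygrip == want:
            return "enabled" if entry.enabled else "disabled"
    return "missing"


# Constructed sample file contents (not a real user's sshcontrol).
SAMPLE_SSHCONTROL = """\
# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.  Comment lines and empty lines are ignored.
40277D42041E8A6E9AC9206FB335DDBA4B57A505 0

!1234567890ABCDEF1234567890ABCDEF12345678 0 confirm
  FEDCBA9876543210FEDCBA9876543210FEDCBA98 600 confirm
"""

if __name__ == "__main__":
    # Usage: python sshcontrol_check.py <keygrip>   (reads $GNUPGHOME/sshcontrol)
    home = os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg"))
    with open(os.path.join(home, "sshcontrol"), encoding="utf-8") as fh:
        print(keygrip_status(fh.read(), sys.argv[1]))
```

The keygrip to look up can be obtained from `gpg --with-keygrip --list-keys <keyid>` or from `gpg-connect-agent 'keyinfo --list' /bye`. A result of "missing" or "disabled" explains an empty `ssh-add -l` for a key that gpg-agent otherwise knows about; a result of "enabled" points the investigation back at the agent's access to the card, which is where dkg's reassignment to scdaemon heads.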