FiloSottile / yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
https://filippo.io/yubikey-agent
BSD 3-Clause "New" or "Revised" License

Card cannot be accessed because of other connections #111

Open delucca opened 2 years ago

delucca commented 2 years ago

Hi!

First and foremost, congrats on the project! It is pretty good and solves a pretty big problem for me :)

I've the following setup:

I use them both a lot. My SSH key is mainly for connecting to some servers I manage, but also for pushing commits using Git. My GPG key is used both for encryption and for signing Git commits.

Anyway, I followed this guide to set up my GPG inside my Yubikey, and it works as expected. But it seems that the usage of my GPG key somehow breaks the Yubikey-agent.

Let me explain.

Every time I run git commit ... I'm prompted by my OS to type my GPG key password (from inside my Yubikey). Then, afterwards, I usually run git push, and when I do so I get an error like the following:

Load key "/home/delucca/.ssh/id_yubikey.pub": invalid format
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

After that, if I check my yubikey-agent service, I see the following:

❯ systemctl --user status yubikey-agent.service
● yubikey-agent.service - Seamless ssh-agent for YubiKeys
     Loaded: loaded (/usr/lib/systemd/user/yubikey-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-12-14 17:15:31 -03; 15s ago
       Docs: https://filippo.io/yubikey-agent
   Main PID: 568094 (yubikey-agent)
      Tasks: 8 (limit: 38436)
     Memory: 2.5M
        CPU: 7ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/yubikey-agent.service
             └─568094 yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock

dez 14 17:15:31 delucca-workstation systemd[2422]: Started Seamless ssh-agent for YubiKeys.
dez 14 17:15:35 delucca-workstation yubikey-agent[568094]: 2021/12/14 17:15:35 Connecting to the YubiKey...
dez 14 17:15:35 delucca-workstation yubikey-agent[568094]: 2021/12/14 17:15:35 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding

Even if I run systemctl --user restart yubikey-agent.service the error persists. What I need to do is physically remove the Yubikey, wait 1-2s and then plug it in again. Then I restart the Yubikey agent and my SSH key works in the git push.

After that, if I only run commands using my SSH keys (connect to a given server, fetch, push, etc) it works every time. But, as soon as I use my GPG key from within my Yubikey, the same issue happens again.

Anyone have any idea how to fix this?

Edit 1: I've just found out that the same issue happens in the other direction. If I'm using my Yubikey for the SSH key I can't sign any GPG commits, nor encrypt data (with my GPG key inside the Yubikey). I need to physically remove and insert it again in order to use it for GPG 🤔

saxonww commented 10 months ago

I run into this with another command line utility that uses the yubikey to get an SSH certificate. I added the following to my .bashrc, wrapping that utility:

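function ssh-add {
  # Bus number of the (single) Yubico device, e.g. "Bus 001" -> 1
  local _usbdev=$(lsusb | grep Yubico | awk '{x=$2+0;print x}')
  # Unbind and rebind that bus's root hub, resetting everything on the bus
  sudo sh -c "echo 'usb${_usbdev}' >/sys/bus/usb/drivers/usb/unbind"
  sudo sh -c "echo 'usb${_usbdev}' >/sys/bus/usb/drivers/usb/bind"
  sleep 1
  # Run the real utility, passing the arguments through with quoting intact
  /path/to/ssh-add "$@"
}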

This only supports one Yubico device being plugged in, but that's OK for me. It parses the lsusb output to get the bus device the yubikey is plugged into, resets that bus, sleeps a second (this could be shortened probably), then runs the utility. So far, it seems to work for me.
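A narrower variant of the reset described in the comment above, as an added example that is not part of the original thread or of yubikey-agent: it finds the YubiKey by USB vendor ID in sysfs and rebinds only that device instead of the whole bus, and refuses to act when zero or several keys are attached. The function names and the `SYSFS_USB` and `RESET_DELAY` variables are hypothetical; it assumes Yubico's vendor ID `1050` and must run as root to write to the real sysfs files.

```shell
#!/bin/sh
# Added example, not code from the thread. SYSFS_USB is overridable so the
# lookup can be exercised against a constructed directory tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb}"
YUBICO_VID="1050"   # Yubico's USB vendor ID (hex, as sysfs prints it)

# Print the sysfs name (e.g. "1-2") of every attached Yubico device, one
# per line. Interface nodes such as "1-2:1.0" have no idVendor file.
find_yubikeys() {
  for dev in "$SYSFS_USB"/devices/*; do
    [ -r "$dev/idVendor" ] || continue
    [ "$(cat "$dev/idVendor")" = "$YUBICO_VID" ] || continue
    basename "$dev"
  done
}

# Unbind and rebind one device from the generic "usb" driver, which
# re-enumerates just that device rather than every device on the bus.
reset_usb_device() {
  printf '%s' "$1" > "$SYSFS_USB/drivers/usb/unbind" || return 1
  sleep "${RESET_DELAY:-1}"
  printf '%s' "$1" > "$SYSFS_USB/drivers/usb/bind"
}

# Reset the single attached YubiKey. With zero or several keys present it
# returns 2 without touching anything, so the wrong token is never reset.
reset_yubikey() {
  keys=$(find_yubikeys)
  count=$(printf '%s\n' "$keys" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one YubiKey, found $count" >&2
    return 2
  fi
  reset_usb_device "$keys"
}
```

Sourced into a root shell, `reset_yubikey` takes the place of the two `sudo sh -c` lines in the wrapper; other devices on the same bus stay connected.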