Yubico / yubico-piv-tool

Command line tool for the YubiKey PIV application
https://developers.yubico.com/yubico-piv-tool
BSD 2-Clause "Simplified" License

Using ykcs11 and openpgp card on 4 nano #86

Closed baloo closed 8 years ago

baloo commented 8 years ago

Using both an ssh-agent and a gpg-agent.

I have an ssh key configured like this:

$ yubico-piv-tool -a list-readers
Yubico Yubikey 4 U2F+CCID 00 00
$ yubico-piv-tool -a status
CHUID:  No data available
CCC:    No data available
Slot 9a:    
    Algorithm:  RSA2048
    Subject DN: CN=[redacted]
    Issuer DN:  CN=[redacted]
    Fingerprint:    [redacted]
    Not Before: Apr 25 00:41:48 2016 GMT
    Not After:  Apr 20 00:41:48 2036 GMT

This works fine with an ssh key like this:

ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so
Enter passphrase for PKCS#11: 
Card added: /usr/lib/x86_64-linux-gnu/libykcs11.so

But, when I try to connect the gpg-agent to the yubikey as well, it gets stuck:

$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
^C

I'm forced to remove the ssh-key:

$ ssh-add -e /usr/lib/x86_64-linux-gnu/libykcs11.so
Card removed: /usr/lib/x86_64-linux-gnu/libykcs11.so
$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  04 02 07 90 00                                     .....           
OK

And then I'm unable to use both gpg and ssh again:

$ ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so
Enter passphrase for PKCS#11: 
Could not add card "/usr/lib/x86_64-linux-gnu/libykcs11.so": agent refused operation
$ yubico-piv-tool -a status
Failed to connect to reader.

I'm using a yubikey 4 nano (bought in April 16, one revision late I believe) and:

$ dpkg -l | grep -e yubi -e ykcs -e ssh -e gnupg
ii  gnupg                                2.1.14-5                             amd64        GNU privacy guard - a free PGP replacement
ii  gnupg-agent                          2.1.14-5                             amd64        GNU privacy guard - cryptographic agent
ii  openssh-client                       1:7.3p1-1                            amd64        secure shell (SSH) client, for secure access to remote machines
ii  ykcs11                               1.4.2-1                              amd64        PKCS#11 module for the YubiKey PIV applet
ii  yubico-piv-tool                      1.4.2-1                              amd64        Command line tool for the YubiKey PIV applet

Am I missing something? I'd really like to be able to use both at the same time :(

a-dma commented 8 years ago

Unfortunately it's not really possible to use those two together.

The problem is that gpg-agent claims the device in exclusive mode, meaning that no other application can access it. This is by design according to GnuPG. What they suggest is for applications to go through scdaemon or to kill gpg-agent.
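
As an added example (not part of this thread or of the yubico-piv-tool project), a small POSIX shell triage script that classifies the `yubico-piv-tool -a status` output into the two states shown above and says which agent to release first; the sample outputs are constructed from the issue, and the libykcs11 path is left as a placeholder.

```shell
#!/bin/sh
# Triage helper for a YubiKey shared between ssh-agent (libykcs11) and gpg-agent.
# Constructed sample outputs, modelled on the two states seen in the issue.
SAMPLE_FREE='CHUID:  No data available
CCC:    No data available
Slot 9a:
    Algorithm:  RSA2048'
SAMPLE_LOCKED='Failed to connect to reader.'

# classify_piv_status OUTPUT: print "free", "locked" or "unknown" for the text
# that `yubico-piv-tool -a status` printed.
classify_piv_status() {
  case "$1" in
    *"Failed to connect to reader."*) echo locked ;;
    *"Slot 9"*|*"CHUID:"*)            echo free ;;
    *)                                echo unknown ;;
  esac
}

# scdaemon_running: succeed if gpg-agent's smart-card daemon has a process.
scdaemon_running() {
  command -v pgrep >/dev/null 2>&1 && pgrep -x scdaemon >/dev/null 2>&1
}

# recommend STATUS SCD(yes|no): print the next step for the two-agent setup.
recommend() {
  case "$1:$2" in
    locked:yes) echo "scdaemon holds the reader exclusively: run 'gpgconf --kill scdaemon', then 'ssh-add -s <path-to-libykcs11.so>'" ;;
    locked:no)  echo "reader busy but no scdaemon running: another CCID client holds it; 'ssh-add -e <path-to-libykcs11.so>' releases the ssh-agent session" ;;
    free:*)     echo "reader is free for libykcs11; run 'ssh-add -e <path-to-libykcs11.so>' before letting gpg-agent claim the card" ;;
    *)          echo "reader state unknown; inspect the 'yubico-piv-tool -a status' output by hand" ;;
  esac
}

# diagnose: run the real status command (needs yubico-piv-tool and a YubiKey).
diagnose() {
  out=$(yubico-piv-tool -a status 2>&1 || true)
  state=$(classify_piv_status "$out")
  if scdaemon_running; then scd=yes; else scd=no; fi
  echo "piv reader: $state, scdaemon: $scd"
  recommend "$state" "$scd"
}

# Invoke as `sh triage.sh run` to query the real reader; sourcing it only defines the functions.
if [ "${1:-}" = "run" ]; then diagnose; fi
```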

baloo commented 8 years ago

:( and now I'm sad!