gnupg and ssh interaction somehow broken (card reader with pinpad)


gnupg and ssh interaction somehow broken (card reader with pinpad)

GnuPG - User mailing list
Dear all,

I'd appreciate some advice. I recently returned from a year abroad to my
trusted hardware, and it seems an upgrade of gpg in the meantime broke things.

Setup:
* OpenPGP card with S, E, A subkeys; using both gnupg and ssh with the card
* SPR532 USB card reader with pinpad

~/.bashrc (after consultation of the list archives):
export GPG_TTY=$(tty)   # exported so gpg and gpg-connect-agent see it, as in the gpg-agent manual
gpg-connect-agent updatestartuptty /bye >/dev/null
unset SSH_AGENT_PID
unset SSH_ASKPASS
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Symptoms:

1) first, sign something (e.g. detached file signature): works as expected
(pinentry window pops up, pin entered on keypad)
2) then, use ssh with pubkey authentication: pinentry window pops up, pin is
not accepted ("wrong beep")

alternatively (after removing card, unpowering reader, plugging reader and
card back in)

1) gpg --card-status finds the card and starts the agent
2) use ssh with pubkey authentication: pinentry window pops up, pin is
accepted, works
3) then, sign something: pinentry window pops up, pin is not accepted ("wrong
beep")

Here's an excerpt from the debug log:

2021-03-15 19:41:01 gpg-agent[12004] starting a new PIN Entry
2021-03-15 19:41:01 gpg-agent[12004] DBG: connection to PIN entry established
2021-03-15 19:41:01 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:05 gpg-agent[12004] DBG: agent_cache_housekeeping
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- INQUIRE
DISMISSPINPADPROMPT
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- ERR 100663351 Invalid
value <SCD>
2021-03-15 19:41:06 gpg-agent[12004] smartcard signing failed: Invalid value

Any clue what's happening?

TIA,
Andreas

--
Andreas K. Hüttel
[hidden email]
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

GnuPG - User mailing list
On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:

> 3) then, sign something: pinentry window pops up, pin is not accepted ("wrong
> beep")

We need a log from the scdaemon.  Put

--8<---------------cut here---------------start------------->8---
log-file /somewhere/scd.log
verbose
debug ipc,reader
--8<---------------cut here---------------end--------------->8---

into scdaemon.conf.  You may also want to add debug-pinentry to
gpg-agent.conf.  Then

  gpgconf --kill scdaemon

or

  gpgconf --kill all


Which gnupg version are you running?


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Andreas K. Huettel-2
On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > 3) then, sign something: pinentry window pops up, pin is not accepted
> > ("wrong beep")
>
> We need a log from the scdaemon.  

Here's the critical part from the scdaemon log, when signing fails in step 3:

2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
2021-03-17 16:15:37 scdaemon[4932] verify CHV1 failed: Invalid value
2021-03-17 16:15:37 scdaemon[4932] operation sign result: Invalid value
2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Invalid value
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

[Not being familiar with the details, I don't know if I can post the full log
here or if it contains sensitive data.]

> Which gnupg version are you running?

huettel@kailua ~ $ gpg --version
gpg (GnuPG) 2.2.25
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/huettel/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


If I do gpg signing a file first and ssh later, this is the detail when after
successful signing the ssh command fails:

2021-03-17 16:28:49 scdaemon[26257] DBG: dismiss pinpad entry prompt
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- END
2021-03-17 16:28:49 scdaemon[26257] verify CHV2 failed: Invalid value
2021-03-17 16:28:49 scdaemon[26257] operation auth result: Invalid value
2021-03-17 16:28:49 scdaemon[26257] app_auth failed: Invalid value
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- RESTART
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> OK


--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
e-mail [hidden email]
http://www.akhuettel.de/
http://www.physik.uni-r.de/forschung/huettel/
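An added helper script, not code from the thread or from GnuPG, that scripts the two halves of this exchange: Werner's request to switch on scdaemon/gpg-agent logging and restart the daemons, and the reading of the failing log lines posted above (it also covers the deeper `debug cardio`/`debug-ccid-driver` level, and its PIN-exposure caveat, from Werner's later reply). The config and log paths, the sample log (an English-language copy of the excerpt above, constructed for the demo) and the small lookup table in `decode_gpg_err` are assumptions of the example, not anything taken from the posts.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): enable the scdaemon and
# gpg-agent logging asked for above without duplicating config lines, restart
# the daemons, and decode the "-> ERR <number>" lines from a scdaemon log.
# Assumptions: GNUPGHOME defaults to ~/.gnupg, the log path is arbitrary.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
SCD_LOG="${SCD_LOG:-$GNUPGHOME/scd.log}"

# Append line "$2" to config file "$1" unless that exact line is already there.
ensure_option() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Level "ipc" is what the first reply asks for.  Level "cardio" adds the
# card I/O and CCID tracing from the later reply; with disable-pinpad in
# effect that level writes the PIN itself into the log, so only use it with
# a pinpad reader or with a PIN you will change afterwards.
enable_scd_debug() {
    home=$1; log=$2; level=${3:-ipc}
    ensure_option "$home/scdaemon.conf" "log-file $log"
    ensure_option "$home/scdaemon.conf" "verbose"
    ensure_option "$home/scdaemon.conf" "debug ipc,reader"
    ensure_option "$home/gpg-agent.conf" "debug-pinentry"
    if [ "$level" = cardio ]; then
        ensure_option "$home/scdaemon.conf" "debug cardio"
        ensure_option "$home/scdaemon.conf" "debug-ccid-driver"
    fi
}

# The running daemons only re-read their config after a restart.
restart_gnupg() {
    gpgconf --kill all
}

# libgpg-error packs an error as (source << 24) | code: bits 24-30 name the
# component that raised it, the low 16 bits are the error code.  Only the
# sources and codes relevant here are spelled out; others print numerically.
decode_gpg_err() {
    err=$1
    src=$(( (err >> 24) & 127 ))
    code=$(( err & 65535 ))
    case $src in
        2) sname=GPG ;; 4) sname=GPGAGENT ;; 6) sname=SCD ;; *) sname="source$src" ;;
    esac
    case $code in
        55) cname="GPG_ERR_INV_VALUE (Invalid value)" ;;
        87) cname="GPG_ERR_BAD_PIN (Bad PIN)" ;;   # what a mistyped PIN reports
        *)  cname="code $code" ;;
    esac
    printf '%s %s\n' "$sname" "$cname"
}

# Constructed sample log in the shape of the excerpt posted above (one failed
# signing attempt, English message text), used by the demo and the test.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
2021-03-17 16:15:37 scdaemon[4932] verify CHV1 failed: Invalid value
2021-03-17 16:15:37 scdaemon[4932] operation sign result: Invalid value
2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Invalid value
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK
EOF
}

# One line per failed card operation: "<op> <CHVn> <source> <code>".
# On the OpenPGP card CHV1 guards signing and CHV2 the auth/decrypt keys; a
# mistyped PIN is reported as Bad PIN, so any other code points at the
# reader or pinpad path rather than at the PIN that was typed.
summarize_scd_log() {
    op=""; chv=""
    while IFS= read -r line; do
        case $line in
            *" verify CHV"*" failed: "*)
                chv=${line#* verify }; chv=${chv%% failed*} ;;
            *" operation "*" result: "*)
                op=${line#* operation }; op=${op%% result*} ;;
            *" -> ERR "*)
                num=${line#* -> ERR }; num=${num%% *}
                printf '%s %s %s\n' "${op:-unknown-op}" "${chv:-no-CHV}" "$(decode_gpg_err "$num")"
                op=""; chv="" ;;
        esac
    done < "$1"
}

# Usage: sh scd-debug.sh enable [cardio]     add options, restart daemons
#        sh scd-debug.sh summarize scd.log   decode failures from a log
#        sh scd-debug.sh demo                run on the constructed sample
case "${1-}" in
    enable)    enable_scd_debug "$GNUPGHOME" "$SCD_LOG" "${2:-ipc}"; restart_gnupg ;;
    summarize) summarize_scd_log "$2" ;;
    demo)      tmp=$(mktemp); write_sample_log "$tmp"; summarize_scd_log "$tmp"; rm -f "$tmp" ;;
esac
```

`demo` prints `sign CHV1 SCD GPG_ERR_INV_VALUE (Invalid value)`, the same decoding that libgpg-error's own `gpg-error 100663351` command gives; the second excerpt in the post above, fed through `summarize`, decodes to `auth CHV2` with the same error, which is the point worth noticing: both operations fail at PIN verification with "Invalid value", not "Bad PIN".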

Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Klaus Ethgen
Hi Andreas,

On Wed, 17 Mar 2021 at 16:31, Andreas K. Huettel wrote:

> On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > ("wrong beep")
> >
> > We need a log from the scdaemon.  
>
> Here's the critical part from the scdaemon log, when signing fails in step 3:
>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> 2021-03-17 16:15:37 scdaemon[4932] verify CHV1 failed: Invalid value
> 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Invalid value
> 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Invalid value
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK
Could it be that the agent and GnuPG have grossly different versions?

gpg-agent --version
/usr/lib/gnupg/scdaemon --version

Regards
   Klaus
--
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Andreas K. Huettel-2
On Wednesday, 17 March 2021, 20:52:26 CET, Klaus Ethgen wrote:

> Hi Andreas,
>
> On Wed, 17 Mar 2021 at 16:31, Andreas K. Huettel wrote:
> > On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> > > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > > ("wrong beep")
> > >
> > > We need a log from the scdaemon.
> >
> > Here's the critical part from the scdaemon log, when signing fails in step
> > 3:
> >
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> > 2021-03-17 16:15:37 scdaemon[4932] verify CHV1 failed: Invalid value
> > 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Invalid value
> > 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Invalid value
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Invalid value <SCD>
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK
>
> Could it be that the agent and GnuPG have grossly different versions?
>
> gpg-agent --version
> /usr/lib/gnupg/scdaemon --version
I'm pretty sure they didn't have different versions, sorry.
(I rebooted the machine a few minutes earlier because of a kernel update.)

huettel@kailua ~ $ /usr/libexec/scdaemon --version
scdaemon (GnuPG) 2.2.25
libgcrypt 1.8.6
libksba 1.3.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
huettel@kailua ~ $ gpg-agent --version
gpg-agent (GnuPG) 2.2.25
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail [hidden email]
http://www.akhuettel.de/


Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Andreas K. Huettel-2
On Wednesday, 17 March 2021, 21:07:16 CET, Andreas K. Huettel wrote:
>
> I'm pretty sure they didn't have different versions, sorry.
> (I rebooted the machine a few minutes earlier because of a kernel update.)
>

OK now it's getting very strange.

On a second PC with the same reader hardware model, the same gpg version, and
the same chipcard, things work perfectly fine.

Could this be a hardware defect (i.e., reader was too long in the sun)?

--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail [hidden email]
http://www.akhuettel.de/


Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

GnuPG - User mailing list
Andreas K. Huettel wrote:

> On Wednesday, 17 March 2021, 21:07:16 CET, Andreas K. Huettel wrote:
>  
>> I'm pretty sure they didn't have different versions, sorry.
>> (I rebooted the machine a few minutes earlier because of a kernel update.)
> OK now it's getting very strange.
>
> On a second PC with the same reader hardware model, the same gpg version, and
> the same chipcard, things work perfectly fine.
>
> Could this be a hardware defect (i.e., reader was too long in the sun)?
>  

Can you swap the readers between the two computers and see if the
problem follows the suspected-bad reader?


-- Jacob



Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Ángel
In reply to this post by Andreas K. Huettel-2
On 2021-03-17 at 21:16 +0100, Andreas K. Huettel wrote:
>
> OK now it's getting very strange.
>
> On a second PC with the same reader hardware model, the same gpg
> version, and
> the same chipcard, things work perfectly fine.
>
> Could this be a hardware defect (i.e., reader was too long in the
> sun)?

I don't think so. You report that the first program which uses the card
(either gpg or ssh) "keeps" it, and the other is unable to (btw, would
e.g. a second sign work?). This looks like the first one locks use of
the card.
May gpg and ssh be launching separate scdaemon instances? Does it help
if you use --card-timeout in the scdaemon config?



Re: [EXT] Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

Andreas K. Huettel-2
In reply to this post by GnuPG - User mailing list
>
> Can you swap the readers between the two computers and see if the
> problem follows the suspected-bad reader?
>

Possible as last resort, I'd rather figure this out some other way though.

--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail [hidden email]
http://www.akhuettel.de/


Re: gnupg and ssh interaction somehow broken (card reader with pinpad)

GnuPG - User mailing list
In reply to this post by Andreas K. Huettel-2
On Wed, 17 Mar 2021 16:31, Andreas K. Huettel said:
> 2021-03-17 16:15:37 scdaemon[4932] verify CHV1 failed: Invalid value
> [Not being familiar with the details, I don't know if I can post the full log
> here or if it contains sensitive data.]

At that debug level it is okay.  However with a higher debug level
(debug cardio) the log would show your PIN if you have used
disable-pinpad.  With a pinpad it won't show it, of course.

> gpg (GnuPG) 2.2.25

We fixed a reader bug in 2.2.26 which also changed how the SPR532 is
accessed.  See https://dev.gnupg.org/T5167 - Thus you better update to
the latest version first.

If you want to debug things, put

debug cardio
debug-ccid-driver

into scdaemon.conf, kill and retry.  You may send the log to me by PM; I
would then only share it with my colleague Gniibe.


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
