Since about F36 I have to restart pcscd every time to get my keys listed with `ssh-add -l`. It may have to do with a lock obtained by something other than pcscd (I guess gnupg), and thus fails. Maybe I’m missing something in my `~/.gnupg/scdaemon.conf`.
I’ve tried all these (also the commented ones):
```
card-timeout 300
#reader-port Yubico Yubi
disable-ccid
#pcsc-driver /usr/lib64/libpcsclite.so.1
```
But basically the problem is that lock, because the restart of pcscd is what fixes it. Not `systemctl --user restart gpg-agent.service`, but `systemctl restart pcscd`.
Does anyone have a better fix? I have a YubiKey 5 NFC.
Related issue, but also no solution:
opened 01:25AM - 13 Mar 21 UTC
closed 03:27PM - 24 Jul 21 UTC
I'm running into an issue of yubikey-agent/ssh-add -L failing to read the contents of the yubikey on each reboot, unless the pcscd.service is manually restarted. Not sure if this is a pcsc or yubikey-agent issue, however, there appear to be no errors thrown by pcscd.{service,socket}.
Installed yubikey-agent using the steps recommended for manual installation. Temporarily disabled SELinux, but the problem still persists.
`systemctl restart pcscd.service` always solves the issue, so it's not a major issue, however, a bit frustrating. I've included some debugging info below. If there is anything else I could provide to help please let me know.
```
$ uname -a
Linux $HOST 5.10.22-200.fc33.x86_64 #1 SMP Tue Mar 9 22:05:08 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
```
$ ssh-add -L
error fetching identities: agent refused operation
```
```
$ systemctl --user status yubikey-agent.service
yubikey-agent.service - Seamless ssh-agent for YubiKeys
Loaded: loaded (/home/rtmoran/.config/systemd/user/yubikey-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-03-12 20:19:31 EST; 19min ago
Docs: https://filippo.io/yubikey-agent
Main PID: 6703 (yubikey-agent)
Tasks: 7 (limit: 18707)
Memory: 1.3M
CPU: 17ms
CGroup: /user.slice/user-1000.slice/user@1000.service/yubikey-agent.service
└─6703 /usr/local/bin/yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock
Mar 12 20:19:31 rtm-fedora systemd[2139]: Started Seamless ssh-agent for YubiKeys.
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc: netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
```
```
$ systemctl status pcscd.service
pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
Active: active (running) since Fri 2021-03-12 19:57:26 EST; 44min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 1510 (pcscd)
Tasks: 18 (limit: 18707)
Memory: 4.9M
CPU: 10.454s
CGroup: /system.slice/pcscd.service
└─1510 /usr/sbin/pcscd --foreground --auto-exit
Mar 12 19:57:26 rtm-fedora systemd[1]: Started PC/SC Smart Card Daemon.
```
```
$ systemctl status pcscd.socket
pcscd.socket - PC/SC Smart Card Daemon Activation Socket
Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-03-12 19:57:26 EST; 45min ago
Triggers: ● pcscd.service
Listen: /run/pcscd/pcscd.comm (Stream)
Tasks: 0 (limit: 18707)
Memory: 0B
CPU: 0
CGroup: /system.slice/pcscd.socket
Mar 12 19:57:26 rtm-fedora systemd[1]: Listening on PC/SC Smart Card Daemon Activation Socket.
```
```
$ journalctl -b | grep -i yubikey-agent
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc: netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
```
```
$ journalctl -b | grep -i pcscd
Mar 12 19:57:26 rtm-fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pcscd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```
1 Like
Found the solution here:
https://bugzilla.redhat.com/show_bug.cgi?id=1893131
`~/.gnupg/scdaemon.conf` must contain:
```
disable-ccid
pcsc-shared
pcsc-driver /usr/lib64/libpcsclite.so.1
```
Of course make sure the path to the pcsc-driver matches. Using `rpm -ql pcsc-lite-libs | grep so` shows you where it is. The shortest one is often best, it symlinks to the current release.
In my case I could remove the pcsc-driver line, I guess the pcsc-shared option is key.
1 Like
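As an added example (not written by anyone in this thread), the shell function below reports whether the active, uncommented lines of an `scdaemon.conf` carry the options named in the fix above. The function names `scd_opt` and `check_scdaemon_conf` and the output wording are assumptions of this example, and the sample configuration is a constructed copy of the first post's file.

```shell
#!/bin/sh
# Added example, not from the thread: audit scdaemon.conf for the options discussed.

# Print the value of an active (uncommented) option; status 1 if it is absent.
scd_opt() {  # usage: scd_opt FILE OPTION
    awk -v opt="$2" '
        /^[ \t]*(#|$)/ { next }   # commented-out and blank lines do not count
        $1 == opt { found = 1; $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (!found) exit 1; print val }' "$1"
}

# Report per option; status 0 = nothing flagged, 1 = warnings, 2 = unreadable file.
check_scdaemon_conf() {  # usage: check_scdaemon_conf FILE
    chk_rc=0
    [ -r "$1" ] || { echo "MISSING $1"; return 2; }
    if scd_opt "$1" disable-ccid >/dev/null; then
        echo "OK   disable-ccid: scdaemon talks to the reader through PC/SC (pcscd)"
    else
        echo "WARN disable-ccid not set: internal CCID driver may compete with pcscd"
        chk_rc=1
    fi
    if scd_opt "$1" pcsc-shared >/dev/null; then
        echo "OK   pcsc-shared: card is opened in shared mode"
    else
        echo "WARN pcsc-shared not set: scdaemon opens the card in exclusive mode"
        chk_rc=1
    fi
    if chk_drv=$(scd_opt "$1" pcsc-driver); then
        if [ -e "$chk_drv" ]; then
            echo "OK   pcsc-driver: $chk_drv exists"
        else
            echo "WARN pcsc-driver: $chk_drv does not exist on this system"
            chk_rc=1
        fi
    else
        echo "INFO pcsc-driver not set: scdaemon's default library name is used"
    fi
    return "$chk_rc"
}

# With no argument, audit a constructed copy of the first post's configuration.
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    printf '%s\n' 'card-timeout 300' '#reader-port Yubico Yubi' 'disable-ccid' \
        '#pcsc-driver /usr/lib64/libpcsclite.so.1' > "$conf"
fi
check_scdaemon_conf "$conf" || echo "=> see the WARN lines above"
[ -n "${1:-}" ] || rm -f "$conf"
```

The GnuPG manual describes `pcsc-shared` as an option to use with care, because scdaemon otherwise assumes exclusive access to the card and caches information read from it.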
raczkow
(Krzysztof Raczkowski)
June 6, 2023, 6:01pm
3
Does it still work when you close and start Firefox again?
It starts a new process of scdaemon and breaks `gpg --card-status` for me.
I think the best solution is to remove the package opensc, which creates conflicts.
I have the following in my `.gnupg/scdaemon.conf` now:
```
card-timeout 300
disable-ccid
reader-port Yubico Yubi
```
That last line is maybe not needed. The first line is more of a preference. The disable-ccid is what matters most. I think that’s my most stable solution. Let me know if this works for you, if not I’ll see if more things are needed.
raczkow
(Krzysztof Raczkowski)
June 7, 2023, 10:35am
5
Yes, it works (I mean - removing opensc package), but it is a dirty workaround as I won’t be able to use my Yubikey’s X509 certs in Thunderbird and Firefox anymore.
Any other solutions (in scdaemon.conf) don’t work.
That is indeed unstable, reinserting the Yubikey often fixes it (for me). Luckily I don’t need those certs anymore, so for me this fixes it. Doesn’t help you of course.
raczkow
(Krzysztof Raczkowski)
June 20, 2023, 5:32pm
8
Until you open Firefox
I’ve tried every solution I found. I fixed the problem by uninstalling opensc and installing the scute library, which should replace opensc in Firefox and Thunderbird (haven’t tested it yet).
1 Like