gpg-agent hangs on ssh connections (macOS, Yubikey, gpg-agent, ansible/chef/puppet/wassh)

mwasilewski

19 Jun, 2019 04:18 PM

Which of our tools is giving you problems?

gpg-agent (actually it's most likely scdaemon)

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

Yubikey 5 NFC
macOS Mojave 10.14.5

$ gpg --version
gpg (GnuPG) 2.2.16
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
(...)
$ gpg-agent --version
gpg-agent (GnuPG) 2.2.16
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
(...)

Describe your problem. Add as much detail as possible.

Thanks a lot for your great work! It is much appreciated!

I've been hit by this exact issue (for some reason I'm unable to reopen it): https://gpgtools.tenderapp.com/discussions/problems/76494-gpg-agent...

Other possibly related issue: #140: https://gpgtools.tenderapp.com/discussions/problems/30646-gpg-agent...

I saw the same behavior in logs as was described in the first issue, I am able to reproduce it reliably and the fix (adding disable-ccid to my scdaemon config) worked. I'm happy to provide more info/logs if needed to address this problem.

This was incredibly frustrating. I narrowed it down to specific scenarios and it looks like the long-lasting calls to scdaemon are the most probable cause. It was particularly bad when I was using tools that were accessing a private key on a smart card in small intervals, for example, bash for loops, wassh, ansible-playbook or knife ssh. It got better if I reduced the concurrency, e.g. knife ssh -C 2, or if the commands were long-lasting (in which case there was a bigger interval between each ssh session). I can reliably reproduce it by running knife ssh -C 30 'hostname' on hundreds of hosts.

What did you expect instead

for the gpg-agent to be able to handle such an amount of requests

Describe steps leading to the problem.

Open dozens of ssh sessions in short intervals

Are you using any other Mail.app plugins?

  1. Support Staff 1 Posted by Luke Le on 24 Jun, 2019 09:42 PM

    Hi,

    we are very sorry for the problems you have been experiencing.
    Unfortunately, scdaemon can behave quite unreliably at times. We have heard from users where disable-ccid caused their cards or YubiKeys not to work at all, while others reported that it solved their problems.

    We have noticed that you are not using our version of GnuPG but homebrew's or a self-compiled one, is that correct? Have you tried using our version by any chance? We have a few minor patches, which might lead to a different result though.

    Generally when problems concerning smart card problems arise, it's best to file a bug directly with the people at GnuPG: https://dev.gnupg.org or on one of their mailing lists: https://lists.gnupg.org/pipermail/gnupg-devel/

    We are very glad to learn that you were able to solve your issue in the end.

  2. 2 Posted by mwasilewski on 02 Jul, 2019 07:38 AM

    yes, that's correct, I was using the one from homebrew. I tried with gpgtools:

    $ gpg --version
    gpg (GnuPG/MacGPG2) 2.2.10
    libgcrypt 1.8.3
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    (...)

    but unfortunately the result is the same.

    Thanks, will file a bug in the gpg tracker
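
A troubleshooting sketch for the situation described in this thread, added here as an example; it is not code from the posters, GPGTools or GnuPG. It checks whether `disable-ccid` is active in `scdaemon.conf` and fires a burst of parallel card queries, counting those that never return. The helper names `option_enabled` and `probe` are hypothetical, and using `gpg-connect-agent "scd serialno" /bye` as a stand-in for the smart-card traffic of many ssh logins is an assumption.

```python
import os
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumption: this card query stands in for the smart-card access that each
# ssh login triggers; the thread itself reproduced with `knife ssh -C 30`.
CARD_QUERY = ["gpg-connect-agent", "scd serialno", "/bye"]


def option_enabled(conf_text, option="disable-ccid"):
    """Return True if `option` is an active (uncommented) line in the config text."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines are ignored
        if line.split()[0] == option:
            return True
    return False


def probe(cmd, concurrency=30, timeout=10.0):
    """Run `cmd` `concurrency` times in parallel; count calls that returned or hung."""
    def one(_):
        try:
            subprocess.run(cmd, stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=timeout)
            return "returned"
        except subprocess.TimeoutExpired:
            return "hung"  # run() kills the child once the timeout expires

    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(one, range(concurrency)))
    return {key: results.count(key) for key in ("returned", "hung")}


if __name__ == "__main__":
    home = os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg"))
    path = os.path.join(home, "scdaemon.conf")
    text = open(path).read() if os.path.exists(path) else ""
    print("disable-ccid active:", option_enabled(text))
    print("burst of card queries:", probe(CARD_QUERY))
```

Running it before and after changing `scdaemon.conf` (and restarting scdaemon) gives a before/after count of hung calls without needing hundreds of hosts.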
