gpg-agent gets stuck when used with smartcards in ssh-agent mode

Florin Andrei's Avatar

Florin Andrei

10 Dec, 2014 11:05 PM

Which of our tools is giving you problems?

gpg-agent

Copy and past the version info of your installed software: (how to do that: http://support.gpgtools.org/kb/faq/where-can-i-find-the-version-inf...)

GPG Suite - 2014.11.Yosemite-b3.dmg
Version: 1.5b1
Build: 704b

OS X 10.10

Describe your problem. Add as much detail as possible.

I'm using gpg-agent in ssh-agent emulation mode, with a smartcard, to authenticate my ssh connections. The setup is not very coherently described here:

http://forum.yubico.com/viewtopic.php?f=26&t=1171

The smartcard is the YubiKey NEO:

https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

Short version: in gpg-agent.conf I have this:

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

And in .bash_profile I have this:

source ~/.gpg-agent-info

And then if I run ssh, it uses the private ssh key stored on the smartcard, just as if I was using ssh-agent.

But I get all sorts of weird behavior, like authentication failing, as if there's no ssh key, or the wrong key was provided. Or sometimes the ssh client gets stuck in authentication forever, until I CTRL-C it.

If any of that happens, I do "pkill gpg-agent" several times, then run "gpg-agent --daemon" once from the terminal. That seems to fix it, at least temporarily.

What did you expect instead

I can't be 100% sure, but I don't remember seeing these issues on OS X 10.9, with the older GPG Tools (whatever version was available back then for 10.9). AFAICT, authentication used to work without a hitch on 10.9

Describe steps leading to the problem.

  1. ...
  2. ...
  3. ...

If your problem concerns GPGMail, are you using any other plugins?

other Plugins go here

  1. Support Staff 1 Posted by Luke Le on 10 Dec, 2014 11:17 PM

    Luke Le's Avatar

    Hi Florin,

    thanks for reporting this issue.
    We've already looked into it some time ago, it's due to a bug in Apple's smart card framework of Yosemite, but have yet to find a workaround.

    We'll update this discussion once we know more.

  2. 2 Posted by Florin Andrei on 10 Dec, 2014 11:42 PM

    Florin Andrei's Avatar

    Thanks, I'll be waiting for updates then.

    BTW, I should mention that sometimes you also need to unplug / replug the smartcard to make it work again.

  3. 3 Posted by Emile Cantin on 11 Dec, 2014 05:57 PM

    Emile Cantin's Avatar

    I had this problem previously, but it seems to have gone away. I think the only change I made was to uninstall gpg version 1 (I had installed it with homebrew) and symlink /usr/local/bin/gpg2 to /usr/local/bin/gpg.

    It may be a direction worth exploring.

  4. 4 Posted by Florin Andrei on 11 Dec, 2014 07:13 PM

    Florin Andrei's Avatar

    Emile, that's actually what I've done at some point when running 10.9. I've uninstalled the homebrew version and installed GPG Tools. That symlink, too, I had to create it, can't remember why.

    Later I upgraded to 10.10 and that's when the trouble started.

  5. 5 Posted by Jens Vagelpohl on 14 Dec, 2014 11:51 AM

    Jens Vagelpohl's Avatar

    Hi Emile,

    I have the GPG agent getting stuck issue with only the GPG Tools installed and not the Homebrew version, and /usr/local/bin/gpg links to the gpg2 binary from the GPG Tools distribution. If you had the issue and it went away something else must have changed...

  6. 6 Posted by Florin Andrei on 16 Dec, 2014 02:34 AM

    Florin Andrei's Avatar

    I've uninstalled GPGTools, and installed gpg2 and gpg-agent 2.0.26 from Homebrew. The problems are exactly the same. Authentication works for a while, then it stops. Kill / restart gpg-agent, unplug / replug smartcard, and it works again - for an hour or two. Then it's back to kill/restart/...

    This seems related:

    http://ludovicrousseau.blogspot.com/2014/12/os-x-yosemite-and-smart...

  7. Support Staff 7 Posted by Luke Le on 16 Dec, 2014 05:10 PM

    Luke Le's Avatar

    Hi all,

    the article Florin found includes the problems you're currently seeing.
    We will try to find a way to work around using Apple's PCSC Framework And directly use pcsc-lite if possible.

  8. 8 Posted by bmorgenthaler on 17 Dec, 2014 08:49 PM

    bmorgenthaler's Avatar

    Just adding my voice here, I recently setup a YubiKey NEO for use as my GPG smart card and ssh authenticator. Unfortunately I am also running into this hang. I've tried use the homebrew gnupg2 install instead of MacGPG2 to see if that would make a different but that didn't setup the gpg-agent correctly to work with GPGMail.

  9. 9 Posted by Florin Andrei on 17 Dec, 2014 08:54 PM

    Florin Andrei's Avatar

    Workaround: kill / relaunch gpg-agent, then unplug / replug the token. Works with both GPGTools and the Homebrew gpg. It's not exactly a deal breaker, but it can be pretty annoying.

    This is the script I use, I called it "fix-gpg" and I run it quickly whenever gpg gets stuck:

    #!/bin/bash
    
    echo "kill gpg-agent"
    code=0
    while [ 1 -ne $code ]; do
        killall gpg-agent
        code=$?
        sleep 1
    done
    
    echo "kill ssh"
    killall ssh
    
    echo "kill ssh muxers"
    for pid in `ps -ef | grep ssh | grep -v grep | awk '{print $2}'`; do
        kill $pid
    done
    
    echo "restart gpg-agent"
    eval $(gpg-agent --daemon)
    
    echo
    echo "All done. Now unplug / replug the token."
    echo
    
  10. 10 Posted by Florin Andrei on 17 Dec, 2014 09:42 PM

    Florin Andrei's Avatar

    Wow, OS X 10.10 is a huge mess.

    Trying to use gpg2 to change the PIN on a smartcard, or just do gpg2 --card-status. Before that I've used another token to generate an OTP.

    Now I have a bunch of pcsc-wrapper and scdaemon processes, hanging around, unkillable. gpg2 --card-status doesn't work anymore. I guess I'll have to reboot.

    If you need to admin smartcards, either keep 10.9 around, or switch to a non-broken OS.

  11. 11 Posted by bmorgenthaler on 17 Dec, 2014 09:46 PM

    bmorgenthaler's Avatar

    Florin,

    Yeah that works pretty well except in my use case where I also have TokenLock being used to lock my system when my Yubikey isn't in place. HAH... so every time gig hangs I end up locking/unlocking my system and since I'm using the system lock functionality and not the screensaver lock it also drops network connections. Dang...

  12. 12 Posted by bmorgenthaler on 23 Dec, 2014 05:52 PM

    bmorgenthaler's Avatar

    Does anyone know if using Homebrew's GPG2 & pcsc-lite would work around this issue? I tried to use GPG2 with GPGTools but the agent didn't want to start properly for use with ssh-authentication. Most likely a configuration issue but I didn't have time to dig further into it.

  13. Support Staff 13 Posted by Luke Le on 23 Dec, 2014 06:36 PM

    Luke Le's Avatar

    We've had a very close look into the issue and unfortunately the official pcsc-lite library won't help at all, since it can't properly comminucate with OS X's pcscd daemon due to many internal changes of Apple. We've already started to work on changes to scdaemon and pcsc-wrapper which might make it possible to work around Apple's bugs.
    Once we have a version to test, we'll post it here.
    We believe the problem is happening due to a bug in PCSC which prevents the framework from properly reporting a card reset.
    If would be great if you all Could check Console.app when this is happening and let us know if you find messages related to smart card removal (SecurityServer log messages might be seen)

  14. Support Staff 14 Posted by Luke Le on 23 Dec, 2014 06:39 PM

    Luke Le's Avatar

    Could someone of you link a tutorial on how they setup smart card access in the first place?
    Since gnupg wants exclusive access to the smart card, usually some system modifications are necessary to even get it working.

  15. 15 Posted by Jens Vagelpohl on 24 Dec, 2014 07:49 AM

    Jens Vagelpohl's Avatar

    There are many different tutorials but I don't think a single one captures it all. I have used the following as a base:

    http://support.gpgtools.org/discussions/problems/12500-ssh-smartcar...

    In addition, I turned off the OS X system service for the standard ssh-agent process (use a tool such as Lingon or Launchcontrol to find and disable service "org.openbsd.ssh-agent").

  16. 16 Posted by bmorgenthaler on 06 Jan, 2015 08:13 PM

    bmorgenthaler's Avatar

    I followed a number of different tutorials, but this is the main one I was following.

    Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard

    I also followed Jens in disabling the default ssh-agent process.

  17. 17 Posted by Florin Andrei on 19 Jan, 2015 07:13 PM

    Florin Andrei's Avatar
  18. Support Staff 18 Posted by Steve on 26 Jan, 2015 11:00 PM

    Steve's Avatar

    Hi all,

    this issues should be fixed. Could you please download and install our latest nightly build and see if the problem persists. That page also has sig and SHA1 to verify the download.

    All the best, steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  19. 19 Posted by Florin Andrei on 28 Jan, 2015 11:52 PM

    Florin Andrei's Avatar

    I've been using GPG Suite-1186n.dmg from the nightlies for a while now, so far no issues. Normally on 10.10 I would start seeing issues with authentication pretty quickly - within 1 hour maybe. Now it keeps going for several hours and nothing's wrong with it.

    The smartcard bug appears to have been squashed in the nightly builds - assuming my experience is consistent with other users'. At least it's far more stable than before.

  20. Support Staff 20 Posted by Steve on 29 Jan, 2015 09:17 PM

    Steve's Avatar

    Thanks for the feedback, Florin. Great news!

  21. Steve closed this discussion on 29 Jan, 2015 09:17 PM.

  22. Florin Andrei re-opened this discussion on 30 Jan, 2015 01:43 AM

  23. 21 Posted by Florin Andrei on 30 Jan, 2015 01:49 AM

    Florin Andrei's Avatar

    I've just experienced an authentication failure that was fixed by killing/restarting gpg-agent and unplugging/replugging the smartcard token. OS X 10.10, GPGTools nightly builds, YubiKey NEO. This was after quite a long time without problems.

    I was running ansible with a filter that should have opened ssh connections to 8 instances in parallel. Instead, I got this:

    $ ansible -i /path/to/ansible/inventory -l "North Pole" -u foobar -f 100 -s -m shell -a 'cat /etc/resolv.conf' all
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
    

    After gpg-agent restart it worked just fine.

    Do you need more info, trace, debug, etc?

  24. 22 Posted by Florin Andrei on 31 Jan, 2015 01:52 AM

    Florin Andrei's Avatar

    With the nightly builds, the problem seems to occur once per day. With the beta version, it occurs like once per hour. (very approximate averages)

  25. Support Staff 23 Posted by Steve on 02 Feb, 2015 10:30 PM

    Steve's Avatar

    Hi Florin,

    could you provide as much details as possible.

    If this exactly the same problem as before or does it differ somehow? If so, how?

    Does the hang persist if you disconnect and reconnect the smartcard?

    What happens when the issue occurs and you use gpg2 --card-status ?

    From the other users who have reported the #140 issue we've heard positive feedback that the issue is no longer happening. So there's the chance that the persisting problem you are seeing is something different.

    All the best,
    steve

  26. Support Staff 24 Posted by Steve on 06 Feb, 2015 10:31 AM

    Steve's Avatar

    Florin, I'm closing this ticket. For remaining problems please open a new discussion and provide as much details as possible.

  27. Steve closed this discussion on 06 Feb, 2015 10:31 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac