tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/30646-gpg-agent-gets-stuck-when-used-with-smartcards-in-ssh-agent-mode
GPGTools: Discussion 2015-02-16T21:47:41Z
tag:gpgtools.tenderapp.com,2011-11-04:Comment/35513251
gpg-agent gets stuck when used with smartcards in ssh-agent mode
2014-12-10T23:05:27Z 2014-12-11T19:18:58Z
<div><p><strong>Which of our tools is giving you problems?</strong></p>
<p>gpg-agent</p>
<p><strong>Copy and paste the version info of your installed
software:</strong> (how to do that: <a href=
"http://support.gpgtools.org/kb/faq/where-can-i-find-the-version-info-of-my-installed-tools">
http://support.gpgtools.org/kb/faq/where-can-i-find-the-version-inf...</a>)</p>
<p>GPG Suite - 2014.11.Yosemite-b3.dmg<br>
Version: 1.5b1<br>
Build: 704b</p>
<p>OS X 10.10</p>
<p><strong>Describe your problem. Add as much detail as
possible.</strong></p>
<p>I'm using gpg-agent in ssh-agent emulation mode, with a
smartcard, to authenticate my ssh connections. The setup is not
very coherently described here:</p>
<p><a href=
"http://forum.yubico.com/viewtopic.php?f=26&t=1171">http://forum.yubico.com/viewtopic.php?f=26&amp;t=1171</a></p>
<p>The smartcard is the YubiKey NEO:</p>
<p><a href=
"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/">https://www.yubico.com/products/yubikey-hardware/yubikey-neo/</a></p>
<p>Short version: in gpg-agent.conf I have this:</p>
<pre>
<code>pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200</code>
</pre>
<p>And in .bash_profile I have this:</p>
<pre>
<code>source ~/.gpg-agent-info</code>
</pre>
<p>And then if I run ssh, it uses the private ssh key stored on the
smartcard, just as if I was using ssh-agent.</p>
<p>But I get all sorts of weird behavior, like authentication
failing, as if there's no ssh key, or the wrong key was provided.
Or sometimes the ssh client gets stuck in authentication forever,
until I CTRL-C it.</p>
<p>If any of that happens, I do "pkill gpg-agent" several times,
then run "gpg-agent --daemon" once from the terminal. That seems to
fix it, at least temporarily.</p>
<p><strong>What did you expect instead</strong></p>
<p>I can't be 100% sure, but I don't remember seeing these issues
on OS X 10.9, with the older GPG Tools (whatever version was
available back then for 10.9). AFAICT, authentication used to work
without a hitch on 10.9</p>
<p><strong>Describe steps leading to the problem.</strong></p>
<ol>
<li>...<br></li>
<li>...<br></li>
<li>...</li>
</ol>
<p><strong>If your problem concerns GPGMail, are you using any
other plugins?</strong></p>
<p>other Plugins go here</p></div>Florin Andrei
2014-12-10T23:17:28Z 2014-12-10T23:17:28Z
<div><p>Hi Florin,</p>
<p>thanks for reporting this issue.<br>
We've already looked into it some time ago, it's due to a bug in
Apple's smart card framework of Yosemite, but have yet to find a
workaround.</p>
<p>We'll update this discussion once we know more.</p></div>Luke Le
2014-12-10T23:42:31Z 2014-12-11T19:18:59Z
<div><p>Thanks, I'll be waiting for updates then.</p>
<p>BTW, I should mention that sometimes you also need to unplug /
replug the smartcard to make it work again.</p></div>Florin Andrei
2014-12-11T17:57:22Z 2014-12-11T17:57:25Z
<div><p>I had this problem previously, but it seems to have gone away. I
think the only change I made was to uninstall gpg version 1 (I had
installed it with homebrew) and symlink /usr/local/bin/gpg2 to
/usr/local/bin/gpg.</p>
<p>It may be a direction worth exploring.</p></div>Emile Cantin
2014-12-11T19:13:50Z 2014-12-11T19:13:51Z
<div><p>Emile, that's actually what I've done at some point when running
10.9. I've uninstalled the homebrew version and installed GPG
Tools. That symlink, too, I had to create it, can't remember
why.</p>
<p>Later I upgraded to 10.10 and that's when the trouble
started.</p></div>Florin Andrei
2014-12-14T11:51:49Z 2014-12-14T11:51:49Z
<div><p>Hi Emile,</p>
<p>I have the GPG agent getting stuck issue with only the GPG Tools
installed and not the Homebrew version, and /usr/local/bin/gpg
links to the gpg2 binary from the GPG Tools distribution. If you
had the issue and it went away something else must have
changed...</p></div>Jens Vagelpohl
2014-12-16T02:34:52Z 2014-12-16T02:34:53Z
<div><p>I've uninstalled GPGTools, and installed gpg2 and gpg-agent
2.0.26 from Homebrew. The problems are exactly the same.
Authentication works for a while, then it stops. Kill / restart
gpg-agent, unplug / replug smartcard, and it works again - for an
hour or two. Then it's back to kill/restart/...</p>
<p>This seems related:</p>
<p><a href=
"http://ludovicrousseau.blogspot.com/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html">
http://ludovicrousseau.blogspot.com/2014/12/os-x-yosemite-and-smart...</a></p></div>Florin Andrei
2014-12-16T17:10:12Z 2014-12-16T17:10:12Z
<div><p>Hi all,</p>
<p>the article Florin found includes the problems you're currently
seeing.<br>
We will try to find a way to work around using Apple's PCSC
Framework and directly use pcsc-lite if possible.</p></div>Luke Le
2014-12-17T20:49:01Z 2014-12-17T20:49:01Z
<div><p>Just adding my voice here, I recently set up a YubiKey NEO for
use as my GPG smart card and ssh authenticator. Unfortunately I am
also running into this hang. I've tried using the homebrew gnupg2
install instead of MacGPG2 to see if that would make a difference
but that didn't set up the gpg-agent correctly to work with
GPGMail.</p></div>bmorgenthaler
2014-12-17T20:54:56Z 2014-12-17T20:54:58Z
<div><p>Workaround: kill / relaunch gpg-agent, then unplug / replug the
token. Works with both GPGTools and the Homebrew gpg. It's not
exactly a deal breaker, but it can be pretty annoying.</p>
<p>This is the script I use, I called it "fix-gpg" and I run it
quickly whenever gpg gets stuck:</p>
<pre>
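<code>#!/bin/bash
# fix-gpg: reset gpg-agent and ssh after a smartcard authentication hang.

echo "kill gpg-agent"
# Repeat until killall exits 1 (no matching gpg-agent process found).
code=0
while [ 1 -ne "$code" ]; do
    killall gpg-agent
    code=$?
    sleep 1
done

echo "kill ssh"
killall ssh

echo "kill ssh muxers"
# Matches every process whose ps line contains "ssh", not only multiplexers.
for pid in $(ps -ef | grep ssh | grep -v grep | awk '{print $2}'); do
    kill "$pid"
done

echo "restart gpg-agent"
# gpg-agent --daemon prints its environment settings; eval applies them here.
eval "$(gpg-agent --daemon)"

echo
echo "All done. Now unplug / replug the token."
echo</code>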
</pre></div>Florin Andrei
2014-12-17T21:42:11Z 2014-12-17T21:42:12Z
<div><p>Wow, OS X 10.10 is a huge mess.</p>
<p>Trying to use gpg2 to change the PIN on a smartcard, or just do
gpg2 --card-status. Before that I've used another token to generate
an OTP.</p>
<p>Now I have a bunch of pcsc-wrapper and scdaemon processes,
hanging around, unkillable. gpg2 --card-status doesn't work
anymore. I guess I'll have to reboot.</p>
<p>If you need to admin smartcards, either keep 10.9 around, or
switch to a non-broken OS.</p></div>Florin Andrei
2014-12-17T21:46:58Z 2014-12-17T21:46:59Z
<div><p>Florin,</p>
<p>Yeah that works pretty well except in my use case where I also
have TokenLock being used to lock my system when my Yubikey isn't
in place. HAH... so every time gpg hangs I end up locking/unlocking
my system and since I'm using the system lock functionality and not
the screensaver lock it also drops network connections. Dang...</p></div>bmorgenthaler
2014-12-23T17:52:26Z 2014-12-23T17:52:28Z
<div><p>Does anyone know if using Homebrew's GPG2 &amp; pcsc-lite would
work around this issue? I tried to use GPG2 with GPGTools but the
agent didn't want to start properly for use with
ssh-authentication. Most likely a configuration issue but I didn't
have time to dig further into it.</p></div>bmorgenthaler
2014-12-23T18:36:13Z 2014-12-23T18:36:13Z
<div><p>We've had a very close look into the issue and unfortunately the
official pcsc-lite library won't help at all, since it can't
properly communicate with OS X's pcscd daemon due to many internal
changes of Apple. We've already started to work on changes to
scdaemon and pcsc-wrapper which might make it possible to work
around Apple's bugs.<br>
Once we have a version to test, we'll post it here.<br>
We believe the problem is happening due to a bug in PCSC which
prevents the framework from properly reporting a card reset.<br>
It would be great if you all could check Console.app when this is
happening and let us know if you find messages related to smart
card removal (SecurityServer log messages might be seen)</p></div>Luke Le
2014-12-23T18:39:00Z 2014-12-24T09:33:39Z
<div><p>Could someone of you link a tutorial on how they set up smart
card access in the first place?<br>
Since gnupg wants exclusive access to the smart card, usually some
system modifications are necessary to even get it working.</p></div>Luke Le
2014-12-24T07:49:23Z 2014-12-24T07:49:24Z
<div><p>There are many different tutorials but I don't think a single
one captures it all. I have used the following as a base:</p>
<p><a href=
"http://support.gpgtools.org/discussions/problems/12500-ssh-smartcard-authentication-with-macgpg">
http://support.gpgtools.org/discussions/problems/12500-ssh-smartcar...</a></p>
<p>In addition, I turned off the OS X system service for the
standard ssh-agent process (use a tool such as Lingon or
Launchcontrol to find and disable service
"org.openbsd.ssh-agent").</p></div>Jens Vagelpohl
2015-01-06T20:13:30Z 2015-01-06T20:13:31Z
<div><p>I followed a number of different tutorials, but this is the main
one I was following.</p>
<p><a href=
"http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/">
Offline GnuPG Master Key and Subkeys on YubiKey NEO
Smartcard</a></p>
<p>I also followed Jens in disabling the default ssh-agent
process.</p></div>bmorgenthaler
2015-01-19T19:13:50Z 2015-01-19T19:13:50Z
<div><p>Possible solution / workaround to this bug:</p>
<p><a href=
"http://support.gpgtools.org/discussions/problems/28634-gpg-agent-stops-working-after-osx-upgrade-to-yosemite#comment_35808149">
http://support.gpgtools.org/discussions/problems/28634-gpg-agent-st...</a></p></div>Florin Andrei
2015-01-26T23:00:14Z 2015-01-26T23:00:14Z
<div><p>Hi all,</p>
<p>this issue should be fixed. Could you please download and
install our latest <a href=
"https://releases.gpgtools.org/nightlies/">nightly build</a> and
see if the problem persists. That page also has sig and SHA1 to
verify the download.</p>
<p>All the best, steve</p>
<p>Disclaimer: This is a development version which has not been
thoroughly tested yet - bugs or crashes are to be expected. Thanks
for helping us test.</p></div>Steve
2015-01-28T23:52:38Z 2015-01-28T23:52:38Z
<div><p>I've been using GPG Suite-1186n.dmg from the nightlies for a
while now, so far no issues. Normally on 10.10 I would start seeing
issues with authentication pretty quickly - within 1 hour maybe.
Now it keeps going for several hours and nothing's wrong with
it.</p>
<p>The smartcard bug appears to have been squashed in the nightly
builds - assuming my experience is consistent with other users'. At
least it's far more stable than before.</p></div>Florin Andrei
2015-01-29T21:17:30Z 2015-01-29T21:17:30Z
<div><p>Thanks for the feedback, Florin. Great news!</p></div>Steve
2015-01-30T01:49:40Z 2015-01-30T13:26:31Z
<div><p>I've just experienced an authentication failure that was fixed
by killing/restarting gpg-agent and unplugging/replugging the
smartcard token. OS X 10.10, GPGTools nightly builds, YubiKey NEO.
This was after quite a long time without problems.</p>
<p>I was running ansible with a filter that should have opened ssh
connections to 8 instances in parallel. Instead, I got this:</p>
<pre>
<code>$ ansible -i /path/to/ansible/inventory -l "North Pole" -u foobar -f 100 -s -m shell -a 'cat /etc/resolv.conf' all
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
x.x.x.x | FAILED => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue</code>
</pre>
<p>After gpg-agent restart it worked just fine.</p>
<p>Do you need more info, trace, debug, etc?</p></div>Florin Andrei
2015-01-31T01:52:33Z 2015-01-31T01:52:33Z
<div><p>With the nightly builds, the problem seems to occur once per
day. With the beta version, it occurs like once per hour. (very
approximate averages)</p></div>Florin Andrei
2015-02-02T22:30:31Z 2015-02-02T22:30:31Z
<div><p>Hi Florin,</p>
<p>Could you provide as much detail as possible?</p>
<p>Is this exactly the same problem as before or does it differ
somehow? If so, how?</p>
<p>Does the hang persist if you disconnect and reconnect the
smartcard?</p>
<p>What happens when the issue occurs and you use gpg2
--card-status ?</p>
<p>From the other users who have reported the #140 issue we've
heard positive feedback that the issue is no longer happening. So
there's the chance that the persisting problem you are seeing is
something different.</p>
<p>All the best,<br>
steve</p></div>Steve
2015-02-06T10:31:58Z 2015-02-06T10:31:58Z
<div><p>Florin, I'm closing this ticket. For remaining problems please
open a new discussion and provide as much detail as possible.</p></div>Steve
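The symptoms reported in this thread (ssh stuck in authentication, or failing as if no key were offered) can be told apart with a time-bounded probe of the agent before deciding to restart it. The script below is an added example, not code from the thread or from GPGTools; the function names `run_with_timeout` and `agent_state` and the use of status 124 for a timeout are assumptions made here.

```bash
#!/bin/bash
# Added example (not from the thread): probe the ssh-agent socket that
# gpg-agent serves and report whether it answers, offers keys, or hangs.
# Function names and the 124 "timed out" status are choices made here.

# run_with_timeout SECONDS CMD...: status of CMD, or 124 if it was killed.
run_with_timeout() {
    local limit=$1 pid waited=0
    shift
    "$@" >/dev/null 2>&1 &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$limit" ]; then
            kill -9 "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 124
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid"
}

# agent_state SECONDS [PROBE...]: prints ok, no-keys, unreachable or hung.
# Default probe is `ssh-add -l`: exit 0 lists keys, 1 means the agent
# answered without identities, 2 means the agent could not be contacted.
agent_state() {
    local limit=$1 rc=0
    shift
    [ "$#" -gt 0 ] || set -- ssh-add -l
    run_with_timeout "$limit" "$@" || rc=$?
    case $rc in
        0)   echo ok ;;
        1)   echo no-keys ;;
        124) echo hung ;;
        *)   echo unreachable ;;
    esac
}

# Run as "script probe [SECONDS]" to check the live agent.
if [ "${1:-}" = "probe" ]; then
    agent_state "${2:-5}"
fi
```

A result of `hung` or `no-keys` while the token is plugged in corresponds to the two failure modes described in the first post; `ok` means the card's key is being offered.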