| Summary: | Yubico.com Yubikey NEO OTP+CCID not working for GPG | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Eric Christensen <sparks> |
| Component: | gnupg2 | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WORKSFORME | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | nmavrogi, rrelyea, sparks |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-23 21:12:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Eric Christensen
2016-08-29 15:09:36 UTC
Hmmm, if you are still having problems with gpg with pcsc-lite-ccid-1.4.10-11.el7, you are no longer running into a problem with pcsc-lite-ccid. Are you sure your card is provisioned already? Do you have the correct piv drivers installed?

bob

(In reply to Bob Relyea from comment #2)
> Are you sure your card is provisioned already? Do you have the correct piv
> drivers installed?

That's a good question. This seems to Just Work on Fedora. I know the Yubikey "card" works as I use it on my personal laptop. Do you happen to know what packages should be installed so I can check them? I'm smelling a KB article here.

Hmmm. I'm not sure I know what info I need to provide. I know the Yubikey is recognized by pcsc-lite-ccid. If there are still some issues with the application or environment, that would be a different bug in a different component.

Okay, well, it doesn't seem to be recognized on RHEL 7.2. Running 'gpg --card-status' doesn't even show the possibility of the Yubikey as a card. This works fine under Fedora 25 and I'm using the same configuration on both systems. Do you have any troubleshooting tests I could do to determine if pcsc-lite-ccid is actually seeing the device?

The patch was added to RHEL 7.3 IIRC. You need to upgrade to 7.3.

I upgraded to 7.3, pcsc-lite-ccid.x86_64 1.4.10-12.el7, and it still isn't recognizing the Yubikey.

OK, I've installed the yubikey tools and verified that the yubikey works in general:

yubico-piv-tool: can be used to add PIV applets to the card. Once PIV applets are on the card, coolkey can use the card through the PIV interface (which uses the same CCID interface as gpg).
ykpers: the yubikey personalization tool can modify the card, if run as root.
yubikey-personalization-gui: can read and modify the card as root.

https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/#configure describes how to configure the yubikey for gpg.

The yubikey command 'ykpersonalize -m36' works just fine, but the gpg portion fails with:

    gpg: OpenPGP card not available: Unsupported certificate

This appears to be an issue with the gnome-keyring. Killing 'gnome-keyring-daemon' changes the error from the above to:

    gpg-agent[23600]: Fatal: can't register GNU Pth with Libgcrypt: Not supported

In all, it looks like some issue with gnome-keyring and gpg interaction; passing off to gpg for further evaluation there. Clearing the devel_ack since it's a different component.

(In reply to Bob Relyea from comment #8)
> This appears to be an issue with the gnome-keyring. Killing
> 'gnome-keyring-daemon' changes the error from the above to:
> gpg-agent[23600]: Fatal: can't register GNU Pth with Libgcrypt: Not supported

Bob, the gpg-agent message is a problem of libgcrypt in FIPS mode; can you please install the latest libgcrypt from Brew and test further?

Now I get:

    gpg --card-status
    gpg: can't connect to the agent - trying fall back
    gpg: OpenPGP card not available: No SmartCard daemon

It seems scdaemon isn't anywhere in our RHEL-7 rpms (yum provides can't seem to find it).

It is in the gnupg2-smime subpackage shipped in the optional channel.

OK, it now works for me. You need:

    gnupg2
    gnupg2-smime
    libgcrypt-1.5.3-14.el7.x86_64

You need to kill gnome-keyring-daemon.

Once you have all that, then gpg --card-status works:

    [bob@rrelyea-rhel7 tmp]$ gpg --card-status
    gpg: can't connect to the agent - trying fall back
    Application ID ...: D2760001240102000006047149960000
    Version ..........: 2.0
    Manufacturer .....: unknown
    Serial number ....: 04714996
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

The web is full of articles about the gnome-keyring-daemon incompatibility with gpg smart card support. One example: http://www.grant-olson.net/news/2013/03/09/using-openpgp-smartcard-on-ubuntu-12-10.html

bob

Dang... killing gnome-keyring-daemon worked. *sigh* Thank you!
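The recipe the thread ends on (gnupg2 plus gnupg2-smime for scdaemon, the updated libgcrypt, and no gnome-keyring-daemon in the way) can be checked mechanically. The script below is an added example, not code from this bug, from Red Hat or from Yubico. It decodes the Application ID that gpg --card-status printed above, maps the three gpg/gpg-agent messages quoted in the thread to the fix the thread found for each, and checks a live system for scdaemon, a running gnome-keyring-daemon (or a GPG_AGENT_INFO pointing at its socket) and kernel FIPS mode. The AID field layout and the manufacturer IDs are taken from the OpenPGP card specification and are this example's assumption, not something the thread states; under that assumption 0006 is Yubico, so the decoded serial lines up with the "Serial number" line even though the gpg in the thread prints "Manufacturer: unknown" because its own table does not know the ID.

```shell
#!/bin/sh
# Added diagnostic for the symptoms in this bug; not code from the bug,
# Red Hat or Yubico. Package names (gnupg2, gnupg2-smime, libgcrypt) and
# the error strings are the ones quoted in the thread. The AID layout and
# the manufacturer table come from the OpenPGP card specification and are
# this script's assumption, not something the thread states.

# hexfield STRING FROM TO : 1-based inclusive character range (cut syntax).
hexfield() { printf '%s' "$1" | cut -c"$2-$3"; }

# openpgp_aid_decode AID
# AID = RID(5 bytes) | app(1) | version(2) | manufacturer(2) | serial(4) | RFU(2),
# printed by `gpg --card-status` as 32 hex digits.  Version digits are shown
# the way gpg shows them (leading zero of each byte dropped).
openpgp_aid_decode() {
    aid=$1
    [ "${#aid}" -eq 32 ] || { echo "AID must be 32 hex digits" >&2; return 1; }
    [ "$(hexfield "$aid" 1 10)" = "D276000124" ] || { echo "not the OpenPGP RID" >&2; return 1; }
    [ "$(hexfield "$aid" 11 12)" = "01" ] || { echo "not the OpenPGP application" >&2; return 1; }
    maj=$(hexfield "$aid" 13 14); min=$(hexfield "$aid" 15 16)
    maj=${maj#0}; min=${min#0}
    mfr=$(hexfield "$aid" 17 20)
    case $mfr in                # assumed IDs from the spec's manufacturer list
        0005) name=ZeitControl ;;
        0006) name=Yubico ;;    # the "Manufacturer: unknown" card in the thread
        FFFE|FFFF) name=test-card ;;
        *) name="unknown(0x$mfr)" ;;
    esac
    echo "version=$maj.$min manufacturer=$name serial=$(hexfield "$aid" 21 28)"
}

# gpg_card_error_hint LINE : the remedy the thread arrived at for each message.
gpg_card_error_hint() {
    case $1 in
        *"No SmartCard daemon"*)
            echo "scdaemon missing: install gnupg2-smime (RHEL 7 optional channel)" ;;
        *"can't register GNU Pth with Libgcrypt"*)
            echo "libgcrypt in FIPS mode: update libgcrypt (thread used libgcrypt-1.5.3-14.el7)" ;;
        *"Unsupported certificate"*)
            echo "gnome-keyring-daemon is answering as gpg-agent: kill it and retry" ;;
        *)  echo "no hint" ;;
    esac
}

# Live precondition checks; each prints one line and returns 1 on a problem.
check_scdaemon() {
    if command -v scdaemon >/dev/null 2>&1; then
        echo "ok: scdaemon at $(command -v scdaemon)"
    elif command -v rpm >/dev/null 2>&1 && rpm -q gnupg2-smime >/dev/null 2>&1; then
        echo "ok: gnupg2-smime installed"
    else
        echo "PROBLEM: no scdaemon; install gnupg2-smime"; return 1
    fi
}

check_gnome_keyring() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x gnome-keyring-daemon >/dev/null 2>&1; then
        echo "PROBLEM: gnome-keyring-daemon is running; kill it before gpg --card-status"; return 1
    fi
    case ${GPG_AGENT_INFO:-} in
        *keyring*) echo "PROBLEM: GPG_AGENT_INFO points at gnome-keyring: $GPG_AGENT_INFO"; return 1 ;;
    esac
    echo "ok: gnome-keyring-daemon not interposing"
}

check_fips() {
    if [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = 1 ]; then
        echo "note: kernel FIPS mode is on; the GNU Pth/libgcrypt error in the thread needed the updated libgcrypt"
    else
        echo "ok: FIPS mode off"
    fi
}

# Run the checks, then run gpg and annotate what it prints.
run_card_diagnostic() {
    check_scdaemon; check_gnome_keyring; check_fips
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 0; }
    if command -v timeout >/dev/null 2>&1; then
        out=$(timeout 15 gpg --batch --card-status 2>&1)
    else
        out=$(gpg --batch --card-status 2>&1)
    fi
    printf '%s\n' "$out" | while IFS= read -r line; do
        case $line in
            "Application ID ...:"*) echo "$line"; openpgp_aid_decode "${line##*: }" ;;
            gpg*) echo "$line  ->  $(gpg_card_error_hint "$line")" ;;
            *) echo "$line" ;;
        esac
    done
    return 0
}

run_card_diagnostic
```

Run it as the desktop user whose session would own gnome-keyring-daemon, with the Yubikey plugged in. The live checks use rpm and pgrep only where they exist and fall back to "ok" otherwise, so a missing pgrep is not evidence that gnome-keyring is absent; the decode and hint functions are pure and can be fed saved gpg output.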