Since about F36 I have to restart pcscd every time to get my keys listed with `ssh-add -l`. It may have to do with a lock obtained by something else than pcscd (I guess gnupg), and thus fails. Maybe I'm missing something in my `~/.gnupg/scdaemon.conf`.
I've tried all these (also the commented ones):
```
card-timeout 300
#reader-port Yubico Yubi
disable-ccid
#pcsc-driver /usr/lib64/libpcsclite.so.1
```
But basically the problem is that lock, because the restart of pcscd is what fixes it. Not `systemctl --user restart gpg-agent.service`, but `systemctl restart pcscd`.
Does anyone have a better fix? I have a YubiKey 5 NFC.
Related issue, but also no solution:
opened 01:25AM - 13 Mar 21 UTC
closed 03:27PM - 24 Jul 21 UTC
I'm running into an issue of yubikey-agent/ssh-add -L failing to read the contents of the yubikey on each reboot, unless the pcscd.service is manually restarted. Not sure if this is a pcsc or yubikey-agent issue, however, there appear to be no errors thrown by pcscd.{service,socket}.
Installed yubikey-agent using the steps recommended for manual installation. Temporarily disabled SELinux, but the problem still persists.
`systemctl restart pcscd.service` always solves the issue, so it's not a major issue, however, a bit frustrating. I've included some debugging info below. If there is anything else I could provide to help please let me know.
```
$ uname -a
Linux $HOST 5.10.22-200.fc33.x86_64 #1 SMP Tue Mar 9 22:05:08 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
```
$ ssh-add -L
error fetching identities: agent refused operation
```
```
$ systemctl --user status yubikey-agent.service
yubikey-agent.service - Seamless ssh-agent for YubiKeys
Loaded: loaded (/home/rtmoran/.config/systemd/user/yubikey-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-03-12 20:19:31 EST; 19min ago
Docs: https://filippo.io/yubikey-agent
Main PID: 6703 (yubikey-agent)
Tasks: 7 (limit: 18707)
Memory: 1.3M
CPU: 17ms
CGroup: /user.slice/user-1000.slice/user@1000.service/yubikey-agent.service
└─6703 /usr/local/bin/yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock
Mar 12 20:19:31 rtm-fedora systemd[2139]: Started Seamless ssh-agent for YubiKeys.
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc: netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
```
```
$ systemctl status pcscd.service
pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
Active: active (running) since Fri 2021-03-12 19:57:26 EST; 44min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 1510 (pcscd)
Tasks: 18 (limit: 18707)
Memory: 4.9M
CPU: 10.454s
CGroup: /system.slice/pcscd.service
└─1510 /usr/sbin/pcscd --foreground --auto-exit
Mar 12 19:57:26 rtm-fedora systemd[1]: Started PC/SC Smart Card Daemon.
```
```
$ systemctl status pcscd.socket
pcscd.socket - PC/SC Smart Card Daemon Activation Socket
Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-03-12 19:57:26 EST; 45min ago
Triggers: ● pcscd.service
Listen: /run/pcscd/pcscd.comm (Stream)
Tasks: 0 (limit: 18707)
Memory: 0B
CPU: 0
CGroup: /system.slice/pcscd.socket
Mar 12 19:57:26 rtm-fedora systemd[1]: Listening on PC/SC Smart Card Daemon Activation Socket.
```
```
$ journalctl -b | grep -i yubikey-agent
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc: netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
```
```
$ journalctl -b | grep -i pcscd
Mar 12 19:57:26 rtm-fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pcscd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```
Found the solution here:
https://bugzilla.redhat.com/show_bug.cgi?id=1893131
`~/.gnupg/scdaemon.conf` must contain:
```
disable-ccid
pcsc-shared
pcsc-driver /usr/lib64/libpcsclite.so.1
```
Of course, make sure the path to the pcsc-driver matches. Using `rpm -ql pcsc-lite-libs | grep so` shows you where it is. The shortest one is often best, it symlinks to the current release.
In my case I could remove the pcsc-driver line, I guess the pcsc-shared option is key.
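A check for the configuration described in the solution above, as an added example that is not part of the original posts: it reports whether `disable-ccid` and `pcsc-shared` are active (not commented out) and whether a configured `pcsc-driver` path exists. The function name `check_scdaemon_conf` is hypothetical, and the sample file is constructed from the lines in the first post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit scdaemon.conf against the fix above.
# check_scdaemon_conf is a hypothetical helper name.

# Usage: check_scdaemon_conf FILE
# Prints one finding per line; returns 0 if FILE matches the fix, 1 otherwise.
check_scdaemon_conf() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf is not readable"
        return 1
    fi
    # Options the solution requires. Commented-out lines (#...) do not count.
    for opt in disable-ccid pcsc-shared; do
        if grep -Eq "^[[:space:]]*${opt}[[:space:]]*\$" "$conf"; then
            echo "OK: $opt"
        else
            echo "MISSING: $opt"
            rc=1
        fi
    done
    # pcsc-driver is optional per the thread, but a configured path must exist.
    driver=$(sed -n 's/^[[:space:]]*pcsc-driver[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    if [ -z "$driver" ]; then
        echo "INFO: pcsc-driver not set"
    elif [ -e "$driver" ]; then
        echo "OK: pcsc-driver $driver"
    else
        echo "BAD: pcsc-driver $driver does not exist"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the active lines from the first post (no pcsc-shared).
sample=$(mktemp)
printf '%s\n' 'card-timeout 300' '#reader-port Yubico Yubi' 'disable-ccid' \
    '#pcsc-driver /usr/lib64/libpcsclite.so.1' > "$sample"
check_scdaemon_conf "$sample" || echo "=> does not match the fix"
rm -f "$sample"
```

To check a real configuration, call `check_scdaemon_conf "$HOME/.gnupg/scdaemon.conf"`.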