On 2019-08-09 09:08:35, NIIBE Yutaka wrote: > Antoine Beaupre <[email protected]> wrote: >> When I login in the morning, my Yubikey setup fails to let me connect >> to remove SSH servers: > > How do you invoke gpg-agent? If it is through your first SSH > invocation, gpg-agent wouldn't know the place where to ask PIN (TTY and > DISPLAY).
I don't directly invoke it. It might be through the first SSH connexion, or earlier (see below). But it's running under `systemd --user`. > You can check if you can use your tokan with SSH after your first > invocation of: > > $ gpg --card-status > > or > > $ gpg-connect-agent UPDATESTARTUPTTY /bye > > Then, that's the case. `gpg --card-status` works, as I said. > gpg-agent should know the place where to ask PIN (TTY and DISPLAY), and > it is told by gpg frontend or gpg-connct-agent. But in the case of SSH > (external/foreign program), there is no such mechanism telling the > place. Oh god, that TTY thing. I have this in my .bashrc because of problems with GPG on that front: # see http://bugs.debian.org/719908 export GPG_TTY=$(tty) I have no idea what it does or why it matters. It might be related. It wouldn't explain why this suddenly started failing. You know what, now that I think of it, one thing that changed recently in my startup sequence, and that might affect this, is this: | .config/systemd/user/{multi-user.target.wants => default.target.wants}/smd-pull.service | 0 This is me switching my "systemd --user"-level services from `multi-user.target` (which does nothing) to `default.target` (which does start services on session start. This peculiar service is something that connects over SSH to fetch my mail. It *might* try to talk to the Yubikey and fire up GPG agent (maybe even before Xorg comes up, and definitely before the Yubikey is entered). This might be the actual trigger for this problem I'll test this (and an older version of GPG) to see if I can backtrack the issue. >> aoû 08 09:51:37 curie gpg-agent[3298]: smartcard signing failed: Ioctl() >> inapproprié pour un périphérique >> aoû 08 09:51:37 curie gpg-agent[3298]: ssh sign request failed: Ioctl() >> inapproprié pour un périphérique <Pinentry> > > If it is "Inappropriate ioctl for device", it means that pinentry failed > because of no place to ask. Thanks! That's very useful information, although I can't help but think that a better error message would be useful here.. ;) >> Once gpg-agent is restarted, the Yubikey works fine again. And that >> is, even if it's unplugged and plugged back in again. > > For me, it sounds like... it is your first invocation of SSH (by systemd > watching the socket), which invokes gpg-agent. For what it's worth, gpg-agent runs as "supervised" here, i.e. it seems to be under the control of `systemd --user`. Not sure what that means, but when it's running, it's running under systemd and I can restart it with `systemctl --user restart gpg-agent`. But thanks for all the great information, I have a lot of things to move forward with now! A. -- Uncompromising war resistance and refusal to do military service under any circumstances. - Albert Einstein
