Nitrokey3 SSH (via gpg-agent) stops working after ~3 minutes

Hi,

I tested the Nitrokey on 4 different computers (2x Fedora, 1x Ubuntu, 1x Arch Linux) for SSH authentication via gpg-agent and always ran into the same issue:

SSH public-key authentication works after plugging the Nitrokey into the PC, and then after around 3 minutes it completely stops working. I tried multiple factory resets (via gpg --edit-card) but the problem is always the same, across all computers and Linux distributions.

I did set up my new Nitrokey 3 as a GPG Smartcard for use with gpg-agent for SSH in multiple different ways:

  • RSA2048 keys generated on the device
  • RSA4096 keys generated on PC and transferred via keytocard
  • ED25519 keys generated on the device
  • ED25519 keys generated on PC and transferred via keytocard

Example:
plugging the Nitrokey in

~ ❯ ssh root@[REDACTED]
// PIN is requested and entered
root@[REDACTED]:~# echo "IT WORKS!"

After 2-4 minutes of waiting without touching anything on the computer:

~ ❯ ssh root@[REDACTED]
// No PIN dialog, nothing. The Nitrokey blinks green for a split second and then:
sign_and_send_pubkey: signing failed for RSA "cardno:000F_[REDACTED]" from agent: agent refused operation

The Nitrokey still answers to gpg --card-status sometimes !

~ ❯ lang=c gpg --card-status
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000FAEEF95980000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: [REDACTED]
Name of cardholder: [REDACTED]
Language prefs ...: [REDACTED]
Salutation .......: [REDACTED]
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 2BDE [REDACTED]
      created ....: 2024-01-24 20:18:43
Encryption key....: 8828 [REDACTED]
      created ....: 2024-01-24 20:18:43
Authentication key: 9384 [REDACTED]
      created ....: 2024-01-24 20:20:17
General key info..: pub  rsa4096/0x9B[REDACTED] 2024-01-24 [REDACTED] <[REDACTED]@[REDACTED].[REDACTED]>
sec>  rsa4096/0x9B[REDACTED]  erzeugt: 2024-01-24  verfällt: niemals   
                                  Kartennummer:[REDACTED]
ssb>  rsa4096/0x56[REDACTED]  erzeugt: 2024-01-24  verfällt: niemals   
                                  Kartennummer:[REDACTED]
ssb>  rsa4096/0x8B1[REDACTED]  erzeugt: 2024-01-24  verfällt: niemals   
                                  Kartennummer:[REDACTED]

Either removing the Nitrokey and plugging it back in or restarting pcscd immediately resolves the problem. But then it also only works for about 2-4 minutes and the same problem occurs again. A Yubikey 5 AND a GnuPG SmartCard with an external card reader using the exact same setup do work reliably on all 4 computers. So far, only the Nitrokey is kinda unusable for me as a GPG Smartcard for SSH public-key authentication. And it's 100% consistent. After 2-4 minutes, it completely stops working.

Hardware: Nitrokey 3A NFC
Operating-Systems: Fedora 38, Fedora 39, Arch Linux, Ubuntu 23.10

(probably) interesting configuration files:

~/.gnupg/gpg-agent.conf

enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl-ssh 34560000 #Tested different values. Doesn't make any difference!
max-cache-ttl-ssh 34560000 #Doesn't make any difference!
pinentry-program /usr/bin/pinentry-qt

~/.gnupg/scdaemon.conf

disable-ccid
pcsc-shared

~/.config/fish/config.fish (Shell-Configuration)

set -x GPG_TTY (tty)
set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Does anyone have an idea? In that state, the Nitrokey is not usable for me, and using it as a GPG smartcard was the only reason I bought it (not interested in FIDO or anything else).

Additional information that might be helpful for troubleshooting:

~ ❯ nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.45
v1.6.0

~❯ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.45
UUID:               [REDACTED]
Firmware version:   v1.6.0
Init status:        ok
Free blocks (int):  29
Free blocks (ext):  465
Variant:            LPC55

 ❯ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.45
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/5]   uuid            UUID query                      SUCCESS         [REDACTED]
[2/5]   version         Firmware version query          SUCCESS         v1.6.0
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus: 0>, ifs_blocks=29, efs_blocks=465, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5]   se050           SE050                           SKIPPED         Testing SE050 functionality is not supported by the device
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           SUCCESS

5 tests, 4 successful, 1 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

Any suggestions or help are appreciated. If this doesn't work reliably, the Nitrokey unfortunately is of no use for me at all.

greetings,

Koren23
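A small parser for the `gpg --card-status` output quoted above, plus a review pass over the fields a defender would look at (key sizes, PIN retry counters, KDF and UIF settings). This is an added example, not code from the original post or from Nitrokey/GnuPG; the sample text is constructed from the output shown in the post with the redacted values replaced by placeholders, and the checks encode general OpenPGP card semantics rather than anything Nitrokey-specific.

```python
"""Parse `gpg --card-status` output and flag settings worth reviewing."""
import re

# Constructed sample modelled on the post's output (German locale strings kept,
# redacted values replaced by obvious placeholders).
SAMPLE = """\
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000FAEEF95980000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: 00000000
URL of public key : [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 2BDE 0000 0000 0000
      created ....: 2024-01-24 20:18:43
"""

# "Label ....: value" lines; the label may contain dots and spaces (e.g. "Max. PIN lengths").
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z. ]*?)\s*\.*\s*:\s?(.*)$")


def parse_card_status(text):
    """Return a dict of top-level label -> value. Indented continuation lines
    (the 'created ....:' lines under each key) are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(" "):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().rstrip(". ")] = m.group(2).strip()
    return fields


def review(fields):
    """Return a list of human-readable findings about the card configuration."""
    findings = []

    # Key attributes are listed as: signature, encryption, authentication slot.
    attrs = fields.get("Key attributes", "").split()
    for slot, alg in zip(("sign", "encrypt", "auth"), attrs):
        m = re.match(r"rsa(\d+)$", alg)
        if m and int(m.group(1)) < 3072:
            findings.append(f"{slot}: {alg} is below 3072-bit RSA")

    # Retry counters are: user PIN, Reset Code, Admin PIN. A Reset Code counter
    # of 0 means no Reset Code is set, so only the Admin PIN can unblock the user PIN.
    retries = fields.get("PIN retry counter", "").split()
    if len(retries) == 3 and all(r.isdigit() for r in retries):
        user, reset, admin = map(int, retries)
        if user == 0:
            findings.append("user PIN is blocked (retry counter 0)")
        if admin == 0:
            findings.append("Admin PIN is blocked (retry counter 0)")
        if reset == 0:
            findings.append("no Reset Code set: only the Admin PIN can unblock the user PIN")

    # With KDF off the host sends the raw PIN to the card instead of a derived value.
    if fields.get("KDF setting", "").lower() == "off":
        findings.append("KDF off: PINs are sent to the card unhashed")

    # UIF (user interaction flag) off means no touch confirmation for that key slot,
    # so any process that can reach the agent can use the key without a physical tap.
    uif = dict(kv.split("=", 1) for kv in fields.get("UIF setting", "").split() if "=" in kv)
    for slot, state in uif.items():
        if state.lower() == "off":
            findings.append(f"UIF {slot}=off: no touch required for {slot.lower()} operations")

    return findings


if __name__ == "__main__":
    parsed = parse_card_status(SAMPLE)
    for finding in review(parsed):
        print("-", finding)
```

On a real machine the same functions can be fed `subprocess.run(["gpg", "--card-status"], capture_output=True, text=True).stdout` (with `LANG=C` in the environment if you want the English labels); for the card in the post, the review reports the unset Reset Code, KDF off, and touch confirmation off for all three slots, while the rsa4096 key sizes pass.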

To whom it may concern:

The problem was solved by deleting(!) the ~/.gnupg/scdaemon.conf …
I still don't understand why the Nitrokey behaves that way with those 2 configuration settings (disable-ccid and pcsc-shared), but after deleting the file, the NK has worked reliably for the past 7 hours on those computers. The main competitors' keys had no problem with that.

However, my problem seems to be solved. The RSA4096 performance of the NK3 is really REALLY slow, but that's something I can barely live with.

But isn't this expected? If we are still talking about SSH, I would recommend switching over to ed25519. (Nowadays even NIST recommends it. It's secure. And it's really fast. And it is well supported as far as I can tell from my experience with different vendors and devices. Btw, do you have any reason to use GPG for SSH and not a FIDO2 SSH token?)