OpenPGP card not available: No such device

The problem is the following: I boot the machine, auto-login into the regular user account and open a terminal (PureOS). The command $ gpg --card-status shows the Nitrokey details as expected. With $ su admin-user (poldi PAM) I switch to the admin account. The PIN is requested. So far everything works. But when I now type $ gpg --card-status again, I get:

gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
Or

$ sudo apt update
can't connect to '/home/admin/.gnupg/S.gpg-agent': Connection refused
scdaemon[12703]: ccid open error: skip
scdaemon[12703]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
Insert authentication card for user 'admin'
scdaemon[12703]: ccid open error: skip
scdaemon[12703]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
scdaemon[12703]: scdaemon (GnuPG) 2.2.12 stopped

Hi!

There might be a conflict in access to the smart card via the scdaemon process. It is started per user. You can kill / try to disable the scdaemon service, and run gpg --card-status while being root.

It looks as if the scdaemon hangs after login, but I can't say that with certainty either. As @szszszsz already wrote, it is probably worth killing the scdaemon and/or gpg-agent.

pkill gpg-agent

Thanks for your attention. Here are more observations:

Whether or not I kill gpg-agent and scdaemon with "$ pkill gpg-agent" and "$ pkill scdaemon" and check with "$ pgrep",

"$ gpg --card-status" never shows results in the admin account.

If I return to the user account, then "$ gpg --card-status" works.
Most of the time, when I then return to the admin account, the PIN is also asked again. Sometimes not:

“$ su admin”
scdaemon[2085]: ccid open error: skip
scdaemon[2085]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
Bitte Authentifikationskarte für Benutzer ‘admin’ einlegen
scdaemon[2085]: ccid open error: skip
scdaemon[2085]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
scdaemon[2085]: scdaemon (GnuPG) 2.2.12 angehalten

In such cases, playing with "pkill gpg-agent", "pkill scdaemon" and systemctl stop/start pcscd.service changes this and the PIN is asked again.

In the admin account, "$ gpg --card-status" leads to "… no such device" and, e.g., "$ sudo apt update" never leads to a PIN request.

“$ sudo apt update”
can't connect to '/home/admin/.gnupg/S.gpg-agent': Connection refused
scdaemon[2537]: ccid open error: skip
scdaemon[2537]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
Insert authentication card for user 'admin'
scdaemon[2537]: ccid open error: skip
scdaemon[2537]: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
scdaemon[2537]: scdaemon (GnuPG) 2.2.12 stopped

What else could I share, check or look into?

Thanks for your efforts. Much appreciated.

It looks to me as if something messed with your gnupg configuration for the admin folder. I do not know what is happening there, but if scdaemon is complaining right after using "su admin", then something must be trying to access gnupg features and the smart card keys right away. What this might be I can only speculate on, as I do not know your configuration. Maybe you did some pam.d stuff? Maybe you changed some configuration files inside /home/admin/.gnupg? …

What I tried:

Delete all existing .gnupg folders. In the admin account, import the public key and run gpg --card-status in the terminal.

Observations:

When I log into the admin account, the Nitrokey is always detected. Authenticating always works (login, sudo), and gpg --card-status always shows the card.

Logging into the user account, gpg --card-status in the terminal always shows the card. su admin usually works and the PIN is requested. In the user account, GUI admin password requests always ask for the PIN and work.

Only after I have successfully logged into the admin account via su admin and then do sudo or gpg --card-status is the Nitrokey not detected.

In PAM I have:

$ sudo nano /etc/pam.d/common-auth

auth    [success=2 default=ignore]              pam_poldi.so
auth    [success=1 default=ignore]              pam_unix.so	nullok_secure
auth    requisite                               pam_deny.so
auth    required                                pam_permit.so
auth    optional                                pam_cap.so

$ sudo nano /etc/poldi/localdb/users
D27611112411121111151111365E1111 admin

$ sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27611112411121111151111365E1111" "SCD READKEY --advanced OPENPGP.3" /bye'
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
OK 

Kind regards,

It might be worth investigating whether GnuPG is adjusted to work with scdaemon under root at all.

Okay, so you did use pam.d, great, because then I am quite confident the error is somewhere there, as it makes sense that after switching to the user you immediately get the error message. So… we need to find out why :smile:

I am not sure what you mean by that. Are you trying to tell me that scdaemon generally does not like running as root? As far as I understand, the root account is just called "admin" under PureOS, so that could be a hint…

Thanks for your replies. I am not sure about the next step. I have set up a fresh PureOS in GNOME Boxes and this is what I do and observe with regard to the 'no such device' issue:

:: PureOS fresh setup (gnome boxes)

:: Login as Admin
$ sudo apt install nitrokey-app
$ sudo apt-get install libpam-poldi
$ sudo su
gpg --import /home/admin/public.key
gpg --card-status
:: Card is detected
nano /etc/poldi/localdb/users
D276000124010304000400009A000000 admin
ls -l /root/.gnupg/
sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D276000124010304000400009A000000" "SCD READKEY --advanced OPENPGP.3" /bye'
OK
nano /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_poldi.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

reboot
:: Made sure Nitrokey USB-redirection is still active

:: Login as Admin
$ sudo apt update
Insert authentication card for user 'admin'
Trying authentication as user 'admin'...
Please unlock the card

Number: 0004 00009A00
Holder:

$ gpg --card-status
:: Card is detected

$ sudo reboot
:: PIN is being asked and accepted, reboots
:: Made sure Nitrokey USB-redirection is still active

:: Login as regular User
$ su admin
scdaemon[3336]: ccid open error: skip
Insert authentication card for user 'admin'
scdaemon[3336]: ccid open error: skip
Trying authentication as user 'admin'...
scdaemon[3336]: DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0004 00009A00%0AHolder: ’
Please unlock the card

Number: 0004 00009A00
Holder:

$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

:: I'm very motivated to understand this issue. Best regards

After further attempts it turns out that, as you indicated right at the start, killing gpg-agent with pkill gpg-agent solves the issue temporarily.

Log into the admin account, then kill gpg-agent. With this, gpg --card-status works, as does sudo something, and the PIN is requested. At some point, running systemctl start pcscd also appears to be necessary.

How could this be solved permanently?

Kind regards,

I did the following:

$ sudo nano /home/$username/.gnupg/scd-event
#!/bin/sh
# ~/.gnupg/scd-event
# scdaemon runs this hook on card state changes; the state name
# (NOCARD, PRESENT, USABLE, ACTIVE) arrives as the 8th argument.

state=$8

if [ "$state" = "NOCARD" ]; then
    pkill -9 scdaemon
fi

Now it looks as if the problem has been solved.

2 Likes
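The hook above relies on the state being the 8th positional argument. As an added example (not code from the thread or from GnuPG), the following variant reads the state from the named --status option instead, so it keeps working if scdaemon's argument order changes, and only signals the calling user's own scdaemon. scdaemon invokes the hook as "scd-event --reader-port N --old-code 0x.. --new-code 0x.. --status STATE"; the SCD_EVENT_DRY_RUN variable is a hypothetical switch introduced here for testing, not a GnuPG option.

```shell
#!/bin/sh
# Added example: ~/.gnupg/scd-event that parses the --status option by name.
# Assumed invocation by scdaemon:
#   scd-event --reader-port N --old-code 0x.. --new-code 0x.. --status STATE
# STATE is one of NOCARD, PRESENT, USABLE or ACTIVE.
# SCD_EVENT_DRY_RUN=1 (hypothetical, for testing) logs instead of signalling.

# Print the value following --status, or UNKNOWN if it is absent.
scd_event_state() {
    while [ $# -gt 1 ]; do
        if [ "$1" = "--status" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    printf 'UNKNOWN\n'
}

# Act on the event. Returns 0 when the recovery action was taken (or would
# have been taken in dry-run mode), 1 for every other state.
scd_event_handle() {
    state=$(scd_event_state "$@")
    case "$state" in
        NOCARD)
            if [ "${SCD_EVENT_DRY_RUN:-0}" = "1" ]; then
                echo "scd-event: state=$state, would terminate this user's scdaemon" >&2
            else
                # -u restricts the match to this user's processes,
                # -x requires an exact process-name match.
                pkill -u "$(id -un)" -x scdaemon
            fi
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# When invoked by scdaemon the arguments are present; handle them and
# never fail the hook itself.
if [ $# -gt 0 ]; then
    scd_event_handle "$@" || true
fi
```

The hook terminates scdaemon only on NOCARD, so the next gpg call starts a fresh scdaemon that re-enumerates the reader; for the PRESENT and USABLE transitions it does nothing.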

Well, it is not a beautiful solution, but better than nothing. I am sorry that I cannot really help here…

If I gain a better understanding, I will share the experience. As a regular user, it is very difficult for me to dig deeper. I also use the Librem Key (+changing stubs). To me it looks as if these two smart-cards do not show identical behavior, but I may be mistaken. I also played with Ubuntu. I had more difficulties. At the moment I am very happy with PureOS and Nitrokey's smart-card. I can boot the encrypted laptop by only entering a short PIN. I can also log in and/or gain admin privileges just with a short PIN. If no smart-card is present, the traditional password works as a fallback. A smaller smart-card that would not stand out as much would be my favorite (similar to the 'nano'). In the future I hope to find similar ways to unlock the key-ring for automatic logins and to open a password manager such as KeePass. If I didn't need to unplug the smart-card occasionally to work, this would be ideal. Nevertheless, thanks for the great products and support. I am looking forward to your future products and solutions. This support forum is very helpful.

1 Like