Card cannot be accessed because of other connections #111

Open
delucca opened this issue Dec 14, 2021 · 2 comments

delucca commented Dec 14, 2021

Hi!

First and foremost, congrats on the project! It is pretty good and solves a pretty big problem for me :)

I've the following setup:

  • 1 GPG key in my Yubikey
  • 1 SSH key in my Yubikey

I use them both a lot. My SSH key is mainly for connecting to some servers I manage, but also for pushing commits using Git. My GPG key is used both for encryption and for signing git commits.

Anyway, I followed this guide to set up my GPG inside my Yubikey, and it works as expected. But it seems that the usage of my GPG key somehow breaks the Yubikey-agent.

Let me explain.

Every time I run git commit ... I'm prompted by my OS to type my GPG key password (from inside my Yubikey). Then, afterwards, I usually run git push and when I do so I get an error like the following:

Load key "/home/delucca/.ssh/id_yubikey.pub": invalid format
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

After that, if I check my yubikey-agent service, I see the following:

❯ systemctl --user status yubikey-agent.service
● yubikey-agent.service - Seamless ssh-agent for YubiKeys
     Loaded: loaded (/usr/lib/systemd/user/yubikey-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-12-14 17:15:31 -03; 15s ago
       Docs: https://filippo.io/yubikey-agent
   Main PID: 568094 (yubikey-agent)
      Tasks: 8 (limit: 38436)
     Memory: 2.5M
        CPU: 7ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/yubikey-agent.service
             └─568094 yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock

dez 14 17:15:31 delucca-workstation systemd[2422]: Started Seamless ssh-agent for YubiKeys.
dez 14 17:15:35 delucca-workstation yubikey-agent[568094]: 2021/12/14 17:15:35 Connecting to the YubiKey...
dez 14 17:15:35 delucca-workstation yubikey-agent[568094]: 2021/12/14 17:15:35 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding

Even if I run systemctl --user restart yubikey-agent.service the error persists. What I need to do is physically remove the Yubikey, wait 1-2s and then plug it in again. Then, restart the Yubikey agent and my SSH key works in the git push.

After that, if I only run commands using my SSH keys (connect to a given server, fetch, push, etc) it works every time. But, as soon as I use my GPG key from within my Yubikey, the same issue happens again.

Anyone have any idea how to fix this?

Edit 1: I've just found out that the same issue happens in the other direction. If I'm using my Yubikey for the SSH key I can't sign any GPG commits, nor encrypt data (with my GPG key inside the Yubikey). I need to physically remove and insert it again in order to use it for GPG 🤔

saxonww commented Aug 11, 2023

I run into this with another command line utility that uses the yubikey to get an SSH certificate. I added the following to my .bashrc, wrapping that utility:

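function ssh-add {
  # Bus number of the (single) Yubico device, e.g. "003" -> 3
  local _usbdev
  _usbdev=$(lsusb | grep Yubico | awk '{x=$2+0;print x}')
  # Unbind and rebind that USB bus to reset it
  sudo sh -c "echo 'usb${_usbdev}' >/sys/bus/usb/drivers/usb/unbind"
  sudo sh -c "echo 'usb${_usbdev}' >/sys/bus/usb/drivers/usb/bind"
  sleep 1
  # Pass the arguments through with their quoting intact
  /path/to/ssh-add "$@"
}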

This only supports one Yubico device being plugged in, but that's OK for me. It parses the lsusb output to get the bus device the yubikey is plugged into, resets that bus, sleeps a second (this could be shortened probably), then runs the utility. So far, it seems to work for me.

andsens commented Nov 15, 2024

From #98 (comment)
Use sudo lsof +E /run/pcscd/pcscd.comm to see which processes may access the yubikey. In my case it was GNOME's gsd-smartcard daemon.
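
Added example (not part of the thread and not the project's code): a small filter that turns the lsof check from the last comment into a list of the pcscd clients competing with yubikey-agent. It assumes lsof's machine-readable `-F pc` field output, which the comment does not use; the function names and the sample data (apart from the yubikey-agent PID taken from the issue) are constructed for illustration.

```shell
#!/bin/sh
# Reads `lsof -F pc` field output on stdin. Each process is reported as a
# "p<PID>" line followed by a "c<COMMAND>" line; other field lines (f...)
# are ignored. Prints "PID COMMAND" once per process, skipping pcscd itself.
pcsc_clients() {
  awk '
    /^p/ { pid = substr($0, 2) }
    /^c/ {
      cmd = substr($0, 2)
      key = pid " " cmd
      if (cmd != "pcscd" && !(key in seen)) { seen[key] = 1; print key }
    }
  '
}

# Every client except yubikey-agent: the candidates for holding the card
# when the agent logs "other connections outstanding".
pcsc_competitors() {
  pcsc_clients | awk '$2 != "yubikey-agent"'
}

# Constructed sample of `lsof -F pc +E /run/pcscd/pcscd.comm` output.
sample_lsof_fields() {
  cat <<'EOF'
p1201
cpcscd
f11
f12
f13
p3310
cgsd-smartcard
f9
p568094
cyubikey-agent
f7
p570112
cscdaemon
f8
EOF
}

# Live use: sudo lsof -F pc +E /run/pcscd/pcscd.comm | pcsc_competitors
sample_lsof_fields | pcsc_competitors
```

On the sample this reports gsd-smartcard and scdaemon (GnuPG's smart card daemon) as the other holders of the pcscd socket.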
