Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation"

Lawrence Larabee lawrence.larabee at ephibian.com
Tue Aug 7 18:52:25 CEST 2018


I've got a new Yubikey NEO that I am trying to set up for SSH authentication. I've already personalized the card and loaded the keys, following all the creation rules (2048-bit max RSA, etc.), and loaded all the packages I am supposed to load. However, I can't make it work. My platform is AMD64 GNU/Linux Ubuntu 16.04 running the Lubuntu flavor. I have tried it on two different machines with this same configuration.

I have verified that I am not running ssh-agent or gnome-keyring, as I have read these can interfere. 

"ssh-add -L" shows my key.

I run:

export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh
gpg-connect-agent updatestartuptty /bye

I confirm that gpg-agent is running and that the auth sock environment variable is pointing to the correct place. 

gpg-agent.conf is: 

default-cache-ttl 36000 
pinentry-program /usr/bin/pinentry-gtk-2 
no-grab 
enable-ssh-support 

(tried disabling no-grab, no difference) 

scdaemon.conf: 

reader-port "Yubico Yubikey NEO OTP CCID 00 00" 
card-timeout 1 

(These don't make a difference, but some threads said to try them; it does the same thing without the scdaemon options.)

I turned on debugging, here is a dump of attempting to connect via SSH: 

<redacted>@<redacted>:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <redacted>@<redacted> 
no slots 
gpg-agent[24850]: ssh handler 0x7fa474d1a700 for fd 5 started 
gpg-agent[24850]: ssh request handler for request_identities (11) started 
gpg-agent[24850]: new connection to SCdaemon established (reusing) 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $AUTHKEYID 
gpg-agent[24850]: DBG: chan_6 <- S $AUTHKEYID OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO <redacted> 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> READKEY OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- [ <redacted> ...(286 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> GETATTR $DISPSERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S $DISPSERIALNO <redacted> 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: ssh request handler for request_identities (11) ready 
gpg-agent[24850]: ssh request handler for sign_request (13) started 
gpg-agent[24850]: DBG: chan_6 -> SERIALNO 
gpg-agent[24850]: DBG: chan_6 <- S SERIALNO <redacted> 0 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: detected card with S/N <redacted> 
gpg-agent[24850]: DBG: encoded hash: <redacted> 
gpg-agent[24850]: DBG: chan_6 -> SETDATA <redacted> 
gpg-agent[24850]: DBG: chan_6 <- OK 
gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3 
gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN 
gpg-agent[24850]: starting a new PIN Entry 
gpg-agent[24850]: DBG: connection to PIN entry established 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 started 
gpg-agent[24850]: DBG: chan_10 -> OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850 
gpg-agent[24850]: DBG: chan_8 -> GETINFO pid 
gpg-agent[24850]: DBG: chan_10 <- GETINFO pid 
gpg-agent[24850]: DBG: chan_10 -> D 24850 
gpg-agent[24850]: DBG: chan_10 -> OK 
gpg-agent[24850]: DBG: chan_8 <- D 24850 
gpg-agent[24850]: DBG: chan_8 <- OK 
gpg-agent[24850]: DBG: chan_8 -> BYE 
gpg-agent[24850]: DBG: chan_10 <- BYE 
gpg-agent[24850]: DBG: chan_10 -> OK closing connection 
gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 terminated 
gpg-agent[24850]: DBG: chan_6 -> [ <redacted> ...(76 byte(s) skipped) ] 
gpg-agent[24850]: DBG: chan_6 -> END 
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error <SCD> 
gpg-agent[24850]: smartcard signing failed: Card error 
gpg-agent[24850]: ssh sign request failed: Card error <SCD> 
gpg-agent[24850]: ssh request handler for sign_request (13) ready 
sign_and_send_pubkey: signing failed: agent refused operation 
<redacted>@<redacted>'s password: 

As you can see, PIN entry works correctly, but after this everything fails with error 100663404 and returns "signing failed: agent refused operation".

I have Googled this extensively and have tried everything I can find to try to resolve this, but I've run out of things to try. 

Please help, 
LL 
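Added below, and not part of Lawrence's post: a small POSIX shell helper that does the two checks a reader of this thread would want before going further. First, it decodes the raw number in the `ERR 100663404 Card error <SCD>` line the way libgpg-error encodes errors (error source in bits 24..30, error code in the low 16 bits); for this log that gives source 6 (SCD) and code 108 (Card error), i.e. scdaemon itself rejected the PKAUTH, not gpg-agent and not pinentry, so the PIN dialog succeeding is expected and the fault is between scdaemon and the card. Second, it compares SSH_AUTH_SOCK against the socket path reported by `gpgconf --list-dirs`, because the export in the post hardcodes ~/.gnupg while newer GnuPG 2.1 releases put the agent sockets under /run/user/<uid>/gnupg when that directory exists. Note also that the `-I` in the logged ssh command loads opensc-pkcs11.so as a PKCS#11 provider; the "no slots" line is that provider finding no token and is independent of the agent path that produced the Card error. The log excerpt and gpgconf output embedded in the script are constructed samples modelled on the post, the function and variable names are mine, the code table is a partial extract of libgpg-error's codes, and the `--live` mode assumes GnuPG 2.1 or later (whose `gpgconf --list-dirs` prints an agent-ssh-socket line) and a pgrep binary.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post or from GnuPG itself.
# libgpg-error packs an error as: source = (err >> 24) & 127, code = err & 65535.

# Partial table of libgpg-error error sources.
gpg_err_source_name() {
    case "$1" in
        0) echo "unknown" ;;
        2) echo "GPG" ;;
        4) echo "GPG-Agent" ;;
        5) echo "Pinentry" ;;
        6) echo "SCD" ;;
        *) echo "source#$1" ;;
    esac
}

# Partial table of libgpg-error error codes seen around smartcard/SSH failures.
gpg_err_code_name() {
    case "$1" in
        87)  echo "Bad PIN" ;;
        99)  echo "Operation cancelled" ;;
        108) echo "Card error" ;;
        110) echo "Card removed" ;;
        112) echo "Card not present" ;;
        *)   echo "code#$1" ;;   # unknown here: try `gpg-error <number>` from libgpg-error
    esac
}

# Decode one numeric gpg error, e.g. 100663404 -> source=6 (SCD) code=108 (Card error)
decode_gpg_err() {
    err=$1
    src=$(( (err >> 24) & 127 ))
    code=$(( err & 65535 ))
    printf 'source=%d (%s) code=%d (%s)\n' "$src" "$(gpg_err_source_name "$src")" \
        "$code" "$(gpg_err_code_name "$code")"
}

# Read a gpg-agent debug log on stdin and decode every Assuan "<- ERR <n>" line.
decode_log_errors() {
    sed -n 's/.*<- ERR \([0-9][0-9]*\).*/\1/p' | while read -r n; do
        decode_gpg_err "$n"
    done
}

# Pull agent-ssh-socket out of `gpgconf --list-dirs` output (name:value lines).
agent_ssh_socket_from() {
    printf '%s\n' "$1" | sed -n 's/^agent-ssh-socket:\(.*\)$/\1/p'
}

# Compare the exported SSH_AUTH_SOCK with the socket gpg-agent really listens on.
# Returns 0 on match, 1 on mismatch.
check_auth_sock() {
    if [ "$1" = "$2" ]; then
        echo "ok: SSH_AUTH_SOCK=$1"
        return 0
    fi
    echo "mismatch: SSH_AUTH_SOCK=$1 but gpg-agent listens on $2"
    return 1
}

# Constructed sample data shaped like the post's log and a gpgconf listing.
SAMPLE_LOG='gpg-agent[24850]: DBG: chan_6 -> END
gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error <SCD>
gpg-agent[24850]: smartcard signing failed: Card error'
SAMPLE_GPGCONF='homedir:/home/user/.gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Checks against the running system; only used with --live.
live_check() {
    sock=$(agent_ssh_socket_from "$(gpgconf --list-dirs)")
    check_auth_sock "${SSH_AUTH_SOCK-}" "$sock" || :
    # Competing agents the post rules out by hand.
    pgrep -l 'gnome-keyring|ssh-agent' || echo "no competing ssh-agent/gnome-keyring found"
}

if [ "${1-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_LOG" | decode_log_errors
    check_auth_sock /home/user/.gnupg/S.gpg-agent.ssh \
        "$(agent_ssh_socket_from "$SAMPLE_GPGCONF")" || :
fi
```

Run it without arguments to see the sample decoded, or with `--live` on the affected machine. If libgpg-error's `gpg-error` tool is installed, `gpg-error 100663404` prints the same source/code split and is the authoritative cross-check for codes the partial table above does not know.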



More information about the Gnupg-users mailing list