Getting OpenSC PKCS#11 and GnuPG to play nice with a YubiKey 5

Stuart Longland stuartl at longlandclan.id.au
Sun Oct 31 07:26:29 CET 2021


Hi all,

At my workplace, we've recently adopted YubiKeys as a means for doing
2FA, I've been using mine for 2FA-based authentication with OpenSSH
servers (using `gpg-agent` and the YubiKey OpenPGP applet), and we plan
to use the PIV component of these keys to authenticate with some HTTPS
services.

I've also set up the OpenPGP part for code signing and email security.

Under GnuPG 2.2, I mostly had this working.  Sometimes GnuPG would
block `opensc-pkcs11` or vice versa and I'd have to either re-plug the
dongle and/or tickle it with `gpg --card-status` when I try to commit
something or log into a server.

It seems under GnuPG 2.3 (v2.3.2 currently on Gentoo Linux), OpenSC
seems completely unable to communicate with the PIV applet on the same
YubiKey as GnuPG.  As it's likely we'll be swapping between using HTTPS
and SSH frequently, I'd like the two services to co-operate if at all
possible, nothing on paper suggests why these should be in conflict.

- Has anyone managed to do the above?
- any particular advice regarding `opensc` drivers, is `pcscd` needed?
- Is this just a quirk of the YubiKey?  (e.g. is NitroKey¹ affected?)
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


1. Watching these from a distance, but I'm waiting for the COVID-19
situation to settle down so that the shipping price between DE and AU
can come down from the stratosphere.  I'm open to other "open hardware"
alternatives too -- contact me off-list about that.



More information about the Gnupg-users mailing list