[Pcsclite-muscle] Issue when plugging yubikey after pcscd has started

Ludovic Rousseau ludovic.rousseau at gmail.com
Wed Jan 17 07:22:38 PST 2024


On Wed, Jan 17, 2024 at 09:19, Laurent Bigonville <bigon at bigon.be> wrote:
> I've attached the scdaemon logs (both when the yubikey is connected
> before and after) here, I can see a call to "open_pcsc_reader()"
>
> It seems that the only variable here is whether pcscd is started before
> or after the yubikey is plugged. Starting scdaemon before or after pcscd
> doesn't make a difference.

I think I found the cause of the problem.

In the working case you have:
jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: detected reader 'Yubico YubiKey OTP+FIDO+CCID 00 00'
jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: detected reader 'Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 01 00'
jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: reader slot 0: not connected
jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: DBG: open_pcsc_reader => slot=0

In the non-working case you have:
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: detected reader 'Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00'
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: detected reader 'Yubico YubiKey OTP+FIDO+CCID 01 00'
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: reader slot 0: not connected
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG: open_pcsc_reader => slot=0
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG: enter: apdu_connect: slot=0
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: reader slot 0: not connected
jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG: leave: apdu_connect => sw=0x10008

The difference is the order of the readers.
If the YubiKey is found first (in slot 0) then it works.
If the YubiKey is found after the Broadcom reader then gpg does not work.

It looks like the problem is that scdaemon does not try to use slot 1
if slot 0 fails.
It is a very strange limitation or feature of scdaemon.


One solution is to ignore the Broadcom reader so the YubiKey token
will always be in slot 0 for scdaemon.
See PCSCLITE_FILTER_IGNORE_READER_NAMES from "Remove and/or customize
PC/SC reader names"
https://blog.apdu.fr/posts/2015/12/remove-andor-customize-pcsc-reader-names/

Bye

-- 
 Dr. Ludovic Rousseau
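
The reader-order check described in the message above, as an added example that is not part of the original e-mail or of scdaemon: it rejoins hard-wrapped journal lines, lists the detected readers in order, and names any reader listed ahead of the YubiKey. The sample log is constructed in the shape of the quoted lines; the "NN NN" index suffix pattern, the function names and the default `wanted` substring are assumptions.

```python
import re

# Constructed sample in the shape of the scdaemon journal lines quoted above
# (non-working order), including the mail client's hard line wraps.
SAMPLE_LOG = """\
jan 17 07:49:59 host gpg-agent[100]: scdaemon[100]: detected
reader 'Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00
00'
jan 17 07:49:59 host gpg-agent[100]: scdaemon[100]: detected
reader 'Yubico YubiKey OTP+FIDO+CCID 01 00'
jan 17 07:49:59 host gpg-agent[100]: scdaemon[100]: DBG:
leave: apdu_connect => sw=0x10008
"""

ENTRY_START = re.compile(r"^[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d ")
READER = re.compile(r"scdaemon\[\d+\]: detected reader '(.+)'")
CONNECT = re.compile(r"leave: apdu_connect => sw=(0x[0-9a-fA-F]+)")
INDEX_SUFFIX = re.compile(r" [0-9A-F]{2} [0-9A-F]{2}$")  # assumed "NN NN" tail


def unwrap(text):
    """Rejoin hard-wrapped entries; a new entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries


def analyse(text, wanted="YubiKey"):
    """Return reader order, last apdu_connect status, readers ahead of `wanted`."""
    entries = unwrap(text)
    readers = [m.group(1) for e in entries if (m := READER.search(e))]
    statuses = [m.group(1) for e in entries if (m := CONNECT.search(e))]
    position = next((i for i, r in enumerate(readers) if wanted in r), None)
    ahead = readers[:position] if position is not None else []
    return {
        "readers": readers,
        "wanted_position": position,
        "connect_sw": statuses[-1] if statuses else None,
        # Names without the trailing index: candidates to hide from pcscd.
        "ahead_of_wanted": [INDEX_SUFFIX.sub("", r) for r in ahead],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-empty `ahead_of_wanted` list gives the reader names to consider for PCSCLITE_FILTER_IGNORE_READER_NAMES; the linked post describes the value syntax.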


