[Pcsclite-muscle] Issue when plugging yubikey after pcscd has started

Laurent Bigonville bigon at bigon.be
Thu Jan 18 01:29:27 PST 2024 

Le 17/01/24 à 16:22, Ludovic Rousseau a écrit :
> Le mer. 17 janv. 2024 à 09:19, Laurent Bigonville <bigon at bigon.be> a écrit :
>> I've attached the scdaemon logs (both when the yubikey is connected
>> before and after) here, I can see a call to "open_pcsc_reader()"
>>
>> It seems that the only variable here is whether pcscd is started before
>> or after the yubikey is plugged. Starting scdaemon before or after pcscd
>> doesn't make a difference.
> I think I found the cause of the problem.
>
> In the working case you have:
> jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: detected
> reader 'Yubico YubiKey OTP+FIDO+CCID 00 00'
> jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: detected
> reader 'Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 01
> 00'
> jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: reader
> slot 0: not connected
> jan 17 07:55:04 eriador gpg-agent[117359]: scdaemon[117359]: DBG:
> open_pcsc_reader => slot=0
>
> In the non-working case you have:
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: detected
> reader 'Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00
> 00'
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: detected
> reader 'Yubico YubiKey OTP+FIDO+CCID 01 00'
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: reader
> slot 0: not connected
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG:
> open_pcsc_reader => slot=0
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG:
> enter: apdu_connect: slot=0
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: reader
> slot 0: not connected
> jan 17 07:49:59 eriador gpg-agent[116210]: scdaemon[116210]: DBG:
> leave: apdu_connect => sw=0x10008
>
> The difference is the order of the readers.
> If the YubiKey is found first (in slot 0) then it works.
> If the YubiKey is found after the Broadcom reader then gpg does not work.
>
> It looks like the problem is that scdaemon does not try to use slot 1
> if slot 0 fails.
> It is a very strange limitation or feature of scdaemon.
Thanks for your time and effort, I'll bring that issue to the gnupg project.
> One solution is to ignore the Broadcom reader so the YubiKey token
> will always be in slot 0 for scdaemon.
> See PCSCLITE_FILTER_IGNORE_READER_NAMES from "Remove and/or customize
> PC/SC reader names"
> https://blog.apdu.fr/posts/2015/12/remove-andor-customize-pcsc-reader-names/
FTR, there is also the "reader-port" option at scdaemon level.

More information about the pcsclite-muscle mailing list