
greve at fsfeurope
Dec 23, 2011, 2:10 PM
Issues with smart card since update to FC16
Hi all,

I've been using the Fellowship smart card for years under Debian and Fedora, up until updating to Fedora 16. Ever since I keep having issues that are, well, odd.

Take the following instructions of pinentry-qt4 upon trying to decrypt an email in Kontact (screenshot attached).

This is the gpg --card-status output for the very same card:

  Application ID ...: D2760001240101010001000003500000
  Version ..........: 1.1
  Manufacturer .....: PPC Card Systems
  Serial number ....: 00000350
  Name of cardholder: Georg C.F. Greve
  Language prefs ...: ende
  Sex ..............: male
  URL of public key : http://gnuhh.org/greve-public.asc
  Login data .......: greve
  Private DO 1 .....: [not set]
  Private DO 2 .....: [7] Georg C. F. Greve <greve [at] fsfe>
  CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33 65F2 70F2 75E4 C32F 6CA5
  Signature PIN ....: not forced
  Key attributes ...: 1024R 1024R 1024R
  Max. PIN lengths .: 254 254 254
  PIN retry counter : 3 0 3
  Signature counter : 48318
  Signature key ....: E2E7 DABF 1B6D 948E A55E 07B4 293D B14C B7DB 041C
        created ....: 2005-05-02 11:35:48
  Encryption key....: ECDA 0869 1DCE 2C60 C265 281D F953 D01F 7DF1 6B24
        created ....: 2005-05-02 11:36:44
  Authentication key: DF41 4ED5 A2C5 42D7 BF92 67D1 4742 F5AD 5378 AB47
        created ....: 2005-05-02 11:37:16
  General key info..: pub 1024R/B7DB041C 2005-05-02 Georg C. F. Greve (Kolab Systems AG, CEO) <greve [at] kolabsys>
  sec# 1024D/86574ACA created: 1999-02-20 expires: never
  ssb> 1024R/B7DB041C created: 2005-05-02 expires: never
       card-no: 0001 00000350
  ssb> 1024R/7DF16B24 created: 2005-05-02 expires: never
       card-no: 0001 00000350
  ssb> 1024R/5378AB47 created: 2005-05-02 expires: never
       card-no: 0001 00000350

When trying to decrypt a file on the command line, I get:

  gpg: anonymous recipient; trying secret key C3C6A26D ...
  gpg: protection algorithm 1 (IDEA) is not supported
  gpg: the IDEA cipher plugin is not present
  gpg: please see http://www.gnupg.org/faq/why-not-idea.html for more information
  gpg: anonymous recipient; trying secret key 7487FC5D ...
  gpg: anonymous recipient; trying secret key A1783953 ...
  gpg: anonymous recipient; trying secret key B7DB041C ...
  gpg: fingerprint on card does not match requested one
  gpg: anonymous recipient; trying secret key 7DF16B24 ...
  Please enter the PIN
  gpg: verify CHV2 failed: invalid passphrase
  gpg: anonymous recipient; trying secret key 5378AB47 ...
  gpg: fingerprint on card does not match requested one
  gpg: encrypted with RSA key, ID 00000000
  gpg: encrypted with ELG-E key, ID 00000000
  gpg: decryption failed: secret key not available

when entering the correct PIN.

Trying to ssh into another machine does not even attempt smart card authentication, which I guess may have to do with my running the agent without scdaemon support, via:

  --disable-scdaemon --pinentry-program /usr/bin/pinentry-qt4 --enable-ssh-support --daemon --sh --write-env-file=/home/greve/.gpg-agent-info

So I guess the key should be listed in .gnupg/sshcontrol, which it is not. But then, ssh-add -l, which I guess should add it, tells me:

  The agent has no identities.

The environment variables in the session look okay, I guess:

  declare -x GPG_AGENT_INFO="/home/greve/.gnupg/S.gpg-agent:1750:1"
  declare -x SSH_AGENT_PID="1750"
  declare -x SSH_ASKPASS="/usr/libexec/openssh/gnome-ssh-askpass"
  declare -x SSH_AUTH_SOCK="/home/greve/.gnupg/S.gpg-agent.ssh"

and the pinentry dialogue pops up as expected.

So what's going on? Did something change to which I should have adapted my setup when upgrading to FC 16? Or is this an issue with the new kernel series? Or something else?

Pointers appreciated.

Best regards,
Georg

--
Georg C. F. Greve <greve [at] fsfeurope>
Member of the General Assembly
http://fsfe.org/about/greve/
http://blogs.fsfe.org/greve/
http://identi.ca/greve