Required to manually restart pcscd.service each boot #81

Closed
rtmor opened this issue Mar 13, 2021 · 13 comments
@rtmor

rtmor commented Mar 13, 2021

I'm running into an issue of yubikey-agent/ssh-add -L failing to read the contents of the yubikey on each reboot, unless the pcscd.service is manually restarted. Not sure if this is a pcsc or yubikey-agent issue, however, there appear to be no errors thrown by pcscd.{service,socket}.

Installed yubikey-agent using the steps recommended for manual installation. Temporarily disabled SELinux, but the problem still persists.

systemctl restart pcscd.service always solves the issue, so it's not a major issue, however, a bit frustrating. I've included some debugging info below. If there is anything else I could provide to help please let me know.

$ uname -a
Linux $HOST 5.10.22-200.fc33.x86_64 #1 SMP Tue Mar 9 22:05:08 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ ssh-add -L
error fetching identities: agent refused operation
$ systemctl --user status yubikey-agent.service

yubikey-agent.service - Seamless ssh-agent for YubiKeys
     Loaded: loaded (/home/rtmoran/.config/systemd/user/yubikey-agent.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-03-12 20:19:31 EST; 19min ago
       Docs: https://filippo.io/yubikey-agent
   Main PID: 6703 (yubikey-agent)
      Tasks: 7 (limit: 18707)
     Memory: 1.3M
        CPU: 17ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/yubikey-agent.service
             └─6703 /usr/local/bin/yubikey-agent -l /run/user/1000/yubikey-agent/yubikey-agent.sock

Mar 12 20:19:31 rtm-fedora systemd[2139]: Started Seamless ssh-agent for YubiKeys.
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc:  netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
$ systemctl status pcscd.service

pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
     Active: active (running) since Fri 2021-03-12 19:57:26 EST; 44min ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 1510 (pcscd)
      Tasks: 18 (limit: 18707)
     Memory: 4.9M
        CPU: 10.454s
     CGroup: /system.slice/pcscd.service
             └─1510 /usr/sbin/pcscd --foreground --auto-exit

Mar 12 19:57:26 rtm-fedora systemd[1]: Started PC/SC Smart Card Daemon.
$ systemctl status pcscd.socket 

pcscd.socket - PC/SC Smart Card Daemon Activation Socket
     Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-03-12 19:57:26 EST; 45min ago
   Triggers: ● pcscd.service
     Listen: /run/pcscd/pcscd.comm (Stream)
      Tasks: 0 (limit: 18707)
     Memory: 0B
        CPU: 0
     CGroup: /system.slice/pcscd.socket

Mar 12 19:57:26 rtm-fedora systemd[1]: Listening on PC/SC Smart Card Daemon Activation Socket.
$ journalctl -b | grep -i yubikey-agent
Mar 12 20:19:31 rtm-fedora yubikey-agent[6703]: selinux: avc:  netlink recvfrom: error 9
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 Connecting to the YubiKey...
Mar 12 20:19:36 rtm-fedora yubikey-agent[6703]: 2021/03/12 20:19:36 agent 11: could not reach YubiKey: connecting to smart card: the smart card cannot be accessed because of other connections outstanding
$ journalctl -b | grep -i pcscd
Mar 12 19:57:26 rtm-fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pcscd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

@rtmor changed the title from "ccccccnvinhdvfrvdnuvugibgiuvjdubredhkhijkkvu" to "Required to manually restart pcscd.service each boot" on Mar 13, 2021

@FiloSottile
Owner

> the smart card cannot be accessed because of other connections outstanding

Hmm, do you have anything (like gpg-agent) that at boot takes a lock on the YubiKey? Restarting pcscd would release that lock

@odevroed

odevroed commented May 7, 2021

Hi @FiloSottile,

I have the exact same problem. I can help debugging.
How do I know if something has a hold on the key?
I tried with 'lsof | grep yubike' but I could not see anything strange.

@tacf

tacf commented May 17, 2021

A couple of days ago I started not being able to use my yubikey as an ssh key, and today I decided to change from gpg to yubikey-agent (already uninstalled gpg) and I have this same issue. I'm no expert on this, but I can provide more details to help figure this out (but I'll most likely need some advice on how to gather said details :) )

@FiloSottile
Owner

This doesn't sound like something we can fix in yubikey-agent, sorry. Either something in the system is taking a lock with pcscd before yubikey-agent is, or—less likely—piv-go is failing to talk to pcscd.

@gnumoksha

@rtmor did you find a solution?

@rtmor
Author

rtmor commented Apr 4, 2022

> @rtmor did you find a solution?

Unfortunately not. I originally had a solution using gpg prior to switching to yubikey-agent. Perhaps an issue carried over.

I've since switched to FIDO2 resident keys for SSH with Yubikey (https://www.yubico.com/blog/github-now-supports-ssh-security-keys/).

Good luck!

@kees-closed

> @rtmor did you find a solution?

The solution is to add pcsc-shared to ~/.gnupg/scdaemon.conf

More info: https://ask.fedoraproject.org/t/pcscd-has-to-be-restarted-at-every-boot-to-get-my-ssh-keys-from-my-yubikey/24571
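
An added example, not part of the original thread or of the yubikey-agent project: a POSIX shell helper that applies the `scdaemon.conf` change suggested in the comment above idempotently, so a commented-out or already-present `pcsc-shared` line is handled correctly. The function names are hypothetical; the default path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: idempotently enable scdaemon's shared PC/SC mode.
# has_pcsc_shared / ensure_pcsc_shared are hypothetical helper names.

# Return 0 only if an active (uncommented) pcsc-shared line is present.
has_pcsc_shared() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*pcsc-shared[[:space:]]*$' "$1"
}

# Add the option only when it is missing, creating the file and its
# directory if needed. Prints "added" or "present" so the caller knows
# whether scdaemon has to be restarted to pick up the change.
ensure_pcsc_shared() {
    conf=${1:-"$HOME/.gnupg/scdaemon.conf"}
    if has_pcsc_shared "$conf"; then
        echo present
        return 0
    fi
    dir=$(dirname "$conf")
    # GnuPG expects its home directory to be private to the user.
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    # Start on a fresh line if the file does not end with a newline.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf 'pcsc-shared\n' >> "$conf"
    echo added
}

# Typical use on the affected machine (not executed by this file):
#   [ "$(ensure_pcsc_shared)" = added ] && gpgconf --kill scdaemon
```

`gpgconf --kill scdaemon` stops the running scdaemon so the next GnuPG card operation starts it with the new setting. The GnuPG documentation calls `pcsc-shared` a somewhat dangerous option, because scdaemon assumes exclusive access to the card and caches information read from it.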

@peterge1998

peterge1998 commented Nov 15, 2022

> The solution is to add pcsc-shared to ~/.gnupg/scdaemon.conf
>
> More info: https://ask.fedoraproject.org/t/pcscd-has-to-be-restarted-at-every-boot-to-get-my-ssh-keys-from-my-yubikey/24571

For me this solution does not work :(
Nitrokey Start on Fedora 37

@rtmor
Author

rtmor commented Nov 15, 2022

> > @rtmor did you find a solution?
>
> The solution is to add pcsc-shared to ~/.gnupg/scdaemon.conf
>
> More info: https://ask.fedoraproject.org/t/pcscd-has-to-be-restarted-at-every-boot-to-get-my-ssh-keys-from-my-yubikey/24571

Sorry for just coming across your response now. When I get a chance, I will see if this solution works for me. I have a feeling that flag might have already been defined within scdaemon.conf, but will take a look and get back to you all.

@dszmaj

dszmaj commented Nov 24, 2022

@peterge1998 I'm also on Fedora 37 now and it worked. I had the same issue of having to restart pcscd.

@peterge1998

> @peterge1998 I'm also on Fedora 37 now and it worked. I had the same issue of having to restart pcscd.

Honestly I must say, after being on 37 for a while, that I never needed to restart it manually (at the time of writing I was on 37 for about a day :P)

@dszmaj

dszmaj commented Nov 24, 2022

I'm on main GNOME version, when I tested KDE I didn't have this problem, but GNOME has it no matter how I install it.

@kees-closed

I'm on Fedora 37 (GNOME) as well, I still have the same issue.
