yubico-piv-tool: SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d

Hi there!

I’m encountering an issue that I’ve spent some time digging into and I wonder if the authors of this library + Yubico would be able to provide any further details or remediations.

We use our Yubikeys in PIV mode and add them to ssh-agent using the dylib provided by this tool.

I’ve noticed recently (specifically, when I got a new M1 laptop, but still with macOS 11.6) that, even though the keys in the ssh-agent have not expired (we expire them at 14400 seconds), usage of the keys by ssh returns:

sign_and_send_pubkey: signing failed for RSA "Public key for PIV Authentication" from agent: agent refused operation

It seemed to happen at random times, and after this occurred, running ssh-add -l would still show the two keys in ssh-agent.

I decided today to spend some time debugging this, and ran YKCS11_DBG=1 ssh-agent -d. The logs are here https://gist.github.com/skevy/9a9f2662ac1143b5ba5352296aa3cb35 (first file is the log when the error happens, second log is the log when I can successfully use the key).

Looking at these logs, I noticed it logged:

SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d

And digging into the actual return code, it’s SCARD_E_NO_SERVICE. After some Googling, it became apparent that this can occur when PCSC stops running on the machine.

Sure enough, after I successfully add my Yubikey to my ssh-agent, I see /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd running. After some undetermined amount of time, this process is forced to exit by the kernel with this log message:

memorystatus: killing_idle_process pid 28470 [com.apple.ctkpcscd] jetsam_reason->osr_code: 9.

In addition, by killing this process manually, I can now provide a consistent reproduction of the bug that started my investigation.

My question is: have you seen or heard of this before? Is this a bug in Apple’s PCSC driver? Is there any way for this tool to somehow force this process to continue running on macOS? It seems to be started automatically when doing ssh-add -s… not sure how that’s happening though.

Thanks in advance for the help!

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 36 (15 by maintainers)

Most upvoted comments

Just checking in on the release @qpernil … we’d love to roll this out to folks.

Sorry for the delay, we’re struggling a bit to create binaries that have the right linkage without creating a complete release.

Would you be able to merge this soon and cut a release?

Hello, if this helps, there is always one PCSC running, and PCSC respawns automatically if it is killed. In the Activity Monitor, I also see Idle Wake-Ups are running every second on this process (so it never dies).

But, when you start ssh-agent, it also starts the second PCSC process, which dies due to inactivity. Here are some examples:

ps aux | grep PCSC
geiger           37086   0.1  0.1 408106080   4592   ??  Ss    1:02PM   1:03.36 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd
geiger           52137   0.0  0.0 408067536   3248   ??  Ss   10:23AM   0:00.07 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd

PID 37086 is always running; PID 52137 is started by ssh-agent and will die after some inactivity time (see launchd.log below).

2021-11-03 10:51:23.661065 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: service exited: dirty = 0, supported pressured-exit = 1
2021-11-03 10:51:23.661089 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: jettisoned: JETSAM_REASON_MEMORY_IDLE_EXIT
2021-11-03 10:51:23.661096 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: service state: exited
2021-11-03 10:51:23.661105 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: internal event: EXITED, code = 0
2021-11-03 10:51:23.661136 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: service state: not running
2021-11-03 10:51:23.661150 (pid/52137 [com.apple.ctkpc]) <Notice>: shutting down
2021-11-03 10:51:23.661177 (pid/52137/com.apple.MTLCompilerService) <Notice>: internal event: PETRIFIED, code = 0
2021-11-03 10:51:23.661202 (pid/52137/com.apple.audio.Core-Audio-Driver-Service.helper) <Notice>: internal event: PETRIFIED, code = 0
2021-11-03 10:51:23.661237 (pid/52137/com.apple.audio.Core-Audio-Driver-Service) <Notice>: internal event: PETRIFIED, code = 0
2021-11-03 10:51:23.661293 (pid/52137 [com.apple.ctkpc]) <Notice>: cleaning up
2021-11-03 10:51:23.661308 (system) <Notice>: removing child: pid/52137
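
Added example (not part of the original thread and not yubico-piv-tool code): a small Python triage helper that decodes the `rc=` field of the YKCS11_DBG line quoted in the issue and scans launchd log lines for jetsam exits of `com.apple.ctkpcscd`, tying the two symptoms together. The function names and the subset of PC/SC codes in the table are choices made for this example; the sample lines are copied from the thread above.

```python
import re

# Subset of PC/SC return codes (values as defined in the PC/SC headers).
PCSC_CODES = {
    0x00000000: "SCARD_S_SUCCESS",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100017: "SCARD_E_READER_UNAVAILABLE",
    0x8010001D: "SCARD_E_NO_SERVICE",
    0x8010001E: "SCARD_E_SERVICE_STOPPED",
    0x80100068: "SCARD_W_RESET_CARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

RC_RE = re.compile(r"rc=([0-9a-fA-F]+)")
JETSAM_RE = re.compile(
    r"^(\S+ \S+) \(pid/\d+/(\S+) \[(\d+)\]\) <\w+>: jettisoned: (\w+)")


def decode_rc(debug_line):
    """Return (code, name) for the rc= field of a YKCS11_DBG line, or None."""
    m = RC_RE.search(debug_line)
    if m is None:
        return None
    # The logged value has its upper 32 bits set (ffffffff...), i.e. it appears
    # sign-extended to 64 bits; PC/SC codes are 32-bit, so keep the low word.
    code = int(m.group(1), 16) & 0xFFFFFFFF
    return code, PCSC_CODES.get(code, "unknown")


def jetsam_exits(launchd_lines, service="com.apple.ctkpcscd"):
    """Return (timestamp, pid, reason) for each jetsam exit of the service."""
    hits = []
    for line in launchd_lines:
        m = JETSAM_RE.match(line)
        if m and m.group(2) == service:
            hits.append((m.group(1), int(m.group(3)), m.group(4)))
    return hits


# Sample input: lines copied from the thread above.
DBG = "SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d"
LAUNCHD = [
    "2021-11-03 10:51:23.661065 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: service exited: dirty = 0, supported pressured-exit = 1",
    "2021-11-03 10:51:23.661089 (pid/52136/com.apple.ctkpcscd [52137]) <Notice>: jettisoned: JETSAM_REASON_MEMORY_IDLE_EXIT",
    "2021-11-03 10:51:23.661177 (pid/52137/com.apple.MTLCompilerService) <Notice>: internal event: PETRIFIED, code = 0",
]

if __name__ == "__main__":
    print(decode_rc(DBG))
    print(jetsam_exits(LAUNCHD))
```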