yubico-piv-tool: SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d
Hi there!
I’m encountering an issue that I’ve spent some time digging into and I wonder if the authors of this library + Yubico would be able to provide any further details or remediations.
We use our Yubikeys in PIV mode and add them to ssh-agent using the dylib provided by this tool.
I’ve noticed recently (specifically, when I got a new M1 laptop, but still with macOS 11.6) that, even though the keys in the ssh-agent have not expired (we expire them at 14400 seconds), usage of the keys by ssh returns:
sign_and_send_pubkey: signing failed for RSA "Public key for PIV Authentication" from agent: agent refused operation
It seemed to happen at random times, and after this occurred, running ssh-add -l would still show the two keys in ssh-agent.
I decided today to spend some time debugging this, and ran YKCS11_DBG=1 ssh-agent -d. The logs are here https://gist.github.com/skevy/9a9f2662ac1143b5ba5352296aa3cb35 (first file is the log when the error happens, second log is the log when I can successfully use the key).
Looking at these logs, I noticed it logged:
SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d
And digging into the actual return code, it’s SCARD_E_NO_SERVICE. After some Googling, it became apparent that this can occur when PCSC stops running on the machine.
Sure enough, after I successfully add my Yubikey to my ssh-agent, I see /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd running. After some undetermined amount of time, this process is forced to exit by the kernel with this log message:
memorystatus: killing_idle_process pid 28470 [com.apple.ctkpcscd] jetsam_reason->osr_code: 9
In addition, by killing this process manually, I can now provide a consistent reproduction of the bug that started my investigation.
My question is: have you seen or heard of this before? Is this a bug in Apple’s PCSC driver? Is there any way for this tool to somehow force this process to continue running on macOS? It seems to be started automatically when doing ssh-add -s …not sure how that’s happening though.
Thanks in advance for the help!
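The triage the report walks through by hand (decode the rc, recognise SCARD_E_NO_SERVICE, correlate it with the jetsam kill of com.apple.ctkpcscd) as a small log checker. This is an added example, not code from yubico-piv-tool or the reporter; the sample log lines are constructed from the messages quoted above, and the code table covers only PC/SC constants whose values are known.

```python
import re

# Standard PC/SC (winscard / pcsclite) return codes as 32-bit LONG values.
SCARD_CODES = {
    0x00000000: "SCARD_S_SUCCESS",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x8010001D: "SCARD_E_NO_SERVICE",
    0x8010001E: "SCARD_E_SERVICE_STOPPED",
    0x8010002E: "SCARD_E_NO_READERS_AVAILABLE",
    0x80100069: "SCARD_W_REMOVED_CARD",
}
# Codes that mean the PC/SC daemon itself is gone rather than the card.
DAEMON_DOWN = {"SCARD_E_NO_SERVICE", "SCARD_E_SERVICE_STOPPED"}

TXN_RE = re.compile(
    r"SCardBeginTransaction on card #(\d+) failed after (\d+) retries, rc=([0-9a-fA-F]+)")
JETSAM_RE = re.compile(
    r"memorystatus: killing_idle_process pid (\d+) \[([\w.]+)\]")

# Constructed sample: a jetsam kill followed by the ykcs11 failure.
SAMPLE_LOG = [
    "memorystatus: killing_idle_process pid 28470 [com.apple.ctkpcscd] jetsam_reason->osr_code: 9",
    "SCardBeginTransaction on card #16389519 failed after 0 retries, rc=ffffffff8010001d",
]


def decode_rc(hex_rc):
    """ykcs11 prints the LONG sign-extended to 64 bits; mask it back to 32 bits."""
    code = int(hex_rc, 16) & 0xFFFFFFFF
    return code, SCARD_CODES.get(code, "UNKNOWN")


def triage(lines):
    """Return structured findings for PC/SC failures and daemon kills in a log."""
    findings = []
    for line in lines:
        m = TXN_RE.search(line)
        if m:
            code, name = decode_rc(m.group(3))
            findings.append({"kind": "pcsc_error", "card": int(m.group(1)),
                             "retries": int(m.group(2)), "code": code, "name": name,
                             "pcsc_daemon_down": name in DAEMON_DOWN})
            continue
        m = JETSAM_RE.search(line)
        if m:
            findings.append({"kind": "jetsam_kill", "pid": int(m.group(1)),
                             "process": m.group(2)})
    return findings
```

Run `triage(SAMPLE_LOG)` on a YKCS11_DBG=1 ssh-agent log merged with the kernel log; a pcsc_daemon_down finding right after a jetsam_kill of com.apple.ctkpcscd is the signature described in this report.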
About this issue
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 36 (15 by maintainers)
Just checking in on the release @qpernil … we’d love to roll this out to folks.
Sorry for the delay, we’re struggling a bit to create binaries that have the right linkage without creating a complete release
Would you be able to merge this soon and cut a release?
Hello, if this helps, there is always one PCSC running, and PCSC respawns automatically if it is killed. In the Activity Monitor, I also see Idle Wake-Ups are running every second on this process (so it never dies).
But, when you start ssh-agent, it also starts the second PCSC process, which dies due to inactivity. Here are some examples:
PID 37086 is always running.
PID 52137 - started by ssh-agent and will die after some inactivity time (see launchd.log below).