A comparison of cryptographic keycards
Posted Oct 17, 2017 23:38 UTC (Tue) by nix (subscriber, #2304)
In reply to: A comparison of cryptographic keycards by anarcat
Parent article: A comparison of cryptographic keycards
> For a long time, this was impossible: the Neo is really three keys in one, and disconnects and reconnects from the USB bus as appropriate, morphing from OTP to U2F to CCID on demand.

Hmmm. I saw this in older kernels, but not any more. Since this is clearly kernel-specific, it can't be anything to do with the behaviour of the key: so I must be wrong.
Really? I don't see this behavior here.
I *did* have trouble with pcsscd with the upgrade to Debian stretch, as I documented here
Those bugs are bang in the time window when I tried this last (and gave up), so I guess the problem was indeed solved because you had more determination than me.
Indeed, removing disable-ccid now makes scdaemon work fine for me, even when generating OTPs and doing HMAC challenges at the same time. I can't use PIV keys because scdaemon is still an unspeakable pile that sprays incomprehensible error messages rather than working, but I frankly don't care much (and forgot all my PINs long ago, and lost the piece of paper I wrote them down on). At least I can use GPG smartcard keys now, which means I can migrate to SSH keys on my smartcard via gpg-agent, as long as I can convince it to work across multiple chains of sshes (a very frequent use case for me, but since the agent connection is part of SSH, not GnuPG, I already know that part works).
