Presetting passphrases when using scdaemon

Werner Koch wk at gnupg.org
Fri Dec 13 16:08:05 CET 2019


On Wed, 11 Dec 2019 13:00, Franklin, Jason said:

> Why am I not able to preset passphrases for keys that are stored on the
> smart card?  What am I missing?

Right.  There is no cache for the PINs of smartcards in GnuPG.  What
might look like a cache is that a smartcard usually requires the PIN
only once and then keeps the key unlocked until the card is powered down
or reset.

In case you use an OpenPGP card, there is a hack to disable the PIN
requirement for a card.  You need to put this sequence into the login
data (gpg --card-edit):

  arbitrary data up to a linefeed<LF><DC4>F=02<LF>

It is best to create a file with that data:

  $ printf "foobar\n\x14F=03\n" >foo.inp

Then make sure that the default PIN is set for the card (i.e. 123456)
and use:

  $ gpg --card-edit
  gpg/card> admin
  gpg/card> login <foo.inp
  gpg/card> quit

to put the magic spell into the login data object.  From now on you
should no longer be asked for the PIN; instead the default PIN is passed
internally to the card.  This does not work for the Admin key.

Please test this procedure first with a test card so that you don't
accidentally brick your real on-card keys.  The code takes some
precautions but it is just too easy to get things wrong.


Shalom-Salam,

   Werner


ps.
Here is the description of the login hack:
/* GnuPG makes special use of the login-data DO, this function parses
   the login data to store the flags for later use.  It may be called
   at any time and should be called after changing the login-data DO.

   Everything up to a LF is considered a mailbox or account name.  If
   the first LF is followed by DC4 (0x14), control sequences are
   expected up to the next LF.  Control sequences are separated by FS
   (0x18) and consist of key=value pairs.  There are two keys defined:

    F=<flags>

    Where FLAGS is a plain hexadecimal number representing flag values.
    The lsb is here the rightmost bit.  Defined flags bits are:

      Bit 0 = CHV1 and CHV2 are not synchronized
      Bit 1 = CHV2 has been set to the default PIN of "123456"
              (this implies that bit 0 is also set).

    P=<pinpad-request>

    Where PINPAD_REQUEST is in the format of: <n> or <n>,<m>.
    N for user PIN, M for admin PIN.  If M is missing it means M=N.
    0 means to force not to use pinpad.

*/
-- 
Thoughts are free.  Exceptions are governed by a federal law.
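As an added example (not GnuPG's own code and not part of Werner's message), here is a parser and builder for the login-data DO layout described in the comment above; it assumes the flag and pinpad semantics exactly as that comment states them, and the sample input is the constructed `foobar` string from the printf example.

```python
# Added example (not GnuPG's own code): parse and build the OpenPGP card
# login-data DO layout described in the scdaemon comment above.
# Assumption: flag bits and P=<n>[,<m>] semantics exactly as stated there.
from dataclasses import dataclass
from typing import Optional, Tuple

LF, DC4, FS = b"\n", b"\x14", b"\x18"


@dataclass
class LoginData:
    account: bytes                             # everything up to the first LF
    flags: int = 0                             # F=<flags>, a hex number
    pinpad: Optional[Tuple[int, int]] = None   # P=<n>[,<m>] as (user, admin)

    @property
    def chv_unsynced(self) -> bool:            # bit 0: CHV1/CHV2 not in sync
        return bool(self.flags & 1)

    @property
    def chv2_is_default_pin(self) -> bool:     # bit 1: CHV2 is "123456"
        return bool(self.flags & 2)


def parse_login_data(do: bytes) -> LoginData:
    """Split the login-data DO into account name and control sequences."""
    account, sep, rest = do.partition(LF)
    ld = LoginData(account=account)
    # Control sequences are only present if the first LF is followed by DC4.
    if not sep or not rest.startswith(DC4):
        return ld
    ctrl = rest[1:].partition(LF)[0]           # everything up to the next LF
    for kv in ctrl.split(FS):                  # FS separates key=value pairs
        key, _, value = kv.partition(b"=")
        if key == b"F" and value:
            ld.flags = int(value, 16)
        elif key == b"P" and value:
            parts = [int(p) for p in value.split(b",")]
            n = parts[0]
            m = parts[1] if len(parts) > 1 else n   # missing M means M=N
            ld.pinpad = (n, m)
        # unknown keys are ignored, as the comment defines only F and P
    return ld


def build_login_data(account: bytes, flags: int, pinpad=None) -> bytes:
    """Inverse of parse_login_data; mirrors the printf example above."""
    seqs = [b"F=%02X" % flags]
    if pinpad is not None:
        seqs.append(b"P=%d,%d" % pinpad)
    return account + LF + DC4 + FS.join(seqs) + LF
```

Note that `F=03` sets both bits, matching the comment's remark that bit 1 implies bit 0; a DO that carries only `F=02` would parse as "default PIN" without the "not synchronized" bit.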