Presetting passphrases when using scdaemon
wk at gnupg.org
Fri Dec 13 16:08:05 CET 2019
On Wed, 11 Dec 2019 13:00, Franklin, Jason said:
> Why am I not able to preset passphrases for keys that are stored on the
> smart card? What am I missing?
Right. There is no cache for the PINs of smartcards in GnuPG. What
might look like a cache is that a smartcard usually requires the PIN
only once and then keeps the key unlocked until the card is powered down
In case you use an OpenPGP card, there is a hack to disable the PIN
requirement for a card. You need to put this sequence into the login
data (gpg --card-edit):
arbitrary data up to a linefeed<LF><DC4>F=02<LF>
It is best to create a file with that data:
$ printf "foobar\n\x14F=03\n" >foo.inp
Then make sure that the default PIN is set for the card (i.e. 123456)
$ gpg --card-edit
gpg/card> login <foo.inp
to put the magic spell into the login data object. From now on you
should not anymore be asked for the PIN but the default PIN is passed
internally to the card. This does not work for the Admin key.
Please test this procedure first with a test card so that you don't
accidently brick your real on-card keys. The code takes some
precautions but it is just too easy to get things wrong.
Here is the description of the login hack:
/* GnuPG makes special use of the login-data DO, this function parses
the login data to store the flags for later use. It may be called
at any time and should be called after changing the login-data DO.
Everything up to a LF is considered a mailbox or account name. If
the first LF is followed by DC4 (0x14) control sequence are
expected up to the next LF. Control sequences are separated by FS
(0x18) and consist of key=value pairs. There are two keys defined:
Where FLAGS is a plain hexadecimal number representing flag values.
The lsb is here the rightmost bit. Defined flags bits are:
Bit 0 = CHV1 and CHV2 are not synchronized
Bit 1 = CHV2 has been set to the default PIN of "123456"
(this implies that bit 0 is also set).
Where PINPAD_REQUEST is in the format of: <n> or <n>,<m>.
N for user PIN, M for admin PIN. If M is missing it means M=N.
0 means to force not to use pinpad.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 227 bytes
Desc: not available
More information about the Gnupg-devel