Should Poldi lock the smart card when the screen locks?

Niibe Yutaka gniibe at fsij.org
Mon Sep 23 07:58:51 CEST 2019


Hello,

Franklin, Jason wrote:
> I'm continuing my work on the integration of Poldi and the KDE screen
> locker.

Well, it's not clear to me what kind of scenario you expect.  Could you
please elaborate?

I'm writing some of my ideas in this message.

With current implementations (Poldi, gpg-agent+scdaemon) in mind, there
are three usages of an OpenPGP card in the possible scenario(s).

 (1) Login authentication of the user by Poldi with an OpenPGP card
 (2) In the user session, use of the OpenPGP card by gpg-agent+scdaemon,
     for gpg and/or SSH, possibly Scute.
 (3) (possible) authentication of the user by Poldi for the screen locker,
     to unlock the screen

I think that those three can work well, when/if there are three
independent OpenPGP cards, one for each purpose.  If you share a single
OpenPGP card among the three purposes, you need to write a couple of hook
scripts, I suppose.

Sharing between (1) and (2), I think that there would be no or fewer
problems.  It depends on how you invoke gpg-agent+scdaemon.  You need to
make sure that scdaemon is no longer active after logout.  In a
configuration with automatic socket activation of gpg-agent by systemd,
I'm afraid scdaemon remains for some seconds after logout.

Sharing between (2) and (3) is problematic.  I think you need to write a
hook script for the screen locker, to make sure scdaemon will be killed
before the screen is locked, so that Poldi can invoke a new scdaemon for
authentication.

I'd say, sharing a single OpenPGP card for those multiple purposes is
not that simple.  It's complicated, because for (3), Poldi runs with user
privilege, while for (1) it runs with system privilege.


			*	*	*

And... I think that a typical use case of such user authentication
with a smartcard is something like:

* A smartcard is used for login authentication
* When it is removed from the card reader, either the user session
  is suspended by the screen locker, or the user gets logged out.
* In the case of a suspended session, when the user inserts the card again,
  that user will be asked for the PIN for authentication using the card.
  Then, the user session resumes.

In this use case, there should be some program watching the card reader
to detect card removal.

To achieve this kind of smartcard use, I think that Poldi is not good
enough, because it simply handles basic authentication by OpenPGP card.

Perhaps it's good to investigate how other smartcards are used to
support this scenario by other software.

I had a quick look at:

    http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html

It seems that the use case above is supported by the PAM-PKCS#11 module.
-- 
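The pre-lock hook script the message suggests for sharing a card between (2) and (3), written out as an added example (not Poldi's or GnuPG's own code). It assumes GnuPG 2.x, where `gpgconf --kill scdaemon` asks gpg-agent to terminate scdaemon and gpg-agent respawns scdaemon on demand after unlock; `loginctl lock-session` stands in for the real KDE locker command, and `pgrep` is used to confirm scdaemon has exited.

```shell
#!/bin/sh
# Hypothetical pre-lock hook (added example, not from Poldi or GnuPG).
# Stops the user's scdaemon so it no longer holds the card reader, waits
# until it is really gone, then hands over to the screen locker so Poldi
# can start its own scdaemon for the unlock authentication.
# GPGCONF, LOCKER and WAIT_SECS can be overridden for testing.
GPGCONF="${GPGCONF:-gpgconf}"
LOCKER="${LOCKER:-loginctl lock-session}"   # placeholder locker command
WAIT_SECS="${WAIT_SECS:-5}"

# Returns 0 while a scdaemon process owned by this user is still alive.
scdaemon_running() {
    pgrep -x -u "$(id -u)" scdaemon >/dev/null 2>&1
}

# Ask gpg-agent to terminate scdaemon, then poll until the process is gone.
# Returns 1 if gpgconf itself fails, 2 if scdaemon outlives WAIT_SECS.
stop_scdaemon() {
    "$GPGCONF" --kill scdaemon || return 1
    i=0
    while scdaemon_running; do
        i=$((i + 1))
        if [ "$i" -gt "$WAIT_SECS" ]; then
            return 2
        fi
        sleep 1
    done
    return 0
}

# Release the card, then lock.  The screen is locked even if the release
# failed (an unlocked screen is the worse failure); the non-zero status
# tells the caller that Poldi may not be able to reach the card.
lock_with_card_released() {
    stop_scdaemon
    rc=$?
    $LOCKER
    return $rc
}
```

Wire `lock_with_card_released` in wherever the session's lock action is triggered; after unlock nothing needs restarting, since gpg-agent starts scdaemon again the next time gpg or ssh touches the card.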