poldi: [PATCH] Add option 'killscd'.

NIIBE Yutaka gniibe at fsij.org
Mon Mar 2 05:55:06 CET 2020

Ben Kibbey <bjk at luxsci.net> wrote:
> According to the manual page of scdaemon, when 'card-timeout' is
> non-zero in /etc/poldi/scdaemon.conf the card should be powered down
> after the next timer tick.

Yes.  The option is deprecated.  I pushed the change to the manual in
master; perhaps I need to apply the change to 2.2, too.

> This doesn't seem to work: I can lock my X session, then unlock it
> without the PIN of the card. I am using xlockmore as the screen
> locker.

IIUC, a single process of xlockmore keeps running under a user's
session.  If so, the behaviour can be explained.

> The attached patch fixes things by sending KILLSCD to scdaemon when
> 'killscd' is set in /etc/poldi/poldi.conf.

I see your intention of killing scdaemon.  But, I'm afraid if it really
matches (a typical) expected behaviour with screen locker / sudo.

I think that the card should reset (to nullify existing verification
status) _before_ poldi tries to use it for the authentication.  And
after unlocking a screen, it is OK (or good) to keep the card's
verification status; a user can use the card for SSH with no further
verification.
