libpam_poldi without entering pin

Werner Koch wk at gnupg.org
Tue Oct 4 08:25:36 CEST 2005


On Sun, 02 Oct 2005 21:26:15 +0200, Jörn Bratzke said:

> I am successfully using libpam_poldi with my OpenPGP Smartcard to
> authenticate myself, but I still have a question: is there a way to
> authenticate without entering the PIN? I already tried to set the
> "Force signature PIN" option to no, but this didn't work.

With force signature pin option the card itself requires that a PIN is
presented before each signature creation; i.e. the card does not cache
the PIN internally.

We have a hack using the login-data to tell the code that the card
uses a standard PIN.  There is parsing code in app-openpgp.c but it is
not currently used.  It is on my todo list.

/* GnuPG makes special use of the login-data DO, this function parses
   the login data to store the flags for later use.  It may be called
   at any time and should be called after changing the login-data DO.

   Everything up to a LF is considered a mailbox or account name.  If
   the first LF is followed by DC4 (0x14), control sequences are
   expected up to the next LF.  Control sequences are separated by FS
   (0x28) and consist of key=value pairs.  There is one key defined:

    F=<flags>

    Where FLAGS is a plain hexadecimal number representing flag values.
    The lsb is here the rightmost bit.  Defined flags bits are:

      Bit 0 = CHV1 and CHV2 are not synchronized
      Bit 1 = CHV2 has been set to the default PIN of "123456"
              (this implies that bit 0 is also set).

*/

CHV2 is used with the authentication key.


Salam-Shalom,

   Werner
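The login-data layout described in the comment above, as an added example parser that is not GnuPG's own code: it splits the account name from the DC4-introduced control sequences, reads the F=<flags> key and derives the two documented flag bits. The DC4 and FS byte values are taken from the comment as quoted; the struct and function names are my own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LOGIN_DC4 0x14  /* introduces the control-sequence part (value from the comment) */
#define LOGIN_FS  0x28  /* separator between control sequences (value from the comment) */

typedef struct {
    char account[64];     /* everything before the first LF */
    int has_flags;        /* an F=<flags> sequence was present */
    unsigned long flags;  /* raw hexadecimal value of F=<flags> */
    int no_sync;          /* bit 0: CHV1 and CHV2 are not synchronized */
    int def_chv2;         /* bit 1: CHV2 is the default PIN; only honoured together with bit 0 */
} login_data_t;

/* Parse BUF (LEN bytes of the login-data DO) into OUT.  Returns 0 on success, -1 on malformed data. */
int parse_login_data(const unsigned char *buf, size_t len, login_data_t *out)
{
    size_t i, n = 0;
    memset(out, 0, sizeof *out);
    while (n < len && buf[n] != '\n') n++;   /* account name runs up to the first LF */
    if (n >= sizeof out->account)
        return -1;                           /* name too long for this example's buffer */
    memcpy(out->account, buf, n);
    i = n + 1;                               /* step over the LF, if there was one */
    if (i >= len || buf[i] != LOGIN_DC4)
        return 0;                            /* name only: no control sequences */
    i++;                                     /* step over DC4 */
    while (i < len && buf[i] != '\n') {      /* control sequences end at the next LF */
        if (buf[i] == LOGIN_FS || buf[i] == ' ') { i++; continue; }
        if (i + 1 < len && buf[i] == 'F' && buf[i + 1] == '=') {
            unsigned long v = 0;
            int digits = 0;
            for (i += 2; i < len && isxdigit(buf[i]); i++, digits++)
                v = v * 16 + (isdigit(buf[i]) ? buf[i] - '0' : tolower(buf[i]) - 'a' + 10);
            if (!digits)
                return -1;                   /* F= without a hexadecimal value */
            out->has_flags = 1;
            out->flags = v;
            out->no_sync = !!(v & 1);
            out->def_chv2 = (v & 3) == 3;    /* bit 1 implies bit 0, so require both */
        } else {
            /* Unknown key: skip to the next separator or the terminating LF. */
            while (i < len && buf[i] != LOGIN_FS && buf[i] != '\n') i++;
        }
    }
    return 0;
}
```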




More information about the Gnupg-users mailing list