cache-timeout not working with smartcard

marco+gnupg at websource.ch marco+gnupg at websource.ch
Thu Dec 17 11:27:53 CET 2009


Werner Koch wrote:
> On Wed, 16 Dec 2009 16:27:29 +0100, Marco Steinacher wrote:
> 
>> option (scdaemon) seem to work. I have set all timeouts to very low
>> values but the PIN is still cached forever (by the card?), as long as
> 
> There is no cache for a PIN.  A card is usually unlocked after the PIN
> as been given until the card is powered down.   Thus is seems that
> there is a cache.

OK, so my question is about powering down the card and not about caching.


> You can power down the card using the option
> 
>   @item --card-timeout @var{n}

As I wrote in my posting I have tried to use this option but it does not
work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens
 15 seconds after accessing the card. The card remains unlocked as long
as scdaemon is running. Nothing is written to the logfile after 15
seconds, even when the 'guru' debugging level is set. What could prevent
this from working properly? BTW, I'm using the following versions:

scdaemon (GnuPG) 2.0.13
libgcrypt 1.4.1
libksba 1.0.3


>> Another thing, which is probably connected to the cache problem, is that
>> I have to kill the scdaemon (with SIGKILL) after disconnecting and
> 
> Better use "gpgconf --reload scdaemon".

OK, thanks for that hint. This leads me to some (maybe naïve?) thoughts:

1. Couldn't gpg-agent reload scdaemon in the same way when
default/max-cache-ttl is exceeded? This would provide the same
functionality for unlocked smartcards as for cached passphrases, which
would make sense since both are affected by the same security risk
(agent hijacking).

2. Couldn't scdaemon be configured to also access the signature key on
the card every time, even if only the authentication or encryption key
is needed? Then, entering the PIN would be required also every time for
e.g. ssh authentication (if the force-sig flag is set on the card). This
would basically provide the same functionality as 'card-timeout 1'
(provided that it works) without the trouble of powering down and up the
card.

Marco





More information about the Gnupg-users mailing list