cache-timeout not working with smartcard

marco+gnupg at websource.ch
Thu Dec 17 11:06:34 CET 2009


Olav Seyfarth wrote:
> Hi Marco,
> 
>> I'm using gnupg with an OpenPGP smartcard for a few days now and
>> basically it works very well. However, one thing bothers me a bit:
>> Neither the cache-timeout options (gpg-agent) nor the card-timeout
>> option (scdaemon) seem to work. I have set all timeouts to very low
>> values but the PIN is still cached forever (by the card?), as long as
>> the card is not removed and scdaemon is running. Sending SIGHUP to
>> scdaemon does not work either, although the manpage suggests this.
>> Only killing scdaemon with SIGKILL helps. The LED on the card reader
>> (SCR-335) always remains on after using it for the first time. For keys
>> that are not on the smartcard the cache-timeout works correctly.
> 
> in --card-status, what's the setting of "Signature PIN ....: " ?
> You may alter it to "forced" using --card-edit   admin   forcesig

Thanks, Olav, for this hint. Unfortunately it does not help in my case.
I forgot to mention that I'm referring mainly to ssh authentication
through gpg-agent. In that case (and also for decryption) the 'Signature
PIN' setting doesn't have an effect (it works perfectly for signatures,
though). My main concern is that the probability of a successful
hijacking of the gpg-agent/ssh-agent is much higher when the PIN is
cached for a long time than it would be with short cache-timeout settings.

Marco
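For readers who want to reproduce the setup Marco describes, the configuration below is an added example, not text from the thread. It shows the two files involved: gpg-agent.conf holds the TTLs for passphrases and PINs that gpg-agent caches itself (the ssh-specific TTLs cover keys used through the agent's ssh-agent emulation), while scdaemon.conf holds card-timeout, which tells scdaemon to power the card down when no client is using it. The numeric values are assumptions chosen to be short; the file paths assume the default ~/.gnupg home directory.

```conf
# ~/.gnupg/gpg-agent.conf  (added example; values are assumptions)
# TTLs in seconds for entries gpg-agent caches itself.  These only
# govern what the agent holds; a card's own PIN-verified state is
# separate and persists until the card is reset or powered down.
default-cache-ttl 60
max-cache-ttl 120
# Same limits for keys used via the agent's ssh-agent emulation.
default-cache-ttl-ssh 60
max-cache-ttl-ssh 120

# ~/.gnupg/scdaemon.conf  (added example; value is an assumption)
# Power the card down after this many seconds without an active client.
# A powered-down card must be presented the PIN again on next use.
card-timeout 30
```

After editing, reload the agent with `gpg-connect-agent reloadagent /bye` (or restart it) so the new values are read. The thread's point still applies: on Marco's setup, card-timeout and SIGHUP did not cause the card to drop its verified state, so `gpg --card-status` showing a "Signature PIN" of "forced" only protects signing, not the authentication and decryption keys he is concerned about, and the page offers no resolution beyond killing scdaemon.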
