cache-timeout not working with smartcard

Werner Koch wk at
Thu Dec 17 13:56:34 CET 2009

On Thu, 17 Dec 2009 11:27:53 +0100, marco+gnupg at wrote:

> As I wrote in my posting I have tried to use this option but it does not
> work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens
>  15 seconds after accessing the card. The card remains unlocked as long

Actually it should release the card immediatley after use. It is only
a boolean switch for now.

I forgot to mention that this feature is only available with pcsc and
not with the internal driver.

> 1. Couldn't gpg-agent reload scdaemon in the same way when
> default/max-cache-ttl is exceeded? This would provide the same
> functionality for unlocked smartcards as for cached passphrases, which
> would make sense since both are affected by the same security risk
> (agent hijacking).

If you are talking about malware on your box, nothing will help you.
You don't have any control anymore on your box.  The only advantage
you have is that the bot needs to wait until you enter the PIN the
next time and then it can replay the PIN as needed.  Oh, you are using
a pinpad reader - well in this case the malware just et you sign
something it is interested in and not what you assume.

> 2. Couldn't scdaemon be configured to also access the signature key on
> the card every time, even if only the authentication or encryption key
> is needed? Then, entering the PIN would be required also every time for
> e.g. ssh authentication (if the force-sig flag is set on the card). This
> would basically provide the same functionality as 'card-timeout 1'
> (provided that it works) without the trouble of powering down and up the

Why would you want to do that?  See above.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list