cache-timeout not working with smartcard

marco+gnupg at websource.ch
Thu Dec 17 18:04:32 CET 2009


Werner Koch wrote:
> On Thu, 17 Dec 2009 11:27:53 +0100, marco+gnupg at websource.ch wrote:
> 
>> As I wrote in my posting I have tried to use this option but it does not
>> work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens
>> 15 seconds after accessing the card. The card remains unlocked as long
> 
> Actually it should release the card immediately after use. It is only
> a boolean switch for now.
> 
> I forgot to mention that this feature is only available with pcsc and
> not with the internal driver.

That's it. I was using the internal driver. Thanks for pointing this out!


>> 1. Couldn't gpg-agent reload scdaemon in the same way when
>> default/max-cache-ttl is exceeded? This would provide the same
>> functionality for unlocked smartcards as for cached passphrases, which
>> would make sense since both are affected by the same security risk
>> (agent hijacking).
> 
> If you are talking about malware on your box, nothing will help you.
> You don't have any control anymore on your box.  The only advantage
> you have is that the bot needs to wait until you enter the PIN the
> next time and then it can replay the PIN as needed.  Oh, you are using
> a pinpad reader - well in this case the malware just let you sign
> something it is interested in and not what you assume.

I agree that this would not completely prevent malware from hijacking
the agent for ssh authentication on a remote host. But at least it would
make it more difficult, and, more importantly, the chances that I would
notice the break-in are much bigger. In contrast, when the card is
unlocked all the time it is sufficient for a user with superuser
privileges to set some environment variables to be able to connect to a
remote host using my authentication key at any time and I have no chance
to notice it.

BTW: Doesn't your argument also apply to cached passphrases? Why would
you use max-cache-ttl when you assume that you are lost anyway once you
lose control over your box?

In any case, what I was suggesting can easily be done by a script that
regularly checks the gpg-agent log and resets the card if the last
access is older than default/max-cache-ttl. So it doesn't need to be
built into gpg-agent/scdaemon.

Marco
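The watchdog script Marco sketches above, as an added example that is not part of the thread: it reads the last card access out of the gpg-agent log and, once that is older than a TTL, tells scdaemon to reset the card, which is the closest a user-space script gets to default-cache-ttl for a smartcard. It assumes gpg-agent is started with 'log-file' and 'verbose', that log timestamps are "YYYY-MM-DD HH:MM:SS" in UTC, and that card traffic shows up on log lines mentioning scdaemon (the sample log lines are constructed, not real gpg-agent output).

```shell
#!/bin/sh
# Added example, not from the thread: emulate default-cache-ttl for a smartcard by
# resetting it via scdaemon once the gpg-agent log shows no card access for TTL
# seconds. Assumed: gpg-agent runs with 'log-file' and 'verbose', log timestamps are
# "YYYY-MM-DD HH:MM:SS" in UTC, and card traffic appears on lines mentioning scdaemon.

# "YYYY-MM-DD HH:MM:SS" -> Unix epoch, in portable awk (no GNU 'date -d' needed).
to_epoch() {
    echo "$1" | awk -F'[- :]' '{
        y = $1; m = $2; d = $3
        if (m <= 2) { y -= 1; m += 12 }          # count the year from March
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print (era * 146097 + doe - 719468) * 86400 + $4 * 3600 + $5 * 60 + $6
    }'
}

# Epoch of the newest card-related log line; returns 1 if the log has none.
last_card_access() {
    ts=$(grep 'scdaemon' "$1" | tail -n 1 | awk '{ print $1 " " $2 }')
    [ -n "$ts" ] || return 1
    to_epoch "$ts"
}

# True when the card has been idle for more than $2 seconds at epoch time $3.
card_idle_exceeded() {
    last=$(last_card_access "$1") || return 1    # never used: nothing to reset
    [ $(( $3 - last )) -gt "$2" ]
}

# Ask scdaemon to reset the card, which drops its verified-PIN state.
reset_card() {
    gpg-connect-agent 'SCD RESET' /bye >/dev/null
}

case "${1:-}" in
    --run)   # e.g. from cron: card-ttl.sh --run /var/log/gpg-agent.log 600
        card_idle_exceeded "$2" "$3" "$(date +%s)" && reset_card ;;
    --demo)  # offline check against a constructed log excerpt
        tmp=$(mktemp)
        printf '%s\n' '2009-12-17 18:00:00 gpg-agent[1234] connection to scdaemon established' \
            '2009-12-17 18:04:32 gpg-agent[1234] scdaemon: PKAUTH ok' \
            '2009-12-17 18:05:00 gpg-agent[1234] handler 0x1 terminated' > "$tmp"
        now=$(( $(to_epoch '2009-12-17 18:04:32') + 628 ))
        card_idle_exceeded "$tmp" 600 "$now" && echo "idle > 600 s: reset card" \
            || echo "card used recently"
        rm -f "$tmp" ;;
esac
```

Because the reset only fires from a cron-driven check, the exposure window is the TTL plus the cron interval; a root-level attacker who can already set the agent's environment variables is still only slowed down, which is exactly the trade-off discussed above.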