Do smartcards stay unlocked forever by design?
marco+gnupg at websource.ch
Tue Jan 18 17:21:44 CET 2011
On 01/17/2011 04:03 PM, Grant Olson wrote:
> I've been using a smartcard for several months now. It's a cryptostick
> if the model is important. Every time I sign something, it asks me for
> my pin. But once the card is unlocked, ssh authentication and
> decryption seem to happen forever, regardless of any ttl-cache settings
> in gpg-agent.conf. I just want to make sure I understand the semantics
> It seems:
> 1) Once I enter my pin, the card is unlocked as long as it's connected.
> 2) I get prompted when making a signature because the sig counter gets
> incremented, and that's a write operation to the card. Decrypting and
> authenticating don't prompt because the operations don't write to the card.
I think it's rather because signing is considered more precarious than
decrypting or authenticating and not because it involves a write
operation. You can disable this behavior by changing the signature PIN
flag to 'not forced' with 'gpg --card-edit'.
> 3) The proper way to 'lock' the card is to remove it from the reader.
Yes, or if you can reload the scdaemon with 'gpgconf --reload scdaemon'.
This should have the same effect. I wrote a small script that does this
for me whenever the smartcard hasn't been used for some time. I do this
to reduce the chance that someone can use the unlocked card while I'm
away or when I forget to pull the card.
More information about the Gnupg-users