Smartcard not seen when reinserted

Matthias Apitz guru at unixarea.de
Sun Oct 1 20:33:28 CEST 2017


On Sunday, October 01, 2017 at 06:37:46 p.m. +0200, Franck Routier wrote:

> Hi,
> 
> I have a problem where my OpenPGP smartcard is not recognized when I
> remove it from the reader and reinsert it.
> 
> Moreover I like to remove the card and reinsert it when needed, as when
> used for authentication with Poldi, I'm only asked for the PIN once, and
> then the PIN is cached (at the smardcard level if I am to believe this
> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
> 
> ...

I'm using a GnuPG card for SSH and signing. I do not think that it
would be a good idea for the secret on the card to remain unlocked after
withdrawal (power reset) of the card, and mine does not cache it. It works
like this:

card insert
ssh server              --> PIN requested
ssh server              --> no PIN requested
gpg2 ... --sign ...     --> no PIN requested
gpg2 ... --decrypt .... --> no PIN requested
card remove
card insert
gpg2 ... --sign ...     --> PIN requested
ssh server              --> PIN requested
ssh server              --> no PIN requested

i.e. it seems that unlocking the SSH key unlocks the signing key as
well, but not the other way around.

Imagine you pull out the card in your office/restaurant, lose the card,
someone finds it before you notice the loss and inserts the card in your
system... No, a card that "survives" a withdrawal unlocked is not a good
idea.

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Whoever does not celebrate lost the War.

