Smartcard not seen when reinserted

Franck Routier alci at mecadu.org
Mon Oct 2 13:35:16 CEST 2017


Le 01/10/2017 à 20:33, Matthias Apitz a écrit :
> El día domingo, octubre 01, 2017 a las 06:37:46p. m. +0200, Franck Routier escribió:
>
>> Hi,
>>
>> I have a problem where my OpenPGP smartcard is not recognized when I
>> remove it from the reader and reinsert it.
>>
>> Moreover I like to remove the card and reinsert it when needed, as when
>> used for authentication with Poldi, I'm only asked for the PIN once, and
>> then the PIN is cached (at the smartcard level if I am to believe this
>> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
>>
>> ...
> I'm using a GnuPG-card for SSH and signing. I do not think that it
> would be a good idea that the secret on the card remains unlocked after
> withdrawal (power reset) of the card, and mine does not cache it.
I agree with you, and I'm not asking for that. In fact I would like it
to ask for the pin each time I need to authenticate...
>  It works
> like this:
>
> card insert
> ssh server              --> PIN requested
> ssh server              --> no PIN requested
> gpg2 ... --sign ...     --> no PIN requested
> gpg2 ... --decrypt .... --> no PIN requested
> card remove
> card insert
> gpg2 ... --sign ...     --> PIN requested
> ssh server              --> PIN requested
> ssh server              --> no PIN requested
Thanks Matthias for your input. I think I was not clear, so let me
restate my problem.

My problem, in addition to the pin being cached "forever" (as long as
the card is inserted, with no time limit), is that when I remove and
reinsert the card, it is not recognized unless I restart gpg-agent.

So here is what happens:

card inserted
pam_poldi.so called (sudo)   --> PIN requested
pam_poldi.so called (sudo)   --> no PIN requested
pam_poldi.so called (sudo)   --> no PIN requested
card removed                 (I don't like to leave my card inserted, with no PIN validation needed!)
card inserted                --> card not seen (card error, OpenPGP card unavailable)
gpgconf --kill gpg-agent     --> card seen
pam_poldi.so called (sudo)   --> PIN requested
pam_poldi.so called (sudo)   --> no PIN requested
etc...

Hence my questions:
1) can I force PIN for authentication each time I use it (it seems that
the forcesig option is for signature only, not for authentication)
2) what can I do to have my card recognized on reinsert, without
resorting to killing gpg-agent
    --> probably with some scd-event magic that's beyond my know-how for now...

Thanks,
Franck
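The following is an added example, not code from this thread or from GnuPG: a small POSIX shell helper that applies the workaround Franck describes (`gpgconf --kill gpg-agent`) only when scdaemon has actually lost the card, instead of killing the agent before every use. It assumes GnuPG 2.1 or later, where `gpg-connect-agent 'scd serialno' /bye` answers with an `S SERIALNO ...` status line when the card is readable and an `ERR ...` line (the wording "Card error" is assumed) when it is not; the serial number in the comment is constructed.

```shell
#!/bin/sh
# Added example: restart gpg-agent (and with it scdaemon) only when the
# OpenPGP card is no longer visible. Assumes GnuPG 2.1+.

# Classify one reply line from 'gpg-connect-agent "scd serialno" /bye'.
# Prints "present", "absent" or "unknown".
classify_scd_reply() {
    reply="$1"
    case "$reply" in
        "S SERIALNO "*) echo present ;;   # e.g. "S SERIALNO D2760001240102000006123456780000" (constructed)
        "ERR "*)        echo absent ;;    # e.g. "ERR 100696144 Card error <SCD>" (assumed wording)
        *)              echo unknown ;;   # no agent running, command missing, etc.
    esac
}

# Ask the running scdaemon for the card serial; print the first status/error line.
query_card() {
    gpg-connect-agent 'scd serialno' /bye 2>/dev/null | grep -E '^(S SERIALNO|ERR)' | head -n 1
}

# Return 0 when the card is usable. If scdaemon lost it, apply the
# workaround from the post once (kill gpg-agent) and re-check.
ensure_card() {
    state=$(classify_scd_reply "$(query_card)")
    if [ "$state" = present ]; then
        return 0
    fi
    gpgconf --kill gpg-agent
    sleep 1            # give the agent a moment to be restarted on the next query
    state=$(classify_scd_reply "$(query_card)")
    [ "$state" = present ]
}

# Usage: run 'ensure_card && sudo ...' so the agent is only restarted when needed.
```

Running `ensure_card` before a command that needs the card keeps the PIN-cache behaviour otherwise unchanged; it only replaces the manual `gpgconf --kill gpg-agent` step with a check-then-restart.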
