Smartcard not seen when reinserted

Matthias Apitz guru at unixarea.de
Mon Oct 2 16:37:58 CEST 2017


On Monday, October 02, 2017 at 01:35:16 PM +0200, Franck Routier wrote:

> My problem, in addition to the pin being cached "forever" (as long as
> the card is inserted, with no time limit), is that when I remove and
> reinsert the card, it is not recognized unless I restart gpg-agent.
> 
> So here is what happens:
> 
> card inserted
> pam_poldi.so called (sudo)   --> PIN requested
> pam_poldi.so called (sudo)   --> no PIN requested 
> pam_poldi.so called (sudo)   --> no PIN requested
> card removed (I don't like to leave my card inserted, with no PIN
> validation needed !)
> card inserted                        --> card not seen (card error,
> OpenPGP card unavailable)
> gpgconf --kill gpg-agent       --> card seen
> pam_poldi.so called (sudo)   --> PIN requested
> pam_poldi.so called (sudo)   --> no PIN requested 
> etc...
> 
> Hence my questions:
> 1) can I force PIN for authentication each time I use it (it seems that
> the forcesig option is for signature only, not for authentication)
> 2) what can I do to have my card recognized on reinsert, without
> resorting to killing gpg-agent
>     --> probably with some scd-event magic that's beyond my know-how for
> now...

I'm using the attached 'scd-event' script to lock my display on card
removal and to unlock it on card insert. The real work in the script is
at line 107++

Maybe it can serve you a bit.

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
-------------- next part --------------
#!/bin/sh
#
# this script must be placed into the GNUPGHOME dir and named 'scd-event';
# scdaemon runs it on card reader status changes, e.g. with --status NOCARD
# on card removal. It is also run, delayed, after card insertion and *after*
# the first access to the card.
#
# we use this to lock the KDE screen on card removal and run a loop of
# 'gpg2 --card-status' to unlock the screen after card insertion
#
# guru at unixarea.de, July 2017

# NOTE: a fixed, predictable log path in /tmp is writable by every local
# user; a file under $GNUPGHOME or a per-user runtime dir is the safer choice.
echo "$0" "$@" >> /tmp/scd-event.log

PGM=scd-event

reader_port=
old_code=0x0000
new_code=0x0000
status=

tick='`'
prev=
while [ $# -gt 0 ]; do
  arg="$1"
  case $arg in
      -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//')
            ;;
         *) optarg=
            ;;
  esac
  if [ -n "$prev" ]; then
    eval "$prev=\$arg"
    prev=
    shift
    continue
  fi
  case $arg in
      --help|-h)
          cat <<EOF
Usage: $PGM [options]
$PGM is called by scdaemon on card reader status changes

Options:
  --reader-port N        Reports change for port N
  --old-code 0xNNNN      Previous status code
  --new-code 0xNNNN      Current status code
  --status USABLE|ACTIVE|PRESENT|NOCARD
                         Human readable status code

Environment:

GNUPGHOME=DIR            Set to the active homedir

EOF
          exit 0
          ;;
    
      --reader-port)  
          prev=reader_port
          ;;
      --reader-port=*)
          reader_port="$optarg"
          ;;
      --old-code)  
          prev=old_code
          ;;
      --old-code=*)
          old_code="$optarg"
          ;;
      --new-code)  
          prev=new_code
          ;;
      --new-code=*)
          new_code="$optarg"
          ;;
      --status)
          prev=status
          ;;
      --status=*)
          status="$optarg"
          ;;

      -*)
          echo "$PGM: invalid option $tick$arg'" >&2
          exit 1
          ;;

      *)
          break
          ;;
  esac
  shift
done
if [ -n "$prev" ]; then
  echo "$PGM: argument missing for option $tick$prev'" >&2
  exit 1
fi

cat <<EOF >> /tmp/scd-event.log
========================
port:     $reader_port
old-code: $old_code
new-code: $new_code
status:   $status
EOF

DISPLAY=:0 export DISPLAY
if [ x$status = xNOCARD ]; then
    echo DISPLAY: $DISPLAY >> /tmp/scd-event.log
    echo /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock >> /tmp/scd-event.log
    nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
    pid=$!
    echo ${pid}  > /tmp/scd-event.pid
    echo locked by PID ${pid} >> /tmp/scd-event.log
    echo killing fetchmail >> /tmp/scd-event.log
    fetchmail -q
    while true; do
      # is the kscreenlocker_greet still running? user might have unlocked it with PAM
      /bin/kill -0 ${pid} || {
        echo kscreenlocker_greet ${pid} disappeared >> /tmp/scd-event.log
        break
      }
      # gpg2 --card-status >> /tmp/scd-event.log 2>> /tmp/scd-event.log
      # Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      gpg2 --card-status | grep '5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11' >> /tmp/scd-event.log  && {
        # OK, key is fine unlocking the movies
        echo OK, key is fine unlocking the movies, killall kscreenlocker_greet >> /tmp/scd-event.log
        killall kscreenlocker_greet
        fetchmail
        break
      }
      sleep 1  
    done
fi
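As an added example, not part of Matthias's script or of GnuPG itself: the script above recognises the card by grepping the space-grouped fingerprint out of the human-readable `gpg2 --card-status` text. The helper below instead parses the machine-readable `gpg2 --card-status --with-colons` output, compares the signature-key fingerprint after normalising whitespace and case, and wraps the poll loop with a timeout so it cannot spin forever. `card_matches`, `wait_for_card` and the sample card-status text are hypothetical names and constructed data; the assumed layout of the `fpr:` record (signature:encryption:authentication) should be checked against your own card's colon output.

```sh
#!/bin/sh
# Added example (not from the original message or from GnuPG).

# card_sig_fpr: read `gpg2 --card-status --with-colons` output on stdin and
# print the signature-key fingerprint, i.e. the first field of the fpr: record.
# Assumed record layout (verify on your card): fpr:<sig>:<enc>:<auth>:
# Exit 1 if no fpr: record is present (no card, gpg error, empty output).
card_sig_fpr() {
    awk -F: '$1 == "fpr" { print $2; found = 1; exit }
             END { if (!found) exit 1 }'
}

# normalize_fpr: drop blanks and upper-case, so the space-grouped form shown
# by `gpg2 --card-status` compares equal to the compact colon form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# card_matches EXPECTED_FPR < card-status-output
# 0 if the card on stdin carries the expected signature key, 1 otherwise
# (no card, gpg error, empty fpr: field, or a different card).
card_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(card_sig_fpr) || return 1
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# wait_for_card EXPECTED_FPR TIMEOUT_SECONDS [CARD_STATUS_CMD]
# Poll once per second until the expected card is present; 0 when it appears,
# 1 on timeout. CARD_STATUS_CMD defaults to the real gpg2 call and is a
# parameter only so the loop can be exercised without a reader.
wait_for_card() {
    fpr=$1
    timeout=$2
    cmd=${3:-"gpg2 --card-status --with-colons 2>/dev/null"}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if eval "$cmd" | card_matches "$fpr"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}
```

In an scd-event hook the unlock branch would then read `wait_for_card "$MY_FPR" 300 && killall kscreenlocker_greet`, with the greeter's PID checked in the same loop as the original script does.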