Using gnupg to crypt credentials used by application to access a database server

Werner Koch wk at gnupg.org
Tue Jul 17 19:02:55 CEST 2018


On Mon, 16 Jul 2018 09:51, wk at gnupg.org said:

> If you use a smartcard there is a hack in scdaemon which allows working
> without a PIN.

Here is what scdaemon's code has to say about this hack:

   GnuPG makes special use of the login-data DO, this function parses
   the login data to store the flags for later use.  It may be called
   at any time and should be called after changing the login-data DO.

   Everything up to a LF is considered a mailbox or account name.  If
   the first LF is followed by DC4 (0x14), control sequences are
   expected up to the next LF.  Control sequences are separated by FS
   (0x18) and consist of key=value pairs.  There are two keys defined:

    F=<flags>

    Where FLAGS is a plain hexadecimal number representing flag values.
    The lsb is here the rightmost bit.  Defined flags bits are:

      Bit 0 = CHV1 and CHV2 are not synchronized
      Bit 1 = CHV2 has been set to the default PIN of "123456"
              (this implies that bit 0 is also set).

    P=<pinpad-request>

    Where PINPAD_REQUEST is in the format of: <n> or <n>,<m>.
    N for user PIN, M for admin PIN.  If M is missing it means M=N.
    0 means to force not to use pinpad.

I have not used this for ages but something like

  $ printf "\n\x14F=03\x18" >login.data
  $ gpg --card-edit
  gpg/card> admin
  gpg/card> login <login.data

should do the trick.


Salam-Shalom,

   Werner


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
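An added example, not part of Werner's reply or of GnuPG's own code: a Python encoder/decoder for the login-data DO layout quoted above, plus a small audit helper that reports the flag settings an administrator reviewing deployed cards would want to know about. Function names, the audit wording and the sample inputs are this example's own constructions.

```python
from typing import Optional, Tuple

LF, DC4, FS = b"\n", b"\x14", b"\x18"   # separators as documented in scdaemon
FLAG_CHV_UNSYNCED = 1 << 0              # bit 0: CHV1 and CHV2 are not synchronized
FLAG_CHV2_DEFAULT = 1 << 1              # bit 1: CHV2 left at the default PIN "123456"

def build_login_data(account: str, flags: Optional[int] = None,
                     pinpad: Optional[Tuple[int, Optional[int]]] = None) -> bytes:
    """Encode an account name plus optional F=<flags> / P=<n>[,<m>] sequences."""
    out = account.encode()
    ctrl = []
    if flags is not None:
        ctrl.append(b"F=%02x" % flags)          # plain hex, lsb = rightmost bit
    if pinpad is not None:
        n, m = pinpad
        ctrl.append(b"P=%d" % n if m is None else b"P=%d,%d" % (n, m))
    if ctrl:
        out += LF + DC4 + FS.join(ctrl)        # LF, DC4, then FS-separated pairs
    return out

def parse_login_data(data: bytes) -> dict:
    """Decode the DO following the quoted rules; a trailing FS is tolerated."""
    account, sep, rest = data.partition(LF)
    info = {"account": account.decode(errors="replace"), "flags": 0, "pinpad": None}
    if sep and rest.startswith(DC4):
        for item in rest[1:].split(LF, 1)[0].split(FS):
            key, _, value = item.partition(b"=")
            if key == b"F" and value:
                info["flags"] = int(value, 16)
            elif key == b"P" and value:
                nums = [int(x) for x in value.split(b",")]
                # "If M is missing it means M=N"
                info["pinpad"] = (nums[0], nums[1] if len(nums) > 1 else nums[0])
    return info

def audit_login_data(data: bytes) -> list:
    """Findings a reviewer of a card's login-data DO would want reported."""
    info = parse_login_data(data)
    findings = []
    if info["flags"] & FLAG_CHV2_DEFAULT:
        findings.append("CHV2 is the default PIN: card usable without a real PIN")
        if not info["flags"] & FLAG_CHV_UNSYNCED:
            findings.append("bit 1 set without bit 0: inconsistent flags")
    if info["pinpad"] == (0, 0):
        findings.append("pinpad disabled: PIN entered on host keyboard")
    return findings

if __name__ == "__main__":
    # Constructed input: the bytes Werner's printf line writes to login.data
    print(audit_login_data(b"\n\x14F=03\x18"))
```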