OpenPGP card: how to lock the card again so that PIN is required

Matthias Apitz guru at unixarea.de
Wed Jan 2 07:02:09 CET 2019


On Tuesday, January 01, 2019 at 06:40:56 p.m. +0100, Dirk Gottschalk wrote:

> Hello Matthias.
> 
> On Tuesday, 01.01.2019, 08:36 +0100, Matthias Apitz wrote:
> > Hello,
> 
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does not work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
> 
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

There is no config file for pcscd, only for serial devices.

Interestingly the pcscd started via devd at boot time works fine:

$ ps ax | grep pc
 536 v0- S     0:00,98 /usr/local/sbin/pcscd --debug --foreground

When I disable this start at boot time and start the same command as
root from the shell (to investigate/debug), this just hangs. Also system
USB commands, like 'usbconfig list', show the same problem. It looks
like something in the boot process after start of the above PID damages
the USB stack.

> > I have to investigate this further or change the 'scdaemon' to let it
> > directly access the OpenPGP bypassing the 'pcscd' (comments on this
> > are welcome).
> 
> You can use the internal ccid-reader of scdaemon. This should work with
> the OmniKey readers, AFAIK. You have to disable PC/SC, otherwise this
> won't work.

I did so, it shows (as started after boot) the same problem.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request
> > for the secrets (decrypt, signing, ssh) the PIN is requested?
> 
> For the signature PIN just enable the forcepin option as admin with
> --card-edit. Then for the other functions you need to power cycle the
> card, easiest done by removal and re-insertion.

Yes, this was what I did before the update :-)

Thanks for your reply anyway.

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba
instead of Nazis, to live instead of to survive.