On 01/10/2017 at 20:33, Matthias Apitz wrote:
> On Sunday, October 01, 2017 at 06:37:46 PM +0200, Franck Routier wrote:
>
>> Hi,
>>
>> I have a problem where my OpenPGP smartcard is not recognized when I
>> remove it from the reader and reinsert it.
>>
>> Moreover I like to remove the card and reinsert it when needed, as when
>> used for authentication with Poldi, I'm only asked for the PIN once, and
>> then the PIN is cached (at the smartcard level if I am to believe this
>> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
>>
>> ...
> I'm using a GnuPG-card for SSH and signing. I do not think that it
> would be a good idea that the secret on the card remain unlocked after
> withdrawal (power reset) of the card, and mine does not cache it.

I agree with you, and I'm not asking for that. In fact I would like it to ask for the PIN each time I need to authenticate...

> It works
> like this:
>
> card insert
> ssh server --> PIN requested
> ssh server --> no PIN requested
> gpg2 ... --sign ... --> no PIN requested
> gpg2 ... --decrypt .... --> no PIN requested
> card remove
> card insert
> gpg2 ... --sign ... --> PIN requested
> ssh server --> PIN requested
> ssh server --> no PIN requested

Thanks Matthias for your input. I think I was not clear, so let me restate my problem.
My problem, in addition to the PIN being cached "forever" (as long as the card is inserted, with no time limit), is that when I remove and reinsert the card, it is not recognized unless I restart gpg-agent.

So here is what happens:

card inserted
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
pam_poldi.so called (sudo) --> no PIN requested
card removed (I don't like to leave my card inserted with no PIN validation needed!)
card inserted --> card not seen (card error, OpenPGP card unavailable)
gpgconf --kill gpg-agent --> card seen
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
etc...

Hence my questions:

1) Can I force the PIN for authentication each time I use it? (It seems that the forcesig option is for signature only, not for authentication.)
2) What can I do to have my card recognized on reinsert, without resorting to killing gpg-agent? --> probably with some scd-event magic that's beyond my know-how for now...

Thanks,
Franck
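The sequence Franck describes ("card not seen" after reinsert, then "card seen" once gpg-agent is killed) can be wrapped so that the reset is only applied when a probe actually fails, rather than killing the agent before every use. The script below is an added example written for this thread, not code from GnuPG or from either poster. It uses `gpg --card-status` as the probe and the `gpgconf --kill gpg-agent` command from the thread as the reset; GPG_PROBE, GPG_RESET, MAX_TRIES and RETRY_DELAY are hypothetical override variables so the logic can be exercised without a reader attached. It does not answer either of the two questions (it neither forces a PIN for authentication nor hooks scd-event); it only bounds the workaround. Keep in mind that killing gpg-agent also discards any passphrases the agent had cached for on-disk keys, which is acceptable here since the whole point is to not keep the card unlocked.

```shell
#!/bin/sh
# Added example (not from the thread): apply Franck's workaround only when
# the card really is unavailable. Probe first; on failure kill gpg-agent
# (scdaemon goes down with it and is restarted on next use), then probe again.
# GPG_PROBE, GPG_RESET, MAX_TRIES and RETRY_DELAY are hypothetical overrides
# so the function can be tested without a card or reader.
GPG_PROBE="${GPG_PROBE:-gpg --card-status}"
GPG_RESET="${GPG_RESET:-gpgconf --kill gpg-agent}"
MAX_TRIES="${MAX_TRIES:-3}"
RETRY_DELAY="${RETRY_DELAY:-1}"

# Returns 0 as soon as the card answers the probe, 1 after MAX_TRIES failed
# probes. Each failed probe triggers exactly one agent reset, so a card that
# never comes back costs MAX_TRIES resets and then a clear failure.
ensure_card_available() {
    _tries=0
    while [ "$_tries" -lt "$MAX_TRIES" ]; do
        # Unquoted expansion is intentional: the defaults are multi-word commands.
        if $GPG_PROBE >/dev/null 2>&1; then
            return 0
        fi
        $GPG_RESET >/dev/null 2>&1
        _tries=$((_tries + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Typical use before an operation that needs the card, e.g. a Poldi-backed sudo:
#   ensure_card_available || { echo "OpenPGP card still unavailable" >&2; exit 1; }
#   sudo -v
```

Because the reset is only issued after a failed probe, a card that is already recognized (the normal case while it stays inserted) never causes an agent restart, and the retry bound stops the script from looping forever on a reader that is genuinely unplugged.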
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users