Re: Smartcard not seen when reinserted
On 02/10/2017 at 16:37, Matthias Apitz wrote:
> On Monday, October 02, 2017 at 01:35:16 p.m. +0200, Franck Routier wrote:
>
>> My problem, in addition to the PIN being cached "forever" (as long as
>> the card is inserted, with no time limit), is that when I remove and
>> reinsert the card, it is not recognized unless I restart gpg-agent.
>>
>> So here is what happens:
>>
>> card inserted
>> pam_poldi.so called (sudo) --> PIN requested
>> pam_poldi.so called (sudo) --> no PIN requested
>> pam_poldi.so called (sudo) --> no PIN requested
>> card removed (I don't like to leave my card inserted, with no PIN
>> validation needed!)
>> card inserted --> card not seen (card error, OpenPGP card unavailable)
>> gpgconf --kill gpg-agent --> card seen
>> pam_poldi.so called (sudo) --> PIN requested
>> pam_poldi.so called (sudo) --> no PIN requested
>> etc...
>>
>> Hence my questions:
>> 1) can I force PIN for authentication each time I use it (it seems that
>> the forcesig option is for signature only, not for authentication)
>> 2) what can I do to have my card recognized on reinsert, without
>> resorting to killing gpg-agent
>> --> probably with some scd-event magic that's beyond my know-how for
>> now...
>
> I'm using the attached 'scd-event' script to lock my display on card
> removal and to unlock it on card insert. The real work in the script is
> at line 107++
>
> Maybe it can serve you a bit.
>
> matthias

Thanks Matthias for the input. I couldn't make the 'remove card' event trigger anything... (with NOCARD status).

After browsing the internet a bit more, I finally tried to install pcscd and tell scdaemon not to use its internal CCID implementation, and this worked... It also solves my other problem (PIN code being cached "forever"), as I suppose pcscd reinitializes the card state after some time.

So this is solved by using pcscd.

Thanks again,
Franck

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
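The fix Franck reports, written up as an added example (this is not code from the thread or from GnuPG): a POSIX sh helper that puts `disable-ccid` into `$GNUPGHOME/scdaemon.conf` without duplicating it and then restarts scdaemon. The option name is taken from the GnuPG manual (it turns off scdaemon's built-in CCID driver so the PC/SC path via pcscd is used), not from the thread; the script assumes GnuPG 2.1 or later and that pcscd has been installed separately.

```shell
#!/bin/sh
# Added example, not code from the thread: move scdaemon off its internal
# CCID driver onto pcscd, the change Franck reports as the fix. The option
# name "disable-ccid" comes from the GnuPG manual, not from the thread.
set -eu

# has_option FILE OPTION: succeed if FILE sets OPTION on an uncommented line.
has_option() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ensure_option FILE OPTION: append OPTION unless it is already set.
# Returns 0 if the file was changed, 1 if nothing needed doing.
ensure_option() {
    if has_option "$1" "$2"; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# apply: edit the live configuration and restart scdaemon so the new reader
# backend takes effect (gpgconf --kill is the restart already used in the thread,
# but aimed at scdaemon only, so gpg-agent keeps running).
apply() {
    home=${GNUPGHOME:-$HOME/.gnupg}
    conf=$home/scdaemon.conf
    mkdir -p "$home" && chmod 700 "$home"
    if ensure_option "$conf" disable-ccid; then
        echo "added disable-ccid to $conf"
    else
        echo "disable-ccid already set in $conf"
    fi
    # pcscd must be installed (on systemd systems it is normally socket-activated)
    command -v pcscd >/dev/null 2>&1 || echo "warning: pcscd not installed" >&2
    gpgconf --kill scdaemon
    # check: a working PC/SC setup lists the card without killing gpg-agent
    if gpg --card-status >/dev/null 2>&1; then
        echo "card seen via PC/SC"
    else
        echo "card still not seen; is pcscd running?" >&2
    fi
}

# only touch the real configuration when asked: ./fix-ccid.sh apply
case "${1:-}" in apply) apply ;; esac
```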
Re: Smartcard not seen when reinserted
On Monday, October 02, 2017 at 01:35:16 p.m. +0200, Franck Routier wrote:
> My problem, in addition to the PIN being cached "forever" (as long as
> the card is inserted, with no time limit), is that when I remove and
> reinsert the card, it is not recognized unless I restart gpg-agent.
>
> So here is what happens:
>
> card inserted
> pam_poldi.so called (sudo) --> PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> card removed (I don't like to leave my card inserted, with no PIN
> validation needed!)
> card inserted --> card not seen (card error, OpenPGP card unavailable)
> gpgconf --kill gpg-agent --> card seen
> pam_poldi.so called (sudo) --> PIN requested
> pam_poldi.so called (sudo) --> no PIN requested
> etc...
>
> Hence my questions:
> 1) can I force PIN for authentication each time I use it (it seems that
> the forcesig option is for signature only, not for authentication)
> 2) what can I do to have my card recognized on reinsert, without
> resorting to killing gpg-agent
> --> probably with some scd-event magic that's beyond my know-how for
> now...

I'm using the attached 'scd-event' script to lock my display on card removal and to unlock it on card insert. The real work in the script is at line 107++

Maybe it can serve you a bit.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
#!/bin/sh
#
# this script must be placed into GNUPGHOME dir and named 'scd-event';
# it is triggered by the scdaemon on card removal with the arg 'NOCARD'
# it will also run delayed after card insertion and *after* the first access to the card
#
# we use this to lock the KDE screen on card removal and run a loop of
# 'gpg2 --card-status' to unlock the screen after card insertion
#
# g...@unxarea.de, July 2017

# note: the log and pid files below are fixed, predictable paths in the shared /tmp
echo $0 $* >> /tmp/scd-event.log

PGM=scd-event

reader_port=
old_code=0x
new_code=0x
status=
tick='`'
prev=

# option parsing. The list archive swallowed the here-documents of the
# original; the help text and the per-option cases are reconstructed here
# from the variables the script sets (scdaemon passes --reader-port,
# --old-code, --new-code and --status).
while [ $# -gt 0 ]; do
    arg="$1"
    case $arg in
        -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//') ;;
        *)    optarg= ;;
    esac
    if [ -n "$prev" ]; then
        eval "$prev=\$arg"
        prev=
        shift
        continue
    fi
    case $arg in
        --help|-h)
            cat <<EOF
Usage: $PGM [options]
Called by scdaemon on a change of the card reader status.
Options:
  --reader-port N   reader port number
  --old-code N      previous status flags
  --new-code N      current status flags
  --status S        textual status (NOCARD on card removal)
  --help            show this help
EOF
            exit 0
            ;;
        --reader-port)   prev=reader_port ;;
        --reader-port=*) reader_port="$optarg" ;;
        --old-code)      prev=old_code ;;
        --old-code=*)    old_code="$optarg" ;;
        --new-code)      prev=new_code ;;
        --new-code=*)    new_code="$optarg" ;;
        --status)        prev=status ;;
        --status=*)      status="$optarg" ;;
        -*)
            echo "$PGM: invalid option $tick$arg'" >&2
            exit 1
            ;;
        *) break ;;
    esac
    shift
done

if [ -n "$prev" ]; then
    echo "$PGM: argument missing for option $tick$prev'" >&2
    exit 1
fi

cat <<EOF >> /tmp/scd-event.log
port: $reader_port
old-code: $old_code
new-code: $new_code
status: $status
EOF

DISPLAY=:0
export DISPLAY

if [ x$status = xNOCARD ]; then
    echo DISPLAY: $DISPLAY >> /tmp/scd-event.log
    echo /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock >> /tmp/scd-event.log
    nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
    pid=$!
    echo ${pid} > /tmp/scd-event.pid
    echo locked by PID ${pid} >> /tmp/scd-event.log
    echo killing fetchmail >> /tmp/scd-event.log
    fetchmail -q
    while true; do
        # is the kscreenlocker_greet still running?
        # user might have unlocked it with PAM
        /bin/kill -0 ${pid} || {
            echo kscreenlocker_greet ${pid} disappeared >> /tmp/scd-event.log
            break
        }
        # gpg2 --card-status >> /tmp/scd-event.log 2>> /tmp/scd-event.log
        # Signature key : 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
        # unlock only when the card that comes back carries the expected key
        gpg2 --card-status | grep '5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11' >> /tmp/scd-event.log && {
            # OK, key is fine unlocking the movies
            echo OK, key is fine unlocking the movies, killall kscreenlocker_greet >> /tmp/scd-event.log
            killall kscreenlocker_greet
            fetchmail
            break
        }
        sleep 1
    done
fi
Re: Smartcard not seen when reinserted
On 01/10/2017 at 20:33, Matthias Apitz wrote:
> On Sunday, October 01, 2017 at 06:37:46 p.m. +0200, Franck Routier wrote:
>
>> Hi,
>>
>> I have a problem where my OpenPGP smartcard is not recognized when I
>> remove it from the reader and reinsert it.
>>
>> Moreover I like to remove the card and reinsert it when needed, as when
>> used for authentication with Poldi, I'm only asked for the PIN once, and
>> then the PIN is cached (at the smartcard level if I am to believe this
>> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
>>
>> ...
>
> I'm using a GnuPG card for SSH and signing. I do not think that it
> would be a good idea that the secret on the card remains unlocked after
> withdrawal (power reset) of the card, and mine does not cache it.

I agree with you, and I'm not asking for that. In fact I would like it to ask for the PIN each time I need to authenticate...

> It works like this:
>
> card insert
> ssh server --> PIN requested
> ssh server --> no PIN requested
> gpg2 ... --sign ... --> no PIN requested
> gpg2 ... --decrypt --> no PIN requested
> card remove
> card insert
> gpg2 ... --sign ... --> PIN requested
> ssh server --> PIN requested
> ssh server --> no PIN requested

Thanks Matthias for your input. I think I was not clear, so let me restate my problem.

My problem, in addition to the PIN being cached "forever" (as long as the card is inserted, with no time limit), is that when I remove and reinsert the card, it is not recognized unless I restart gpg-agent.

So here is what happens:

card inserted
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
pam_poldi.so called (sudo) --> no PIN requested
card removed (I don't like to leave my card inserted, with no PIN validation needed!)
card inserted --> card not seen (card error, OpenPGP card unavailable)
gpgconf --kill gpg-agent --> card seen
pam_poldi.so called (sudo) --> PIN requested
pam_poldi.so called (sudo) --> no PIN requested
etc...

Hence my questions:
1) can I force PIN for authentication each time I use it (it seems that the forcesig option is for signature only, not for authentication)
2) what can I do to have my card recognized on reinsert, without resorting to killing gpg-agent
--> probably with some scd-event magic that's beyond my know-how for now...

Thanks,
Franck
Re: Smartcard not seen when reinserted
On Sunday, October 01, 2017 at 06:37:46 p.m. +0200, Franck Routier wrote:
> Hi,
>
> I have a problem where my OpenPGP smartcard is not recognized when I
> remove it from the reader and reinsert it.
>
> Moreover I like to remove the card and reinsert it when needed, as when
> used for authentication with Poldi, I'm only asked for the PIN once, and
> then the PIN is cached (at the smartcard level if I am to believe this
> https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)
>
> ...

I'm using a GnuPG card for SSH and signing. I do not think that it would be a good idea that the secret on the card remains unlocked after withdrawal (power reset) of the card, and mine does not cache it. It works like this:

card insert
ssh server --> PIN requested
ssh server --> no PIN requested
gpg2 ... --sign ... --> no PIN requested
gpg2 ... --decrypt --> no PIN requested
card remove
card insert
gpg2 ... --sign ... --> PIN requested
ssh server --> PIN requested
ssh server --> no PIN requested

i.e. it seems that unlocking the SSH key unlocks the signing key as well, but not the other way around.

Imagine you pull out the card in your office/restaurant, lose the card, someone finds it before you notice the loss and inserts the card in your system... No, a card that "survives" a withdrawal unlocked is not a good idea.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
Smartcard not seen when reinserted
Hi,

I have a problem where my OpenPGP smartcard is not recognized when I remove it from the reader and reinsert it.

Moreover I like to remove the card and reinsert it when needed, as when used for authentication with Poldi, I'm only asked for the PIN once, and then the PIN is cached (at the smartcard level if I am to believe this https://security.stackexchange.com/questions/147267/gpg-agent-keeps-saving-pin-for-a-smartcard/168312)

My problem when reinserting the card seems to be very similar to this https://lists.gt.net/gnupg/users/79006 , except I'm using a GemPC Twin SmartCard USB card reader (ID 08e6:3437 Gemalto (was Gemplus)). Restarting gpg-agent with gpgconf --kill gpg-agent does the trick but is far from ideal... the solution should be to use scd-event, if I understand the thread well.

So here are my (quite unrelated) questions:
1) is there a way to be asked for the PIN on each authentication operation? (fellowship OpenPGP card)
2) where is scd-event supposed to be located to be used? ($GNUPGHOME is not assigned on my Ubuntu system)
3) the example scd-event is full of... examples I don't really understand. Would someone be so kind as to give the magic that would make the card recognized on reinsert...

I'm sorry for not being more autonomous on this, but I couldn't make my way through the docs :-(

Best regards,
Franck