
List:       gpg4win-users-en
Subject:    [Gpg4win-users-en]  gpg-agent or scdaemon timeout not working
From:       Mwyann <mwyann () gmail ! com>
Date:       2015-10-16 15:02:00
Message-ID: CANN-dTS==5o3NJuZEO9GT0iVoUnoFRc=pX_YpK5drdh5kOhTKg () mail ! gmail ! com


Oops, didn't reply to the list... my bad.



Hi Bernhard, and thanks for your answer.

2015-10-16 10:10 GMT+02:00 Bernhard Reiter <bernhard@intevation.de>:

> Hi Yann,
>
> On Wednesday 14 October 2015 at 12:26:10, Mwyann wrote:
> > I'm using a GPG smartcard with a Gemalto reader. I'm using it to sign
> > things and authenticate to my SSH servers. It's working quite well, but
> > there's something that doesn't work as expected.
>
> it is good that you write up your feedback here, so we can investigate
> together. I take it that you are using Gpg4win 2.2.6 (latest version)
> with the GnuPG coming with it?
>
> (It is always good to recheck and give the version number of the software
> you are using when writing about specific software behaviour.)
>

That's right, latest GPG4Win 2.2.6, all the gpg software comes from it.

gpg (GnuPG) 2.0.29 (Gpg4win 2.2.6)
libgcrypt 1.6.4


>
> > When I try to configure the gpg-agent timeouts (both personal codes and
> > SSH keys), or even the scdaemon idle function, it just never forgets my code,
>
> > The file AppData\Roaming\gnupg\gpg-agent.conf is correctly created and
> > reflects the changes, but the options are just ignored.
>
> > The "enable-putty-support" option is recognized and useful though, so the
> > file is correctly read too.
>
> You could try to get a verbose diagnostic output from gpg-agent and look
> into it.
>
>
I started gpg-agent and scdaemon with "guru" logging, and with a quick test
here are some interesting lines:

First login (with PIN)

scdaemon:

scdaemon[8384]: chan_00000268 <- PKAUTH OPENPGP.3
2015-10-16 14:27:43 scdaemon[8384] DBG: check_pcsc_pinpad: command=20, r=27265
2015-10-16 14:27:43 scdaemon[8384] DBG: asking for PIN '||Veuillez entrer le code personnel'
scdaemon[8384]: chan_00000268 -> INQUIRE NEEDPIN ||Veuillez entrer le code personnel
scdaemon[8384]: chan_00000268 <- [ 44 20 34 34 33 34 36 31 37 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[8384]: chan_00000268 <- END
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=7 le=-1 em=0

gpg-agent:

gpg-agent[4668]: chan_0000017C -> PKAUTH OPENPGP.3
gpg-agent[4668]: chan_0000017C <- INQUIRE NEEDPIN ||Veuillez entrer le code personnel
2015-10-16 14:27:43 gpg-agent[4668] starting a new PIN Entry
gpg-agent[4668]: chan_00000180 <- OK Your orders please
2015-10-16 14:27:43 gpg-agent[4668] DBG: connection to PIN entry established
[..snip..PIN entry..]
gpg-agent[4668]: chan_00000180 -> BYE
gpg-agent[4668]: chan_0000017C -> [ 44 20 34 34 33 34 36 31 37 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
gpg-agent[4668]: chan_0000017C -> END
gpg-agent[4668]: chan_0000017C <- [ 44 20 7a 01 1e 05 e6 1b ec 56 a3 5e b6 24 cb 91 ...(380 byte(s) skipped) ]
gpg-agent[4668]: chan_0000017C <- OK
2015-10-16 14:27:46 gpg-agent[4668] ssh request handler for sign_request (13) ready


Second time, after 30 minutes, so it should really have timed out (but without
PIN):

scdaemon:

scdaemon[8384]: chan_00000260 <- PKAUTH OPENPGP.3
2015-10-16 14:57:40 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1

gpg-agent:

gpg-agent[4668]: chan_000001A4 -> PKAUTH OPENPGP.3
gpg-agent[4668]: chan_000001A4 <- [ 44 20 88 97 af 6d 95 cc e4 89 5c a5 f4 25 30 41 ...(386 byte(s) skipped) ]
gpg-agent[4668]: chan_000001A4 <- OK
2015-10-16 14:57:40 gpg-agent[4668] ssh request handler for sign_request (13) ready


Clearly something is bypassed, but I don't know what, nor who is storing
the PIN information.


> Another step would be to ask: Does somebody else work with a smartcard
> on windows and have the timeouts working or not working?
>
>
When I did some Google research about my issue, all I found was people
trying to do the opposite: that is enable cache indefinitely to never have
to enter their code again (and I don't really see the point of having a
code if you don't want to use it, but anyway, that's not the question
here). So it wasn't very helpful, besides the fact that they were told to
change the cache options I tried myself, with no luck.



Yann
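The scdaemon excerpts above can be read mechanically: in ISO 7816-4 terms the first session sends a VERIFY APDU (instruction byte 0x20, p2=82 meaning PW1 for non-signature operations on an OpenPGP card) before the INTERNAL AUTHENTICATE (0x88) that answers the SSH challenge, while the second session sends only the 0x88 and no VERIFY at all. The script below, an added example that is not part of this mail or of GnuPG, groups a scdaemon "guru" log into PKAUTH requests and reports for each whether the card was asked to verify a PIN. The sample log is constructed from the lines quoted in the thread; the 0x88 line in the first session is assumed, because the quoted excerpt stops at the VERIFY. One caveat when handling such logs: the `<- [ 44 20 34 34 ... ]` lines are the Assuan `D ` data block carrying the PIN that pinentry returned, in clear, so "guru"-level logs must be treated as secrets and scrubbed before being shared.

```python
"""Classify OpenPGP-card PKAUTH requests in a scdaemon 'guru' log by whether a
PIN VERIFY APDU was sent to the card before INTERNAL AUTHENTICATE.

Added example; not part of the mail or of GnuPG.  Line shapes follow the
scdaemon excerpts quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO 7816-4 instruction bytes as scdaemon prints them in "send apdu" lines.
INS_VERIFY = "20"          # VERIFY: presents a PIN (PW1/PW3) to the card
INS_INTERNAL_AUTH = "88"   # INTERNAL AUTHENTICATE: signs the challenge with the auth key

PKAUTH_RE = re.compile(r"<- PKAUTH (?P<keyref>\S+)")
NEEDPIN_RE = re.compile(r"-> INQUIRE NEEDPIN")
APDU_RE = re.compile(
    r"send apdu: c=(?P<cla>[0-9a-fA-F]{2}) i=(?P<ins>[0-9a-fA-F]{2}) "
    r"p1=(?P<p1>[0-9a-fA-F]{2}) p2=(?P<p2>[0-9a-fA-F]{2})"
)


@dataclass
class AuthRequest:
    keyref: str
    needpin_inquired: bool = False   # scdaemon asked gpg-agent for a PIN
    verify_p2: Optional[str] = None  # p2 of VERIFY: 81 = PW1 (sign), 82 = PW1 (other), 83 = PW3
    internal_auth_sent: bool = False

    def status(self) -> str:
        if self.verify_p2 is not None:
            return "PIN verified on card (VERIFY p2=%s)" % self.verify_p2
        if self.internal_auth_sent:
            return "no VERIFY sent; card accepted INTERNAL AUTHENTICATE on its retained PIN state"
        return "incomplete"


def parse_scdaemon_log(lines) -> List[AuthRequest]:
    """Group scdaemon log lines into PKAUTH requests and record what each one sent to the card."""
    requests: List[AuthRequest] = []
    current: Optional[AuthRequest] = None
    for line in lines:
        m = PKAUTH_RE.search(line)
        if m:
            current = AuthRequest(keyref=m.group("keyref"))
            requests.append(current)
            continue
        if current is None:
            continue
        if NEEDPIN_RE.search(line):
            current.needpin_inquired = True
            continue
        m = APDU_RE.search(line)
        if m:
            ins = m.group("ins").lower()
            if ins == INS_VERIFY:
                current.verify_p2 = m.group("p2").lower()
            elif ins == INS_INTERNAL_AUTH:
                current.internal_auth_sent = True
    return requests


# Constructed sample: the two sessions quoted in the mail (PIN data block omitted),
# with the assumed "i=88" line added to the first session.
SAMPLE_LOG = """\
scdaemon[8384]: chan_00000268 <- PKAUTH OPENPGP.3
2015-10-16 14:27:43 scdaemon[8384] DBG: check_pcsc_pinpad: command=20, r=27265
2015-10-16 14:27:43 scdaemon[8384] DBG: asking for PIN '||Veuillez entrer le code personnel'
scdaemon[8384]: chan_00000268 -> INQUIRE NEEDPIN ||Veuillez entrer le code personnel
scdaemon[8384]: chan_00000268 <- END
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=7 le=-1 em=0
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1
scdaemon[8384]: chan_00000260 <- PKAUTH OPENPGP.3
2015-10-16 14:57:40 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1
""".splitlines()


def report(lines=SAMPLE_LOG) -> List[str]:
    """One line per PKAUTH request: key reference and PIN-verification status."""
    return ["%s: %s" % (r.keyref, r.status()) for r in parse_scdaemon_log(lines)]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

Run against a real log with `report(open("scdaemon.log").read().splitlines())`. A request that reports "no VERIFY sent" shows that neither gpg-agent nor scdaemon re-prompted and that the card itself did not demand a fresh VERIFY, which narrows the question to where the verified-PIN state actually lives rather than to the gpg-agent.conf cache options.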




_______________________________________________
Gpg4win-users-en mailing list
Gpg4win-users-en@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
