[Gpg4win-users-en] gpg-agent or scdaemon timeout not working

Mwyann mwyann at gmail.com
Fri Oct 16 17:02:00 CEST 2015


Oops, didn't reply to the list... my bad.



Hi Bernhard, and thanks for your answer.

2015-10-16 10:10 GMT+02:00 Bernhard Reiter <bernhard at intevation.de>:

> Hi Yann,
>
> On Wednesday 14 October 2015 at 12:26:10, Mwyann wrote:
> > I'm using a GPG smartcard with a Gemalto reader. I'm using it to sign
> > things and authenticate to my SSH servers. It's working quite well, but
> > there's something that doesn't work as expected.
>
> it is good that you write up your feedback here, so we can investigate
> together. I take it that you are using Gpg4win 2.2.6 (latest version)
> with the GnuPG coming with it?
>
> (It is always good to recheck and give the version number of the software
> you
> are using when writing about specific software behaviour.)
>

That's right, the latest Gpg4win 2.2.6; all the gpg software comes from it.

gpg (GnuPG) 2.0.29 (Gpg4win 2.2.6)
libgcrypt 1.6.4


>
> > When I try to configure the gpg-agent timeouts (both personal codes and
> SSH
> > keys), or even the scdaemon idle function, it just never forgets my code,
>
> > The file AppData\Roaming\gnupg\gpg-agent.conf is correctly created and
> > reflects the changes, but the options are just ignored.
>
> > The "enable-putty-support" option is recognized and useful though, so the
> > file is correctly read too.
>
> You could try to get a verbose diagnostic output from gpg-agent and look
> into it.
>
>
I started gpg-agent and scdaemon with "guru" logging, and with a quick test
here are some interesting lines:

First login (with PIN)

scdaemon:

scdaemon[8384]: chan_00000268 <- PKAUTH OPENPGP.3
2015-10-16 14:27:43 scdaemon[8384] DBG: check_pcsc_pinpad: command=20, r=27265
2015-10-16 14:27:43 scdaemon[8384] DBG: asking for PIN '||Veuillez entrer le code personnel'
scdaemon[8384]: chan_00000268 -> INQUIRE NEEDPIN ||Veuillez entrer le code personnel
scdaemon[8384]: chan_00000268 <- [ 44 20 34 34 33 34 36 31 37 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
scdaemon[8384]: chan_00000268 <- END
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=7 le=-1 em=0

gpg-agent:

gpg-agent[4668]: chan_0000017C -> PKAUTH OPENPGP.3
gpg-agent[4668]: chan_0000017C <- INQUIRE NEEDPIN ||Veuillez entrer le code personnel
2015-10-16 14:27:43 gpg-agent[4668] starting a new PIN Entry
gpg-agent[4668]: chan_00000180 <- OK Your orders please
2015-10-16 14:27:43 gpg-agent[4668] DBG: connection to PIN entry established
[..snip..PIN entry..]
gpg-agent[4668]: chan_00000180 -> BYE
gpg-agent[4668]: chan_0000017C -> [ 44 20 34 34 33 34 36 31 37 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
gpg-agent[4668]: chan_0000017C -> END
gpg-agent[4668]: chan_0000017C <- [ 44 20 7a 01 1e 05 e6 1b ec 56 a3 5e b6 24 cb 91 ...(380 byte(s) skipped) ]
gpg-agent[4668]: chan_0000017C <- OK
2015-10-16 14:27:46 gpg-agent[4668] ssh request handler for sign_request (13) ready


Second time, after 30 minutes, so it should really have timed out (but without
PIN):

scdaemon:

scdaemon[8384]: chan_00000260 <- PKAUTH OPENPGP.3
2015-10-16 14:57:40 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1

gpg-agent:

gpg-agent[4668]: chan_000001A4 -> PKAUTH OPENPGP.3
gpg-agent[4668]: chan_000001A4 <- [ 44 20 88 97 af 6d 95 cc e4 89 5c a5 f4 25 30 41 ...(386 byte(s) skipped) ]
gpg-agent[4668]: chan_000001A4 <- OK
2015-10-16 14:57:40 gpg-agent[4668] ssh request handler for sign_request (13) ready


Clearly something is bypassed, but I don't know what, nor who is storing
the PIN information.


> Another step would be to ask: Does somebody else work with a smartcard
> on windows and have the timeouts working or not working?
>
>
When I did some Google research about my issue, all I found was people
trying to do the opposite, that is, enable the cache indefinitely so they never
have to enter their code again (and I don't really see the point of having a
code if you don't want to use it, but anyway, that's not the question
here). So it wasn't very helpful, besides the fact that they were told to
change the cache options I tried myself, with no luck.



Yann
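A small decoder for the scdaemon "send apdu" debug lines quoted in the message above, added here as an example (it is not part of Yann's message nor of GnuPG). It groups the APDUs under the PKAUTH/PKSIGN/PKDECRYPT request that triggered them and names the instruction byte per the OpenPGP card specification, which makes the difference between the two sessions explicit: the first request is preceded by VERIFY (INS 20, P2 82 = PW1 for decryption/authentication), the second goes straight to INTERNAL AUTHENTICATE (INS 88) with no VERIFY at all. The sample log is constructed from the scdaemon excerpt in the message; the INTERNAL AUTHENTICATE after the first VERIFY is assumed, since the quoted excerpt stops at the VERIFY.

```python
import re

# Instruction bytes as defined in the OpenPGP card specification (ISO 7816-4 names
# where they coincide). Only the ones that show up in scdaemon debug logs are listed.
INS_NAMES = {
    0x20: "VERIFY",
    0x24: "CHANGE REFERENCE DATA",
    0x2A: "PERFORM SECURITY OPERATION",
    0x2C: "RESET RETRY COUNTER",
    0x47: "GENERATE ASYMMETRIC KEY PAIR",
    0x84: "GET CHALLENGE",
    0x88: "INTERNAL AUTHENTICATE",
    0xA4: "SELECT",
    0xCA: "GET DATA",
    0xDA: "PUT DATA",
}

# For VERIFY, P2 selects which password the card checks.
VERIFY_P2 = {
    0x81: "PW1 (signature)",
    0x82: "PW1 (decryption/authentication)",
    0x83: "PW3 (admin)",
}

APDU_RE = re.compile(
    r"send apdu: c=([0-9a-f]{2}) i=([0-9a-f]{2}) p1=([0-9a-f]{2}) p2=([0-9a-f]{2})", re.I
)
# Assuan requests that make scdaemon use a private key on the card.
REQ_RE = re.compile(r"<- (PKAUTH|PKSIGN|PKDECRYPT) (\S+)")


def decode_apdu(line):
    """Return a dict describing the APDU on a 'send apdu' debug line, or None."""
    m = APDU_RE.search(line)
    if not m:
        return None
    cla, ins, p1, p2 = (int(x, 16) for x in m.groups())
    name = INS_NAMES.get(ins, "INS %02X" % ins)
    if ins == 0x20:
        name += " " + VERIFY_P2.get(p2, "P2 %02X" % p2)
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "name": name}


def analyze(log_lines):
    """Group APDUs under the private-key request that triggered them and record
    whether the card was asked to VERIFY a password before the operation."""
    requests = []
    current = None
    for line in log_lines:
        r = REQ_RE.search(line)
        if r:
            current = {"request": r.group(1), "key": r.group(2),
                       "apdus": [], "pin_verified": False}
            requests.append(current)
            continue
        a = decode_apdu(line)
        if a is not None and current is not None:
            current["apdus"].append(a["name"])
            if a["ins"] == 0x20:
                current["pin_verified"] = True
    return requests


def report(requests):
    """One human-readable line per private-key request."""
    return ["%s %s: %s -> %s" % (
                r["request"], r["key"],
                ", ".join(r["apdus"]) or "(no APDUs)",
                "PIN verified on card" if r["pin_verified"]
                else "NO VERIFY, card already unlocked")
            for r in requests]


# Constructed sample, modelled on the scdaemon excerpt in the message above. The
# INTERNAL AUTHENTICATE after the first VERIFY is assumed (the excerpt stops at VERIFY).
SAMPLE_LOG = """\
scdaemon[8384]: chan_00000268 <- PKAUTH OPENPGP.3
2015-10-16 14:27:43 scdaemon[8384] DBG: check_pcsc_pinpad: command=20, r=27265
scdaemon[8384]: chan_00000268 -> INQUIRE NEEDPIN ||Veuillez entrer le code personnel
scdaemon[8384]: chan_00000268 <- END
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=7 le=-1 em=0
2015-10-16 14:27:46 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1
scdaemon[8384]: chan_00000260 <- PKAUTH OPENPGP.3
2015-10-16 14:57:40 scdaemon[8384] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=35 le=2048 em=1
""".splitlines()

if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Two things the decode makes visible that are worth keeping in mind when reading such logs. First, the access check for the second request was never sent to the card: the card itself satisfied it, because an OpenPGP card keeps PW1 verified for mode 82 (decryption and authentication) from the VERIFY until the card is reset or powered down, a state that gpg-agent's cache TTL options do not reach, since those only govern passphrases the agent caches for keys it holds. Second, the Assuan data line in the quoted excerpt (the one starting with bytes 44 20, i.e. "D ") carries the PIN entered by the user in clear text, the following bytes being its ASCII digits; debug logs at this level are secrets and should not be posted without redacting that line.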