Werner Koch wrote:

> On Thu, 17 Dec 2009 11:27:53 +0100, marco+gn...@websource.ch wrote:
>
>> As I wrote in my posting I have tried to use this option but it does not
>> work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens
>> 15 seconds after accessing the card. The card remains unlocked as long
>
> Actually it should release the card immediately after use. It is only
> a boolean switch for now.
>
> I forgot to mention that this feature is only available with pcsc and
> not with the internal driver.

That's it. I was using the internal driver. Thanks for pointing this out!

>> 1. Couldn't gpg-agent reload scdaemon in the same way when
>> default/max-cache-ttl is exceeded? This would provide the same
>> functionality for unlocked smartcards as for cached passphrases, which
>> would make sense since both are affected by the same security risk
>> (agent hijacking).
>
> If you are talking about malware on your box, nothing will help you.
> You don't have any control anymore on your box. The only advantage
> you have is that the bot needs to wait until you enter the PIN the
> next time and then it can replay the PIN as needed. Oh, you are using
> a pinpad reader - well in this case the malware just lets you sign
> something it is interested in and not what you assume.

I agree that this would not completely prevent malware from hijacking the agent for ssh authentication on a remote host. But at least it would make it more difficult, and, more importantly, the chances that I would notice the break-in are much bigger. In contrast, when the card is unlocked all the time it is sufficient for a user with superuser privileges to set some environment variables to be able to connect to a remote host using my authentication key at any time, and I have no chance to notice it.

BTW: Doesn't your argument also apply to cached passphrases? Why would you use max-cache-ttl when you assume that you are lost anyway once you lose control over your box?

In any case, what I was suggesting can easily be done by a script that regularly checks the gpg-agent log and resets the card if the last access is older than default/max-cache-ttl. So it doesn't need to be built into gpg-agent/scdaemon.

Marco

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
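The watchdog script Marco describes (check the gpg-agent log, reset the card once the last access is older than the cache TTL), written out as an added example that is not part of this thread or of GnuPG itself. It assumes GNU `date -d` for timestamp parsing, a log written with `--log-file` whose lines start with `YYYY-MM-DD HH:MM:SS`, and that card traffic shows up as `SCD ...` lines; the sample log below is constructed, and the hypothetical TTL default is 7200 seconds.

```shell
#!/bin/sh
# Constructed sample gpg-agent log (hypothetical line format; real output depends on
# the GnuPG version and the --debug level you log with).
SAMPLE_LOG="${TMPDIR:-/tmp}/gpg-agent-sample.log"
cat >"$SAMPLE_LOG" <<'EOF'
2009-12-17 11:20:00 gpg-agent[4242] ssh handler for fd 7 started
2009-12-17 11:27:53 gpg-agent[4242] DBG: chan_6 -> SCD PKAUTH OPENPGP.3
2009-12-17 11:27:54 gpg-agent[4242] DBG: chan_6 <- OK
2009-12-17 11:30:10 gpg-agent[4242] ssh handler for fd 7 terminated
EOF

# Print the epoch time (UTC) of the newest line that talked to scdaemon.
# Prints nothing and returns 1 when the log shows no card access at all.
last_card_access() {
  ts=$(grep 'SCD ' "$1" | tail -n 1 | cut -d' ' -f1,2)
  [ -n "$ts" ] || return 1
  date -u -d "$ts" +%s   # GNU date; -u makes the input parse as UTC too
}

# True (exit 0) when the card has been idle longer than TTL seconds at NOW.
# Args: logfile ttl_seconds now_epoch. A log without card access never triggers.
card_idle_too_long() {
  last=$(last_card_access "$1") || return 1
  [ $(( $3 - last )) -gt "$2" ]
}

# Forget the card state in scdaemon (and with it the verified PIN). gpg-connect-agent
# forwards commands prefixed with SCD to scdaemon; RESET is scdaemon's reset command.
reset_card() {
  gpg-connect-agent 'SCD RESET' /bye >/dev/null
}

# Entry point for a cron job or a sleep loop: log file, then TTL (defaults to the
# hypothetical 7200 s; use the same value as your max-cache-ttl).
check_and_reset() {
  log=$1; ttl=${2:-7200}
  if card_idle_too_long "$log" "$ttl" "$(date -u +%s)"; then
    reset_card
    echo "card reset: no access for more than ${ttl}s"
  fi
}
```

Run `check_and_reset ~/.gnupg/gpg-agent.log 7200` from cron every minute; the reset only fires while the card is idle, so an active session is never interrupted.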