Disable PIN cache

Is it possible to disable the PIN cache for (SSH) authentication for the Nitrokey Start?

I only have to enter the PIN for the first SSH connection after inserting the Nitrokey. On every subsequent SSH connection the Nitrokey seems to cache the PIN (or rather: keeps the private key open in its memory). Especially when using SSH agent forwarding I don’t have a good feeling about that.

Generally this is proper behavior per OpenPGP specification, the verified password (PIN) is in verified status until card reset (or some other peculiar event, rather irrelevant here). So technically you can unplug the key to achieve that, but that's not a great UX, I know. There’s a request to implement a SW-level feature for that in GnuPG: https://dev.gnupg.org/T3362 (and BTW Nitrokey Start supports the “VERIFY-based reset” feature they’re talking about there), but it’s not very active and is not implemented yet AFAICS.

So if unplugging is not an option for you and you run the scdaemon, you can probably try restarting it, like the last comment in that request illustrates (I haven’t tried that myself). If anyone has any better ideas - please chime in!

1 Like

I have found a workaround to reset the Nitrokey without having to remove it physically. This script resets the USB device:

#!/bin/bash
# Locate the Nitrokey Start (USB product id 4211) in sysfs and toggle its
# "authorized" attribute, which re-enumerates the device and thereby clears
# the card's verified-PIN state. Writing to sysfs requires root.
# If several matching devices are plugged in, only the first is reset.

dev=$(grep -lx 4211 /sys/bus/usb/devices/*/idProduct 2>/dev/null | head -n 1)

if [ -n "$dev" ]; then
        file=${dev%/idProduct}/authorized
        echo 0 > "$file"
        echo 1 > "$file"
else
        echo "Nitrokey Start not found." >&2
        exit 1
fi
2 Likes
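An added example, not from the thread, that generalises the script above: it finds every USB device with the given product id under a configurable sysfs root, toggles "authorized" on each, and checks that the device is authorized again afterwards. The function names, the SYSFS_ROOT and PRODUCT_ID variables and the --reset flag are this example's own; writing to "authorized" still requires root.

```shell
#!/bin/sh
# Added example (not the thread's script). Assumes the sysfs layout
# /sys/bus/usb/devices/<dev>/idProduct and the product id 4211 from the
# thread. SYSFS_ROOT can point at a constructed tree for testing.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb/devices}"
PRODUCT_ID="${PRODUCT_ID:-4211}"

# Print the sysfs directory of every USB device whose idProduct matches.
find_devices() {
    for f in "$SYSFS_ROOT"/*/idProduct; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$PRODUCT_ID" ]; then
            printf '%s\n' "${f%/idProduct}"
        fi
    done
    return 0
}

# Toggle authorized 0 -> 1 on one device directory. Returns 2 if the
# attribute is not writable (not root), 1 if the device did not come back.
reset_device() {
    dir=$1
    [ -w "$dir/authorized" ] || return 2
    echo 0 > "$dir/authorized"
    echo 1 > "$dir/authorized"
    [ "$(cat "$dir/authorized")" = "1" ]
}

# Reset all matching devices; fail if none is present or a reset fails.
reset_all() {
    devs=$(find_devices)
    if [ -z "$devs" ]; then
        echo "Nitrokey Start not found." >&2
        return 1
    fi
    for d in $devs; do      # sysfs device paths contain no spaces
        reset_device "$d" || return
    done
}

# Only perform the reset when invoked as "sh reset.sh --reset", so the
# functions can be sourced without side effects.
if [ "${1:-}" = "--reset" ]; then
    reset_all
fi
```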

Yep, that’s one of the ways of doing that. Thanks for sharing!