Not sure if “touch policy” is the right term, but when using Nitrokey U2F functions (webauth or to log in to the desktop via PAM) the Nitrokey can be set to require it to be physically touched. That’s desirable. However, I cannot find such an option for the GPG smart card. I expected there to be some way for the user to confirm GPG operations by touching the device, but out of the box it’s not required and I can’t seem to find any setting to add this.
For signatures you can configure the card to force an authentication. For encryption it is required once when you plug it in until the gpg agent PIN caching times out.

```
$ gpg --card-edit
gpg/card> admin
gpg/card> forcesig
# enter your admin PIN
```
I don’t mean PIN, I mean requirement to physically touch the device. Considering scenario where malicious user controls your account and uses cached password.
User presence is available for FIDO2 or the secrets module.
Thanks, I didn’t know it’s called “user presence” - are you saying it’s ONLY available for FIDO2 and secrets? Why not gpg?
The implementation follows the OpenPGP Smartcard Standard that uses entering the PIN to detect the user presence and to verify it is the rightful user of the card.
The PIN caching can be configured to timeout fast and that it is only valid for the currently logged in user. Killing the agent immediately drops access to the card.
Additionally, most users remove their key after use, or use it remotely and temporarily pass on the connection socket to the smartcard.
Thank you, I wasn’t aware of these practices, however I wouldn’t follow them personally - inserting/removing usb or turning a server on/off each time you access a password or sign a git commit would be too inconvenient and eventually would lead you to keeping them always on, which on a compromised machine/account with a keylogger getting your password would defeat the purpose. I liked the idea of “user presence” being signaled by simple gesture of touching the device - it seems to strike the right balance between convenience and security.
I understand that this may be part of OpenPGP standard, but I imagine that enhancements to the standard are still possible?
Wow, I’m such a moron, thank you, I’ve never noticed UIF (User Interaction Flag). It is off by default; setting it to on (I’ll try to set it to permanent later) solves it - the key prompts to be touched on ssh or decryption commands. Perfect!
I also appreciate that Nitrokey documentation clearly explains how permanent setting works.
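As an added example (not from this thread or from Nitrokey’s documentation): a POSIX shell script that parses `gpg --card-status` output to report, per key slot, whether a physical touch is required (UIF `on`/`permanent`) or a cached PIN alone suffices, and prints the `uif N on` card-edit commands for any slot still `off`. The status text below is constructed; the `UIF setting` and `Signature PIN` line formats are the ones gpg prints for cards that support UIF.

```shell
#!/bin/sh
# Constructed sample of `gpg --card-status` output (not a real card dump);
# only the lines relevant to touch / forced-PIN policy are kept.
SAMPLE_STATUS='Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D2760001240100000000000000000000
Signature PIN ....: not forced
UIF setting ......: Sign=on Decrypt=off Auth=permanent'

# uif_state SLOT STATUS_TEXT -> off | on | permanent | unsupported
# SLOT is one of Sign, Decrypt, Auth (the names gpg uses on the UIF line).
uif_state() {
  printf '%s\n' "$2" | awk -v slot="$1" '
    /^UIF setting/ {
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n == 2 && kv[1] == slot) { print kv[2]; found = 1; exit }
      }
    }
    END { if (!found) print "unsupported" }'
}

# sig_pin_state STATUS_TEXT -> "forced" | "not forced" (the forcesig setting)
sig_pin_state() {
  printf '%s\n' "$1" | awk -F': ' '/^Signature PIN/ { print $2; exit }'
}

# touch_required SLOT STATUS_TEXT -> exit 0 only when the slot needs a touch,
# i.e. a keylogged or cached PIN alone is not enough to use that key.
touch_required() {
  case "$(uif_state "$1" "$2")" in
    on|permanent) return 0 ;;
    *) return 1 ;;
  esac
}

# remediation STATUS_TEXT -> the `gpg --card-edit` commands that turn UIF on
# for every slot that is still off (1=Sign, 2=Decrypt, 3=Auth).
remediation() {
  for slot in Sign Decrypt Auth; do
    case "$slot" in Sign) n=1 ;; Decrypt) n=2 ;; Auth) n=3 ;; esac
    [ "$(uif_state "$slot" "$1")" = off ] && printf 'uif %s on\n' "$n"
  done
  return 0
}

# Pass --live to read the real card instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then status=$(gpg --card-status 2>/dev/null); else status=$SAMPLE_STATUS; fi
for slot in Sign Decrypt Auth; do
  if touch_required "$slot" "$status"; then printf '%-7s touch required (%s)\n' "$slot" "$(uif_state "$slot" "$status")"
  else printf '%-7s NO touch: a cached PIN alone is enough\n' "$slot"; fi
done
printf 'Signature PIN: %s\n' "$(sig_pin_state "$status")"
remediation "$status" | sed 's/^/  card-edit: /'
```

With the sample input the report flags `Decrypt` as usable with only a cached PIN and suggests `uif 2 on`; `uif N permanent` would additionally lock the choice until the card is reset.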