PIN cache timeout

Hi all,

I have a Nitrokey Pro on Debian (buster/testing) and I’m trying to set a timeout for caching the PIN.

When I plug it in and use it for ssh (or file decryption), the PIN is required only the first time. When I use it again (without unplugging it first), the PIN is not required (no matter how long I wait).

(The issue is only with decryption/authentication. Signing requires the PIN every time, because the Signature PIN is set to forced.)

I’ve tried adding timeout settings in gpg-agent.conf and scdaemon.conf, but with no success.
The cache is cleared only if I unplug the Nitrokey or restart the scdaemon.

Do you have any ideas how a timeout can be set, so that after a specific time the PIN is required again for decryption/authentication?

Thank you in advance!
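As an added example (my own shell script, not code from this thread or from Nitrokey), here are the gpg-agent.conf cache-TTL options referred to above, which, as the replies confirm, only govern gpg-agent's passphrase cache for on-disk keys, plus a helper for the one workaround short of unplugging the token that the post reports as working: restarting scdaemon. The config path, the function names and the 60/300 second defaults are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: write_agent_cache_ttl,
# count_cache_ttl_lines, forget_card_pin; assumed defaults: 60 s / 300 s.

# Write gpg-agent's passphrase-cache TTL options to the given conf file.
# These options are real gpg-agent options, but they expire cached
# passphrases for keys stored on disk; per the thread they do not expire
# the PIN verification that the card itself holds until it is reset.
write_agent_cache_ttl() {
    conf="$1"          # e.g. "$HOME/.gnupg/gpg-agent.conf" (assumed path)
    ttl="${2:-60}"     # seconds an unused cache entry survives
    max="${3:-300}"    # hard upper bound, however often the entry is used
    mkdir -p "$(dirname "$conf")"
    # Drop earlier copies of these options so re-running replaces them.
    if [ -f "$conf" ]; then
        grep -v -E '^(default-cache-ttl|max-cache-ttl)(-ssh)?( |$)' \
            "$conf" > "$conf.tmp" || true
        mv "$conf.tmp" "$conf"
    fi
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$max" >> "$conf"
    printf 'default-cache-ttl-ssh %s\nmax-cache-ttl-ssh %s\n' "$ttl" "$max" >> "$conf"
    chmod 600 "$conf"
}

# How many of the four TTL options a conf file currently carries.
count_cache_ttl_lines() {
    grep -c -E '^(default-cache-ttl|max-cache-ttl)(-ssh)? ' "$1"
}

# Workaround from the thread: restarting scdaemon makes gpg re-open the
# card, so the next decrypt/auth asks for the PIN again without unplugging.
# Returns 2 when gpgconf is not installed so callers can tell that apart
# from a failed kill.
forget_card_pin() {
    command -v gpgconf >/dev/null 2>&1 || return 2
    gpgconf --kill scdaemon
}
```

Run `forget_card_pin` after an ssh session or a decryption (for instance from a shell alias that wraps `ssh`) to force the PIN prompt on the next use. Note that killing scdaemon also severs every other process's access to the card through the agent until it is restarted, which is the same effect unplugging has, just without touching the hardware.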

Hello @ddz39747,

it is a bit late, but hopefully it still helps.

I could reproduce the behaviour you are describing. It is not working for me either. After asking the people on the GnuPG mailing list, it turns out that the smartcards are caching the PIN and gpg is not capable of turning this off. So it seems that the settings we have made in gpg-agent.conf etc. are solely for caching of “normal” keys and not for smartcards. That means to stop the caching you probably have to pull out the card. I am sorry.

Kind regards

For current status and follow-up discussions: nitroalex submitted this issue ticket to GnuPG.

I am also interested in disabling the PIN cache or having it timeout sooner.

While I do try to disconnect the key as soon as it is no longer needed, it does feel awkward to have little to no control over which processes access the Nitrokey and the gpg keys in the meantime.