Mailing List Archive

poldi: [PATCH] Add option 'killscd'.
According to the manual page of scdaemon, when 'card-timeout' is
non-zero in /etc/poldi/scdaemon.conf the card should be powered down
after the next timer tick. This doesn't seem to work: I can lock my X
session, then unlock it without the pin of the card. I am using
xlockmore as the screen locker.

The attached patch fixes things by sending KILLSCD to scdaemon when
'killscd' is set in /etc/poldi/poldi.conf.

--
Ben Kibbey
Re: poldi: [PATCH] Add option 'killscd'. [ In reply to ]
Ben Kibbey <bjk@luxsci.net> wrote:
> According to the manual page of scdaemon, when 'card-timeout' is
> non-zero in /etc/poldi/scdaemon.conf the card should be powered down
> after the next timer tick.

Yes. The option is deprecated. I pushed the change of the manual in
master, perhaps, I need to apply the change to 2.2, too.

> This doesn't seem to work: I can lock my X session, then unlock it
> without the pin of the card. I am using xlockmore as the screen
> locker.

IIUC, a single process of xlockmore keeps running under a user's
session. If so, the behaviour can be explained.

> The attached patch fixes things by sending KILLSCD to scdaemon when
> 'killscd' is set in /etc/poldi/poldi.conf.

I see your intention of killing scdaemon. But, I'm afraid if it really
matches (a typical) expected behaviour with screen locker / sudo.

I think that the card should reset (to nullify existing verification
status) _before_ poldi tries to use it for the authentication. And
after unlocking a screen, it is OK (or good) to keep card's verification
status; A user can use the card for SSH with no further verification.
--

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: poldi: [PATCH] Add option 'killscd'. [ In reply to ]
NIIBE Yutaka wrote:
>> This doesn't seem to work: I can lock my X session, then unlock it
>> without the pin of the card. I am using xlockmore as the screen
>> locker.
>
> IIUC, a single process of xlockmore keeps running under a user's
> session. If so, the behaviour can be explained.

Sorry, I was confused. There are two modes running Poldi: by root
and by normal user.

For screen locker and sudo, Poldi accesses scdaemon through gpg-agent,
thus, the verification status is kept.
--

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: poldi: [PATCH] Add option 'killscd'. [ In reply to ]
On March 2, 2020 7:33:13 AM UTC, Niibe Yutaka <gniibe@fsij.org> wrote:
>NIIBE Yutaka wrote:
>>> This doesn't seem to work: I can lock my X session, then unlock it
>>> without the pin of the card. I am using xlockmore as the screen
>>> locker.
>>
>> IIUC, a single process of xlockmore keeps running under a user's
>> session. If so, the behaviour can be explained.
>
>Sorry, I was confused. There are two modes running Poldi: by root
>and by normal user.
>
>For screen locker and sudo, Poldi accesses scdaemon through gpg-agent,
>thus, the verification status is kept.


--
Ben Kibbey

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: poldi: [PATCH] Add option 'killscd'. [ In reply to ]
On March 2, 2020 4:55:06 AM UTC, NIIBE Yutaka <gniibe@fsij.org> wrote:

>I think that the card should reset (to nullify existing verification
>status) _before_ poldi tries to use it for the authentication. And
>after unlocking a screen, it is OK (or good) to keep card's verification
>status; A user can use the card for SSH with no further verification.

I think this makes more sense. Unfortunately no time for me to patch poldi myself.

Thank you,


--
Ben Kibbey

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: poldi: [PATCH] Add option 'killscd'. [ In reply to ]
Benjamin Kibbey <bjk@luxsci.net> wrote:
> On March 2, 2020 4:55:06 AM UTC, NIIBE Yutaka <gniibe@fsij.org> wrote:
>
>>I think that the card should reset (to nullify existing verification
>>status) _before_ poldi tries to use it for the authentication. And
>>after unlocking a screen, it is OK (or good) to keep card's verification
>>status; A user can use the card for SSH with no further verification.
>
> I think this makes more sense. Unfortunately no time for me to patch
> poldi myself.

OK. I will try to improve Poldi this month. My plan is doing
two things.

(1) As you pointed out (and we agree): a change of Poldi

Always require user's PIN input.

(2) Adding a command to scdaemon so that an application can be notified
for card removal.

Currently, we have "scd-event" feature, but it is not well-designed.
I'm thinking about adding WATCH command which informs status change.


I'll report about changes here.
--

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel