Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. devel
Feature Request: Add a --card parameter
gnupg-devel at gnupg
Jan 22, 2022, 12:57 AM
Post #1 of 2 (284 views)
Permalink
Hello,

When having several identical Yubikeys, it's not possible to choose
among them in a deterministic way.
I use different local user for daily work and admin. I want 2
different Yubikeys to hold the keys for those identities, and have the
2 yubikeys plugged all-time.

I can't use the reader-port parameter for this as both card reports
the same reader name.
$ echo scd getinfo reader_list | gpg-connect-agent --decode
D 1050:0407:X:0
D 1050:0407:X:0
OK

I did not succeed using the port number under usb neither, and I guess
this number would change depending on the insertion order of the
smartcards.

Instead I would like to use the Application ID in gnupg/card_list
number/SERIALNO:
$ echo scd getinfo card_list | gpg-connect-agent
S SERIALNO D2760001240103040006XXXXXXXX0000
OK

e.g. setting up in scdaemon.conf:
card D2760001240103040006XXXXXXXX0000
would select only this Yubikey for scdaemon operations.

scdaemon should also not lock the other readers to that several log-in
users could use their own Yubikey.

Thank you.

Romain

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Feature Request: Add a --card parameter [ In reply to ]
gnupg-devel at gnupg
Jan 23, 2022, 6:47 AM
Post #2 of 2 (284 views)
Permalink
On Sat, 22 Jan 2022 09:57, Romain Griffiths said:

> When having several identical Yubikeys, it's not possible to choose
> among them in a deterministic way.

You don't need to. GnuPG selects the approriate Yubikey automagically.
In afct, I often have several tokens inserted all wth different keys and
the correct one is always selected: For gpg as weel as for ssh.

You just need to use ghupg 2.3 or gpg4win 4.0 and don't set any
reader-port.

> scdaemon should also not lock the other readers to that several log-in
> users could use their own Yubikey.

Assuming that your are on Linux, you can setup udev rules to assign
Yubikeys to users by granting the right permissions. But having several
tokens on a multi-user machine is imho not a good idea. But I may have
misunderstood your use-case.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal