Package: scdaemon
Version: 2.4.8-3
Severity: normal

Hi,

I recently moved my smartcard setup from a custom OpenPGP smartcard (using the SmartPGP applet [1]) to a Yubikey 5. Like a lot of people using that kind of setup, I have issues here and there when using the other features of the Yubikey (FIDO for hardware-backed ssh keys or 2FA), where gnupg/scdaemon can't access the card.

Following the great blog posts [2,3,4] by Ludovic I added `pcsc-shared` to my .scdaemon.conf (`disable-ccid` was already there). Now I don't have issues with the sharing, but I then discovered that every time I need to use a key (whether for SSH using my authentication key, or for my password manager using the encryption key) I need to provide the PIN. Indeed, scdaemon won't cache the PIN in shared mode [5]. I can understand the rationale, but it makes it really painful to use the keys.

Some things puzzle me though:

- I had the impression that the PIN was cached by the smartcard itself, not by scdaemon (inside gpg-agent), but the source code seems to imply the opposite.
- There is a discrepancy (I think) between the various levels of abstraction: pcscd will allow access to all the smartcard features, but only scdaemon will talk to the OpenPGP application.

In my opinion, if caching is not done anymore in pcsc-shared mode, it would be helpful then to implement the card-timeout or similar features in exclusive mode. This way the PIN cache would be useful during a specific duration but not prevent working with other features all the time.

Regards,
--
Yves-Alexis

[1]: https://github.com/github-af/SmartPGP
[2]: https://blog.apdu.fr/posts/2019/06/gnupg-and-pcsc-conflicts/
[3]: https://blog.apdu.fr/posts/2024/04/gnupg-and-pcsc-conflicts-episode-2/
[4]: https://blog.apdu.fr/posts/2024/12/gnupg-and-pcsc-conflicts-episode-3/
[5]: https://sources.debian.org/src/gnupg2/2.4.8-3/scd/app-openpgp.c?hl=2627#L2631

-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.16.3+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages scdaemon depends on:
ii  gpg-agent        2.4.8-3
ii  libassuan9       3.0.2-2
ii  libc6            2.41-12
ii  libgcrypt20      1.11.2-2
ii  libgpg-error0    1.55-2
ii  libksba8         1.6.7-2+b1
ii  libnpth0t64      1.8-3
ii  libreadline8t64  8.3-2
ii  libusb-1.0-0     2:1.0.29-2

scdaemon recommends no packages.

scdaemon suggests no packages.

-- no debconf information

