Hello,
On 2025-09-16 05:17, Yves-Alexis Perez wrote:
On Mon, 2025-09-08 at 18:57 +0200, Ludovic Rousseau wrote:
I add Yves-Alexis in Cc: since he has the exact same problem.
He created https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113729 on
scdaemon.
But I think the "problem" should be reported upstream to GnuPG
https://dev.gnupg.org/
or
https://www.gnupg.org/documentation/mailing-lists.html
It is not a problem with pcsc-lite. It is a "feature" of GnuPG.
Hi there,
I have some new data points which I would like to share. Adding both bugs on
CC: as well as Zack, who experienced issues as well and pointed me to stuff.
1) There are two GnuPG bug reports (https://dev.gnupg.org/T5436#148796 and
https://dev.gnupg.org/T7041) with similar issues. There's been a change of
behavior between 2.2 and 2.3, some of it maybe relevant to MacOS platforms,
not sure. Anyway, it seems that the PIN caching in scdaemon and/or the PIN
caching in the card itself might be wiped when the card is switched to a
different "application". So there's an advice to add `disable-application piv`
in .gnupg/scdaemon.conf. So on top of the other directives, that would be:
cat .gnupg/scdaemon.conf
pcsc-shared
disable-ccid
disable-application piv
Thanks Yves-Alexis for the added details!
I've just tried the above cocktail of options and found at first that I
could ssh to multiple hosts without getting multiple pin prompts, which
is better!
however, as soon as I login to a site in firefox with Webauthn, then the
next ssh login will again bring up the pin prompt.
so it's working better, but still not in the same way than how it was
before (i.e. I used to get one pin prompt and then not one more till I
unplugged my yubikey), unfortunately
I'll try using the above options for a bit longer to see if it's too
annoying or not. for now it's a tiny bit better than having to remember
to restart pcscd every time I plug the yubikey back in, or getting a pin
prompt every time I use the key for anything.
