subject:"scdaemon does not \"see\" card insertion"

Re: scdaemon does not "see" card insertion

2017-07-04 Thread Matthias Apitz

El día miércoles, julio 05, 2017 a las 09:23:06a. m. +0900, NIIBE Yutaka 
escribió:

> Hello,
> 
> Matthias Apitz  wrote:
> > The script 'scd-event' is only invoked on card removal (I do just en
> > echo of the args):
> [...]
> > A card insert is only seen *after* some agent requires something, for
> > example the SSH client needs access to the secret key on the card;
> 
> Right.  Scdaemon only watches the event of card removal and card reader
> removal.
> 
> ...

Hello,

Thanks for all explanations. For now I implemented the scd-event script
as:

...

DISPLAY=:0 export DISPLAY
if [ x$status = xNOCARD ]; then
nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
while true; do
  # Signature key : 5E69 FBAC ...
  gpg2 --card-status | grep '5E69 FBAC' >> /tmp/scd-event.log  && {
  killall kscreenlocker_greet
  break
  }
  sleep 1  
done
fi

which works nice: on card removal it locks the screen and on card insert
it unlocks it fine.

> > On the UNIX system level the card insert triggers via devd(8) the start
> > of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> > This is working fine, i.e. an inserted card is useable immediately, 
> > requesting 
> > the PIN entry.
> 
> IIUC, system level service like devd can only handle the event of card
> reader insertion, not card insertion.  I may be wrong here.

No, you are correct, I was inprecise.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: scdaemon does not "see" card insertion

2017-07-04 Thread NIIBE Yutaka

Hello,

Matthias Apitz  wrote:
> The script 'scd-event' is only invoked on card removal (I do just en
> echo of the args):
[...]
> A card insert is only seen *after* some agent requires something, for
> example the SSH client needs access to the secret key on the card;

Right.  Scdaemon only watches the event of card removal and card reader
removal.

In the past, once, scdaemon implementation in 2.0 partially tried to
support watching insertion, too.  The name "scdaemon" would have implied
that, perhaps.  We couldn't go this road well, because a card reader is
shared resource and there are valid use cases for other cards.

Then, the development of scdaemon evolved as openpgp-card-helper for
GnuPG.

This focus could stabilize the use case for GnuPG, and it resulted
less conflict for other use cases for card and card reader.

> On the UNIX system level the card insert triggers via devd(8) the start
> of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> This is working fine, i.e. an inserted card is useable immediately, 
> requesting 
> the PIN entry.

IIUC, system level service like devd can only handle the event of card
reader insertion, not card insertion.  I may be wrong here.

I think that it is good for your use case to use PC/SC daemon
and its related tool.

I found a tool named card_eventmgr in:

https://github.com/OpenSC/pam_pkcs11/tree/master/src/tools/

This may help.  (No, I don't have any experience with this tool.)
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

scdaemon does not "see" card insertion

2017-07-04 Thread Matthias Apitz


Hello,

I have now the GnuPG card working fine for signing mails, SSH access and
even for using GnuPG crypted credentials in Firefox. The last issue I'm
struggling with is the use of card removal and card insert via the
'scd-event' to lock and unlock the KDE desktop.

The script 'scd-event' is only invoked on card removal (I do just en
echo of the args):

scd-event --reader-port 0 --old-code 0x0007 --new-code 0x --status NOCARD

A card insert is only seen *after* some agent requires something, for
example the SSH client needs access to the secret key on the card; than
it says:

scd-event --reader-port 0 --old-code 0x --new-code 0x0007 --status 
USABLE

On the UNIX system level the card insert triggers via devd(8) the start
of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
This is working fine, i.e. an inserted card is useable immediately, requesting 
the PIN entry.

I created a file scdaemon.conf to get debug information, here is the
resulting log:

...
2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: enter: apdu_get_status: 
slot=0 hang=0
2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: leave: apdu_get_status => 
sw=0x0 status=7
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_get_status: 
slot=0 hang=0

now the card is removed and /usr/local/sbin/pcscd is killed

2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_get_status_change failed: no 
service (0x8010001d)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_get_status => 
sw=0x1000c status=0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: Removal of a card: 0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_close_reader: 
slot=0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_disconnect: slot=0
2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_disconnect failed: no service 
(0x8010001d)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_disconnect => 
sw=0x1000a
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: apdu_close_reader => 0x1000a 
(apdu_disconnect)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_close_reader => 
0x0 (close_reader)

now scdaemon sits there, the card was already inserted again, nothing
happens

now SSH needs the key, this awakes scdaemon again and it sees the card:

2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: chan_7 <- SERIALNO
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_open_reader: 
portstr=(null)
2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader 'Identiv uTrust 
3512 SAM slot Token (55511514602745) 00 00'
2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader ''
2017-07-04 11:34:28 scdaemon[4945.802017900] reader slot 0: not connected
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: leave: apdu_open_reader => 
slot=0 [pc/sc]
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_connect: slot=0
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: feature: code=12, len=4, 
v=42330012
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=01, 
len=2, v=
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=03, 
len=1, v=

What should be changed too let scdaemon see the card insertion?

Thanks

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: scdaemon does not "see" card insertion

Re: scdaemon does not "see" card insertion

scdaemon does not "see" card insertion

3 matches

Site Navigation

Mail list logo

Footer information