Passphrase cache w/Yubikey varies: sign vs auth

Steve McKown
Hi,

I'm using a Yubikey NEO with GnuPG 2.1.11 on Ubuntu 16.04 LTS.
Everything is working fine except that caching of the passphrase works
differently depending upon whether the first operation is sign or
authenticate.  I can show this with two GnuPG operations: sign a file
and ssh key-based login (I'm using gpg-agent.conf enable-ssh-support).

If after inserting the Yubikey I sign first and then ssh second, both
operations ask for the passphrase via pinentry.

  gpg2 --clearsign somefile  # pinentry dialog
  ssh someserver             # pinentry dialog

I'm not sure why the ssh login above asks again for the passphrase.

If after re-inserting the Yubikey I do ssh before sign, the sign uses
the passphrase cached from the previous ssh, as expected:

  ssh someserver             # pinentry dialog
  gpg2 --clearsign somefile  # NO pinentry dialog

It is true that the passphrase entered on first sign is cached, because
if I run two back to back the second doesn't ask.  Again, after
re-inserting the Yubikey:

  gpg2 --clearsign somefile  # pinentry dialog
  gpg2 --clearsign somefile  # NO pinentry dialog

The pinentry dialog for signing includes the text "[sigs done:NNN]" that
is not present for auth or crypt operations.

Can someone explain why ssh after sign asks for the passphrase again,
and what I might be able to do to avoid this condition?  It's not a big
deal, but I do wonder if it suggests a misconfiguration on my part.

Thanks,
Steve

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Passphrase cache w/Yubikey varies: sign vs auth

NIIBE Yutaka
Steve McKown <[hidden email]> wrote:
> Can someone explain why ssh after sign asks for the passphrase again,
> and what I might be able to do to avoid this condition?  It's not a big
> deal, but I do wonder if it suggests a misconfiguration on my part.

It is not a misconfiguration.  It is expected behavior.

Please note that there is no passphrase cache on the host side for a
smartcard.  It is the OpenPGP card which has the "authenticated" status.
Once it gets authenticated by PIN, a user can ask for crypto operations.

And there are two different authenticated statuses for a user.  We call
them CHV1 and CHV2, where CHV means Card Holder Verification.  One for
signing (CHV1) and another for others (= decryption and authentication,
CHV2).

For OpenPGP card itself, CHV1 and CHV2 are independent (for v2 and
later).

By using GnuPG, they are not independent.  When a user authenticates for
CHV2, CHV1 is also authenticated automatically (provided the flag of the
card for "Signature PIN" is "not forced").  When a user authenticates for
CHV1, CHV2 is not affected.

I agree this is a bit confusing.  I don't know why it is so.  Perhaps,
we had some compatibility issue with older OpenPGP card.

I don't think we have an easy way to avoid being asked for the PIN for SSH
after signing.
--

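To make the CHV1/CHV2 rule in the reply above concrete, here is an added Python model (not GnuPG's or the OpenPGP card's own code) of which operations in a sequence prompt for the PIN after one card insertion. The forced-PIN branch assumes the OpenPGP card specification's behaviour that a forced signature PIN is valid for only one signature.

```python
# Added model (not GnuPG or OpenPGP card code): simulates the card's two
# Card Holder Verification states, CHV1 (signing) and CHV2 (decrypt/auth),
# plus the GnuPG-side rule from the reply: verifying CHV2 also marks CHV1
# verified unless the card's "Signature PIN" flag is forced.
from dataclasses import dataclass, field
from typing import List

SIGN, DECRYPT, AUTH = "sign", "decrypt", "auth"


@dataclass
class CardSession:
    """State held on the card for one insertion; reinserting discards it."""
    force_sig_pin: bool = False   # card's "Signature PIN" flag (assumed default: not forced)
    chv1: bool = False            # PIN verified for signing
    chv2: bool = False            # PIN verified for decryption and authentication
    sigs_done: int = 0            # signature counter shown as "[sigs done:NNN]"
    prompts: List[str] = field(default_factory=list)

    def _verify(self, chv: str) -> None:
        # A pinentry prompt stands in for the user typing the PIN.
        self.prompts.append(f"pinentry for {chv}")
        if chv == "CHV2":
            self.chv2 = True
            if not self.force_sig_pin:     # GnuPG side effect described in the thread
                self.chv1 = True
        else:
            self.chv1 = True

    def run(self, op: str) -> bool:
        """Perform one operation; return True if pinentry had to be shown."""
        before = len(self.prompts)
        if op == SIGN:
            if not self.chv1:
                self._verify("CHV1")
            self.sigs_done += 1
            if self.force_sig_pin:         # assumption from the OpenPGP card spec:
                self.chv1 = False          # a forced signature PIN covers one signature
        elif op in (DECRYPT, AUTH):
            if not self.chv2:
                self._verify("CHV2")
        else:
            raise ValueError(op)
        return len(self.prompts) > before


def prompts_for(ops: List[str], force_sig_pin: bool = False) -> List[bool]:
    """Which operations in a sequence (after one insertion) prompt for the PIN."""
    card = CardSession(force_sig_pin=force_sig_pin)
    return [card.run(op) for op in ops]
```

Running `prompts_for(["sign", "auth"])` reproduces the original post's sign-then-ssh case (two prompts), while `prompts_for(["auth", "sign"])` reproduces the ssh-then-sign case (one prompt).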

Re: Passphrase cache w/Yubikey varies: sign vs auth

Steve McKown
On 04/09/2017 08:49 PM, NIIBE Yutaka wrote:

> Steve McKown <[hidden email]> wrote:
>> Can someone explain why ssh after sign asks for the passphrase again,
>> and what I might be able to do to avoid this condition?  It's not a big
>> deal, but I do wonder if it suggests a misconfiguration on my part.
>
> It is not a misconfiguration.  It is expected behavior.
>
> Please note that there is no passphrase cache on the host side for a
> smartcard.  It is the OpenPGP card which has the "authenticated" status.
> Once it gets authenticated by PIN, a user can ask for crypto operations.
>
> And there are two different authenticated statuses for a user.  We call
> them CHV1 and CHV2, where CHV means Card Holder Verification.  One for
> signing (CHV1) and another for others (= decryption and authentication,
> CHV2).
>
> For OpenPGP card itself, CHV1 and CHV2 are independent (for v2 and
> later).
>
> By using GnuPG, they are not independent.  When a user authenticates for
> CHV2, CHV1 is also authenticated automatically (provided the flag of the
> card for "Signature PIN" is "not forced").  When a user authenticates for
> CHV1, CHV2 is not affected.
>
> I agree this is a bit confusing.  I don't know why it is so.  Perhaps,
> we had some compatibility issue with older OpenPGP card.
>
> I don't think we have an easy way to avoid being asked for the PIN for SSH
> after signing.
>

Thanks for the clear and informative answer.  Much appreciated!
