scdaemon does not "see" card insertion

scdaemon does not "see" card insertion

Matthias Apitz

Hello,

I have now the GnuPG card working fine for signing mails, SSH access and
even for using GnuPG crypted credentials in Firefox. The last issue I'm
struggling with is the use of card removal and card insert via the
'scd-event' to lock and unlock the KDE desktop.

The script 'scd-event' is only invoked on card removal (I do just an
echo of the args):

scd-event --reader-port 0 --old-code 0x0007 --new-code 0x0000 --status NOCARD

A card insert is only seen *after* some agent requires something, for
example the SSH client needs access to the secret key on the card; then
it says:

scd-event --reader-port 0 --old-code 0xFFFFFFFF --new-code 0x0007 --status USABLE

On the UNIX system level the card insert triggers via devd(8) the start
of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
This is working fine, i.e. an inserted card is usable immediately, requesting
the PIN entry.

I created a file scdaemon.conf to get debug information, here is the
resulting log:

...
2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: enter: apdu_get_status: slot=0 hang=0
2017-07-04 11:33:51 scdaemon[4945.802016000] DBG: leave: apdu_get_status => sw=0x0 status=7
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_get_status: slot=0 hang=0

now the card is removed and /usr/local/sbin/pcscd is killed

2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_get_status_change failed: no service (0x8010001d)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_get_status => sw=0x1000c status=0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: Removal of a card: 0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_close_reader: slot=0
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: enter: apdu_disconnect: slot=0
2017-07-04 11:33:52 scdaemon[4945.802016000] pcsc_disconnect failed: no service (0x8010001d)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_disconnect => sw=0x1000a
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: apdu_close_reader => 0x1000a (apdu_disconnect)
2017-07-04 11:33:52 scdaemon[4945.802016000] DBG: leave: apdu_close_reader => 0x0 (close_reader)

now scdaemon sits there, the card was already inserted again, nothing
happens

now SSH needs the key, this awakes scdaemon again and it sees the card:

2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: chan_7 <- SERIALNO
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_open_reader: portstr=(null)
2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader 'Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00'
2017-07-04 11:34:28 scdaemon[4945.802017900] detected reader ''
2017-07-04 11:34:28 scdaemon[4945.802017900] reader slot 0: not connected
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: enter: apdu_connect: slot=0
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: feature: code=12, len=4, v=42330012
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=01, len=2, v=00000000
2017-07-04 11:34:28 scdaemon[4945.802017900] DBG: TLV properties: tag=03, len=1, v=00000000

What should be changed to let scdaemon see the card insertion?

Thanks

        matthias


--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: scdaemon does not "see" card insertion

NIIBE Yutaka
Hello,

Matthias Apitz <[hidden email]> wrote:
> The script 'scd-event' is only invoked on card removal (I do just an
> echo of the args):
[...]
> A card insert is only seen *after* some agent requires something, for
> example the SSH client needs access to the secret key on the card;

Right.  Scdaemon only watches the event of card removal and card reader
removal.

In the past, once, the scdaemon implementation in 2.0 partially tried to
support watching insertion, too.  The name "scdaemon" would have implied
that, perhaps.  We couldn't go this road well, because a card reader is a
shared resource and there are valid use cases for other cards.

Then, the development of scdaemon evolved into an openpgp-card-helper for
GnuPG.

This focus could stabilize the use case for GnuPG, and it resulted in
less conflict with other use cases for cards and card readers.

> On the UNIX system level the card insert triggers via devd(8) the start
> of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> This is working fine, i.e. an inserted card is useable immediately, requesting
> the PIN entry.

IIUC, system level service like devd can only handle the event of card
reader insertion, not card insertion.  I may be wrong here.

I think that it is good for your use case to use the PC/SC daemon
and its related tools.

I found a tool named card_eventmgr in:

    https://github.com/OpenSC/pam_pkcs11/tree/master/src/tools/

This may help.  (No, I don't have any experience with this tool.)

Re: scdaemon does not "see" card insertion

Matthias Apitz
On Wednesday, July 05, 2017 at 09:23:06 a.m. +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz <[hidden email]> wrote:
> > The script 'scd-event' is only invoked on card removal (I do just an
> > echo of the args):
> [...]
> > A card insert is only seen *after* some agent requires something, for
> > example the SSH client needs access to the secret key on the card;
>
> Right.  Scdaemon only watches the event of card removal and card reader
> removal.
>
> ...
Hello,

Thanks for all explanations. For now I implemented the scd-event script
as:

...

DISPLAY=:0 export DISPLAY
# $status holds the --status value (NOCARD / USABLE) passed by scdaemon
if [ "x$status" = "xNOCARD" ]; then
    # card removed: lock the KDE desktop right away
    nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
    # poll once a second until the card is back, then unlock
    while true; do
      # Signature key ....: 5E69 FBAC ...
      gpg2 --card-status | grep '5E69 FBAC' >> /tmp/scd-event.log && {
        killall kscreenlocker_greet
        break
      }
      sleep 1
    done
fi

which works nicely: on card removal it locks the screen and on card insert
it unlocks it.

> > On the UNIX system level the card insert triggers via devd(8) the start
> > of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> > This is working fine, i.e. an inserted card is useable immediately, requesting
> > the PIN entry.
>
> IIUC, system level service like devd can only handle the event of card
> reader insertion, not card insertion.  I may be wrong here.

No, you are correct, I was imprecise.

        matthias
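A fuller version of the same idea, as an added example that is neither the script posted in this thread nor part of GnuPG: a POSIX sh scd-event handler that parses the argument pairs scdaemon passes (the --reader-port/--old-code/--new-code/--status form shown above), locks on NOCARD, and then polls gpg2 --card-status until the card whose full signature-key fingerprint matches the expected one is back before unlocking, giving up after a bounded number of polls so the screen stays locked otherwise. The fingerprint value, the lock/unlock commands and the overridable CARD_STATUS_CMD are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread or part of GnuPG.
# scd-event handler: lock on card removal, unlock only when the expected card
# is back. Everything below is overridable so the logic can be exercised
# without a desktop session or a reader.

# Full fingerprint of the card's signature key, spaces removed.
# The value is a constructed placeholder: replace it with your own card's.
EXPECTED_FPR="${EXPECTED_FPR:-5E69FBAC00112233445566778899AABBCCDDEEFF}"
CARD_STATUS_CMD="${CARD_STATUS_CMD:-gpg2 --card-status}"
LOCK_CMD="${LOCK_CMD:-echo lock}"       # e.g. kscreenlocker_greet --immediateLock
UNLOCK_CMD="${UNLOCK_CMD:-echo unlock}" # e.g. killall kscreenlocker_greet
POLL_INTERVAL="${POLL_INTERVAL:-1}"     # seconds between card-status polls
MAX_POLLS="${MAX_POLLS:-600}"           # give up (stay locked) after this many

# parse_scd_args: reads the option pairs scdaemon passes to scd-event
# (--reader-port N --old-code X --new-code Y --status S) into SCD_* vars.
# Returns 1 on an unknown or dangling option rather than guessing.
parse_scd_args() {
    SCD_READER_PORT='' SCD_OLD_CODE='' SCD_NEW_CODE='' SCD_STATUS=''
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || return 1
        case "$1" in
            --reader-port) SCD_READER_PORT="$2" ;;
            --old-code)    SCD_OLD_CODE="$2" ;;
            --new-code)    SCD_NEW_CODE="$2" ;;
            --status)      SCD_STATUS="$2" ;;
            *)             return 1 ;;
        esac
        shift 2
    done
    [ -n "$SCD_STATUS" ]
}

# fingerprint_of_card: prints the signature-key fingerprint taken from the
# "Signature key ....: XXXX XXXX ..." line of the card status output, with
# spaces removed, or nothing when no card answers.
fingerprint_of_card() {
    $CARD_STATUS_CMD 2>/dev/null \
        | sed -n 's/^Signature key \.*: *//p' \
        | tr -d ' '
}

# card_is_expected: true only for an exact match of the whole fingerprint,
# so a different OpenPGP card in the reader does not unlock the screen.
card_is_expected() {
    fpr=$(fingerprint_of_card)
    [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ]
}

# wait_for_expected_card: bounded poll loop; 0 when the expected card
# appears, 1 on timeout (the caller then leaves the screen locked).
wait_for_expected_card() {
    n=0
    while [ "$n" -lt "$MAX_POLLS" ]; do
        card_is_expected && return 0
        n=$((n + 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# handle_event: entry point for the arguments scdaemon passes.
# Prints the outcome so it can be checked without a desktop session.
handle_event() {
    parse_scd_args "$@" || { echo "bad-args"; return 2; }
    case "$SCD_STATUS" in
        NOCARD)
            $LOCK_CMD
            if wait_for_expected_card; then
                $UNLOCK_CMD
                echo "unlocked"
            else
                echo "timeout"
                return 1
            fi
            ;;
        USABLE)
            # As the thread explains, this only arrives after some client
            # woke scdaemon; the polling above already covers unlocking.
            echo "usable-noop"
            ;;
        *)
            echo "ignored:$SCD_STATUS"
            ;;
    esac
}

# When run as the scd-event script, dispatch on scdaemon's arguments.
if [ $# -gt 0 ]; then
    handle_event "$@"
fi
```

Installed as the scd-event script with LOCK_CMD and UNLOCK_CMD pointing at the real screen-locker commands, the NOCARD branch behaves like the loop above but refuses to unlock for any card other than the one whose full fingerprint is configured, and it stops polling after MAX_POLLS rather than spinning forever.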