Page MenuHome GnuPG
Create Task
Maniphest T6406

gpg-agent: Fail on expiring YubiKey PIN
Closed, ResolvedPublic
Actions

Description

My OS is Artix Linux (rolling release).

My GnuPG version is:

gpg (GnuPG) 2.2.41
libgcrypt 1.10.1-unknown

installed from the pacman package manager.

I have a YubiKey 5 NFC as a smartcard of OpenPGP, where I have my sub-keys. The master key only has the Certification attribute, my sub-keys have the remaining attributes.

My ~/.gnupg/gpg-agent.conf is:

default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses
allow-emacs-pinentry
enable-ssh-support

If I plug my YubiKey into the USB plug, and enter my PIN for example, to decrypt some file, and then wait more than 2 minutes; the gpg-agent cache doesn't seem to be expiring, because it does not ask for the PIN again. In fact, to me, it always uses the first PIN that I entered, like if the cache is forever.

I want my YubiKey PIN to expire after 2 minutes, but I don't know what else to do.

I suppose this is a gpg-agent bug, because I seem to have done things right.

I need help, please.

Details

Version
2.2.41

Event Timeline

danisanti created this task.Mar 11 2023, 4:50 PM
werner edited projects, added Not A Bug; removed Bug Report.Mar 13 2023, 7:29 AM
werner added a subscriber: werner.

Smartcard PINs are different from passphrase for on-disk keys. Once a PIN is entered the smartcard is unlocked as long as it is powered up. In theory we could power down and power up the card to lock it. The question here is what is your threat model? If you have malware on your system it could simply brick your token or, more common, peek at your PIN.

danisanti added a comment.Mar 13 2023, 10:00 PM

I never made a threat model. But definitely *any* cracker, should be out of my system, either from governmental agencies or from a kiddo in Russia.
I know that I have someone that is remote accessing my machine, since I got some tells. And that this cracker have used my Emacs text editor.

Well, is seems I can only unplug the YubiKey when I am not using it.

Thank you.

werner closed this task as Resolved.Mar 14 2023, 9:31 AM
werner claimed this task.