#701062 scdaemon: card-timeout doesn't work

Package: scdaemon
Source: gnupg2
Description: GNU privacy guard - smart card support
Submitter: Yves-Alexis Perez
Date: 2025-09-01 19:41:01 UTC
Severity: important

#701062#5
Date: 2013-02-21 06:55:50 UTC
Package: scdaemon
Version: 2.0.19-2
Severity: important

Hi,

I'm using an OpenPGP smartcard with gpg2 and scdaemon, and it seems that
I can't manage to make card-timeout work. I have card-timeout 10 in my
.gnupg/scdaemon.conf and the card is not powered down after 10s of
inactivity. Nothing shows up in the log when enabling them.

My current use case is ssh (with enable-ssh-support of gpg-agent) where
I'd like to prevent the card from being used without my knowledge. force-sign
on the card itself provides it for signature, not for
decryption/authentication.

card-timeout is supposed to do something like that, but it fails here
somehow.

Regards,

#701062#10
Date: 2013-02-21 07:51:47 UTC
Hi,

are you using pcscd or the internal ccid driver?  The timeout will only
work with pcscd.  Using a timeout for the internal driver does not make
much sense.


Shalom-Salam,

   Werner

#701062#15
Date: 2013-02-21 13:05:55 UTC
I'm using pcscd.

#701062#20
Date: 2014-01-06 15:30:41 UTC
I've now switched to a non-pcsc based setup, and that indeed doesn't
change anything. But I'm a bit puzzled. Why would it not make sense for
the internal driver? I'd say quite the contrary, powering down the card
means something else could open the device, while when scdaemon holds it
no one can (I know if multiple clients are expected it's a better idea to
use pcsc, but still).

And in any case, if scdaemon is the only holder of the connection to the
card, it can surely manage the timeout itself?

Sorry if this is obvious, I might miss something.

Regards,

#701062#25
Date: 2017-07-24 11:34:41 UTC
It's been a while, but I still have the issue. I looked at the code, and it
does indeed seem that --card-timeout does nothing. It sets the
opt.card_timeout variable in src/scdaemon.c but it's never used.

Looking at git log, it seems the card-timeout handling was removed in
4cc9fc5eb9bd91d943c185d59da4a2b4cb885ee6 (later than my bug report).

I guess something might have been overlooked when scdaemon was refactored last
year. In any case it'd be nice to have a working card-timeout feature.

Regards,

#701062#30
Date: 2025-09-01 19:32:27 UTC
I'm replying to myself more than 10 years after, in case someone stumbles
upon this. When using PC/SC shared mode scdaemon won't cache the PIN and thus
requires it for each operation (ssh authentication), fixing the initial issue.

To do that, add to .scdaemon.conf:
disable-ccid # disable internal smartcard support to use PCSC
pcsc-shared  # use PCSC in shared mode

Then gpgconf --kill scdaemon.

It's not perfect, see #1113729 for drawbacks.

Regards,
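
A small check for the workaround in the last message, as an added example that is not part of the original thread or of GnuPG: it confirms that disable-ccid and pcsc-shared are active (not commented out) in a given scdaemon.conf, and notes a leftover card-timeout line, which the thread reports as having no effect. The function names and the sample config are constructed for illustration; trailing "#" comments are stripped because the posted lines use them.

```shell
#!/bin/sh
# Added example: audit an scdaemon.conf for the PC/SC shared-mode workaround.
# Function names and the demo config are assumptions, not GnuPG code.

# has_option FILE NAME: succeed if NAME is the first word of an active line.
has_option() {
    # Drop "#" comments and surrounding whitespace, then compare the first word
    # exactly, so "#pcsc-shared" or "pcsc-shared-foo" do not count.
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }'
}

# audit_scdaemon_conf FILE: print findings; return 0 only if both options
# from the workaround are active, 1 if one is missing, 2 if unreadable.
audit_scdaemon_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    for opt in disable-ccid pcsc-shared; do
        if has_option "$conf" "$opt"; then
            echo "ok: $opt is set"
        else
            echo "missing: $opt"
            rc=1
        fi
    done
    # Per the thread, card-timeout is parsed but never acted on.
    if has_option "$conf" card-timeout; then
        echo "note: card-timeout is set; the thread reports it has no effect"
    fi
    return $rc
}

# Demo on a constructed config mirroring the lines posted in the thread.
demo=$(mktemp)
printf '%s\n' 'card-timeout 10' \
    'disable-ccid # disable internal smartcard support to use PCSC' \
    'pcsc-shared  # use PCSC in shared mode' > "$demo"
audit_scdaemon_conf "$demo"
rm -f "$demo"
```

After changing the file, the running daemon still has to be restarted with gpgconf --kill scdaemon, as the message above says.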