
I use an RSA key on a smartcard with an OpenSSH client. The smartcard is read by a smartcard reader with a pinpad. The key is protected with a PIN.

Is it possible to cache the PIN somehow? I don't really like the need to write the PIN using the card reader keyboard every time I use ssh... It's not only annoying but it also makes IMHO too many possibilities for other people's eyes.

My setup is Debian/Devuan + OpenSC + the typical "PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" in .ssh/config.

I tried adding the following lines to opensc.conf, under framework pkcs15, but with no effect:

use_pin_caching = true;
pin_cache_counter = 64;
pin_cache_ignore_user_consent = true;

I use the same configuration on OpenBSD, and it's the same.

As a smart card I use Aventra MyEID 4.5.5. As I am trying to learn as much as possible before using the technology in production, I have different card readers I can try: Cherry, Gemalto (now Thales) and SCM/Identiv.

d.c.
  • In general, no: the PIN is the 2nd factor with having the card. However, some commercial grade SC allow for certain conveniences, so: make, model, and version of your SC? – bishop Mar 21 '23 at 02:41
  • I will add the info by edit. THX! I keep on being surprised how diverse and "unspecified on purpose" the world of PKCS is. – d.c. Mar 21 '23 at 10:35

0 Answers