SCDAEMON(1)                    GNU Privacy Guard                   SCDAEMON(1)

NAME

       scdaemon - Smartcard daemon for the GnuPG system

SYNOPSIS

       scdaemon [--homedir dir] [--options file] [options] --server
       scdaemon [--homedir dir] [--options file] [options] --daemon [command_line]

DESCRIPTION

       The scdaemon is a daemon to manage smartcards.  It is usually invoked
       by gpg-agent and in general not used directly.

COMMANDS

       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information.  Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on the stdin.  The
              default mode is to create a socket and listen for commands
              there.

       --multi-server
              Run in server mode and wait for commands on the stdin as well as
              on an additional Unix Domain socket.  The server command GETINFO
              may be used to get the name of that extra socket.

       --daemon
              Run the program in the background.  This option is required to
              prevent it from accidentally running in the background.

OPTIONS

       --options file
              Reads configuration from file instead of from the default
              per-user configuration file.  The default configuration file is
              named ‘scdaemon.conf’ and expected in the ‘.gnupg’ directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir.  If this option is
              not used, the home directory defaults to ‘~/.gnupg’.  It is only
              recognized when given on the command line.  It also overrides
              any home directory stated through the environment variable
              ‘GNUPGHOME’ or (on W32 systems) by means of the Registry entry
              HKCU\Software\GNU\GnuPG:HomeDir.

       -v
       --verbose
              Outputs additional information while running.  You can increase
              the verbosity by giving several verbose commands to gpgsm, such
              as '-vv'.

       --debug-level level
              Select the debug level for investigating problems.  level may be
              a numeric value or a keyword:

              none   No debugging at all.  A value of less than 1 may be used
                     instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get.  A value greater
                     than 8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

              How these messages are mapped to the actual debugging flags is
              not specified and may change with newer releases of this
              program.  They are however carefully selected to best aid in
              debugging.

              All debugging options are subject to change and thus should not
              be used by any application program.  As the name says, they are
              only used as helpers to debug problems.

       --debug flags
              This option is only useful for debugging and the behaviour may
              change at any time without notice.  FLAGS are bit encoded and
              may be given in usual C-Syntax.  The currently defined bits are:

              0 (1)  command I/O

              1 (2)  values of big number integers

              2 (4)  low level crypto operations

              5 (32) memory allocation

              6 (64) caching

              7 (128)
                     show memory statistics.

              9 (512)
                     write hashed data to files named dbgmd-000*

              10 (1024)
                     trace Assuan protocol

              11 (2048)
                     trace APDU I/O to the card.  This may reveal sensitive
                     data.

       --debug-all
              Same as --debug=0xffffffff

       --debug-wait n
              When running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This gives time to
              attach a debugger.

       --debug-ccid-driver
              Enable debug output from the included CCID driver for
              smartcards.  Using this option twice will also enable some
              tracing of the T=1 protocol.  Note that this option may reveal
              sensitive data.

       --debug-disable-ticker
              This option disables all ticker functions like checking for card
              insertions.

       --debug-allow-core-dump
              For security reasons we won't create a core dump when the
              process aborts.  For debugging purposes it is sometimes better
              to allow core dumps.  This option enables it and also changes
              the working directory to ‘/tmp’ when running in --server mode.

       --debug-log-tid
              This option appends a thread ID to the PID in the log output.

       --no-detach
              Don't detach the process from the console.  This is mainly
              useful for debugging.

       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what the agent actually does.

       --pcsc-driver library
              Use library to access the smartcard reader.  The current default
              is ‘libpcsclite.so’.  Instead of using this option you might
              also want to install a symbolic link to the default file name
              (e.g. from ‘libpcsclite.so.1’).

       --ctapi-driver library
              Use library to access the smartcard reader.  The current default
              is ‘libtowitoko.so’.  Note that the use of this interface is
              deprecated; it may be removed in future releases.

       --disable-ccid
              Disable the integrated support for CCID compliant readers.  This
              allows falling back to one of the other drivers even if the
              internal CCID driver can handle the reader.  Note that CCID
              support is only available if libusb was available at build time.

       --reader-port number_or_string
              This option may be used to specify the port of the card
              terminal.  A value of 0 refers to the first serial device; add
              32768 to access USB devices.  The default is 32768 (first USB
              device).  PC/SC or CCID readers might need a string here; run
              the program in verbose mode to get a list of available readers.
              The default is then the first reader found.

              To get a list of available CCID readers you may use this
              command:

         echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

       --card-timeout n
              If n is not 0 and no client is actively using the card, the card
              will be powered down after n seconds.  Powering down the card
              avoids a potential risk of damaging a card when used with
              certain cheap readers.  This also allows non-Scdaemon-aware
              applications to access the card.  The disadvantage of using a
              card timeout is that accessing the card takes longer and that
              the user needs to enter the PIN again after the next power up.

              Note that with the current version of Scdaemon the card is
              powered down immediately at the next timer tick for any value of
              n other than 0.

       --disable-keypad
              Even if a card reader features a keypad, do not try to use it.

       --deny-admin
              This option disables the use of admin class commands for card
              applications where this is supported.  Currently we support it
              for the OpenPGP card.  This command is useful to inhibit
              accidental access to admin class commands which could ultimately
              lock the card through wrong PIN numbers.  Note that GnuPG
              versions older than 2.0.11 featured an --allow-admin command
              which was required to use such admin commands.  That option no
              longer has any effect because the default is now to allow admin
              commands.

       --disable-application name
              This option disables the use of the card application named name.
              This is mainly useful for debugging or if an application with
              lower priority should be used by default.

       All the long options may also be given in the configuration file
       after stripping off the two leading dashes.
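
       The --debug bit mask and the debug options noted above as revealing
       sensitive data can be checked mechanically in a configuration file.
       The Python code below is an added example, not part of the GnuPG
       documentation or sources.  It assumes one long option per line without
       the leading dashes and that lines starting with ‘#’ are comments; the
       function names and the sample file are constructed for illustration.

```python
DEBUG_BITS = {  # bit number -> meaning, as listed under --debug on this page
    0: "command I/O", 1: "values of big number integers",
    2: "low level crypto operations", 5: "memory allocation", 6: "caching",
    7: "show memory statistics", 9: "write hashed data to dbgmd-000* files",
    10: "trace Assuan protocol", 11: "trace APDU I/O to the card",
}
APDU_TRACE = 1 << 11  # 2048: the bit the page says may reveal sensitive data
FLAG_OPTIONS = {  # argument-less options that carry a security note above
    "debug-all": "same as --debug=0xffffffff, so APDU tracing is on",
    "debug-ccid-driver": "CCID driver debug output may reveal sensitive data",
    "debug-allow-core-dump": "enables core dumps that are off for security",
}

def parse_c_int(text):
    """Parse an integer in C syntax: 0x.. hex, leading-0 octal, else decimal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)

def decode_debug(mask):
    """Return the documented meanings of the bits set in a --debug mask."""
    return [name for bit, name in sorted(DEBUG_BITS.items()) if mask >> bit & 1]

def audit(conf_text):
    """Return (line_no, option, reason) for each risky line of a config file."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        option, arg = (line.split(None, 1) + [""])[:2]
        if option in FLAG_OPTIONS:
            findings.append((no, option, FLAG_OPTIONS[option]))
        elif option == "debug" and arg:
            mask = parse_c_int(arg)
            if mask & APDU_TRACE:
                reason = "APDU trace on; mask sets: " + ", ".join(decode_debug(mask))
                findings.append((no, option, reason))
    return findings

SAMPLE_CONF = """\
# constructed sample, not a recommended configuration
debug 0x804
debug-ccid-driver
card-timeout 5
"""
```

       Calling audit(SAMPLE_CONF) reports the debug mask and the CCID driver
       debug option and ignores the card-timeout line.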

CARD APPLICATIONS

       scdaemon supports the card applications as described below.

   The OpenPGP card application ``openpgp''

       This application is currently only used by gpg but may in future also
       be useful with gpgsm.  Version 1 and version 2 of the card are
       supported.

       The specifications for these cards are available at
       (http://g10code.com/docs/openpgp-card-1.0.pdf) and
       (http://g10code.com/docs/openpgp-card-2.0.pdf).

   The Telesec NetKey card ``nks''

       This is the main application of the Telesec cards as available in
       Germany.  It is a superset of the German DINSIG card.  The card is used
       by gpgsm.

   The DINSIG card application ``dinsig''

       This is an application as described in the German draft standard DIN V
       66291-1.  It is intended to be used by cards supporting the German
       signature law and its bylaws (SigG and SigV).

   The PKCS#15 card application ``p15''

       This is a common framework for smart card applications.  It is used by
       gpgsm.

   The Geldkarte card application ``geldkarte''

       This is a simple application to display information of a German
       Geldkarte.  The Geldkarte is a small amount debit card application
       which comes with almost all German banking cards.

EXAMPLES

         $ scdaemon --server -v

FILES

       There are a few configuration files to control certain aspects of
       scdaemon's operation.  Unless noted, they are expected in the current
       home directory (see: [option --homedir]).

       scdaemon.conf
              This is the standard configuration file read by scdaemon on
              startup.  It may contain any valid long option; the leading two
              dashes may not be entered and the option may not be abbreviated.
              This default name may be changed on the command line (see:
              [option --options]).

       scd-event
              If this file is present and executable, it will be called on
              every card reader's status change.  An example of this script is
              provided with the distribution.

       reader_n.status
              This file is created by scdaemon to let other applications know
              about reader status changes.  Its use is now deprecated in favor
              of ‘scd-event’.

SEE ALSO

       gpg-agent(1), gpgsm(1), gpg2(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site, the
       command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.0.14                      2018-07-13                       SCDAEMON(1)