SCDAEMON(1)                    GNU Privacy Guard                   SCDAEMON(1)

NAME

       scdaemon - Smartcard daemon for the GnuPG system

SYNOPSIS

       scdaemon [--homedir dir] [--options file] [options] --server
       scdaemon [--homedir dir] [--options file] [options] --daemon [command_line]

DESCRIPTION

       The scdaemon is a daemon to manage smartcards.  It is usually invoked
       by gpg-agent and in general not used directly.

COMMANDS

       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       --version
              Print the program version and licensing information.  Note that
              you cannot abbreviate this command.

       --help, -h
              Print a usage message summarizing the most useful command-line
              options.  Note that you cannot abbreviate this command.

       --dump-options
              Print a list of all available options and commands.  Note that
              you cannot abbreviate this command.

       --server
              Run in server mode and wait for commands on the stdin.  The
              default mode is to create a socket and listen for commands
              there.

       --multi-server
              Run in server mode and wait for commands on the stdin as well as
              on an additional Unix Domain socket.  The server command GETINFO
              may be used to get the name of that extra socket.

       --daemon
              Run the program in the background.  This option is required to
              prevent it from accidentally running in the background.

OPTIONS

       --options file
              Reads configuration from file instead of from the default
              per-user configuration file.  The default configuration file is
              named ‘scdaemon.conf’ and expected in the ‘.gnupg’ directory
              directly below the home directory of the user.

       --homedir dir
              Set the name of the home directory to dir.  If this option is not
              used, the home directory defaults to ‘~/.gnupg’.  It is only
              recognized when given on the command line.  It also overrides
              any home directory stated through the environment variable
              ‘GNUPGHOME’ or (on W32 systems) by means of the Registry entry
              HKCU\Software\GNU\GnuPG:HomeDir.

       -v
       --verbose
              Outputs additional information while running.  You can increase
              the verbosity by giving several verbose commands to gpgsm, such
              as '-vv'.

       --debug-level level
              Select the debug level for investigating problems.  level may be
              a numeric value or a keyword:

              none   No debugging at all.  A value of less than 1 may be used
                     instead of the keyword.

              basic  Some basic debug messages.  A value between 1 and 2 may
                     be used instead of the keyword.

              advanced
                     More verbose debug messages.  A value between 3 and 5 may
                     be used instead of the keyword.

              expert Even more detailed messages.  A value between 6 and 8 may
                     be used instead of the keyword.

              guru   All of the debug messages you can get.  A value greater
                     than 8 may be used instead of the keyword.  The creation
                     of hash tracing files is only enabled if the keyword is
                     used.

       How these messages are mapped to the actual debugging flags is not
       specified and may change with newer releases of this program.  They are
       however carefully selected to best aid in debugging.

              All debugging options are subject to change and thus should not
              be used by any application program.  As the name says, they are
              only used as helpers to debug problems.

       --debug flags
              This option is only useful for debugging and the behaviour may
              change at any time without notice.  FLAGS are bit encoded and
              may be given in usual C-Syntax.  The currently defined bits are:

              0 (1)  command I/O

              1 (2)  values of big number integers

              2 (4)  low level crypto operations

              5 (32) memory allocation

              6 (64) caching

              7 (128)
                     show memory statistics.

              9 (512)
                     write hashed data to files named dbgmd-000*

              10 (1024)
                     trace Assuan protocol.  See also option
                     --debug-assuan-log-cats.

              11 (2048)
                     trace APDU I/O to the card.  This may reveal sensitive
                     data.

              12 (4096)
                     trace some card reader related function calls.

       --debug-all
              Same as --debug=0xffffffff

       --debug-wait n
              When running in server mode, wait n seconds before entering the
              actual processing loop and print the pid.  This gives time to
              attach a debugger.

       --debug-ccid-driver
              Enable debug output from the included CCID driver for
              smartcards.  Using this option twice will also enable some
              tracing of the T=1 protocol.  Note that this option may reveal
              sensitive data.

       --debug-disable-ticker
              This option disables all ticker functions like checking for card
              insertions.

       --debug-allow-core-dump
              For security reasons we won't create a core dump when the
              process aborts.  For debugging purposes it is sometimes better
              to allow core dump.  This option enables it and also changes
              the working directory to ‘/tmp’ when running in --server mode.

       --debug-log-tid
              This option appends a thread ID to the PID in the log output.

       --debug-assuan-log-cats cats
              Changes the active Libassuan logging categories to cats.  The
              value for cats is an unsigned integer given in usual C-Syntax.
              A value of 0 switches to a default category.  If this option
              is not used the categories are taken from the environment
              variable 'ASSUAN_DEBUG'.  Note that this option has only an
              effect if the Assuan debug flag has also been set with the
              option --debug.  For a list of categories see the Libassuan
              manual.

       --no-detach
              Don't detach the process from the console.  This is mainly
              useful for debugging.

       --log-file file
              Append all logging output to file.  This is very helpful in
              seeing what the agent actually does.

       --pcsc-driver library
              Use library to access the smartcard reader.  The current default
              is ‘libpcsclite.so’.  Instead of using this option you might
              also want to install a symbolic link to the default file name
              (e.g. from ‘libpcsclite.so.1’).

       --ctapi-driver library
              Use library to access the smartcard reader.  The current default
              is ‘libtowitoko.so’.  Note that the use of this interface is
              deprecated; it may be removed in future releases.

       --disable-ccid
              Disable the integrated support for CCID compliant readers.  This
              allows falling back to one of the other drivers even if the
              internal CCID driver can handle the reader.  Note that CCID
              support is only available if libusb was available at build time.

       --reader-port number_or_string
              This option may be used to specify the port of the card
              terminal.  A value of 0 refers to the first serial device; add
              32768 to access USB devices.  The default is 32768 (first USB
              device).  PC/SC or CCID readers might need a string here; run
              the program in verbose mode to get a list of available readers.
              The default is then the first reader found.

              To get a list of available CCID readers you may use this
              command:

                echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

       --card-timeout n
              If n is not 0 and no client is actively using the card, the card
              will be powered down after n seconds.  Powering down the card
              avoids a potential risk of damaging a card when used with
              certain cheap readers.  This also allows non Scdaemon aware
              applications to access the card.  The disadvantage of using a
              card timeout is that accessing the card takes longer and that
              the user needs to enter the PIN again after the next power up.

              Note that with the current version of Scdaemon the card is
              powered down immediately at the next timer tick for any value
              of n other than 0.

       --enable-pinpad-varlen
              Please specify this option when the card reader supports
              variable length input for pinpad (default is no).  For known
              readers (listed in ccid-driver.c and apdu.c), this option is not
              needed.  Note that if your card reader doesn't support variable
              length input but you want to use it, you need to specify your
              pinpad request on your card.

       --disable-pinpad
              Even if a card reader features a pinpad, do not try to use it.

       --deny-admin
              This option disables the use of admin class commands for card
              applications where this is supported.  Currently we support it
              for the OpenPGP card.  This option is useful to inhibit
              accidental access to admin class commands, which could
              ultimately lock the card through wrong PIN numbers.  Note that
              GnuPG versions older than 2.0.11 featured an --allow-admin
              command which was required to use such admin commands.  This
              option has no more effect today because the default is now to
              allow admin commands.

       --disable-application name
              This option disables the use of the card application named name.
              This is mainly useful for debugging or if an application with
              lower priority should be used by default.

              All the long options may also be given in the configuration file
              after stripping off the two leading dashes.
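
       The following is an added example, not part of the GnuPG
       distribution: it decodes a --debug value using the bit table above and
       audits the text of a scdaemon.conf for the options this page says may
       reveal sensitive data.  The function names, the sample configuration
       and the choice to treat bit 9 and debug-level guru as findings are
       assumptions of the example.

```python
# Added example: audit scdaemon.conf text; bit meanings copied from the --debug table above.
DEBUG_BITS = {
    0: "command I/O", 1: "values of big number integers",
    2: "low level crypto operations", 5: "memory allocation", 6: "caching",
    7: "memory statistics", 9: "hashed data written to dbgmd-000* files",
    10: "Assuan protocol trace", 11: "APDU I/O trace",
    12: "card reader function call trace",
}
# The page marks bit 11 as sensitive; treating bit 9 the same is an assumption.
SENSITIVE_BITS = {9, 11}
RISKY_OPTIONS = {
    "debug-all": "same as debug 0xffffffff, so APDU I/O is traced",
    "debug-ccid-driver": "CCID driver output may reveal sensitive data",
    "debug-allow-core-dump": "core dumps of the daemon are allowed",
}
# Constructed sample input, not taken from a real system.
SAMPLE_CONF = "verbose\ndebug 0x0c01\ndebug-level guru\ndebug-ccid-driver\n"

def parse_c_int(text):
    """Parse an unsigned integer in C syntax: 0x hex, leading-0 octal, decimal."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    return int(text, 8 if len(text) > 1 and text.startswith("0") else 10)

def decode_debug(value):
    """Return {bit: meaning} for each defined bit set in a --debug value."""
    flags = parse_c_int(value)
    return {bit: name for bit, name in DEBUG_BITS.items() if (flags >> bit) & 1}

def audit_conf(conf_text):
    """Return (line, option, reason) findings for a scdaemon.conf body."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):  # blank line or comment
            continue
        option, arg = parts[0], parts[1].strip() if len(parts) > 1 else ""
        if option in RISKY_OPTIONS:
            findings.append((lineno, option, RISKY_OPTIONS[option]))
        elif option == "debug" and arg:
            findings += [(lineno, option, f"bit {b}: {n}")
                         for b, n in decode_debug(arg).items() if b in SENSITIVE_BITS]
        elif option == "debug-level" and arg == "guru":
            findings.append((lineno, option, "hash tracing files are created"))
    return findings

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("line %d: %s (%s)" % finding)
```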

CARD APPLICATIONS

       scdaemon supports the card applications as described below.

   The OpenPGP card application ``openpgp''

       This application is currently only used by gpg but may in future also
       be useful with gpgsm.  Version 1 and version 2 of the card are
       supported.

       The specifications for these cards are available at
       (http://g10code.com/docs/openpgp-card-1.0.pdf) and
       (http://g10code.com/docs/openpgp-card-2.0.pdf).

   The Telesec NetKey card ``nks''

       This is the main application of the Telesec cards as available in
       Germany.  It is a superset of the German DINSIG card.  The card is
       used by gpgsm.

   The DINSIG card application ``dinsig''

       This is an application as described in the German draft standard DIN V
       66291-1.  It is intended to be used by cards supporting the German
       signature law and its bylaws (SigG and SigV).

   The PKCS#15 card application ``p15''

       This is a common framework for smart card applications.  It is used by
       gpgsm.

   The Geldkarte card application ``geldkarte''

       This is a simple application to display information of a German
       Geldkarte.  The Geldkarte is a small amount debit card application
       which comes with almost all German banking cards.

   The Undefined card application ``undefined''

       This is a stub application to allow the use of the APDU command even if
       no supported application is found on the card.  This application is not
       used automatically but must be explicitly requested using the SERIALNO
       command.

EXAMPLES

         $ scdaemon --server -v

FILES

       There are a few configuration files to control certain aspects of
       scdaemon's operation.  Unless noted, they are expected in the current
       home directory (see: [option --homedir]).

       scdaemon.conf
              This is the standard configuration file read by scdaemon on
              startup.  It may contain any valid long option; the leading two
              dashes may not be entered and the option may not be abbreviated.
              This default name may be changed on the command line (see:
              [option --options]).

       scd-event
              If this file is present and executable, it will be called on
              every card reader's status change.  An example of this script is
              provided with the distribution.

       reader_n.status
              This file is created by scdaemon to let other applications know
              about reader status changes.  Its use is now deprecated in favor
              of ‘scd-event’.

SEE ALSO

       gpg-agent(1), gpgsm(1), gpg2(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site, the
       command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.0.22                      2018-07-13                       SCDAEMON(1)