<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>Does anybody know if this behaviour (the user PIN can only be set if
a key is already on the card) is a bug or just a necessity of Gnuk? Is
there any intention to change anything about it? Is there a way to
help here?</p>
<p>Kind regards<br>
Alex<br>
</p>
<br>
<div class="moz-cite-prefix">On 09/28/2017 08:58 PM, Alexander
Paetzelt | Nitrokey wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c7c29d8b-208f-7694-7bfc-ee8a939454b0@nitrokey.com">
<pre>Hi,
I recently had the very same problems. I consider this a bug, isn't it? Is there any intention to fix it?
As far as I can see, the headless admin mode can't be disabled other than resetting the device. (<a class="moz-txt-link-freetext" href="http://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#set-up-pw1-pw3-and-reset-code" moz-do-not-send="true">http://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#set-up-pw1-pw3-and-reset-code</a>)
Note that the reset PIN must have &gt;=8 characters, but gpg will say "Bad PIN" instead of "Conditions of use not satisfied" if trying a PIN &lt;8 characters. Maybe this went wrong for you?
Kind regards
Alex
On 2017-09-26, intrigeri wrote:
><i> Vagrant Cascadian:
</i>>><i> gpg/card> passwd
</i>>><i> gpg: OpenPGP card no. D276000124010200FFFE870238330000 detected
</i>>><i> Error changing the PIN: Conditions of use not satisfied
</i>><i>
</i>><i> I had exactly the same problem a month ago, and IIRC (not sure) I had
</i>><i> to upload an encryption key to the device before I could change
</i>><i> the PIN.
</i>
Thanks, that helped! I generated a dummy key I don't care about, and
then was able to change the pin, and set a reset pin as well.
Then I thought I would start to import the keys I actually want.... but
the pin doesn't actually work; any attempt to use it decrements the pin
retry counter.
Fortunately, I set a reset pin, and I can unblock using the reset pin
once the retry counter limit is blocked...
Does setting a reset pin disable adminless mode? Which pin does the pin
reset set (admin or ... regular/user)? Are there character restrictions
on pins, but it doesn't properly check them before changing the pin?
Seems so close, yet so far!
live well,
vagrant</pre>
<br>
<pre wrap="">_______________________________________________
gnuk-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnuk-users@lists.alioth.debian.org">gnuk-users@lists.alioth.debian.org</a>
<a class="moz-txt-link-freetext" href="https://lists.alioth.debian.org/mailman/listinfo/gnuk-users">https://lists.alioth.debian.org/mailman/listinfo/gnuk-users</a>
</pre>
</blockquote>
<br>
</body>
</html>