Just comment it out. There is nothing in cron.hourly anyway and in that case your battery doesn’t need the hourly wake-up in order to get an error.
Some vendors like to desynchronize the cron jobs across the customer base rather than having the entire customer base, or some large section of it, doing the same thing at the same time. (This applies not only to hourly, but most importantly to hourly, but also to daily, weekly and monthly.) Maybe Purism doesn’t have the scale to have to worry about that at this time.
This is default out-of-the-box behaviour. You have lots of cron jobs.
Make sure that the password is not empty in that case. I think it will be secure out-of-the-box but people, particularly Linux users, do like to tinker.
Good to know and thanks for the link, I did have a look there, not sure how I missed it, it even has “Expired root account” in the issue title.
I did check that and it does have a password on it.
Maybe I’m missing something very obvious and simple, the issue I am attempting to work around is that the smartcard appears to be caching the PIN, or some such similar with the same affect. As far as I can tell it is not a simple case of gpg-agent caching as is common with passphrases.
When you first hit the smartcard you are prompted for your PIN. However, for the remainder of the login session all subsequent key requests go straight through without any prompts for the PIN, there seems to be no easy way of clearing the PIN or disabling that behaviour. So, if someone gets a hold of your phone they will be able to sign, encrypt, decrypt and authentic as you unchallenged for as long as they don’t switch off or logout.
In most standard laptop/desktop scenarios using smartcards or USB tokens you can simply remove/reinsert the card/token as they are truly and easily removable, it’s mildly annoying to have to do so but easily done. Although the card as fitted in the Librem 5 is removable, the fact that you have to remove the back then the battery to get to it means removing/reinserting isn’t really an option, nor is logging in/out or rebooting practical.
The best I have come up with so far is to setup a cron job to check if the card has been used and if so restart the pcscd service. To restart the pcscd service requires root privileges so seems that running the cron job as root makes some sense? Prior to the phone, I’ve had very little exposure to sudo, it doesn’t seem like the a good solution to use sudo in an automated script, even though it’s currently password less on the phone, that could change?
If there is a better or easier way to do this, let me know. This is what I have so far…
This gets called from a cron job and basically just checks if the card is listed and resets pcscd if it is. Resetting pcscd seems to provide the same result as physically removing/reinserting the card would have.
Although the phone is single user at the moment, this works for me good enough that I suspect I’ll forget all about it and without accounting for the possibility of multiple users now, the script would fail if/when multi-user support comes to the phone.
As far as I can see, the card only shows up in card_list when it has actually been used and it is the only way I could find to determine if the PIN is likely to be cached.