Pkcs11-tool: is a UDEV rule required for CentOS 8?

I’ve built a fresh install of CentOS 8.2.2004 (minimal server) and pkcs11-tool works perfectly fine if I execute it from root or sudo but not from a non-privileged account.

From root or sudo:

sudo pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (TEST)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 2.5
  serial num         : DENK0999999
  pin min/max        : 6/15

If I try again from a non-privileged account, I get:

pkcs11-tool --list-slots
    Available slots:
    No slots.

Do I need a udev rule? I tried creating one to test, but it doesn’t seem to have any effect.

udevadm info --path /sys/bus/usb/devices/2-2.2
P: /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2
N: bus/usb/002/012
E: BUSNUM=002
E: DEVNAME=/dev/bus/usb/002/012
E: DEVNUM=012
E: DEVPATH=/devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2
E: DEVTYPE=usb_device
E: DRIVER=usb
E: ID_BUS=usb
E: ID_MODEL=Nitrokey_HSM
E: ID_MODEL_ENC=Nitrokey\x20HSM
E: ID_MODEL_ID=4230
E: ID_REVISION=0101
E: ID_SERIAL=Nitrokey_Nitrokey_HSM_010000000000000000000000
E: ID_SERIAL_SHORT=010000000000000000000000
E: ID_USB_INTERFACES=:0b0000:
E: ID_VENDOR=Nitrokey
E: ID_VENDOR_ENC=Nitrokey
E: ID_VENDOR_FROM_DATABASE=Clay Logic
E: ID_VENDOR_ID=20a0
E: MAJOR=189
E: MINOR=139
E: PRODUCT=20a0/4230/101
E: SUBSYSTEM=usb
E: TYPE=0/0/0
E: USEC_INITIALIZED=1399088752

Based on that I created /etc/udev/rules.d/10-nitrokey.rules

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="4230", GROUP="wheel"

I reloaded the rules (and the system) but it still doesn’t work.

Can you check the permissions of the pcscd socket? pcscd is usually magically started by systemd magic

Hi!

Our Udev rules are here:

After copying them to the proper directory the Udev service should be refreshed:

sudo udevadm control --reload-rules
sudo udevadm trigger

Some common Udev rules are provided with GnuPG package as well, and it usually suffices to have it on newer OSes for the smart card communication.

Can you check the permissions of the pcscd socket?

Thank you, this led me to looking at the messages from the pcscd service and I saw it was generating some errors:

00000000 auth.c:137:IsClientAuthorized() Process 2441 (user: 1000) is NOT authorized for action: access_pcsc
00000474 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

It looks like OpenSC for CentOS 8 comes with a POLKIT rule that only allows admins to access the service and the hsm. I was able to track down the rule and modify it so that it allows all users to access it.

/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
    <policyconfig>
      <vendor>The PCSC-lite Project</vendor>
      <vendor_url>http://pcsclite.alioth.debian.org/</vendor_url>
    <!--  <icon_name>smart-card</icon_name> -->

      <action id="org.debian.pcsc-lite.access_pcsc">
        <description>Access to the PC/SC daemon</description>
        <message>Authentication is required to access the PC/SC daemon</message>
        <defaults>
          <allow_any>yes</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>yes</allow_active>
        </defaults>
      </action>

      <action id="org.debian.pcsc-lite.access_card">
        <description>Access to the smart card</description>
        <message>Authentication is required to access the smart card</message>
        <defaults>
          <allow_any>yes</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>yes</allow_active>
        </defaults>
      </action>

    </policyconfig>

Changing the allow_any to ‘yes’ for both sections resolved the issue.

Our Udev rules are here:

Thank you for the rules, those are much more complete than the ones I was generating!


Thanks! I found this documentation:

Instead of changing the original policy XML just add a custom policy as described in the README.polkit file.

I have added my own custom rule in /usr/share/polkit-1/rules.d/01-pcscd.rules and it worked right away.

Please make sure the rule is modified to match your user and the card reader (or remove the card reader check altogether).

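As an added illustration of the custom-rule approach described in the two posts above (this is example code written for this page, not the thread's own rule and not shipped by pcsc-lite or Nitrokey): a polkit rule that grants the two pcsc-lite actions only to members of one group, instead of changing allow_any in the vendor .policy file. The group name "pcsc" and the file path /etc/polkit-1/rules.d/01-pcscd.rules are assumptions; the reader string is the slot name from the pkcs11-tool output earlier in the thread. The small polkit stub and the evaluate() function are a test harness so the decision logic can be exercised offline with node; only the two polkit.addRule() calls belong in the real .rules file.

```javascript
// Added example, not from the thread. Group "pcsc" and the rules.d path are
// assumptions. polkit's real API used here: polkit.addRule(fn), polkit.Result,
// action.id, action.lookup("reader"), subject.isInGroup(name), subject.user.

// Minimal stand-in for the polkit object so the rules can run under node.
// (A real polkitd provides this object; this stub only records the rules.)
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd writes to the journal; silent in this harness */ },
};

// --- Contents for /etc/polkit-1/rules.d/01-pcscd.rules (assumed path) ---
// Let members of group "pcsc" talk to pcscd without an admin password.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
      subject.isInGroup("pcsc")) {
    return polkit.Result.YES;
  }
});

// Let the same group use one specific reader. Drop the reader comparison
// to allow every reader, as the post above suggests.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader") == "Nitrokey Nitrokey HSM (010000000000000000000000) 00 00" &&
      subject.isInGroup("pcsc")) {
    return polkit.Result.YES;
  }
});
// --- end of rule file contents ---

// Harness: build action/subject objects shaped like the ones polkitd passes
// to rules, then apply polkit's first-match semantics: the first rule that
// returns something other than undefined or NOT_HANDLED decides; if none
// does, the <defaults> in the vendor .policy file apply.
function evaluate({ actionId, details = {}, user, groups = [] }) {
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user, isInGroup: (g) => groups.includes(g) };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== polkit.Result.NOT_HANDLED) {
      return result;
    }
  }
  return polkit.Result.NOT_HANDLED; // falls through to the .policy defaults
}

// Example run: a "pcsc" member is allowed, a non-member falls through to the
// defaults (auth_admin for an inactive session, as in the .policy above).
console.log(evaluate({ actionId: "org.debian.pcsc-lite.access_pcsc",
                       user: "alice", groups: ["pcsc"] }));
console.log(evaluate({ actionId: "org.debian.pcsc-lite.access_pcsc",
                       user: "bob", groups: ["users"] }));
```

A NOT_HANDLED result is not a denial: polkit then consults the vendor .policy defaults, which is why a non-member still gets the auth_admin prompt (or the "NOT authorized for action: access_pcsc" log line quoted above) rather than an unconditional refusal. Granting by group keeps the vendor file untouched across package updates and is narrower than allow_any=yes, which also covers non-local sessions.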

Just FYI, this works for the latest Fedora (37) as well.
