I’ve built a fresh install of CentOS 8.2.2004 (minimal server) and pkcs11-tool
works perfectly fine if I execute it from root or sudo but not from a non-privileged account.
From root or sudo:
sudo pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
token label : UserPIN (TEST)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 2.5
serial num : DENK0999999
pin min/max : 6/15
If I try again from a non-privileged account, I get:
pkcs11-tool --list-slots
Available slots:
No slots.
Do I need a udev rule? I tried creating one to test, but it doesn’t seem to have any effect.
udevadm info --path /sys/bus/usb/devices/2-2.2
P: /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2
N: bus/usb/002/012
E: BUSNUM=002
E: DEVNAME=/dev/bus/usb/002/012
E: DEVNUM=012
E: DEVPATH=/devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2
E: DEVTYPE=usb_device
E: DRIVER=usb
E: ID_BUS=usb
E: ID_MODEL=Nitrokey_HSM
E: ID_MODEL_ENC=Nitrokey\x20HSM
E: ID_MODEL_ID=4230
E: ID_REVISION=0101
E: ID_SERIAL=Nitrokey_Nitrokey_HSM_010000000000000000000000
E: ID_SERIAL_SHORT=010000000000000000000000
E: ID_USB_INTERFACES=:0b0000:
E: ID_VENDOR=Nitrokey
E: ID_VENDOR_ENC=Nitrokey
E: ID_VENDOR_FROM_DATABASE=Clay Logic
E: ID_VENDOR_ID=20a0
E: MAJOR=189
E: MINOR=139
E: PRODUCT=20a0/4230/101
E: SUBSYSTEM=usb
E: TYPE=0/0/0
E: USEC_INITIALIZED=1399088752
Based on that I created /etc/udev/rules.d/10-nitrokey.rules
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="4230", GROUP="wheel"
I reloaded the rules (and the system) but it still doesn’t work.
saper
November 4, 2020, 5:37pm
Can you check the permissions of the pcscd socket? pcscd is usually magically started by systemd magic
Hi!
Our Udev rules are here:
After copying them to the proper directory the Udev service should be refreshed:
sudo udevadm control --reload-rules
sudo udevadm trigger
Some common Udev rules are provided with the GnuPG package as well, and on newer OSes it usually suffices to have it installed for smart card communication.
Can you check the permissions of the pcscd socket?
Thank you, this led me to look at the messages from the pcscd service, and I saw it was generating some errors:
00000000 auth.c:137:IsClientAuthorized() Process 2441 (user: 1000) is NOT authorized for action: access_pcsc
00000474 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
It looks like OpenSC for CentOS 8 comes with a polkit rule that only allows admins to access the service and the HSM. I was able to track down the rule and modify it so that it allows all users to access it.
/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The PCSC-lite Project</vendor>
  <vendor_url>http://pcsclite.alioth.debian.org/</vendor_url>
  <!-- <icon_name>smart-card</icon_name> -->
  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
Changing the allow_any to ‘yes’ for both sections resolved the issue.
Our Udev rules are here:
Thank you for the rules, those are much more complete than the ones I was generating!
saper
November 15, 2020, 11:54pm
Thanks! I found this documentation:
When pcsc-lite is compiled using the --enable-polkit option then
polkit will be used to control access to the pcsc-lite daemon.
That allows more fine grained access control to smart cards that
is tied to the system processes rather than solely depending on
the smart card controls (e.g., only console users can access the
card and so on).
Polkit is documented at:
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
A default polkit policy is shipped with pcsc-lite in
org.debian.pcsc-lite.policy. The policy file allows restricting access
to the daemon as well as access to smart cards.
Polkit allows for additional rules, e.g., restricting access to
particular smart cards. The rules are javascript files placed
in /usr/share/polkit-1/rules.d/. To make specific smart card
reader accessible by the web server (run as www-data user) you
may use the following rules:
Instead of changing the original policy XML just add a custom policy as described in the README.polkit file.
I have added my own custom rule in /usr/share/polkit-1/rules.d/01-pcscd.rules and it worked right away.
Please make sure the rule is modified to match your user and the card reader (or remove the card reader check altogether).
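A custom rule of the kind saper describes, added here as an example (it is not saper's file and not pcsc-lite's own): it grants the two pcscd actions from the policy above to members of one group, under the constructed name hsmusers, instead of setting allow_any to yes for everybody. It assumes pcsc-lite passes the reader name as the action detail `reader` and that the file is saved as /etc/polkit-1/rules.d/01-pcscd.rules (polkit reads that directory as well as the /usr/share one the README names).

```javascript
// Added example, not from the thread: a polkit rule for pcscd that grants the
// two actions from the .policy file above to members of one group (constructed
// name "hsmusers") instead of setting allow_any to yes for everybody. Save it
// as e.g. /etc/polkit-1/rules.d/01-pcscd.rules.
//
// polkit runs rule files with a global `polkit` object. When that global is
// missing (running this file under Node to check the logic) a tiny shim with
// the same addRule/Result surface is created instead. Written in ES5 so the
// same file parses in polkit's JavaScript engine.
var polkit = (typeof polkit !== "undefined") ? polkit : {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: undefined },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

polkit.addRule(function (action, subject) {
  // access_pcsc: talking to the daemon at all. Returning undefined ("not
  // handled") for everyone else lets later rules and the .policy <defaults>
  // decide, rather than hard-denying with polkit.Result.NO.
  if (action.id === "org.debian.pcsc-lite.access_pcsc" &&
      subject.isInGroup("hsmusers")) {
    return polkit.Result.YES;
  }
  // access_card: per reader. The reader name is the one pkcs11-tool printed
  // as the slot description; assumed to arrive as the action detail "reader".
  if (action.id === "org.debian.pcsc-lite.access_card" &&
      subject.isInGroup("hsmusers") &&
      /^Nitrokey Nitrokey HSM/.test(action.lookup("reader"))) {
    return polkit.Result.YES;
  }
});

// Offline stand-in for polkit's evaluation order: rules run in sequence and
// the first one returning anything other than undefined decides. Only used
// with the shim; real polkit never calls this.
function evaluate(actionId, details, groups) {
  var action = { id: actionId, lookup: function (k) { return details[k]; } };
  var subject = { isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== polkit.Result.NOT_HANDLED) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}
```

Users outside the group fall through to the .policy defaults, so the shipped allow_any / allow_inactive values keep applying to them unchanged.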
Just FYI, this works for the latest Fedora (37) as well.