Unprivileged service account

Hello:

I am setting up step-ca and a Nitrokey HSM 2.
As a root user, I can start the CA, which finds the private keys on the HSM and operates normally.
It fails if I attempt to use an unprivileged service account in a systemd unit service.

I believe this is because the service account does not have enough rights.
i.e. It only sees the local system and not the hardware token:

# sudo -H -u step bash -c 'p11tool --list-tokens'
Token 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        Label: System Trust
        Type: Trust module
        Flags: uPIN uninitialized
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so

I’m not sure if granting sudo is the right call.
Does anyone have any suggestions on how I should proceed?

Thanks

An unprivileged user gets access to the token via a socket provided by pcscd. Maybe your distribution has a special group (e.g. pcscd) that you need to add the user to in order to get access to that socket.

You can try to run the pcscd in debug mode as root with

/usr/sbin/pcscd -a -d -f

and look if the client connects.

Hi, thanks for getting back to me.

I’m using Ubuntu 24.04, and the group pcscd doesn’t exist. I’ll try to find more information here to verify if another group is in use that I can use.

As for the debug output, here is what I have:

47974690 winscard_msg_srv.c:256:ProcessEventsServer() Common channel packet arrival
00000079 winscard_msg_srv.c:267:ProcessEventsServer() ProcessCommonChannelRequest detects: 13
00000016 pcscdaemon.c:132:SVCServiceRunLoop() A new context thread creation is requested: 13
00014180 auth.c:143:IsClientAuthorized() Process 18482 (user: 999) is NOT authorized for action: access_pcsc
00000380 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
00000111 winscard_svc.c:1096:MSGCleanupClient() Thread is stopping: dwClientID=13, threadContext @0xaaab02363e70
00000018 winscard_svc.c:1104:MSGCleanupClient() Freeing SCONTEXT @0xaaab02363e70

Also, sssd might potentially be needed. I’ll have to research this if it helps with authentication…

I figured out how to grant my unprivileged user rights by adding a rules file for polkit in /etc/polkit-1/rules.d/[your-filename].rules. Here I am granting my unprivileged account “step” access to pcsc and the HSM:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "step") {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Nitrokey Nitrokey HSM (DENK03018290000         ) 00 00' &&
        subject.user == "step") {
        return polkit.Result.YES;
    }
});

More about this can be read at:

Isn’t there a reasonable default policy in Ubuntu?

If access to Smartcards is denied by default to all non-root users, then this will become a major support issue. I don’t see users programming polkit rules to make this work.

Apparently polkit is now enabled by default.

Are you accessing the machine via ssh or are you using local access?

I am using my own account to SSH to the machine. step-ca and the HSM are used by a local system user (step).
It is my understanding that if a user has local (keyboard) access to the machine, it will just work. I have not tested this.
It is also my understanding that groups can be used in a rule, so administration may not be a huge undertaking.

I’ll post a question with Ubuntu to get their take in case I have overlooked anything.
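An added example that is not from the thread: the two polkit rules posted above, rewritten to key on a group membership (as the last post suggests) instead of the hard-coded user name “step”, together with a small constructed stand-in for polkit's rule engine so the rules can be checked offline before they go into a rules file. `polkit.addRule`, `polkit.Result.YES`, `action.id`, `action.lookup` and `subject.isInGroup` are the real polkit rules API; the group name, the reader string and the `evaluate`/`makeSubject`/`makeAction`/`decide` helpers are assumptions made for this example.

```javascript
// Added example (not from the thread): the rules the OP posted, generalised from a
// hard-coded user to a group, plus a constructed stand-in for polkit's rule engine so
// the rules can be evaluated offline. On a real system the rules file contains only
// the two polkit.addRule() calls; `polkit.evaluate`, makeSubject/makeAction/decide
// are test scaffolding, not polkit API.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  addRule(fn) { rules.push(fn); },
  // Like polkit: the first rule that returns a result decides; undefined means "pass".
  evaluate(action, subject) {
    for (const fn of rules) {
      const r = fn(action, subject);
      if (r !== undefined) return r;
    }
    return polkit.Result.NOT_HANDLED;
  },
};
// Assumed group name: members may talk to pcscd and open the HSM reader.
const HSM_GROUP = "hsm-users";
// Reader name as pcscd reports it (placeholder serial; copy the exact string,
// including padding spaces, from the pcscd debug log on the real machine).
const HSM_READER = "Nitrokey Nitrokey HSM (PLACEHOLDER-SERIAL) 00 00";

polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.isInGroup(HSM_GROUP)) {
    return polkit.Result.YES;
  }
});

polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader") == HSM_READER &&
      subject.isInGroup(HSM_GROUP)) {
    return polkit.Result.YES;
  }
});

// Build the objects polkit would pass to the rules (scaffolding only).
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}
function makeAction(id, details = {}) {
  return { id, lookup: (k) => details[k] };
}
function decide(user, groups, actionId, details) {
  return polkit.evaluate(makeAction(actionId, details), makeSubject(user, groups));
}
```

Once the group check behaves as expected, only the two polkit.addRule() calls are copied into a file under /etc/polkit-1/rules.d/ and the service account is added to the group; a user outside the group, or a request for a different reader, falls through to the default policy.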