Need a way to disable smartcard on server

I use ThinLinc to connect to a headless server in the same physical room. I recently got a smartcard and was trying to use it LOCALLY. For a moment I had forgotten I was using ThinLinc. I spent hours and hours trying to figure out why I could read the smartcard certificates as root user, but not as my normal user. I was looking at permissions and polkit, etc. I finally realized there was some PCSCTUN_SERVER environment variable set that was interfering. I couldn’t find anything in the p11 or opensc or pcsc documentation about this environment variable. It turns out it must be ThinLinc related.

Is there an option to disable the smart card redirection on the server? The admin guide says:

‘Enabling Smart Card Redirection
Smart card redirection is always activated on the server so there is no administration required to enable it.’

Hello @kbass

I’m not sure if I understand what problem you’re facing, and why disabling smart card redirection would solve it?

To disable it, you can uncheck ‘Smart Card Readers’ in ThinLinc Client under ‘Local Devices’.

Regards,
Martin

Hi @martin - To summarize my original post: I am trying to use a smart card that is connected to the SERVER while I am logged in via the ThinLinc client. The ThinLinc server installation interferes with using that when logged in by ThinLinc client. It has nothing to do with the client side setting.

That’s not a use-case I’ve heard of before, so not sure what’s going on really. But it sounds like a permission problem. Since you’re logged in remotely, your user will probably not have sufficient privileges to access locally attached hardware. Polkit will most likely refuse some access. Have you tried enabling debug logging in Polkit to see what it says?

To disable smart card redirection on server-side, it should be sufficient to remove the symlink

/opt/thinlinc/etc/xstartup.d/50-tl-wait-smartcard

and then restart your session.

Regards,
Martin

I just gave it a go, and I believe what you’ll need to do is:

echo "unset LD_LIBRARY_PATH" >> ~/.bash_profile

Then create the polkit allow rules:

# cat >> /etc/polkit-1/rules.d/00-allow-smartcard.rules<<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'YOU_READER_NAME' &&
        subject.user == "YOUR_USER") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "YOUR_USER") {
            return polkit.Result.YES;
    }
});
EOF

Replace YOUR_USER and YOU_READER_NAME. You can find your card reader name with

opensc-tool -l

Then restart the services:

systemctl restart pcscd.service pcscd.socket polkit.service

Restart your ThinLinc session after this and try accessing your card reader.

This was tested on an RHEL8 system.

Kind regards,
Martin

I had already made those polkit changes (and also added polkit logging) when I realized something was sitting between the smartcard and my user account. The polkit rules were never even being hit. That is when I realized there was a PCSCTUN_SERVER environment variable that was unexpected. I believe ThinLinc server is adding that.

I am not sure about using unset LD_LIBRARY_PATH - I am sure I have other libraries that need to be loaded for other purposes. Is there a specific library path I need to be removing related to ThinLinc and the smartcard? Maybe just figuring out how to disable the setting of the PCSCTUN_SERVER would be enough.

Sorry, I meant to add to check for any local LD_LIBRARY_PATH first. On my test system there was only a path to /opt/thinlinc… added to it. It should be sufficient to remove /opt/thinlinc from LD_LIBRARY_PATH.

Thanks for mentioning the LD_LIBRARY_PATH. Rather than modify that and potentially disable other features (pulse, etc), I ended up doing the following commands:

cd /opt/thinlinc
rm lib64/libpcsclite.so lib64/libpcsclite.so.1 lib64/libpcsctun.so lib/libpcsctun.so lib/libpcsclite.so lib/libpcsclite.so.1 

Once I made that change, the polkit entries I had previously made were triggered and I could access the Smartcard.
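
A per-command alternative to unsetting LD_LIBRARY_PATH or deleting the files under /opt/thinlinc, added here as an example (not code from the thread or from ThinLinc): it drops only the /opt/thinlinc entries from LD_LIBRARY_PATH for a single command. The function names, the TL_PREFIX variable and the sample path list are assumptions of this example, and it assumes the ThinLinc PC/SC libraries are found only through LD_LIBRARY_PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the ThinLinc PC/SC libraries
# are found only through LD_LIBRARY_PATH entries under /opt/thinlinc.

# strip_prefix_entries PATHLIST PREFIX
# Print colon-separated PATHLIST without entries equal to PREFIX or below it.
# The body runs in a subshell so IFS and noglob do not leak to the caller.
strip_prefix_entries() (
    prefix=${2%/}                 # tolerate a trailing slash on the prefix
    out=
    IFS=:
    set -f                        # no filename expansion while splitting
    for entry in $1; do
        case $entry in
            "") continue ;;       # empty entry means "current directory": drop it
            "$prefix"|"$prefix"/*) continue ;;   # match on a path boundary only
        esac
        out=${out:+$out:}$entry
    done
    printf '%s\n' "$out"
)

# without_thinlinc_pcsc CMD [ARGS...]
# Run one command with the filtered path; the session's own environment
# (and whatever else relies on /opt/thinlinc) is left as it was.
# TL_PREFIX is a hypothetical override for a non-default install prefix.
without_thinlinc_pcsc() (
    cleaned=$(strip_prefix_entries "${LD_LIBRARY_PATH:-}" "${TL_PREFIX:-/opt/thinlinc}")
    if [ -n "$cleaned" ]; then
        LD_LIBRARY_PATH=$cleaned
        export LD_LIBRARY_PATH
    else
        unset LD_LIBRARY_PATH
    fi
    exec "$@"
)

# Constructed sample list (not captured from a real session).
sample='/opt/thinlinc/lib64:/usr/local/lib:/opt/thinlinc/lib:/opt/thinlinc-tools/lib'
strip_prefix_entries "$sample" /opt/thinlinc   # /opt/thinlinc-tools/lib is kept

# Typical use, with the reader-listing command from the thread:
#   without_thinlinc_pcsc opensc-tool -l
```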