Need a way to disable smartcard on server

I use thinlinc to connect to a headless server in the same physical room. I recently got a smartcard and was trying to use it LOCALLY. For a moment I had forgotten I was using Thinlinc. I spent hours and hours trying to figure out why I could read the smartcard ceritificates as root user, but not as my normal user. I was looking at permissions and polkit, etc. I finally realized there was some PCSCTUN_SERVER environment variable set that was interfering. I couldn’t find anything in the p11 or opensc or pcsc documentation about this environment variable. It turns out it must be ThinLinc related.

Is there an option to disable the smart card direction on the server? The admin guide says:

‘Enabling Smart Card Redirection
Smart card redirection is always activated on the server so there is no administration required to enable it.’

Hello @kbass

I’m not sure if I understand what problem you’re facing, and why disabling smart card redirection would solve it?

To disable it, you can uncheck ‘Smart Card Readers’ in ThinLinc Client under ‘Local Devices’.


Hi @martin - To summarize my original post. I am trying to use a smart card that is connected to the SERVER while I am logged in via the thinlinc client. The thinlinc server installation interferes with using that when logged in by thinlinc client. It has nothing to do with the client side setting.

That’s not a use-case I’ve heard of before, so not sure what’s going on really. But it sounds as a permission problem. Since you’re logged in remotely, your user will probably not have sufficient privileges to access local attached hardware. Polkit will most likely refuse some access. Have you tried enabled debug logging in Polkit and see what it says?

To disable smart card redirection on server-side, it should be sufficient to remove the symlink


and then restart your session.


I just gave it a go, and I believe what you’ll need to do are:

echo "unset LD_LIBRARY_PATH" >> ~/.bash_profile

Then create the polkit allow rules:

# cat >> /etc/polkit-1/rules.d/00-allow-smartcard.rules<<EOF
polkit.addRule(function(action, subject) {
    if ( == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'YOU_READER_NAME' &&
        subject.user == "YOUR_USER") {
            return polkit.Result.YES;

polkit.addRule(function(action, subject) {
    if ( == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "YOUR_USER") {
            return polkit.Result.YES;

Replace YOUR_USER and YOU_READER_NAME. You can find your card reader name with

opensc-tool -l

Then restart the services
systemctl restart pcscd.service pcscd.socket polkit.service

Restart your ThinLinc session after this and try accessing your card reader.

This was tested on an RHEL8 system.

Kind regards,

1 Like

I had already made those polkit changes (and also added polkit logging) when I realized something was sitting between the smartcard and my user account. The polkit rules were never even being hit. That is when I realized there was PCSCTUN_SERVER environment variable that was unexpected. I believe thinlinc server is adding that.

I am not sure about using unset LD_LIBRARY_PATH - I am sure I have other libraries that need to be loaded for other purposes. Is there a specific library path I need to be removing related to thinlinc and the smartcard? Maybe just figuring out how the disable the setting of the PCSCTUN_SERVER would be enough.

Sorry, I meant to add to check for any local LD_LiBRARY_PATH first. On my test system there was only path to /opt/thinlinc… added to it. It should be sufficient to remove /opt/thinlinc from LD_LIBRARAY_PATH

Thanks for mentioning the LD_LIBRARY_PATH. Rather than modify that and potentially disable other features (pulse, etc), I ended up doing the following commands:

cd /opt/thinlinc
rm lib64/ lib64/ lib64/ lib/ lib/ lib/ 

Once I made that change, the polkit entries I had previously made were triggered and I could access the Smartcard.