Hello,

On 24/01/2024 at 22:07, Ludovic Rousseau wrote:
On 24/01/2024 at 19:43, Ludovic Rousseau wrote:
On 24/01/2024 at 18:09, Laurent Bigonville wrote:
Package: pcscd
Version: 2.0.1-1
Severity: normal
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

Hello,

When looking at the logs of pcscd, I see the following messages:

jan 22 09:47:37 edoras pcscd[1663]: 00000000 auth.c:125:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found
jan 22 09:47:37 edoras pcscd[1663]: 00000031 auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT authorized for action: access_pcsc

It seems that GDM is not allowed to talk to pcscd.

GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.

I guess that GDM should be whitelisted to allow it to use pcscd?

Exactly.
Good point.

You can add a polkit config file until I fix the issue.
https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/

The fix is quite easy.
Create a new file /etc/polkit-1/rules.d/03-polkit-pcscd.rules containing:
polkit.addRule(function(action, subject) {
     if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
         && subject.user == "Debian-gdm") {
         return polkit.Result.YES;
     }
});


What I don't know is if this new file should be provided by the pcscd package 
or by the gdm3 package.
I would say gdm3 but I am not sure.

I started a discussion on the pcsclite-muscle list at 
https://lists.infradead.org/pipermail/pcsclite-muscle/2024-January/001457.html

The problem is also present on Fedora 39.
It is surprising because Fedora has enabled polkit in pcsc-lite for a long 
time (2014?)

I opened a ticket at gdm upstream
https://gitlab.gnome.org/GNOME/gdm/-/issues/904

I think the fix should be provided by gdm itself.
So I reassign this ticket to the Debian gdm package.

Bye

--
Dr. Ludovic Rousseau
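
An added example (not code from the message above or from the pcsc-lite or gdm projects): a small Node.js harness that loads the rule from the message into a simplified stand-in for polkit's rule engine and checks that it grants access only to the user Debian-gdm and only for the two pcsc-lite actions. The makePolkit() mock, the user "alice" and the action "org.example.other-action" are assumptions constructed for the test.

```javascript
// Simplified stand-in for polkitd's rule engine (an assumption for offline
// testing, not polkit's own code): rules run in order, first truthy value wins.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule(fn) { rules.push(fn); },
    // Returns the first decision, or NOT_HANDLED, in which case polkit would
    // fall back to the implicit defaults declared for the action.
    check(actionId, user) {
      for (const rule of rules) {
        const r = rule({ id: actionId }, { user });
        if (r) return r;
      }
      return this.Result.NOT_HANDLED;
    },
  };
}

// The rule from the message above, registered with the stand-in engine.
function loadGdmRule(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
        && subject.user == "Debian-gdm") {
      return polkit.Result.YES;
    }
  });
}

// Constructed test matrix of [action id, user name] pairs.
function evaluateMatrix() {
  const polkit = makePolkit();
  loadGdmRule(polkit);
  const cases = [
    ["org.debian.pcsc-lite.access_pcsc", "Debian-gdm"],
    ["org.debian.pcsc-lite.access_card", "Debian-gdm"],
    ["org.debian.pcsc-lite.access_pcsc", "alice"],      // constructed user
    ["org.example.other-action", "Debian-gdm"],         // constructed action
    ["org.debian.pcsc-lite.access_pcsc", "debian-gdm"], // user name case differs
  ];
  return cases.map(([id, user]) => ({ id, user, result: polkit.check(id, user) }));
}

for (const row of evaluateMatrix()) console.log(row.user, row.id, "->", row.result);
```

Rows that come back as not_handled are the ones the rule leaves to later rules or to the action's default policy, so the grant stays limited to the GDM greeter account.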
