Process /usr/libexec/gsd-smartcard does not have access to the PC/SC interface at login
pcsc-lite uses polkit to restrict who has access to the smart card API. See https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/
The default policy is to give access to root, or to the logged-in user. gsd-smartcard is run as user "gdm" during login and so does NOT have access to the smart card API.
You can see the error from a remote shell to the computer using:
journalctl -u pcscd -f
For example with Fedora 39 I get:
févr. 02 17:52:18 fedora pcscd[4289]: 44464196 auth.c:143:IsClientAuthorized() Process 6306 (user: 42) is NOT authorized for action: access_card
févr. 02 17:52:18 fedora pcscd[4289]: 00000289 winscard_svc.c:518:ContextThread() Rejected unauthorized client for 'Alcor Micro AU9540 00 00'
févr. 02 17:52:18 fedora pcscd[4289]: 00024422 auth.c:143:IsClientAuthorized() Process 6306 (user: 42) is NOT authorized for action: access_card
févr. 02 17:52:18 fedora pcscd[4289]: 00000157 winscard_svc.c:518:ContextThread() Rejected unauthorized client for 'Alcor Micro AU9540 00 00'
or
févr. 02 18:27:00 fedora pcscd[4289]: 99999999 auth.c:143:IsClientAuthorized() Process 8353 (user: 42) is NOT authorized for action: access_pcsc
févr. 02 18:27:00 fedora pcscd[4289]: 00000152 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
User 42 is gdm:
$ grep 42 /etc/passwd
gdm:x:42:42:GNOME Display Manager:/var/lib/gdm:/usr/sbin/nologin
and process 8353 was gsd-smartcard run as user gdm:
gdm 8353 /usr/libexec/gsd-smartcard
The solution is for gdm to install a polkit rule file to give access to user gdm.
It can be something like a file /usr/share/polkit-1/rules.d/org.gnome.gdm.gsd-smartcard.rules:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
        && subject.user == "gdm") {
        return polkit.Result.YES;
    }
});
One difficulty is that the user is not always gdm. For example, Debian uses the user Debian-gdm instead.
So the polkit .rules file should be dynamically generated to adapt to the configured user name.
This issue was reported on the Debian package pcsc-lite as bug #1061444.
Instead of adding the polkit file in pcsc-lite, I think the correct solution is for gdm to bring its own polkit rule file. pcsc-lite does not need to (and should not) know all the other applications/users that should have access to the smart card interface in "non-standard" situations.
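One way to generate the rule for whichever user name the display manager is configured with, as an added example (not code from gdm or pcsc-lite). The function name gen_pcsc_rule and the set of characters accepted in a user name are assumptions; the two action ids and the rule body are the ones shown above.

```shell
#!/bin/sh
# Added example: emit the polkit rule for a configurable display-manager user.
# gen_pcsc_rule and the accepted user-name characters are assumptions,
# not part of gdm or pcsc-lite.

# Print the rule on stdout. Return 1 (and print nothing on stdout) when the
# user name is empty or contains a character outside [A-Za-z0-9_.-], so that
# nothing unexpected can end up inside the JavaScript string literal.
gen_pcsc_rule() {
    user=$1
    case $user in
        ''|*[!A-Za-z0-9_.-]*)
            echo "refusing unsafe user name: '$user'" >&2
            return 1
            ;;
    esac
    # Only these two pcsc-lite actions are granted, and only to this one user.
    # Every other request falls through to the default pcsc-lite policy.
    cat <<EOF
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
        && subject.user == "$user") {
        return polkit.Result.YES;
    }
});
EOF
}

# When called with a user name, write the rule to stdout, for example:
#   sh gen-rule.sh Debian-gdm \
#     > /usr/share/polkit-1/rules.d/org.gnome.gdm.gsd-smartcard.rules
if [ "$#" -ge 1 ]; then
    gen_pcsc_rule "$1"
fi
```

After installing the generated file, the "is NOT authorized for action" lines for the display-manager user should no longer appear in journalctl -u pcscd -f at the login screen.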