Bug 661558 - =sys-auth/polkit-0.113-r4: polkit denies access to devices in group pcscd to members of the group.
Summary: =sys-auth/polkit-0.113-r4: polkit denies access to devices in group pcscd to ...
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-19 00:33 UTC by José Pekkarinen
Modified: 2018-07-20 17:41 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description José Pekkarinen 2018-07-19 00:33:41 UTC
Hi,

I'm trying to set up a Ledger Nano to work through pcscd and make it accessible
to gnupg. I configured the following udev rules:

# cat /etc/udev/rules.d/20-ledger.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001", MODE="0660", OWNER="pcscd", GROUP="pcscd"

And I started pcscd. After plugging the device and entering the pin, I see
it in dmesg:

[  244.219202] usb 1-3: USB disconnect, device number 11
[  244.471026] usb 1-3: new full-speed USB device number 12 using xhci_hcd
[  244.603628] usb 1-3: config 1 has an invalid interface number: 2 but max is 1
[  244.603629] usb 1-3: config 1 has no interface number 1
[  244.607674] usb 1-3: New USB device found, idVendor=2c97, idProduct=0001
[  244.607675] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  244.607676] usb 1-3: Product: Nano S
[  244.607677] usb 1-3: Manufacturer: Ledger
[  244.607678] usb 1-3: SerialNumber: 0001
[  244.616270] hid-generic 0003:2C97:0001.0009: hiddev1,hidraw4: USB HID v1.11 Device [Ledger Nano S] on usb-0000:00:14.0-3/input0

and the devices come up in the right group:

# find /dev -group pcscd
/dev/hidraw4
/dev/usb/hiddev1

As root, I can see the reader:

# gpg --card-status
Reader ...........: Ledger Token [Nano S] (0001) 00 00
Application ID ...: D2760001240103032C97CBEE2B090000
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: CBEE2B09
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Though if I switch to my user, which belongs to the pcscd group, it can't:

$ groups
wheel audio video qemu kvm usb users plugdev portage docker jenkins libvirt lxd pcscd pekkari lxc prey weston-launch

$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

From messages I read the following:

Jul 19 03:30:13 bee pcscd[15050]: /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 31832 (user: 1000) is NOT authorized for action: access_pcsc
Jul 19 03:30:13 bee pcscd[15050]: /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

And user id is 1000. Is this a wrong default in polkit? Any known mitigation?

Thanks!

José.
Comment 1 José Pekkarinen 2018-07-20 17:03:00 UTC
Seems like adding the files:

# cat /etc/polkit-1/rules.d/20-pcscd.rules
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("pcscd") {
                return polkit.Result.YES;
        }
});

polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("pcscd") {
                return polkit.Result.YES;
        }
});

And:

# cat /etc/polkit-1/localauthority/50-local.d/40-pcscd.pkla
[pcscd access]
Identity=unix-group:pcscd
Action=org.debian.pcsc-lite.access_pcsc
ResultAny=no
ResultInactive=no
ResultActive=yes

Doesn't help, so I'm not sure what I am doing wrong here; it simply denies
access to the group.
Comment 2 José Pekkarinen 2018-07-20 17:40:59 UTC
Grrrr... Turns out to be a parenthesis mismatch in the rules file, this is the
corrected one:

# cat /etc/polkit-1/rules.d/20-pcscd.rules
polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("pcscd")) {
                return polkit.Result.YES;
        }
});

polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("pcscd")) {
                return polkit.Result.YES;
        }
});

The ifs weren't closed as they should be. Now:

$ gpg --card-status
Reader ...........: Ledger Token [Nano S] (0001) 00 00
Application ID ...: D2760001240103032C97CBEE2B090000
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: CBEE2B09
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Thanks!

José