use existing pcsc library instead of building replacement #471

Open
hdeadman opened this issue Nov 1, 2016 · 12 comments
@hdeadman
hdeadman commented Nov 1, 2016

Update: From what I understand, based on comments below, xrdp builds its own libpcsclite.so but the real library supports letting an environment variable (PCSCLITE_CSOCK_NAME) point back at xrdp which presents itself as a smart card (shared from the client). This issue was originally asking for some documentation but it seems to have some useful information so I am re-naming it.

Original:
I see references (when googling) to people using smart cards with xrdp but they are all a few years old. I haven't found any instructions on how to get it working. I am running the latest released xrdp (from EPEL package) on Red Hat 7 and I am able to connect from mstsc over TLS. Here are some questions I have; if they are answered, I could add something to the wiki.

Is the smart card support in xrdp supposed to be for letting you login to xrdp or is it meant to allow you to use your smartcard in an application on the remote machine like using firefox to browse to a site requiring smart card authentication? Or are both possible?

Do I need to enable a channel in xrdp.ini for smartcard support? Are any other configuration changes required in xrdp.ini?

Is the XRDP PCSC fork still required? It's pretty out of date and the PCSC project seems active. Has @LudovicRousseau ever been approached about making any changes necessary to support RDP? I see a reference in his code that talks about RDP:
CCID

Would the smart card in the remote desktop session show up as a USB device?

@LudovicRousseau

I think I have never been approached to add support of XRDP in pcsc-lite.

The code forked in https://github.com/neutrinolabs/pcsc/commits/master is quite old. For example, it uses shared memory to communicate between pcscd and libpcsclite. This has not been used since pcsc-lite 1.6.0, released in 2010.
It looks like the fork uses pcsc-lite 1.5.5 released in 2009.

@jsorg71
Contributor

jsorg71 commented Nov 2, 2016

Hi @LudovicRousseau, that was me. Yes, pcsc fork under NeutrinoLabs is old and I'll delete it.
There is smartcard support in xrdp under the devel branch. One hack that you need to do to use it is to overwrite libpcsclite.so on the system.
It would be great if we could integrate what we've done in xrdp into libpcsclite. I think all we need to do is change libpcsclite.so so that if it sees an environment variable, it uses that to know what unix domain socket to connect to. xrdp will act like pcscd.

@hdeadman
Author

hdeadman commented Nov 2, 2016

I cloned X11RDP-RH-Matic and built the devel branch on RedHat 7 with this command:

./X11RDP-RH-Matic.sh --branch devel --with-xorgxrdp --nox11rdp

I modified /etc/xrdp/startwm.sh to contain the line:
xfce4-session
prior to the line "pre_start".

I am now running the devel branch but I didn't see any libpcsclite.so get built.

I ran make in ~rpmbuild/BUILD/neutrinolabs-xrdp-f949201/sesman/chansrv/pcsc/Makefile and now I have libpcsclite.so. Should the symlink in /usr/lib64/libpcsclite.so.1 point at that? It's three years old and half the size of the version that ships with pcsclite 1.8.8.

What are the next steps for me to see if my smart card is visible in the xrdp session (now that I am running latest devel branch)? Any changes to anything under /etc/xrdp? I don't see any references to smart cards or pcsc in there.

Thanks.

@jsorg71
Contributor

jsorg71 commented Nov 5, 2016

@LudovicRousseau
I was just looking at winscard_msg.c function getSocketName(). It looks like it already is using the environment variable PCSCLITE_CSOCK_NAME so I think we're good.
It looks like it was added 2010-11-04 with sha1 5fbc9db. I don't know how I missed it.

@LudovicRousseau

I knew I added something like that.
It is LudovicRousseau/PCSC@5fbc9db
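
Added example, not part of the thread and not code from xrdp or pcsc-lite: PCSCLITE_CSOCK_NAME decides which process the stock libpcsclite talks to, and that process sees every request an application sends to the card, so a session can vet the socket before relying on it. `DEFAULT_CSOCK`, the verdict enum and the function names are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700   /* lstat(), S_ISSOCK, getuid() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the compiled-in default differs between pcsc-lite builds. */
#define DEFAULT_CSOCK "/run/pcscd/pcscd.comm"

enum csock_verdict { CSOCK_OK, CSOCK_MISSING, CSOCK_NOT_SOCKET, CSOCK_BAD_OWNER };

/* Lookup order described in the thread: environment variable first,
 * built-in default otherwise (an empty value is treated as unset here). */
const char *resolve_csock(void)
{
    const char *p = getenv("PCSCLITE_CSOCK_NAME");
    return (p != NULL && *p != '\0') ? p : DEFAULT_CSOCK;
}

/* Pure policy check on a stat result: the endpoint must be a socket
 * created by root (a system daemon) or by the calling user (for example
 * a per-session channel server). Anything else is another user's listener. */
enum csock_verdict judge_csock(const struct stat *st, uid_t me)
{
    if (!S_ISSOCK(st->st_mode)) return CSOCK_NOT_SOCKET;
    if (st->st_uid != 0 && st->st_uid != me) return CSOCK_BAD_OWNER;
    return CSOCK_OK;
}

/* lstat() rather than stat(): a symlink at the path is rejected
 * instead of being followed to wherever it points. */
enum csock_verdict check_csock(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return CSOCK_MISSING;  /* absent or unreadable */
    return judge_csock(&st, getuid());
}

int main(void)
{
    static const char *names[] = { "ok", "missing", "not a socket", "unexpected owner" };
    const char *path = resolve_csock();
    enum csock_verdict v = check_csock(path);
    printf("%s: %s\n", path, names[v]);
    return v == CSOCK_OK ? 0 : 1;
}
```

Run it inside the remote session before starting a card-using application; a non-zero exit means the variable points somewhere that should not be trusted as a PC/SC endpoint.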

hdeadman changed the title from "smartcard support question" to "use existing pcsc library instead of building replacement" on Nov 21, 2016
@johnarnold

@jsorg71 is PCSC support working?

@jsorg71
Contributor

jsorg71 commented Oct 25, 2017

The current pcsc support in xrdp requires you to replace an .so file and it does not work great.
I have new code that does not require any change to pcsclite and works much better. I have to clean it up and merge it in.

@jsribeiro

jsribeiro commented Nov 3, 2017

> I have to clean it up and merge it in.

@jsorg71 Do you have any ETA for that? In broad terms, of course.

I've been testing smartcard support on xrdp (with the replacement libpcsclite.so) and, although it works quite well when using Microsoft's RDC client, it starts breaking up when using FreeRDP-based clients.

Would love to see these updates on xrdp's smartcard functionality and would gladly test it extensively.

@johnarnold

@jsorg71 Same, this is a priority for me. All of our services require 2FA now for users.

@mvalente

@jsorg71 Same.

Currently using xrdp 0.9 with proprietary pcsclite and although pcsc_scan detects a card (shared from windows machine through rdp) I can't get the card to work. I get this on loop:

Waiting for the first reader...found one
Scanning present readers...
SCardListReaders:
SCardListReaders: mszGroups (null)
SCardListReaders: *pcchReaders 1
send_message:
0000 06 00 00 00 00 00 00 00 00 00 00 00 ............
get_message:
get_message: loop
SCardListReaders: mszReaders (nil) pcchReaders 0x7fff5e9d6858 num_readers 0
SCardListReaders: status 0x00000000
SCardListReaders:
SCardListReaders: mszGroups (null)
SCardListReaders: *pcchReaders 0
send_message:
0000 06 00 00 00 00 00 00 00 00 00 00 00 ............
get_message:
get_message: loop
SCardListReaders: mszReaders 0x5605a218f670 pcchReaders 0x7fff5e9d6858 num_readers 0
SCardListReaders: status 0x00000000

@jsorg71
Contributor

jsorg71 commented Dec 6, 2017

I added #963 for this.

@choman

choman commented Feb 27, 2018

I know everyone is busy working on this. I'm curious and I'm sure others are too. Can we get a small status update? No worries if not, just really excited to try out native pcsc-lite support. Also I'd like to try it out. Is it too soon? What branch is this being worked in?

Thanks again
