Dear all,
I’ve been using openSUSE Aeon lately and so far it has been working great. I’m having an issue though. I use a smart card reader that plugs in via USB to my laptop and allows me to read my home country’s ID card, access personal data and authenticate on government sites.
Software for reading the ID card is available as a flatpak that used to work well on Fedora. In MicroOS (Aeon specifically) the application starts up but gives an error that the card reader wasn’t detected. I run the flatpak using flatpak run pt.gov.autenticacao and got the following prints when trying to access the card:
qrc:/contentPages/card/PageCardIdentify.qml:35:5: QML Connections: Implicitly defined onFoo properties in Connections are deprecated. Use this syntax instead: function onFoo(<arguments>) { ... }
libpng warning: iCCP: known incorrect sRGB profile
None of this looks useful for sorting this out. In any case, why would a flatpak app that requires a USB connection to a device fail to find it? I stress that on Fedora I was able to run the app as a flatpak and read the card. I can easily read USB flash drives on the host machine, so I’m sure I can access media through USB.
Sorry if there isn’t much useful info here, but any hints about the problem would be appreciated.
Usually you’ll have the pcscd service running on the host. In case it’s not available you should install the package pcsc-lite.
Have you checked to make sure there isn’t an SELinux issue when it’s trying to read the card?
What is the output of:
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
After attempting to read your card.
Thank you for your replies
@sfalken actually I did wonder whether this was the case, but I have never dealt with SELinux before. I’ve run the flatpak app, and running the command you suggest returned no matches.
@awerlang I have installed pcsc-lite via transactional-update and then ran systemctl start pcscd.service, which returned:
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
Active: active (running) since Tue 2023-07-18 08:45:33 BST; 27s ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 2778 (pcscd)
Tasks: 5 (limit: 4915)
CPU: 51ms
CGroup: /system.slice/pcscd.service
└─2778 /usr/sbin/pcscd --foreground
Now with the service running I tried running my flatpak app, but I still got a card reader not found error.
I can’t say for certain, as I don’t believe there’s anything on the Aeon end that would change the flatpak permissions, but if you check flatseal, look to see if pt.gov.autenticacao has the permissions Smart Card Access and probably Device Access?
Make sure you start the flatpak app after the pcsc service is started.
I’d try next verifying the connection on the host side.
- Firefox installed as rpm: verify if it’s listed under settings → security devices
- Firefox as a flatpak: verify if another flatpak app has access
- Running pcsc_scan from the pcsc-tools package
Oh, you know what, I didn’t think about it, but I regularly use a Yubikey with Aeon/Kalpa (I understand, not actually a smartcard, but it is similar) and it has a glitch.
- Log in to a website that then asks for my security key
- Get the popup that asks for the security key
- Plug in my Yubikey, and touch the little button
- Nothing happens, and the authentication fails.
Now, my workaround at the moment:
Plug my Yubikey in, before I get the popup in firefox, and it works fine.
or
Cancel the popup, plug my yubikey in, and then hit the “try again” button, or link, and it works fine.
I haven’t found a site that this hasn’t worked with yet.
I haven’t a clue if the same thing might be happening with your smart card, but might be worth trying?
Thanks a lot for your answers.
@sfalken I followed your suggestion and used flatseal to check the permissions and it seems it allows pcsc cards in there. Also couldn’t make it work by plugging in the device before running the app.
Probably the issue is on the host side really. I’ve run pcsc_scan as @awerlang suggested and the prompt kept waiting for the reader to be connected.
So I compared the systemd service files between Fedora and openSUSE and this is what I found. On Fedora:
~> cat /usr/lib/systemd/system/pcscd.service
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)
[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
ExecReload=/usr/sbin/pcscd --hotplug
EnvironmentFile=-/etc/default/pcscd
[Install]
Also=pcscd.socket
On openSUSE:
Successfully installed edited file '/etc/systemd/system/pcscd.service.d/override.conf'.
rodolfo@tuxedo:~> cat /usr/lib/systemd/system/pcscd.service
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Environment="PCSCD_OPTIONS="
EnvironmentFile=-/etc/sysconfig/pcscd
ExecStart=/usr/sbin/pcscd --foreground $PCSCD_OPTIONS
ExecReload=/usr/sbin/pcscd --hotplug
[Install]
Also=pcscd.socket
So apparently openSUSE adds a few more hardening flags which I’m not sure I understand entirely. I’ve then tried to override the pcscd.service file by running systemctl edit pcscd.service, and then setting all of these extra flags that Fedora doesn’t have to false. The override file /etc/systemd/system/pcscd.service.d/override.conf looks like this:
~> cat /etc/systemd/system/pcscd.service.d/override.conf
[Service]
ProtectSystem=false
ProtectHome=false
ProtectHostname=false
ProtectKernelTunables=false
ProtectKernelModules=false
ProtectKernelLogs=false
ProtectControlGroups=false
RestrictRealtime=false
Sadly I still can’t use the card reader. But maybe:
- I’m doing something wrong. Any help is welcome.
- Changing this is pointless.
- I shouldn’t be doing this anyway.
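An added example, not from anyone in this thread, that works through the systemd unit/drop-in precedence the comparison above relies on: it writes constructed copies of the openSUSE unit and the override.conf to a temp directory, resolves each hardening directive the way systemd does (drop-ins are parsed after the main unit, and for these single-valued directives the last assignment wins), and lists exactly which protections an override like this one removes. The directive set, file contents and function names are mine, kept to a subset of the eight directives shown in the thread.

```shell
# Constructed copies of the unit and drop-in (not the live system files),
# written to a temp dir so the functions below can be exercised offline.
WORK="$(mktemp -d)"
UNIT="$WORK/pcscd.service"
DROPIN="$WORK/override.conf"
cat > "$UNIT" <<'EOF'
[Service]
ProtectSystem=full
ProtectHome=true
ProtectKernelModules=true
RestrictRealtime=true
ExecStart=/usr/sbin/pcscd --foreground $PCSCD_OPTIONS
EOF
cat > "$DROPIN" <<'EOF'
[Service]
ProtectSystem=false
ProtectHome=false
EOF

# effective_value KEY FILE... : print the value systemd would use for KEY in
# [Service]. Files are read in the order given (main unit first, then
# drop-ins) and the last assignment found wins, matching systemd's rule for
# single-valued directives such as the Protect*/Restrict* settings.
effective_value() {
    key="$1"; shift
    val=""
    for f in "$@"; do
        v="$(awk -F= -v k="$key" '
            /^\[/ { sect = $0 }
            sect == "[Service]" && $1 == k { v = substr($0, length(k) + 2) }
            END { print v }' "$f")"
        if [ -n "$v" ]; then val="$v"; fi
    done
    printf '%s\n' "$val"
}

# relaxed_directives UNIT DROPIN : list hardening directives that the unit
# enabled but the drop-in switched off, so a reviewer sees precisely which
# protections were given up (and can put them back once the real cause is found).
relaxed_directives() {
    for k in ProtectSystem ProtectHome ProtectKernelModules RestrictRealtime; do
        base="$(effective_value "$k" "$1")"
        eff="$(effective_value "$k" "$1" "$2")"
        if [ "$base" != "$eff" ]; then
            case "$eff" in false|no|off|0) printf '%s\n' "$k" ;; esac
        fi
    done
}
```

On a live system, systemctl show pcscd.service -p ProtectSystem reports the effective value directly, which is the authoritative check after editing a drop-in.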
You can try Tumbleweed, perhaps even on a live image.
Does it work there? Then raise a bug against MicroOS.
Sure I can try that. Will update the thread.