smart card under linux

Philip Jackson philip.jackson at nordnet.fr
Wed Oct 22 15:43:15 CEST 2014


Thank you for all this, Peter.  It will take me a little while to digest and
check out.

Philip

On 22/10/14 11:19, Peter Lebbing wrote:
> On 21/10/14 00:36, Philip Jackson wrote:
>> I've followed, I believe, all the instructions in the gnupg.com smartcard howto.
>>  In para 2.3.1 CCID : I've tried both the instructions under 'with udev
>> (preferred installation)' and further down 'with hotplug (deprecated in modern
>> systems)'
> 
> These steps were superfluous for me for Debian jessie/testing because the
> necessary udev rules are included in the gnupg package already. However, I use
> an SPR532 here. The SCM3512 is not mentioned in the rules file, so you might
> need to add an entry.
> 
> Here's how it looks for me:
> 
> ----------------------8<------------------->8----------------------
> $ lsusb
> [...]
> Bus 005 Device 005: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard
> Reader
> [...]
> 
> $ cd /dev/bus/usb/005
> $ ls -l
> total 0
> crw-rw-r--  1 root root 189, 512 Oct 22  2014 001
> crw-rw-r--  1 root root 189, 513 Oct 22  2014 002
> crw-rw-r--  1 root root 189, 514 Oct 22  2014 003
> crw-rw-r--  1 root root 189, 515 Oct 22  2014 004
> crw-rw-r--+ 1 root root 189, 516 Oct 22 10:53 005
> ----------------------8<------------------->8----------------------
> 
> Notice the +. There's an ACL active here.
> 
> ----------------------8<------------------->8----------------------
> $ getfacl 005
> # file: 005
> # owner: root
> # group: root
> user::rw-
> user:peter:rw-
> group::rw-
> mask::rw-
> other::r--
> ----------------------8<------------------->8----------------------
> 
> Ah, I have write access! You will definitely need write access, although maybe
> not for this specific character device. A USB device might create several
> "nodes" in /dev, I'm not sure which one you need write access to.
> 
> And here is the file that gives me the access:
> 
> ----------------------8<------------------->8----------------------
> $ cat /lib/udev/rules.d/60-gnupg.rules
> # do not edit this file, it will be overwritten on update
> 
> SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
> ACTION!="add", GOTO="gnupg_rules_end"
> 
> # USB SmartCard Readers
> [...]
> ## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
> [...]
> ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1",
> ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
> [...]
> ----------------------8<------------------->8----------------------
> 
> The ID_SMARTCARD_READER environment variable is used in
> /lib/udev/rules.d/70-uaccess.rules and /lib/udev/rules.d/99-systemd.rules.
> Somewhere there the write access is actually set up. These files are from the
> systemd package. Note that I actually use sysvinit as init system, not systemd,
> but this is still where it is set up for Debian. It allows access to smartcard
> readers for people who are logged in to a "head" of the system (I presume).
> 
> So let's suppose your device is not 04e6:e003 but 04e6:1234. If I were to have
> that device, I would need to add the following file:
> 
> ----------------------8<------------------->8----------------------
> $ cat >/etc/udev/rules.d/60-gnupg-extra.rules <<EOF
> SUBSYSTEM!="usb", GOTO="gnupg_extra_rules_end"
> ACTION!="add", GOTO="gnupg_extra_rules_end"
> 
> # The venerable SCM 1234 reader (it can count!)
> ATTR{idVendor}=="04e6", ATTR{idProduct}=="1234", ENV{ID_SMARTCARD_READER}="1",
> ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
> 
> LABEL="gnupg_extra_rules_end"
> EOF
> ----------------------8<------------------->8----------------------
> 
> That last line is not part of the file, it signals end-of-file to the cat
> command. Also, there's a long line that's split but shouldn't be.
> 
> And that would be all I need to add to udev! And it would work for anyone
> logging into X on your monitor and keyboard (the "head").
> 
> TL;DR: Make sure your user has write access to the USB device. Also, differences
> in Linux distributions mean the HOWTO might not be the optimal way to do it, or
> even that you might not need to do anything at all.
> 
> HTH,
> 
> Peter.
> 
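As an added example, written for this archived thread and not part of Philip's or Peter's messages: a small POSIX shell helper that automates the three things Peter walks through above, namely finding the /dev/bus/usb node for a reader by vendor:product ID (via the standard Linux sysfs attributes idVendor, idProduct, busnum and devnum), spotting the trailing `+` ACL marker in an `ls -l` line, and generating an extra udev rules file in the style of 60-gnupg.rules with the long ATTR line kept unwrapped. The 04e6:1234 ID is Peter's hypothetical reader, and the two `ls -l` lines used in the comments are copied from his output.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for checking and granting
# user access to a USB smartcard reader as described in Peter's reply.

# Resolve a USB vendor:product ID to its /dev/bus/usb/BBB/DDD node using
# sysfs. Prints the node path and returns 0, or returns 1 if no such device
# is currently plugged in (or sysfs is unavailable, e.g. in a container).
usb_node_for_id() {
    want_vid=$1; want_pid=$2
    for dev in /sys/bus/usb/devices/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        read -r vid < "$dev/idVendor"
        read -r pid < "$dev/idProduct"
        [ "$vid" = "$want_vid" ] && [ "$pid" = "$want_pid" ] || continue
        read -r bus < "$dev/busnum"
        read -r num < "$dev/devnum"
        printf '/dev/bus/usb/%03d/%03d\n' "$bus" "$num"
        return 0
    done
    return 1
}

# Given one 'ls -l' line for a device node, return 0 if the mode string ends
# in the '+' that marks an extra POSIX ACL (as in Peter's "crw-rw-r--+ ... 005"),
# 1 otherwise (as in "crw-rw-r--  ... 001").
has_acl_marker() {
    mode=${1%% *}          # first whitespace-separated field: the mode string
    case "$mode" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# Report whether the current user can write to a device node. Root bypasses
# the mode bits, so run this as the user who will actually use the reader.
node_writable() {
    [ -w "$1" ]
}

# Emit a rules file in the style of /lib/udev/rules.d/60-gnupg.rules for one
# reader that is missing from the packaged rules. The ATTR line is printed as
# a single line: udev does not accept it wrapped.
gnupg_extra_rule() {
    vid=$1; pid=$2; comment=$3
    printf '%s\n' \
        'SUBSYSTEM!="usb", GOTO="gnupg_extra_rules_end"' \
        'ACTION!="add", GOTO="gnupg_extra_rules_end"' \
        '' \
        "# $comment" \
        "ATTR{idVendor}==\"$vid\", ATTR{idProduct}==\"$pid\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\"" \
        '' \
        'LABEL="gnupg_extra_rules_end"'
}

# Usage: sh this_script.sh VID PID  (e.g. 04e6 1234, Peter's hypothetical reader)
# Checks access to the live device, then prints the rule you would install as
# /etc/udev/rules.d/60-gnupg-extra.rules if write access is missing.
if [ "$#" -eq 2 ]; then
    if node=$(usb_node_for_id "$1" "$2"); then
        if node_writable "$node"; then
            echo "$node is writable by $(id -un); no udev change needed"
        else
            echo "$node is NOT writable by $(id -un); ACL on it:"
            command -v getfacl >/dev/null && getfacl "$node"
            echo "Suggested /etc/udev/rules.d/60-gnupg-extra.rules:"
            gnupg_extra_rule "$1" "$2" "Reader $1:$2 (added manually)"
        fi
    else
        echo "no USB device $1:$2 found in sysfs" >&2
    fi
fi
```

After installing a generated rules file, re-plug the reader (the rules only match on ACTION=="add"), then re-run the script as the logged-in user; the `+` in `ls -l /dev/bus/usb/BBB/` and a `user:<you>:rw-` line from getfacl confirm that 70-uaccess.rules picked up the ID_SMARTCARD_READER tag.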