[How-to] Use multiple smartcards simultaneously
Thomas Jarosch
thomas.jarosch at intra2net.com
Fri Feb 23 15:51:25 CET 2018
Hello,
here's a quick howto for using multiple smartcards
at the same time on Fedora 26 with gnupg 2.2.4.
To access multiple card readers simultaneously,
the internal CCID driver of gnupg must be used.
Steps:
1. Allow normal users to access the card readers:
Create a "hwdb" file in /etc/udev/hwdb.d/99-smartcard-reader.hwdb
This file contains a list of USB IDs of the card readers.
########
# match lines start in column 0; the property line must be indented by one space
usb:v04E6pE003*
usb:v046Ap003E*
usb:v0C4Bp0504*
 ID_SMARTCARD_READER=1
########
Adapt the USB device IDs to your card reader, some IDs are found here:
https://wiki.gnupg.org/CardReader/PinpadInput
The 'ID_SMARTCARD_READER' tag will trigger a udev rule
in /usr/lib/udev/rules.d/70-uaccess.rules that adds the "uaccess" tag for the reader.
This allows access to the card reader as a normal user while you are logged in.
2. Update systemd's hwdb:
systemd-hwdb update
This re-generates the file /etc/udev/hwdb.bin
3. Prevent pcscd from starting
pcscd can prevent gnupg from accessing the card reader using
the internal CCID driver.
Therefore you can mask (=disable) pcscd via systemd:
systemctl mask --now pcscd.socket
systemctl daemon-reload
4. Log out and log in again. All smartcards should now
be listed when running "gnupg2 --card-status all"
You can modify individual smartcards by using
"gnupg2 --card-edit SERIALNO"
*** Debug tips'n'tricks ***
- Use "udevadm monitor --environment" to see how
udev detects a card reader when plugged in.
Example output:
UDEV [10155.134146] add /devices/pci0000:00/0000:00:01.1/0000:01:00.0/usb1/1-3 (usb)
ACTION=add
BUSNUM=001
DEVNAME=/dev/bus/usb/001/015
DEVNUM=015
DEVPATH=/devices/pci0000:00/0000:00:01.1/0000:01:00.0/usb1/1-3
DEVTYPE=usb_device
DRIVER=usb
ID_BUS=usb
ID_FOR_SEAT=usb-pci-0000_01_00_0-usb-0_3
ID_MODEL=SPRx32_USB_Smart_Card_Reader
ID_MODEL_ENC=SPRx32\x20USB\x20Smart\x20Card\x20Reader
ID_MODEL_FROM_DATABASE=SPR532 PinPad SmartCard Reader
ID_MODEL_ID=e003
ID_PATH=pci-0000:01:00.0-usb-0:3
ID_PATH_TAG=pci-0000_01_00_0-usb-0_3
ID_REVISION=0601
ID_SERIAL=SCM_Microsystems_Inc._SPRx32_USB_Smart_Card_Reader_xxxxx
ID_SERIAL_SHORT=xxxxx
ID_SMARTCARD_READER=1
ID_USB_INTERFACES=:ff0000:
ID_VENDOR=SCM_Microsystems_Inc.
ID_VENDOR_ENC=SCM\x20Microsystems\x20Inc.
ID_VENDOR_FROM_DATABASE=SCM Microsystems, Inc.
ID_VENDOR_ID=04e6
MAJOR=189
MINOR=14
PRODUCT=4e6/e003/601
SEQNUM=4699
SUBSYSTEM=usb
SYSTEMD_WANTS=smartcard.target
TAGS=:seat:systemd:uaccess:
TYPE=0/0/0
USEC_INITIALIZED=10155130754
Notice the "uaccess" tag in the output.
It also contains the USB device path in DEVNAME=,
in this case /dev/bus/usb/001/015.
- Inspect the user ACL on the USB device file via "getfacl"
getfacl /dev/bus/usb/001/015
# getfacl /dev/bus/usb/001/015
# file: dev/bus/usb/001/015
# owner: root
# group: root
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::r--
-> there's an extra read/write ACL for username "alice" in there.
- Enable scdaemon debug output in ~/.gnupg/scdaemon.conf
When inspecting the log file, make sure there are no messages like
"ccid open error: skip"
If that's the case, try masking pcscd like above.
Otherwise gnupg will fall back to pcscd mode which currently
does not support multiple smartcards. See also:
https://dev.gnupg.org/T1621#110805
Hopefully this short guide is useful to someone else
when setting up multiple card readers.
In fact it can even be helpful when using just one card reader,
since setting up the device permissions using udev's uaccess
system is tricky and sparsely documented:
https://github.com/systemd/systemd/issues/4288
Cheers,
Thomas
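As an added example that is not part of Thomas's post: a small POSIX shell helper that generates the hwdb stanza from step 1 for a list of vendor:product IDs and checks a dump of "udevadm monitor --environment" for the two things step 4 relies on, the ID_SMARTCARD_READER=1 property (proof that the hwdb entry matched) and the "uaccess" tag (proof that 70-uaccess.rules fired). The function names and the two sample dumps are constructed for this example; the USB IDs are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for verifying the
# udev/hwdb part of the setup. All sample data below is constructed.

# hwdb_stanza VENDOR:PRODUCT [VENDOR:PRODUCT ...]
# Prints hwdb match lines (uppercase hex, trailing '*') followed by the
# property line, which hwdb requires to be indented by exactly one space.
hwdb_stanza() {
    for pair in "$@"; do
        vid=$(printf '%s' "${pair%%:*}" | tr 'a-f' 'A-F')
        pid=$(printf '%s' "${pair#*:}" | tr 'a-f' 'A-F')
        printf 'usb:v%sp%s*\n' "$vid" "$pid"
    done
    printf ' ID_SMARTCARD_READER=1\n'
}

# check_reader_env < udev-environment-dump
# Reads KEY=VALUE lines (the format "udevadm monitor --environment" prints)
# from stdin. Returns 0 and prints DEVNAME when the device carries both
# ID_SMARTCARD_READER=1 and the uaccess tag; otherwise reports which piece
# is missing on stderr and returns 1.
check_reader_env() {
    reader=0; uaccess=0; devname=""
    while IFS= read -r line; do
        case "$line" in
            ID_SMARTCARD_READER=1) reader=1 ;;
            DEVNAME=*) devname="${line#DEVNAME=}" ;;
            TAGS=*) case "$line" in *:uaccess:*) uaccess=1 ;; esac ;;
        esac
    done
    if [ "$reader" -eq 1 ] && [ "$uaccess" -eq 1 ]; then
        printf '%s\n' "$devname"
        return 0
    fi
    [ "$reader" -eq 1 ] || echo "no ID_SMARTCARD_READER=1: hwdb entry did not match; check the USB IDs and re-run systemd-hwdb update" >&2
    [ "$uaccess" -eq 1 ] || echo "no uaccess tag: 70-uaccess.rules did not apply; log out and in again" >&2
    return 1
}

# Constructed sample: a reader that matched the hwdb entry and got uaccess.
GOOD_ENV='ACTION=add
DEVNAME=/dev/bus/usb/001/015
ID_VENDOR_ID=04e6
ID_MODEL_ID=e003
ID_SMARTCARD_READER=1
TAGS=:seat:systemd:uaccess:'

# Constructed sample: the same reader before the hwdb entry existed.
BAD_ENV='ACTION=add
DEVNAME=/dev/bus/usb/001/016
ID_VENDOR_ID=04e6
ID_MODEL_ID=e003
TAGS=:seat:systemd:'

# Demo on the constructed samples (run this file directly to see the output).
hwdb_stanza 04e6:e003 046a:003e 0c4b:0504
printf '%s\n' "$GOOD_ENV" | check_reader_env
if ! printf '%s\n' "$BAD_ENV" | check_reader_env; then
    echo "second sample failed the check, as expected"
fi
```

On a real system, pipe a captured "udevadm monitor --environment" block for the reader into check_reader_env; the printed DEVNAME is the path to hand to getfacl in the next debug tip.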