Accessing forwarded smart card as root user

  • #44594
    takbal
    Participant

    I am running the free versions on Windows 10 client and Ubuntu 22.04 LTS server, version 8.5.3 on both sides.

    I was able to successfully forward my Yubikey 5 NFC, using devices => smart card readers:

    % pkcs11-tool --module /usr/NX/lib/libpkcs11.so -L
    Available slots:
    Slot 0 (0x1): Yubico YubiKey OTP+FIDO+CCID 0
    token label : PIV_II (PIV Card Holder pin)
    token manufacturer : piv_II
    token model : PKCS#15 emulated
    token flags : login required, rng, token initialized, PIN initialized
    hardware version : 0.0
    firmware version : 0.0
    serial num : abcdefghijkl
    pin min/max : 4/8
    

    However, if I do the same as root, the same fails:

    # pkcs11-tool --module /usr/NX/lib/libpkcs11.so -L
    Main C_Initialize(NULL) rv:CKR_FUNCTION_FAILED
    error: PKCS11 function C_Initialize failed: rv = CKR_FUNCTION_FAILED (0x6)
    Aborting.

    This is an issue when trying to use the smart card with the standard pam_pkcs11 module for authentication, as the module runs as root in the PAM architecture, and cannot see the card. I could find no way to force start the PAM module with a non-root uid either.

    I do not want to forward the card as a USB device, as it makes it unavailable on the client.

    #44678
    Guro
    Contributor

    Hello

    The smart device is accessible by the user who forwarded it. Sharing the smart card among users is not supported (but planned) because personal information for smart card sharing is stored in the user’s home on the server side, which is not accessible to a different user even if that other user is root.

    Thanks
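
A preflight check for the situation in this thread, as an added example that is not part of the original posts and is not NoMachine or OpenSC code: it classifies `pkcs11-tool -L` output so you can confirm, per uid, whether a PKCS#11 module exposes a token before relying on it from a root-run PAM module. The function names and the embedded sample outputs are constructed for illustration, modelled on the two listings quoted in the first post.

```shell
#!/bin/sh
# Added example: classify `pkcs11-tool --module <lib> -L` output per uid.

# classify_listing: reads the tool's combined stdout/stderr on stdin, prints
#   token-visible  at least one slot reports a token label
#   init-failed    C_Initialize failed (the root case in the post)
#   no-token       module loaded, but no slot holds a token
classify_listing() {
    awk '
        /C_Initialize failed/       { init_failed = 1 }
        /^[ \t]*token label[ \t]*:/ { tokens++ }
        END {
            if (init_failed)     print "init-failed"
            else if (tokens > 0) print "token-visible"
            else                 print "no-token"
        }'
}

# preflight MODULE: list slots as the *current* uid and report the result.
# Exit status is 0 only when a token is visible to this uid.
preflight() {
    module=$1
    result=$(pkcs11-tool --module "$module" -L 2>&1 | classify_listing)
    printf 'uid=%s module=%s result=%s\n' "$(id -u)" "$module" "$result"
    [ "$result" = "token-visible" ]
}

# Constructed samples (not captured output), modelled on the post.
sample_user() { cat <<'EOF'
Available slots:
Slot 0 (0x1): Yubico YubiKey OTP+FIDO+CCID 0
  token label        : PIV_II (PIV Card Holder pin)
  token flags        : login required, rng, token initialized, PIN initialized
EOF
}
sample_root() { cat <<'EOF'
Main C_Initialize(NULL) rv:CKR_FUNCTION_FAILED
error: PKCS11 function C_Initialize failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
EOF
}

echo "forwarding user: $(sample_user | classify_listing)"
echo "root:            $(sample_root | classify_listing)"
```

Run `preflight /usr/NX/lib/libpkcs11.so` once as the user who forwarded the card and once as root; a non-zero exit under root means the module cannot be used from a root-run PAM stack in that session.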
