Export this smart card reader at session startup does not work

Forum / NoMachine for Linux / Export this smart card reader at session startup does not work

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • April 17, 2024 at 00:03 #47801
    opoplawski
    Participant

    I can connect my smart card reader to the remote desktop and that works fine. However, there is a checkbox labeled “Export this smart card reader at session startup”, which I would assume would share the reader everytime I connect. However, this is not the case and I must manually share the reader each time.

    NoMachine Workstation 8.11.3
    Alma Linux 8.9

    April 22, 2024 at 09:31 #47894
    pfitas
    Participant

    Hi
    Is this smart card reader a usb device? Have you tried sharing it through usb devices tab? Does smard card reader work without issues when shared manualy?

    April 22, 2024 at 20:06 #47911
    opoplawski
    Participant

    This is a YubiKey – so yes a USB device. Generally manually sharing the smartcard reader works just fine, though a current test of reconnecting to an old session with a rebooted client fails. PKCS11 operations seem to hang. I see the following repeated in the strace of p11tool –list-token-urls:

    sendto(6, “NXCLIENT-4.0.0 cookie=AD2186647C3824FF8D0ACD921D66B992,command=set,target=local,option=smartcard,value=:1004:3319770 “, 117, 0, NULL, 0) = 117
    recvfrom(6, “NXAGENT-8.11.3 “, 10240, 0, NULL, NULL) = 15
    recvfrom(6, “error=0,value=retry “, 10225, 0, NULL, NULL) = 20

    The YK device is not listed in the “Connect a USB device” menu, probably because it is already in use by the client machine. Unless the USB device could be used simultaneously by both machines (which seems doubtful), this would no be helpful to us because both the client and the remote session would need access to the smart card.

    June 20, 2024 at 15:19 #48600
    Britgirl
    Keymaster

    We have a Trouble Report open in relation to forwarding smartcard which does not work correctly when the automount option is enabled. It’s caused by some changes introduced to the ssh-agent in an OpenSSH update which, in order to increase the security level, block the execution of PKCS#11 libraries not in the default path or in the verified path. Smartcard will be mounted correctly after user navigates manually to smartcard panel in the menu to add it there. Btw, general improvements to device forwarding are coming in the release of NoMachine 9, including the possibility to detect devices newly plugged in during the session.

    June 20, 2024 at 15:25 #48601
    opoplawski
    Participant

    Is the trouble report publicly visible?

    We do add a pkcs#11 module to help with forwarding:

    /usr/share/p11-kit/modules/nomachine.module:

    module: /usr/NX/lib/libpkcs11.so

    But that hasn’t had an effect on the auto-forwarding.  I guess we’ll see what version 9 brings.  Is there an ETA on that?

    June 20, 2024 at 17:28 #48605
    Britgirl
    Keymaster

    About the TR being public, not yet, we are going to publish it soon, when it’s ready I will paste the link here.

    June 21, 2024 at 11:51 #48610
    Britgirl
    Keymaster

    Please disregard my previous explanation about the bug related to smartcard forwarding. This was a misunderstanding on my part of what developers had been investigating and their findings. The Trouble Report for your issue is available at the following link:

    https://kb.nomachine.com/TR03S10149

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)

This topic was marked as solved, you can't post.