Solved Smart card (Yubico) stopped working

Not sure what happened, gpg smart card stopped working after the recent pkg upgrade (`latest`) run. I can see YubiKeys detected just like before and they output pwd in the console when activated. But now that's pretty much all I can get. gpg status:

Code:
gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

pcscd debug:
Code:
00000004 [0x297c79412000] ../src/pcscdaemon.c:130:SVCServiceRunLoop() A new context thread creation is requested: 6
00002255 [0x297c79413c00] ../src/auth.c:148:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: get_kinfo_proc() failed for pid 90622: No such process
00000010 [0x297c79413c00] ../src/auth.c:168:IsClientAuthorized() Process 90622 (user: 1001) is NOT authorized for action: access_pcsc
00000088 [0x297c79413c00] ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client
00000013 [0x297c79413c00] ../src/winscard_svc.c:1114:MSGCleanupClient() Thread is stopping: dwClientID=6, threadContext @0x297c794233c0
00000005 [0x297c79413c00] ../src/winscard_svc.c:1120:MSGCleanupClient() Freeing SCONTEXT @0x297c794233c0

No changes to devfs, thinking outdated config but feels too odd

FreeBSD 14.2-RELEASE releng/14.2-n269506-c8918d6c7412
 
Linux already had these problems a year ago - https://github.com/NixOS/nixpkgs/issues/290926

Not really. I saw this thread. This is clearly related to update 2.3.0 -> 2.3.1 as 2.3.0 works fine. Using the cached 2.3.0 package is the quick fix for now. More details in bugzilla. No polkit rules / policy seem to be respected even if modified to allow everyone. Something else had to change. Hope that arrowd finds the cause and a fix soon. I did not report the problem upstream yet :-)
 
Maybe fixing this

Would help basu to work with polkit.

I can confirm, disabling polkit makes the key work again.
So if you are on a single user system, where you plug and unplug your smartcard it should be fine.
 
What command do you use to start it?
sh:
#!/bin/sh

cd ~ || exit

if test -z "$DBUS_SESSION_BUS_ADDRESS"; then
    eval "$(dbus-launch --sh-syntax)"
fi

timer=2

while [ $timer -gt 0 ]; do
    printf "\rStarting \033[35;40;1mHyprland\033[m in %d" ${timer}
    sleep 1
    timer=$((timer - 1))
done

hpid=$(/bin/pgrep Hyprland)

if test -z "$hpid"; then
    export XDG_SESSION_TYPE=wayland
    export XDG_SESSION_DESKTOP=Hyprland
    export XDG_CURRENT_DESKTOP=Hyprland
    export QT_QPA_PLATFORM=wayland
    export QT_QPA_PLATFORMTHEME=qt5ct
    #export QT_SCALE_FACTOR=1
    #export QT_AUTO_SCREEN_SCALE_FACTOR=0
    export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
    #export QT_WAYLAND_FORCE_DPI=96 #physical
    export ECORE_EVAS_ENGINE=wayland_egl
    #export ELM_ENGINE=wayland_egl
    export SDL_VIDEODRIVER=wayland
    export MOZ_ENABLE_WAYLAND=1
    export _JAVA_AWT_WM_NONREPARENTING=1
    export XCURSOR_SIZE=24

    exec Hyprland
else
    printf "\rHyprland is already running!\nPID %d\n" "${hpid}"
fi
 
You should put "ck-launch-session" somewhere to have your graphical session registered with ConsoleKit. This will make it known to Polkit and the authorization check should start working. I'm a bit unsure how well ConsoleKit works with Wayland, though.

An alternative is to build the port with polkit option disabled.
 
Same with consolekit session https://github.com/charlesrocket/dotfiles/commit/1ecc09bbff73db13384c5fb36601eb8992b9983b

Code:
gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running
 
Inside the graphics session, can you check what ConsoleKit thinks about its active state?

You can do that with qdbus-qt5 or qdbus6 for example:

1. Find out session path with `qdbus6 --system org.freedesktop.ConsoleKit`
2. `qdbus6 --system org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.ConsoleKit.Session.IsActive`
 
Looks okay

`qdbus6 --system org.freedesktop.ConsoleKit`:
Code:
/
/org
/org/freedesktop
/org/freedesktop/ConsoleKit
/org/freedesktop/ConsoleKit/Session1
/org/freedesktop/ConsoleKit/Manager
/org/freedesktop/ConsoleKit/seat0

`qdbus6 --system org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.ConsoleKit.Session.IsActive`:
Code:
true
 
For me the problem is present without Xorg running, but it is also present with Xorg + Enlightenment WM.

Tatsuki Makino reported a quick fix for 2.3.1 on bugzilla: pass --disable-polkit to pcscd by adding this to /etc/rc.conf:

pcscd_flags="--disable-polkit"

:-)
 
Hmm, something is off.

Can you run

pkcheck -a org.debian.pcsc-lite.access_pcsc -p <some PID of a process running in your graphics session>

? To get a list of processes you can use `ps -ax`.
 
By the way, pkexec does not work if the following security sysctls are enabled (not sure if both or one of them):
Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
 
For any process:
Code:
Error checking for authorization org.debian.pcsc-lite.access_pcsc: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: get_kinfo_proc() failed for pid 62056: No such process

`security.bsd`:
Code:
security.bsd.stack_guard_page: 1
security.bsd.unprivileged_get_quota: 0
security.bsd.allow_read_dir: 0
security.bsd.hardlink_check_gid: 0
security.bsd.hardlink_check_uid: 0
security.bsd.unprivileged_chroot: 0
security.bsd.unprivileged_idprio: 0
security.bsd.allow_ptrace: 1
security.bsd.unprivileged_proc_debug: 0
security.bsd.conservative_signals: 1
security.bsd.see_jail_proc: 0
security.bsd.see_other_gids: 0
security.bsd.see_other_uids: 0
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.unprivileged_mlock: 1
security.bsd.suser_enabled: 1
security.bsd.map_at_zero: 0
 
Like monwarez mentioned, the polkit daemon stops working in the presence of the security.bsd.see_other_uids=0 sysctl. Either switch these sysctls back to 1 or disable polkit support in the pcscd daemon.
 
yep, with polkit disabled the card works again
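
Added example, not part of any post in this thread: a small sh triage helper that reads pcscd debug output and reports whether a rejected PC/SC client matches the cause found above (polkit unable to look up the client process while `security.bsd.see_other_uids` or `see_other_gids` is 0) or an ordinary policy denial. The function names and verdict strings are made up for this example; the sample log lines are copied from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): triage a pcscd "Rejected unauthorized
# PC/SC client" using the debug log plus the two sysctls discussed above.

# Log excerpt copied from the first post, trimmed to the relevant lines.
sample_log() {
cat <<'EOF'
00002255 [0x297c79413c00] ../src/auth.c:148:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: get_kinfo_proc() failed for pid 90622: No such process
00000010 [0x297c79413c00] ../src/auth.c:168:IsClientAuthorized() Process 90622 (user: 1001) is NOT authorized for action: access_pcsc
00000088 [0x297c79413c00] ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client
EOF
}

# Reads pcscd debug output on stdin; prints lookup-failed, denied or no-rejection.
classify_pcscd_log() {
    awk '
        /Error in authorization:.*get_kinfo_proc\(\) failed/ { lookup = 1 }
        /is NOT authorized for action: access_pcsc/         { denied = 1 }
        END {
            if (lookup)      print "lookup-failed"   # polkit could not inspect the client
            else if (denied) print "denied"          # polkit saw the client and said no
            else             print "no-rejection"
        }'
}

# diagnose [see_other_uids] [see_other_gids]  (log on stdin)
# Values default to the live sysctls; pass them explicitly to analyse another host.
diagnose() {
    uids=${1:-$(sysctl -n security.bsd.see_other_uids 2>/dev/null)}
    gids=${2:-$(sysctl -n security.bsd.see_other_gids 2>/dev/null)}
    case $(classify_pcscd_log) in
        lookup-failed)
            if [ "$uids" = 0 ] || [ "$gids" = 0 ]; then
                echo "hardening-sysctl"      # the cause identified in this thread
            else
                echo "lookup-failed-other"   # process lookup failed for another reason
            fi ;;
        denied)  echo "policy-denied" ;;     # check polkit rules / session registration
        *)       echo "no-rejection" ;;
    esac
}

sample_log | diagnose 0 0    # prints: hardening-sysctl
```

A `hardening-sysctl` verdict points at the two fixes given in the thread: set the sysctls back to 1, or run pcscd with `pcscd_flags="--disable-polkit"` in /etc/rc.conf.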
 