6 Replies Latest reply on Jul 23, 2020 3:02 AM by mvogt1

    state of smartcard support on Linux (RHEL 7.6)

    mvogt1 Novice

      With Horizon release 7.8.0 the SmartCard support still does not work.

      Update : With Horizon release 7.9.0 the SmartCard support still does not work.

       

       

      A year+ ago I debugged this here:

       

      https://communities.vmware.com/message/2739746#2739746

       

      Horizon 7.8.0 now contains the binaries for rhel (pcscd 1.8.8), which should support

      the newer wire format of rhel:

       

       

      [VMware-horizonagent-linux-x86_64-7.8.0-12610615]$ ll scredir/

      total 26312

      -rwxr-xr-x. 1 201 201 9507192 Mar  4 19:07 libscrediragent_188.so

      -rwxr-xr-x. 1 201 201 9507184 Mar  4 19:07 libscrediragent.so

      -rwxr-xr-x. 1 201 201 3959144 Mar  4 19:07 pcscd

      -rwxr-xr-x. 1 201 201 3959168 Mar  4 19:07 pcscd_188

       

      The install_viewagent.sh binary

       

      - installs pcscd_188 in /usr/sbin/pcscd

      - installs libscrediragent_188.so in /usr/lib/vmware/vchan_plugins

       

      When I reboot the machine, I can see in the pcscd log file:

       

      00000000 bora/apps/rde/scrediragent/pcscd/debuglog.c:252:DebugLogSetLevel() debug level=debug

      00000675 bora/apps/rde/scrediragent/pcscd/pcscdaemon.c:484:main() pcsc-lite daemon ready.

      00001063 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:500:IPCReaderThread() Entry IPCReaderThread.

      00004455 bora/apps/rde/scrediragent/pcscd/utils.c:276:getUserID() uid: 979 gid: 970

       

      00000511 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:196:IPCAcceptConnection() Entry IPCAcceptConnection in bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c.

      02782719 bora/apps/rde/scrediragent/pcscd/winscard_msg_srv.c:232:ProcessEventsServer() Common channel packet arrival

      00000040 bora/apps/rde/scrediragent/pcscd/winscard_msg_srv.c:242:ProcessEventsServer() ProcessCommonChannelRequest detects: 6

      00000010 bora/apps/rde/scrediragent/pcscd/pcscdaemon.c:100:SVCServiceRunLoop() A new context thread creation is requested: 6

      00000148 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:405:ContextThread() Thread is started: dwClientID=6, threadContext @55E8C7A96590

      00000446 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:420:ContextThread() Received command: CMD_VERSION from client 6

      00000299 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:431:ContextThread() Client is protocol version 4:2

      00000017 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:440:ContextThread() CMD_VERSION rv=0x0 for client 6

      00000620 bora/apps/rde/scrediragent/pcscd/winscard_svc.c:420:ContextThread() Received command: ESTABLISH_CONTEXT from client 6

      00000306 bora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:290:IPCRequest() ipc socket is 0, wait for connection from plugin

       

       

       

      Then it blocks in a simple call, ESTABLISH_CONTEXT, for example when starting:

       

      - pkcs11-tool -I

       

       

      And when I look into the log file of vmware-mks-<pid>.log:

       

       

      2019-07-08T09:57:21.232+02:00| main| I125: VVC: (DEBUG) Added plugin to list libscrediragent.so fileName=/usr/lib/vmware/vchan_plugins/libscrediragent.so

      2019-07-08T09:57:21.277+02:00| libscrediragent.so| I125: VTHREAD 140082588464896 "libscrediragent.so" tid 5873

      2019-07-08T09:57:21.278+02:00| main| I125: VVC: LoadVvcPlugin: Started plugin 1: libscrediragent.so, filename:"/usr/lib/vmware/vchan_plugins/libscrediragent.so"

      2019-07-08T09:57:21.278+02:00| main| I125: VVC: VVCLDR_LoadPlugins: Plugin entries found:1, loaded:1

      2019-07-08T09:57:21.278+02:00| main| I125: VVC: VVC loader initialised

       

      Result:

       

      The situation is the same: Windows and Linux smartcard redirection does not work.

        • 1. Re: state of smartcard support on Linux (RHEL 7.6)
          mvogt1 Novice

          It does work partially (!).

          To me it looks like the "back channel" in the vmware pcscd is not working correctly and libpcsclite in RHEL drops the result, or waits for more data to come.

           

          For debugging I'm using the command:

           

          >pkcs11-tool -L

           

          The output should be (depending on the reader type):

           

          >Slot 0 (0x0): Gemalto PC Twin Reader 00 00

           

           

          When I strace the different components, I can see that the following works:

           

          But first, the setup:

           

          On the VDI host "v110" (the host to which I connect with vmware-view 4.10),

          I strace the pcscd from vmware.

           

          On the client "e120" (the host which starts vmware-wire and connects to

          "v110"), I strace pcscd (from redhat) too.

           

          The sequence is:

           

          I connect from e120 with vmware-view and log into v110.

          There I open a terminal and start:

           

          >pkcs11-tool -L

           

          The strace on "v110" shows:

          7700  write(1, "\33[36m00001019\33[0m bora/apps/rde/scrediragent/pcscd/winscard_svc.c::420:ContextThread() Received command: CMD_GET_READERS_STATE from client 9\n", 140) = 140

          7700  write(1, "\33[36m00000201\33[0m \33[01;31mbora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:337:IPCRequest() has received the connection from plugin\33[0m\n", 132) = 132

          7700  select(8, NULL, [7], NULL, NULL)  = 1 (out [7])

           

          The important part is the CMD_GET_READERS_STATE, which is the command

          to list the readers. ("-L option")

          This is actually forwarded to "e120".

          There the pcscd log shows:

           

          [pid  7942] write(1, "\33[36m00010040\33[0m winscard_svc.c:317:ContextThread() Receive command: CMD_GET_READERS_STATE from client 12\n", 108) = 108

          [pid  7942] select(13, NULL, [12], NULL, NULL) = 1 (out [12])

          [pid  7942] sendto(12, "Gemalto PC Twin Reader 00 00.............

           

          And this is seen on the "v110" too:

           

          4536  read(7, "\277\16M*\0\0\0\0\0\0\0\0\0\0\0\0\36\0\0\0Gemalto PC Twin Reader 00 00..."

          7700  write(1, "\33[36m00001391\33[0m \33[01;31mbora/apps/rde/scrediragent/pcscd/pcscd-ipc.c:337:IPCRequest() has received the connection from plugin\33[0m\n", 132) = 132

          7700  sendto(7, "\277\16M*\0\0\0\0\2\0\0\0\\\\?PnP?\\Notification\0%s:%d:%s() calloc failed.\0%s:%d:%s() return value 0x%x\n\0%s:%d:%s() rv = 0X%08X.\0\0\0\0\0\0\0\0\1\0

           

          The answer "PNP\\Notification" looks suspicious, mostly because it contains the "calloc failed". PNP Notification is a part of the PCSC protocol for status change messages, but it may be ok.

           

          When I now strace the binary pkcs11-tool I see [1]:

           

          read(3,"Gemalto PC Twin Reader 00 00...",5888)=2944

           

          Thus it ends in libpcsclite. But the binary does not "exit".

          Maybe this can be debugged with libpcscspy.so.

           

          As a result:

           

          pkcs11-tool -L issues a CMD_GET_READERS_STATE in libpcsclite [1], which forwards it to the local pcscd on v110, which forwards it to libscrediragent, which is part of the agent process, and this

          packet is forwarded to the vmware-view client on host "e120", which writes it into the local libpcsclite, and this forwards it to the pcscd on e120. This daemon really knows what's going on, and

          its answer is "Gemalto PC Twin Reader 00 00". This is passed back along the whole chain and ends up in the pcscd on "v110".

           

          Then pcscd even writes it back into [1], but the binary does not exit and blocks forever.

           

          Edit: added missing columns (80+) from strace

          • 2. Re: state of smartcard support on Linux (RHEL 7.6)
            mvogt1 Novice

            The solution is to replace /lib64/libpcsclite.so.1.0.0.

            It seems pcscd by vmware is built with different compiler options than the libpcsclite on RHEL,

            and libpcsclite maybe expects some padding.

             

            I downloaded pcsc-lite-1.8.8 and built it with:

             

            ./configure --enable-usbdropdir=/usr/lib64/pcsc/drivers/

             

            and then copied:

             

            cp src/.libs/libpcsclite.so.1.0.0 /lib64/

             

            This works here.

            • 3. Re: state of smartcard support on Linux (RHEL 7.6)
              mvogt1 Novice

              >The solution is to replace /lib64/libpcsclite.so.1.0.0.

               

              No. Yesterday it worked directly after I replaced libpcsclite.

              It worked for Linux and Windows clients.

              Not only pkcs11-tool -L but the whole pkcs11 stack (including smartcard login,

              firefox, thunderbird, email decrypt, ...)

               

              Today it does not work anymore.

               

              The behaviour is the same, the whole chain works, but today it blocks again in libpcsclite

               

              read(3,"Gemalto PC Twin Reader 00 00...",5888)=2944

              • 4. Re: state of smartcard support on Linux (RHEL 7.6)
                mvogt1 Novice

                Okay, after I checked the setup I found an older link:

                 

                # ls -la /lib64/libpcsclite.so.1

                lrwxrwxrwx. 1 root root 24 Jul 11 14:20 /lib64/libpcsclite.so.1 -> libpcsclite.so.1.0.0.org

                 

                This is the lib from RHEL, and it did not work.

                 

                After replacing it with my own build of libpcsclite it works again.

                 

                (libpcsclite is built with API TRACE and a few printf)

                # pkcs11-tool -L

                < [7F5578E36740] SCardEstablishContext 0, (nil), (nil)

                > [7F5578E36740] SCardEstablishContext 1874136285

                < [7F5578E36740] SCardListReaders 1874136285

                reading waiting for: 2944

                > [7F5578E36740] SCardListReaders 32

                < [7F5578E36740] SCardListReaders 1874136285

                reading waiting for: 2944

                > [7F5578E36740] SCardListReaders 32

                < [7F5578E36740] SCardGetStatusChange 1874136285 0 1

                < [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 0 0

                reading waiting for: 2944

                > [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 0 B0012

                < [7F5578E36740] SCardConnect 1874136285 Generic EMV Smartcard Reader 0 3 3

                > [7F5578E36740] SCardConnect 0

                < [7F5578E36740] SCardGetStatusChange 1874136285 0 1

                < [7F5578E36740] SCardGetStatusChange [0] Generic EMV Smartcard Reader 0 B0012 B0012

                reading waiting for: 2944

                reading waiting for: 2944
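
Added example, not part of the thread and not pcsc-lite or VMware code: the symptom traced above, `read(3, ..., 5888) = 2944` followed by an indefinite block, is what a fixed-length message read does when the peer delivers fewer bytes than the reader expects. The sketch reproduces it over a socketpair with the two sizes from the traces and bounds the wait with `poll()` so the shortfall is reported instead of hanging; `read_full_timeout` and `simulate_reply` are hypothetical names, and why the two sides disagree on the length is not established on this page.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Both sizes are taken from the traces in the thread. */
#define CLIENT_EXPECTS 5888 /* length the stock client passed to read() */
#define DAEMON_SENDS   2944 /* bytes that actually arrived */

/* Read exactly `want` bytes, giving up after `timeout_ms` without data.
 * Returns bytes received (fewer than `want`: peer stalled or closed), -1 on error. */
static ssize_t read_full_timeout(int fd, char *buf, size_t want, int timeout_ms)
{
    size_t got = 0;
    while (got < want) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) break;                         /* nothing more is coming */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(fd, buf + got, want - got);
        if (n == 0) break;                         /* peer closed */
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed reproduction: one socketpair end plays the daemon and writes `sent`
 * bytes, the other waits for `expected`. Returns bytes still missing, -1 on error. */
long simulate_reply(size_t sent, size_t expected, int timeout_ms)
{
    static char out[CLIENT_EXPECTS], in[CLIENT_EXPECTS];
    int sv[2];
    if (sent > sizeof out || expected > sizeof in) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    strcpy(out, "Gemalto PC Twin Reader 00 00");   /* constructed payload */
    ssize_t got = -1;
    if (write(sv[0], out, sent) == (ssize_t)sent)
        got = read_full_timeout(sv[1], in, expected, timeout_ms);
    close(sv[0]); close(sv[1]);
    return got < 0 ? -1 : (long)(expected - (size_t)got);
}

int main(void)
{
    printf("missing: %ld bytes\n", simulate_reply(DAEMON_SENDS, CLIENT_EXPECTS, 500));
}
```
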

                • 5. Re: state of smartcard support on Linux (RHEL 7.6)
                  trailhawk Lurker

                  mvogt1

                   

                  Thank you for the post - I have done the following

                   

                  yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools

                   

                   

                  yum install -y git flex autoconf automake libtool libudev-devel flex

                  git clone https://salsa.debian.org/rousseau/PCSC.git

                  cd PCSC

                  git checkout -b 1.8.8 pcsc-1.8.8

                  ./bootstrap

                  ./configure --enable-usbdropdir=/usr/lib64/pcsc/drivers/

                  make

                  make install

                   

                   

                  cp src/.libs/libpcsclite.so.1.0.0 /lib64/

                   

                   

                  ./install_viewagent.sh -m yes

                  However, when I run pkcs11-tool -L I'm seeing Slot 0

                   

                  Any thoughts or am I missing something?

                  • 6. Re: state of smartcard support on Linux (RHEL 7.6)
                    mvogt1 Novice

                    This needs debugging. You should connect from a Windows client to the VDI host,

                    and then start pcscd on the VDI VM not over the service, but by hand in a separate window with

                    pcscd -d -a -f

                    Then you can see what pcscd is printing when you log on.

                    This should give you an idea of what's wrong.