
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
69 views
Elexlinco NC004 card reader & FIDO2 problem with Yubikey 5C NFC
NFC smart card reader & Yubikey work fine for OTP usage, for example with challenge-response auth for KeePassXC. The problem is with FIDO2, for example for Google login. I've tried in Windows and all works well :( Info and log attached below. The smartcard reader is an Elexlinco NC004 but the system sees it as GHI NC001.
`lsusb`:

```
[mynbk ~ ] > lsusb
[...]
Bus 003 Device 015: ID ae68:8001 GHI NC001
[...]
```

Pcsclite version:

```
[mynbk ~ ] > pacman -Ss | grep pcsclite
extra/pcsclite 2.3.1-1 [installato]
multilib/lib32-pcsclite 2.3.1-1 [installato]
```

`/usr/sbin/pcscd --version` output:

```
[mynbk ~ ] > /usr/sbin/pcscd --version
pcsc-lite version 2.3.1
Copyright (C) 1999-2002 by David Corcoran .
Copyright (C) 2001-2024 by Ludovic Rousseau .
Copyright (C) 2003-2004 by Damien Sauveron .
Report bugs to .
Enabled features: USB serial filter_names libudev polkit systemd Linux x86_64 ipcdir=/run/pcscd usbdropdir=/usr/lib/pcsc/drivers serialconfdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16
```

Operating system or GNU/Linux distribution name and version:

```
[mynbk ~ ] > cat /etc/os-release
NAME="Manjaro Linux"
PRETTY_NAME="Manjaro Linux"
ID=manjaro
ID_LIKE=arch
```

Output of the command `sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee -i log.txt`: https://pastebin.com/nGRX2pRd
ancoling67 (109 rep)
Mar 20, 2025, 02:09 PM • Last activity: Mar 20, 2025, 03:58 PM
0 votes
0 answers
134 views
nfc-mfclassic does not allow writing on a tag
Trying to copy an NFC tag. I did it some years ago without difficulties but did not manage to do it again. I think that the problem comes from this command:

```sh
nfc-mfclassic W a net-security.dmp
```

which is not writing on the tag. Here is more information (NB: I put some `*` for the UID and for the key).

* First I read the tag I want to copy:

```shellsession
$ nfc-list -v

nfc-list uses libnfc 1.8.0
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
      UID (NFCID1): * * * *
     SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
 * MIFARE Classic 1K
 * MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
 * SmartMX with MIFARE 1K emulation
```

* Then I made a dump of the tag (the key is in the file extended-std.keys):

```shellsession
$ mfoc -f extended-std.keys -O net-security.dmp
```

* Then I copied the dump onto a blank tag:

```shellsession
$ nfc-mfclassic W a U**** net-security.dmp

Attempting to use specific UID: 0x2e 0x9f 0xd7 0xa0
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): * * * *
      SAK (SEL_RES): 08
RATS support: no
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43
Received bits: 0a
Card unlocked
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
```

All seems OK but the copy of the tag is not working.

* Just to see, I made a dump of the copy of the tag:

```shellsession
$ mfoc -f extended-std.keys -O net-security_copy.dmp

The custom key 0x**** has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): * * * *
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
(swip)
Sector 00 - Found   Key A: ****         Found   Key B: ****
Sector 01 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 02 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 03 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 04 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 05 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 06 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 07 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 08 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 09 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 10 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 11 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 12 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 13 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 14 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 15 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
```

The key is OK only for sector 0. The dump of the copy of the tag is different from the original tag. I think that during the copy there is a problem but I don't know which. If someone has an idea....
theo_vg (35 rep)
Nov 23, 2024, 03:21 PM • Last activity: Dec 2, 2024, 01:01 PM
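The post above compares two `mfoc` dumps by eye. The following is an added example, not code from the post or from libnfc/mfoc, that does the comparison mechanically: it splits a 1024-byte MIFARE Classic 1K dump (the file format mfoc writes and nfc-mfclassic reads) into 16 sectors, pulls key A, the access bytes and key B out of every sector trailer, checks that the access bits are internally consistent (an inconsistent trailer locks the sector for good), verifies the BCC byte in block 0 against the UID (a wrong BCC on a UID-changeable card makes it unselectable), and lists the sectors where a copy differs from its original. The sample dumps are constructed in `make_dump`, not read from a real tag.

```python
"""Added example: compare two MIFARE Classic 1K dumps sector by sector and sanity-check block 0."""
import sys
from typing import Dict, List, Tuple

BLOCK = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_1K = BLOCK * BLOCKS_PER_SECTOR * SECTORS_1K  # 1024 bytes

TRANSPORT_ACCESS = bytes.fromhex("ff078069")  # factory access bytes: data blocks C1C2C3=000, trailer 001
DEFAULT_KEY = bytes.fromhex("ffffffffffff")


def parse_trailer(trailer: bytes) -> Tuple[bytes, bytes, bytes]:
    """Sector trailer layout: key A (6) | access bytes (4, the last one is user data) | key B (6)."""
    if len(trailer) != BLOCK:
        raise ValueError("a trailer is one 16-byte block")
    return trailer[0:6], trailer[6:10], trailer[10:16]


def decode_access_bits(ac: bytes) -> Tuple[List[Tuple[int, int, int]], bool]:
    """Return (C1, C2, C3) for blocks 0..3 and whether the inverted copies agree.

    Layout (NXP MF1S50 datasheet): byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2,
    high nibble first; bit i of each nibble belongs to block i of the sector."""
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    consistent = (c1 ^ nc1) == 0xF and (c2 ^ nc2) == 0xF and (c3 ^ nc3) == 0xF
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return bits, consistent


def sectors(dump: bytes) -> List[Dict]:
    """Split a 1K dump into per-sector records: keys, access bytes and the three data blocks."""
    if len(dump) != DUMP_1K:
        raise ValueError(f"expected a {DUMP_1K}-byte 1K dump, got {len(dump)} bytes")
    out = []
    for s in range(SECTORS_1K):
        base = s * BLOCKS_PER_SECTOR * BLOCK
        blocks = [dump[base + i * BLOCK: base + (i + 1) * BLOCK] for i in range(BLOCKS_PER_SECTOR)]
        key_a, access, key_b = parse_trailer(blocks[3])
        out.append({"sector": s, "key_a": key_a.hex(), "key_b": key_b.hex(),
                    "access": access.hex(), "data": b"".join(blocks[:3])})
    return out


def check_block0(dump: bytes) -> Tuple[bytes, bool]:
    """Block 0 = UID(4) | BCC | SAK | ATQA(2) | manufacturer data(8); BCC is the XOR of the UID bytes."""
    uid, bcc = dump[0:4], dump[4]
    return uid, bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])


def diff_dumps(original: bytes, copy: bytes) -> List[Tuple[int, List[str]]]:
    """List (sector, [fields that differ]) between an original dump and the dump of its copy."""
    report = []
    for a, b in zip(sectors(original), sectors(copy)):
        diffs = [f for f in ("key_a", "key_b", "access", "data") if a[f] != b[f]]
        if diffs:
            report.append((a["sector"], diffs))
    return report


def make_dump(uid: bytes, key_a: bytes, key_b: bytes, keyed_sectors=range(SECTORS_1K)) -> bytes:
    """Construct a synthetic 1K dump (test data, not read from a tag): the given keys in
    keyed_sectors, factory keys elsewhere, transport access bits, zeroed data blocks."""
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    blocks = []
    for s in range(SECTORS_1K):
        ka, kb = (key_a, key_b) if s in keyed_sectors else (DEFAULT_KEY, DEFAULT_KEY)
        for i in range(3):
            blocks.append(block0 if s == 0 and i == 0 else bytes(BLOCK))
        blocks.append(ka + TRANSPORT_ACCESS + kb)
    return b"".join(blocks)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: mfdiff.py original.dmp copy.dmp")
    orig, cp = (open(p, "rb").read() for p in sys.argv[1:3])
    print("block 0 of copy (uid, bcc ok):", check_block0(cp))
    for sec in sectors(cp):
        if not decode_access_bits(bytes.fromhex(sec["access"]))[1]:
            print(f"sector {sec['sector']:2d}: inconsistent access bits {sec['access']}")
    for sector, fields in diff_dumps(orig, cp):
        print(f"sector {sector:2d} differs in {', '.join(fields)}")
```

Run it as `python3 mfdiff.py net-security.dmp net-security_copy.dmp`: a report that lists `key_a, key_b` for sectors 1 to 15 and nothing else means the trailers were not written with the original keys while the data blocks were, which narrows the search to the trailer write path rather than the card or the UID.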
0 votes
1 answers
314 views
CAC reader on Ubuntu
I recently got a System-76 laptop running Ubuntu 22.04. I am trying to get a CAC reader to work following the absolutely lovely walkthrough posted by M-Pepper here: https://github.com/M-Pepper/linux-cac-walkthrough . I cannot get OpenSC to register in Firefox, using `pkcs11-register` or manually. When I use the `pkcs11-register` command, it shows that it added OpenSC to `~/.pki/nssdb/pkcs11.txt`, but when I go into Firefox and check security devices (Settings > Privacy & Security > Security Devices), there is no OpenSC; the only things that show up are NSS default devices and OS devices. When I try to add a security device manually through that same menu, I get an alert saying "Unable to add module". I initially installed OpenSC from apt, but then I removed it and built from source so I'm running 0.25, on Firefox 129.0. I alternatively tried a setup script from another source that used CACKey, but that also failed and I ultimately removed CACKey and its associated packages. I'm not sure where to go from here... please help!
Luke (3 rep)
Aug 9, 2024, 06:10 PM • Last activity: Oct 17, 2024, 10:10 AM
0 votes
1 answers
133 views
Is it possible to directly encrypt a drive using any card in a smart card reader (even credit card, perhaps?)
As I understand it, a credit card chip or smart card works by sending challenges to the tiny computer on the card, at which point it completes the challenge and replies back with the data. Is it possible to use this to directly encrypt/decrypt data? Conventionally, you just use the card to store a key that is then transferred to the computer, but I think it would be fun to do all decryption/encryption on the tiny computer inside the card so that the host computer never sees the encryption key at all. The problem that I see is that the card itself may only be able to encrypt data which is then verified by the server of the credit card company, and would therefore be unable to decrypt data itself. If it is possible to send both encryption and decryption challenges to the card and get a response, it should be simple to write a program that uses the card to encrypt a folder or a drive (though I imagine it would be very slow). Tl;dr (or, to clarify): is it possible to directly send challenges to a credit card or smart card in a smart card reader on Linux and get the results back?
Lee Nagel (1 rep)
Apr 5, 2024, 01:24 AM • Last activity: Apr 11, 2024, 06:53 AM
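The unit of exchange the question is asking about is the ISO 7816-4 command APDU, and any card sitting in a PC/SC reader will accept one; on Linux the transport is pcscd, reachable from Python through pyscard (`CardConnection.transmit(list(apdu))`, which returns the data and SW1/SW2). What the card does with the command is up to its applet: an EMV payment application exposes its own commands and will not encrypt or decrypt arbitrary data, whereas a PIV or OpenPGP applet has a decrypt-with-private-key command behind a PIN. The following is an added example, not code from the question or from pyscard, that covers the part every such script needs: building a short-form APDU, separating the status word from the data, decoding the status words a script must branch on, and parsing the BER-TLV body a SELECT returns. The transport is left out so it runs offline; `SAMPLE_FCI_RESPONSE` is a constructed response for SELECT of the EMV Payment System Environment, not a capture from a real card.

```python
"""Added example: build ISO 7816-4 command APDUs and parse the responses (status word plus BER-TLV body)."""
from typing import List, Optional, Tuple

TLV = Tuple[str, bytes, Optional[list]]  # (tag as hex, value, children if the tag is constructed)

# Status words a script must branch on; anything other than 9000 / 61xx is a failure.
STATUS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked (PIN/PUK exhausted)",
    0x6A86: "incorrect P1/P2",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Short-form APDU, cases 1-4: 4-byte header, optional Lc+data, optional Le (256 encodes as 0x00)."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes; use extended length")
    if le is not None and not 0 <= le <= 256:
        raise ValueError("Le must be 0..256")
    apdu = bytes([cla & 0xFF, ins & 0xFF, p1 & 0xFF, p2 & 0xFF])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])
    return apdu


def select_by_aid(aid: bytes) -> bytes:
    """SELECT (INS A4), P1=04 'by DF name', P2=00 'first occurrence, return FCI'."""
    return build_apdu(0x00, 0xA4, 0x04, 0x00, aid, 0)


def split_response(resp: bytes) -> Tuple[bytes, int]:
    """Separate the data field from the trailing SW1 SW2 (returned as one 16-bit value)."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def describe_sw(sw: int) -> str:
    if sw >> 8 == 0x61:                      # GET RESPONSE needed for the remaining bytes
        return f"OK, {sw & 0xFF} more bytes pending"
    if sw >> 8 == 0x63 and (sw & 0xF0) == 0xC0:  # VERIFY failed, low nibble = retries left
        return f"verification failed, {sw & 0x0F} tries left"
    return STATUS.get(sw, f"unknown status {sw:04X}")


def parse_tlv(buf: bytes) -> List[TLV]:
    """BER-TLV as used in FCI templates: multi-byte tags, short and long length forms,
    constructed tags (bit 6 of the first tag byte) recursed into."""
    items: List[TLV] = []
    i = 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):          # inter-TLV padding
            i += 1
            continue
        start = i
        i += 1
        if buf[start] & 0x1F == 0x1F:       # more tag bytes follow while bit 8 is set
            while buf[i] & 0x80:
                i += 1
            i += 1
        tag = buf[start:i]
        length = buf[i]
        i += 1
        if length & 0x80:                   # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        value = buf[i:i + length]
        i += length
        if len(value) != length:
            raise ValueError("truncated TLV")
        children = parse_tlv(value) if tag[0] & 0x20 else None
        items.append((tag.hex(), value, children))
    return items


# Constructed sample (not captured from a card): the FCI a payment card returns for SELECT of the
# PSE "1PAY.SYS.DDF01": 6F { 84 DF name, A5 { 88 SFI of the directory file = 1 } } followed by 9000.
PSE_AID = b"1PAY.SYS.DDF01"
SAMPLE_FCI_RESPONSE = bytes.fromhex("6f15840e") + PSE_AID + bytes.fromhex("a503880101") + bytes.fromhex("9000")


def walk_fci(resp: bytes) -> Tuple[str, List[TLV]]:
    """Return (status description, parsed body); the body is empty unless the status is 9000."""
    body, sw = split_response(resp)
    return describe_sw(sw), (parse_tlv(body) if sw == 0x9000 else [])
```

With pyscard the same bytes go out as `data, sw1, sw2 = connection.transmit(list(select_by_aid(PSE_AID)))`; feed `bytes(data) + bytes([sw1, sw2])` to `walk_fci`. A `6A82` from the PSE means the card has no PSE directory (try the application AIDs directly); a `6982` from a PIV or OpenPGP applet means the operation needs a PIN first.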
3 votes
1 answers
832 views
PKCS#11 provider in OpenSSH: Is it possible to cache PIN?
I use an RSA key on a smartcard with an OpenSSH client. The smartcard is read by a smartcard reader with a pinpad. The key is protected with a PIN. Is it possible to cache the PIN somehow? I don't really like the need to type the PIN on the card reader keyboard every time I use ssh... It's not only annoying but IMHO it also creates too many opportunities for other people's eyes. My setup is Debian/Devuan + OpenSC + the typical `PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` in `.ssh/config`. I tried to add the following lines to `opensc.conf`, framework `pkcs15`, but with no effect:

```
use_pin_caching = true;
pin_cache_counter = 64;
pin_cache_ignore_user_consent = true;
```

I use the same configuration on OpenBSD, and it's the same. As a smart card I use Aventra MyEID 4.5.5. As I am trying to learn as much as possible before using the technology in production, I have different card readers I can try: Cherry, Gemalto (now Thales) and SCM/Identiv.
d.c. (907 rep)
Mar 20, 2023, 09:51 PM • Last activity: Feb 12, 2024, 06:49 PM
1 votes
0 answers
125 views
pcscd unix domain socket forwarding
I want to forward smart card requests to a PC where the smart card is connected, but I am unable to forward the socket via ssh.

source: 10.169.213.211 (server)
destination: 10.169.41.124 (client)

What I attempt to achieve --> in this link. Some of the debug messages are removed intentionally to follow the Stack Overflow rules.

```
user_id@hostname:~/samba/views/socket$ ssh -vvv -N -L/tmp/pcscd.comm:/run/pcscd/pcscd.comm -o StreamLocalBindUnlink=yes -o ClearAllForwardings=yes 10.169.213.211
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 10.169.213.211 ([10.169.213.211]:22).
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: send packet: type 80
debug3: receive packet: type 82
debug3: send packet: type 80
debug3: receive packet: type 82
debug3: send packet: type 80
debug3: receive packet: type 82
```

Edit: Found the answer in the serverfault page by @ijk.
Itsme (11 rep)
Nov 20, 2023, 05:54 AM • Last activity: Nov 21, 2023, 06:06 AM
2 votes
2 answers
1233 views
Is there a tool that can perform direct RSA decryption with a Yubikey?
The use case I'm looking for is that I walk up to a *headless* server and "unlock" it using a hardware key, where scripts on the server recognize that I've plugged it in and automatically use it without a PIN or password or additional factors. The most primitive way of implementing this would be to have a USB thumb drive with unencrypted raw AES keys on it which the scripts on the server find and use to decrypt things. The downside is that the USB stick could be copied and there is no way to revoke it if it were lost. It also runs into trouble with possible filesystem corruption of the USB stick itself if the drive were removed while the scripts were still using it. It seems like a smartcard or Yubikey would be the obvious solution to these problems, but it also seems like most people describing Yubikey solutions pair it with gpg as a second factor of auth. I don't want "extra" auth factors, I want the key to be one of multiple possible decryption methods. I don't want to have to configure gpg on each host or have "identities" or expiration dates or trust chains or any of that. The other popular option is to integrate it with LUKS, but I was hoping for a more non-root userland option. I just want to take an encrypted AES key and directly ask the Yubikey to decrypt it with an RSA private key that lives in hardware (without entering a PIN or password, but a short touch or long touch on the device is OK). Is there any existing tool that can accomplish this? Scripting language libraries are fine too.
M Conrad (953 rep)
Jun 20, 2023, 10:09 PM • Last activity: Jun 23, 2023, 11:10 AM
3 votes
2 answers
2471 views
How to read a NFC card with USB reader
I need to read some NFC cards with a USB reader on a Linaro/Debian OS. The USB reader has a HID profile. When a 13.56 MHz card is presented, the keyboard returns a code. I read about a command to send to the device but, since it is a (virtual) keyboard, I cannot send commands, and toward which device? How to dump the memory of the card? Thanks
SteMMo (197 rep)
Jun 3, 2023, 12:26 PM • Last activity: Jun 3, 2023, 03:46 PM
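A keyboard-wedge reader only ever emits the string it was configured to type (usually the card's serial number); it is not a PC/SC device, so there is no channel to send commands down and no way to dump the card's memory through it. What a program can do is read the reader's own `/dev/input/eventN` node instead of waiting for the keystrokes to land in a focused window, and take the device away from the desktop while doing so. The following is an added example, not code from the question, that decodes the raw `input_event` records the kernel exposes for that node and reassembles one code per card presentation; `keystrokes` builds a constructed event stream for testing, and the device path in `device_events` is a placeholder to be replaced with the reader's entry under `/dev/input/by-id/`.

```python
"""Added example: decode what a HID-keyboard NFC reader 'types' straight from its /dev/input node."""
import fcntl
import struct
from typing import Iterable, Iterator, Tuple

# struct input_event on 64-bit Linux: struct timeval (two longs), __u16 type, __u16 code, __s32 value
EVENT_FMT = "llHHi"
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 24 bytes on x86_64 (16 on 32-bit)
EV_KEY = 0x01
KEY_RELEASE, KEY_PRESS = 0, 1
KEY_ENTER = 28
EVIOCGRAB = 0x40044590  # _IOW('E', 0x90, int): exclusive grab, so the desktop stops seeing the keys

# linux/input-event-codes.h: KEY_1..KEY_9 = 2..10, KEY_0 = 11; letters follow the QWERTY scan order
KEYCODE_TO_CHAR = {i + 2: str(i + 1) for i in range(9)}
KEYCODE_TO_CHAR[11] = "0"
KEYCODE_TO_CHAR.update({30: "a", 48: "b", 46: "c", 32: "d", 18: "e", 33: "f"})
CHAR_TO_KEYCODE = {v: k for k, v in KEYCODE_TO_CHAR.items()}

Event = Tuple[int, int, int]  # (type, code, value)


def iter_events(stream: bytes) -> Iterator[Event]:
    """Unpack whole input_event records from a byte string; a trailing partial record is dropped."""
    for off in range(0, len(stream) - EVENT_SIZE + 1, EVENT_SIZE):
        _sec, _usec, ev_type, code, value = struct.unpack_from(EVENT_FMT, stream, off)
        yield ev_type, code, value


def decode_events(events: Iterable[Event]) -> Iterator[str]:
    """Yield one string per card presentation; the reader terminates each with Enter.
    Releases, auto-repeats, non-key events (EV_SYN, EV_MSC) and unknown keys are ignored."""
    buf = []
    for ev_type, code, value in events:
        if ev_type != EV_KEY or value != KEY_PRESS:
            continue
        if code == KEY_ENTER:
            yield "".join(buf)
            buf = []
        elif code in KEYCODE_TO_CHAR:
            buf.append(KEYCODE_TO_CHAR[code])


def device_events(device: str = "/dev/input/by-id/usb-READER-event-kbd") -> Iterator[Event]:
    """Grab the reader exclusively and stream its events (device path is a placeholder).
    evdev hands out whole records, so reading EVENT_SIZE bytes at a time never splits one."""
    with open(device, "rb", buffering=0) as f:
        fcntl.ioctl(f, EVIOCGRAB, 1)
        while True:
            chunk = f.read(EVENT_SIZE)
            if len(chunk) < EVENT_SIZE:
                return
            yield from iter_events(chunk)


def read_cards(device: str) -> Iterator[str]:
    """Card codes from a live reader: `for code in read_cards(path): ...`"""
    return decode_events(device_events(device))


def keystrokes(text: str) -> bytes:
    """Constructed event stream (not a capture): press+release per character, then Enter."""
    out = b""
    for code in [CHAR_TO_KEYCODE[ch] for ch in text] + [KEY_ENTER]:
        out += struct.pack(EVENT_FMT, 0, 0, EV_KEY, code, KEY_PRESS)
        out += struct.pack(EVENT_FMT, 0, 0, EV_KEY, code, KEY_RELEASE)
    return out
```

Reading `/dev/input` needs the `input` group or a udev rule for the reader's vendor/product id; the grab is released when the file is closed. If the reader is configured to emit the serial in a different base or with a prefix, extend `KEYCODE_TO_CHAR` with the extra keys rather than post-processing the string.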
0 votes
0 answers
315 views
How to install gnupg-pkcs11-scd in RHEL 8.4?
I am trying to install `gnupg-pkcs11-scd` in RHEL with `yum` but it's not there in the repo. I tried searching with `yum list *pkcs11*` but no luck. But it's present in Debian! Am I searching with the wrong name, or is there an alternative for RHEL?
Prateek Kumar Singh (1 rep)
Jan 30, 2023, 01:52 PM • Last activity: Jan 30, 2023, 01:57 PM
1 votes
0 answers
1056 views
Kerberos auth with smartcard
I've got a fresh install of Fedora 34 and I'm trying to configure kinit to get Kerberos tickets using my smartcard. I don't want to join the domain (which is Windows AD). I've been successful at configuring it to allow me to log in with a password, but cannot get it to work with my smartcard. When I try, it prompts me for my PIN, then prompts me for my password. `pkcs15-tool` lists the certificates from the smart card; it does have multiple certs on it. I'm not sure if I have the correct one selected in my krb5.conf file (not really sure what to look for). I've copied the PEM certs from the domain controller to /etc/ssl/certs/root, and the CA used for the smartcard. I've also copied the same certs to /etc/pki/nssdb using certutil. Here is my krb5.conf file:

```
[libdefaults]
    pkinit_anchors = DIR:/etc/ssl/certs/root/
    pkinit_pool = DIR:/etc/ssl/certs/sub/
    #pkinit_cert_match = || msScLogin,digitalSignature
    #pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = DC.DOMAIN.COM
    pkinit_identities = PKCS11:opensc-pkcs11.so:slotid=0:certid=01
    default_ccache_name = KEYRING:persistent:%{uid}
    default_realm = DC.DOMAIN.COM
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
  DC.DOMAIN.COM = {
    kdc = DC.DOMAIN.COM:88
    admin_server = DC.DOMAIN.COM
    default_domain = DC.DOMAIN.COM
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.dc.domain.com = DC.DOMAIN.COM
```

The command I'm using to get the ticket:

```
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username@DC.DOMAIN.COM
```

If I take out the `-X` option I can log in with my password. What am I missing?

Edit - Also added the certs to /etc/pki/nssdb.

Edit 2 - I'm pretty sure I'm selecting the correct certificate. I've also seen online many tutorials saying to run

```
modutil -add "OpenSC PKCS #11 Module" -libfile opensc-pkcs11.so -dbdir /etc/pki/nssdb
```

But when I do I get this error:

```
ERROR: Failed to add module "OpenSC PKCS #11 Module". Probable cause : "Unknown PKCS #11 error.
```
Frank (11 rep)
May 19, 2021, 04:27 PM • Last activity: Dec 6, 2022, 08:35 PM
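As an added example, not the poster's file, this is the `[libdefaults]` block as a security engineer would write it for MIT krb5 PKINIT against Active Directory. It keeps the poster's anchors, pool and PKCS#11 identity but makes three changes: the `default_tgs_enctypes`/`default_tkt_enctypes` lines are dropped, because they pin the client to RC4 and single DES (modern MIT krb5 refuses DES unless `allow_weak_crypto = true`, and the library defaults already negotiate AES with AD); the certificate on the card is selected with a `pkinit_cert_match` rule on its Smart Card Logon EKU instead of a hard-coded `certid` (the commented-out `|| msScLogin,digitalSignature` form is not the `<EKU>`/`<KU>` syntax MIT expects); and KDC EKU checking is left at its default rather than relaxed. Realm and host names are the poster's placeholders.

```ini
[libdefaults]
    default_realm = DC.DOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}

    # PKINIT trust: CAs that must sign the KDC certificate chain (anchors) and intermediates (pool).
    pkinit_anchors = DIR:/etc/ssl/certs/root/
    pkinit_pool = DIR:/etc/ssl/certs/sub/

    # Client credential: let the PKCS#11 module enumerate the card and pick the certificate
    # by its Smart Card Logon EKU instead of guessing slot/cert ids.
    pkinit_identities = PKCS11:opensc-pkcs11.so
    pkinit_cert_match = <EKU>msScLogin

    # Default KDC certificate check (kpKDC). Only relax to kpServerAuth, together with
    # pkinit_kdc_hostname, if the DC certificate provably lacks the KDC EKU.
    pkinit_eku_checking = kpKDC
    pkinit_kdc_hostname = DC.DOMAIN.COM

    # No default_tgs_enctypes / default_tkt_enctypes: the defaults negotiate AES,
    # and listing des-cbc-* or arcfour-hmac-md5 only weakens the session keys.

[realms]
    DC.DOMAIN.COM = {
        kdc = DC.DOMAIN.COM:88
        admin_server = DC.DOMAIN.COM
    }

[domain_realm]
    .dc.domain.com = DC.DOMAIN.COM
```

`kinit -X X509_user_identity=PKCS11:opensc-pkcs11.so user@DC.DOMAIN.COM` with `KRB5_TRACE=/dev/stderr` in the environment prints which certificate matched and why the KDC certificate was accepted or rejected, which is the quickest way to tell a certificate-selection failure from a trust-anchor failure.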
2 votes
3 answers
4100 views
Smart card reader not working in Manjaro 19
I am running Manjaro 19.0.2, and I am struggling to get it to even detect a smart card reader I'm using: the SCR3310v2.0. I need this to work in order to access online US Military resources using a CAC to verify and authenticate my identity. I am using Firefox 75.0 as my browser of choice. I have already followed all the steps laid out in the DoD Cyber Exchange guide to using CAC for Firefox in Linux. I have also followed MilitaryCAC's guide for Linux users. The following is a summary of the two guides linked above. For the PKCS#11 implementation, I am using OpenSC. I have also installed the four packages prescribed by MilitaryCAC:

> **pcsc-lite** - PCSC Smart Cards Library
> **pcsc-ccid**\* - generic USB CCID (Chip/Smart Card Interface Devices) driver
> **perl-pcsc** - Abstraction layer to smart card readers
> **pcsc-tools** - Optional but highly recommended, these tools are used to test a PCSC driver, card and reader

\* exact package name not found in pamac manager; installed ccid instead

I imported into Firefox all credentials located in https://militarycac.com/maccerts/AllCerts.zip (link provided by MilitaryCAC). I loaded a file called opensc-pkcs11.so in Firefox security settings. After doing all of this work, the smart card reader will not even light up upon connecting it to my PC, which is typical on Windows machines. There is no indication of the hardware being detected in the file explorer, either. I know there's nothing wrong with the reader itself, as it works just fine in Windows. I also know it's not because of missing USB drivers, as they are installed with Manjaro from the get-go, or their faulty configurations, as my PC is able to detect and interface with other USB-connected hardware, such as my phone. I am clueless as to what I could try next, save for running Windows in a virtual machine. I would much prefer to have it work in Linux, if possible. Any help is welcome and greatly appreciated.

## NOTE

I managed to solve this problem. The solution that worked for me is found below. Also note that since this question was posted, my distro version was updated to v20.0.
Manuel (131 rep)
Apr 22, 2020, 01:22 AM • Last activity: Nov 20, 2022, 02:09 PM
2 votes
3 answers
16881 views
PAM — completely disable password login
I am trying to improve the security of my overall IT infrastructure, so I started out to use a smart card for login. I have managed to configure a PIV smart card with a private key and an X.509 certificate and set up pam_pkcs11 such that the smart card login works. As described in the docs, I have added this:

```
auth [success=2 default=ignore] pam_pkcs11.so
```

to /etc/pam.d/common-auth and since then the smartcard login works. But now, if the reader and the smartcard are removed, the system falls back to a password login (GNOME in this case). So my goal is to completely disable password login, no matter if there is a graphical interface or not. If the reader and the smartcard are not connected, login should not be possible. Somewhere I have read that `passwd -l $(whoami)` will set the password for a certain account inactive, but that doesn't feel right to me. Is it possible to do that with PAM, such that password login is disabled for the whole machine? btw: right now I am using Ubuntu 19.10
philipp (191 rep)
Jan 24, 2020, 08:56 AM • Last activity: Oct 18, 2021, 10:17 PM
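An added example, not the poster's configuration: a `common-auth` stack in which pam_pkcs11 is the only way to authenticate, so there is no password module for the stack to fall back to. The `success=2` jump in the poster's line works by skipping over `pam_unix.so` to `pam_permit.so` on success and falling through to `pam_unix.so` otherwise; removing `pam_unix.so` and shortening the jump to `success=1` removes the fallback. It assumes the Debian/Ubuntu layout where `common-auth` is included by every service (login, gdm, sudo, su, sshd with `UsePAM yes`), which is what makes the change machine-wide.

```text
# /etc/pam.d/common-auth  (added example, replaces the pam_unix-based default stack)
#
# Smart card only: pam_pkcs11 must succeed; no password module is consulted.
# success=1 skips pam_deny on success and lands on pam_permit; any other result
# is ignored here and then refused by pam_deny.
auth    [success=1 default=ignore]      pam_pkcs11.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
```

Test this from a second, already-authenticated session before logging out, because a mistake locks out every user including root on the console. Two caveats a practitioner would want: PAM does not govern SSH public-key authentication, so an authorized_keys entry still logs in without a card; and `passwd -l` only prefixes that one account's hash with `!`, which disables the password for that account but changes nothing about the PAM stack. pam_pkcs11's own `pam_pkcs11.conf` additionally offers `card_only` and `wait_for_card`, which refuse to proceed without a card rather than prompting for anything else.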
0 votes
1 answers
695 views
scdaemon.conf missing from gpg directory
I tried to set up gpg for use with a smartcard, but the instructions specified edits to `scdaemon.conf`, which for some reason is missing from the `.gnupg` folder in the home directory. The folder does contain other files, and gpg seems to be working correctly. Using `find` to look for `scdaemon.conf` turned up nothing; reinstalling gpg and scdaemon didn't resolve the issue. Does anyone know what the issue might be? Thanks.
Morgan087 (1 rep)
Sep 4, 2021, 08:47 PM • Last activity: Sep 8, 2021, 07:09 PM
0 votes
1 answers
533 views
Smartcard use with GPG on CentOS 8 Stream
I cannot get my smartcard (Yubikey 5 Nano, set up with CCID and keys installed on a Windows system) to work on my CentOS 8 Stream machine. I would like to sign GitHub commits with it. It's a buildroot project, files from which are "illegal" on the Windows system.

`gpg --card-status` returns

```
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

The scdaemon log shows

```
pcsc_connect failed: sharing violation (0x8010000b)
```

It also shows my Yubikey as a 4 for some reason:

```
reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
```

I've done a lot of research and tried many things to no avail. Here are the versions of the installed software:

- gpg (GnuPG) 2.2.20
- libgcrypt 1.8.5
- scdaemon (GnuPG) 2.2.20
- libksba 1.3.5
- pcsc-lite.x86_64 1.8.23-4.1.el8
- pcsc-lite-ccid.x86_64 1.4.29-5.1.el8
- pcsc-lite-libs.x86_64 1.8.23-4.1.el8
- pcsc-perl.x86_64 1.4.14-12.el8
- pcsc-tools.x86_64 1.5.3-3.el8
- pcsc-cyberjack.x86_64 3.99.5final.SP14-1.el8
- pcsc-cyberjack-cjflash.x86_64 3.99.5final.SP14-1.el8
- pcsc-cyberjack-examples.noarch 3.99.5final.SP14-1.el8
- pcsc-lite-doc.noarch 1.8.23-4.1.el8
- pcsc-lite-libs.i686 1.8.23-4.1.el8
- pcsc-tools-gscriptor.x86_64 1.5.3-3.el8
- pinentry-curses (pinentry) 1.1.0

I have followed several guides:

- https://github.com/drduh/YubiKey-Guide
- https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
- https://stackoverflow.com/questions/43770378/failure-to-use-udev-rule-to-change-smart-card-device-ownership-in-xen-qubesos-vm

I've set up udev rules for the Yubikey and tried to get gnome-keyring not to start, like some guides say, since it's a known issue that the keyring will hold the smartcard up from being used by gpg. I think this is the issue but I cannot rectify it. Has anyone had any luck with getting this to work? Especially on CentOS 8 Stream? Thanks in advance. If any other info is needed please don't hesitate to ask. I am not a Linux novice but I am not a Linux expert by any stretch of the imagination. Any help at all is welcome. ~ejc
ejc787 (1 rep)
Aug 9, 2021, 12:31 AM • Last activity: Aug 10, 2021, 02:38 AM
0 votes
1 answers
921 views
Can I decrypt files with a GPG smartcard?
I'm trying to figure out what I can and can't do with my Librem Key as far as using the key slots. I've generated an RSA 4096-bit key with signing, encryption, and authentication subkeys, backed it up to a CD, and then transferred the keys to the Librem Key using `keytocard`. I then removed the Librem Key, deleted the public and private keys for my generated key, and plugged the Librem Key back in. Now, I'm able to encrypt files using the public key stored on the card:

```
[test@localhost ~]$ gpg -r test@test.com --encrypt test_unencr
gpg: key [snipped-hex-string-1]: public key "test@test.com " imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: [snipped-hex-string-2]: There is no assurance this key belongs to the named user

sub  rsa4096/[snipped-hex-string-2] 2020-10-28 test@test.com
 Primary key fingerprint: [snipped-hex-string-3]
      Subkey fingerprint: [snipped-hex-string-4]

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

[test@localhost ~]$ ls | grep test_unencr
test_unencr
test_unencr.gpg
```

But if I try to decrypt the file, I get an error:

```
[test@localhost ~]$ gpg --decrypt -r test@test.com test_unencr.gpg
gpg: encrypted with rsa4096 key, ID [snipped-hex-string-1], created 2020-10-28
      "test@test.com "
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key
```

I thought part of the point of these smartcards was that they allowed you to take your private key with you and use it while preventing malicious software from reading your private key. Is there a way to use a GPG smartcard to decrypt files, or is this not possible?
zaen (204 rep)
Feb 28, 2021, 12:43 AM • Last activity: Feb 28, 2021, 01:43 AM
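gpg never loads a private key from the card; it decrypts through the card only when its own keyring holds a stub for that subkey that records the card's serial number (shown as `ssb>` in `gpg -K`). `gpg --card-status` creates those stubs, and deleting the secret keys as the post describes removes them. The following is an added example, not code from the post or from GnuPG, that reads `gpg --list-secret-keys --with-colons` output and reports whether an encryption-capable secret key is known at all and, if so, whether it is on disk, a stub pointing at a card, or a bare stub with no card behind it. The listings at the bottom are constructed in the colon format documented in GnuPG's `doc/DETAILS`, not real output.

```python
"""Added example: classify gpg secret keys from `gpg --list-secret-keys --with-colons` output."""
import subprocess
from typing import Dict, List

# Colon-format fields (doc/DETAILS, 1-based): 1 record type, 3 key length, 4 algorithm, 5 key id,
# 12 capabilities (lower case = this key's own), 15 token serial number, or '#' for a stub that has
# no card serial (key material is elsewhere). Stored here as 0-based indexes.
F_TYPE, F_BITS, F_ALGO, F_KEYID, F_CAPS, F_SERIAL = 0, 2, 3, 4, 11, 14


def parse_secret_keys(colon_output: str) -> List[Dict[str, str]]:
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[F_TYPE] not in ("sec", "ssb"):
            continue
        serial = f[F_SERIAL] if len(f) > F_SERIAL else ""
        if serial == "#":
            where = "stub-no-card"   # stub, nothing to decrypt with
        elif serial:
            where = "on-card"        # stub whose private part lives on the token with this serial
        else:
            where = "on-disk"        # private key held by gpg-agent in ~/.gnupg/private-keys-v1.d
        keys.append({"type": f[F_TYPE], "keyid": f[F_KEYID], "bits": f[F_BITS], "algo": f[F_ALGO],
                     "caps": f[F_CAPS], "serial": serial, "where": where})
    return keys


def usable_decryption_keys(keys: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keys gpg could decrypt with: encryption-capable ('e' among the key's own caps) and not a bare stub."""
    return [k for k in keys if "e" in k["caps"] and k["where"] in ("on-card", "on-disk")]


def explain(keys: List[Dict[str, str]]) -> str:
    if not keys:
        return "no secret keys known: run `gpg --card-status` so gpg creates stubs for the card's keys"
    usable = usable_decryption_keys(keys)
    if not usable:
        return "encryption subkey is a stub with no card: insert the card that holds it"
    return "; ".join(
        f"{k['keyid']} ({k['where']}{', serial ' + k['serial'] if k['serial'] else ''})" for k in usable)


def explain_local_keyring() -> str:
    """Run gpg on this machine and classify what it reports (requires gpg on PATH)."""
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return explain(parse_secret_keys(out))


# Constructed listings (not real output) in the documented colon format.
BEFORE_CARD_STATUS = ""   # the post's situation: secret keys deleted, gpg knows nothing
AFTER_CARD_STATUS = "\n".join([
    "sec:u:4096:1:1111111111111111:1603843200:::u:::scESC:::#:::23::0:",
    "fpr:::::::::0000000000000000000000000000000000000000:",
    "ssb:u:4096:1:2222222222222222:1603843200::::::s:::D2760001240102010006000012340000::",
    "ssb:u:4096:1:3333333333333333:1603843200::::::e:::D2760001240102010006000012340000::",
    "ssb:u:4096:1:4444444444444444:1603843200::::::a:::D2760001240102010006000012340000::",
])
STUB_WITHOUT_CARD = "ssb:u:4096:1:3333333333333333:1603843200::::::e:::#::"
```

The primary key above is a bare stub (`#`) while the three subkeys carry the card serial, which is the normal layout after `keytocard` of the subkeys with the primary kept offline; `explain` then names the encryption subkey and its serial, and gpg will ask pinentry for the card PIN at decrypt time.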
0 votes
1 answers
107 views
eth0 network card cannot be detected after I purge pcscd libpcsclite1
I am on Ubuntu 18.04 and I ran into a strange situation. After I execute `sudo apt-get purge pcscd` and `sudo apt-get purge libpcsclite1`:

```
john@home:~/$ sudo apt-get purge pcscd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  pcscd*
0 upgraded, 0 newly installed, 1 to remove and 167 not upgraded.
1 not fully installed or removed.
After this operation, 175 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 190938 files and directories currently installed.)
Removing pcscd (1.8.26-3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
(Reading database ... 190928 files and directories currently installed.)
Purging configuration files for pcscd (1.8.26-3) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
```

And then:

```
john@home:~/$ sudo apt-get purge libpcsclite1
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  fonts-dejavu-extra java-common libatk-wrapper-java libatk-wrapper-java-jni libgif7
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  gnome-control-center-data libnm0 libnma0
The following packages will be REMOVED:
  ca-certificates-java* default-jre* default-jre-headless* gnome-control-center* libpcsclite-dev*
  libpcsclite1* network-manager* network-manager-config-connectivity-ubuntu* network-manager-gnome*
  network-manager-pptp* network-manager-pptp-gnome* openjdk-11-jre* openjdk-11-jre-headless*
  openjdk-8-jre* openjdk-8-jre-headless* ubuntu-desktop* wpasupplicant*
The following packages will be upgraded:
  gnome-control-center-data libnm0 libnma0
3 upgraded, 0 newly installed, 17 to remove and 158 not upgraded.
Need to get 886 kB of archives.
After this operation, 293 MB disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://jp.archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnome-control-center-data all 1:3.28.2-0ubuntu0.18.04.6 [507 kB]
Get:2 http://jp.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libnm0 amd64 1.10.6-2ubuntu1.4 [298 kB]
Get:3 http://jp.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libnma0 amd64 1.8.10-2ubuntu3 [80.4 kB]
Fetched 886 kB in 0s (3,392 kB/s)
(Reading database ... 190927 files and directories currently installed.)
Removing openjdk-8-jre:amd64 (8u275-b01-0ubuntu1~18.04) ...
Removing default-jre (2:1.11-68ubuntu1~18.04.1) ...
Removing openjdk-11-jre:amd64 (11.0.9.1+1-0ubuntu1~18.04) ...
Removing openjdk-8-jre-headless:amd64 (8u275-b01-0ubuntu1~18.04) ...
update-alternatives: removing manually selected alternative - switching java to auto mode
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/java to provide /usr/bin/java (java) in auto mode
Removing default-jre-headless (2:1.11-68ubuntu1~18.04.1) ...
Removing ubuntu-desktop (1.417.3) ...
Removing gnome-control-center (1:3.28.2-0ubuntu0.18.04.4) ...
Removing libpcsclite-dev (1.8.23-1) ...
Removing network-manager-gnome (1.8.10-2ubuntu2) ...
Removing network-manager-config-connectivity-ubuntu (1.10.6-2ubuntu1.1) ...
Removing network-manager-pptp-gnome (1.2.6-1) ...
Removing network-manager-pptp (1.2.6-1) ...
Removing network-manager (1.10.6-2ubuntu1.1) ...
Removing wpasupplicant (2:2.6-15ubuntu2.5) ...
Removing ca-certificates-java (20180516ubuntu1~18.04.1) ...
Removing openjdk-11-jre-headless:amd64 (11.0.9.1+1-0ubuntu1~18.04) ...
Removing libpcsclite1:amd64 (1.8.23-1) ...
(Reading database ... 190057 files and directories currently installed.)
Preparing to unpack .../gnome-control-center-data_1%3a3.28.2-0ubuntu0.18.04.6_all.deb ...
Unpacking gnome-control-center-data (1:3.28.2-0ubuntu0.18.04.6) over (1:3.28.2-0ubuntu0.18.04.4) ...
Preparing to unpack .../libnm0_1.10.6-2ubuntu1.4_amd64.deb ...
Unpacking libnm0:amd64 (1.10.6-2ubuntu1.4) over (1.10.6-2ubuntu1.1) ...
Preparing to unpack .../libnma0_1.8.10-2ubuntu3_amd64.deb ...
Unpacking libnma0:amd64 (1.8.10-2ubuntu3) over (1.8.10-2ubuntu2) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.2) ...
Setting up libnm0:amd64 (1.10.6-2ubuntu1.4) ...
Processing triggers for libglib2.0-0:amd64 (2.56.4-0ubuntu0.18.04.6) ...
No such key 'Gtk/IMModule' in schema 'org.gnome.settings-daemon.plugins.xsettings' as specified in override file '/usr/share/glib-2.0/schemas/50_sogoupinyin.gschema.override'; ignoring override for this key.
Setting up gnome-control-center-data (1:3.28.2-0ubuntu0.18.04.6) ...
Processing triggers for libc-bin (2.27-3ubuntu1.2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1.1) ...
Setting up libnma0:amd64 (1.8.10-2ubuntu3) ...
Processing triggers for dbus (1.12.2-1ubuntu1.2) ...
Processing triggers for ca-certificates (20201027ubuntu0.18.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
updates of cacerts keystore disabled.
done.
Processing triggers for hicolor-icon-theme (0.17-2) ...
(Reading database ... 190056 files and directories currently installed.)
Purging configuration files for ca-certificates-java (20180516ubuntu1~18.04.1) ...
Purging configuration files for network-manager-pptp (1.2.6-1) ...
Purging configuration files for network-manager-gnome (1.8.10-2ubuntu2) ...
Purging configuration files for wpasupplicant (2:2.6-15ubuntu2.5) ...
Purging configuration files for openjdk-11-jre-headless:amd64 (11.0.9.1+1-0ubuntu1~18.04) ...
Purging configuration files for network-manager (1.10.6-2ubuntu1.1) ...
dpkg: warning: while removing network-manager, directory '/etc/NetworkManager/system-connections' not empty so not removed
Purging configuration files for openjdk-8-jre-headless:amd64 (8u275-b01-0ubuntu1~18.04) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1.2) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
Processing triggers for dbus (1.12.2-1ubuntu1.2) ...
john@home:~/$
```

Then I tried to install the two packages of a specific version, from downloaded .deb files:

```
john@home:~/$ sudo dpkg -i 1804/libpcsclite1_1.8.26-3_amd64.deb 1804/pcscd_1.8.26-3_amd64.deb
Selecting previously unselected package libpcsclite1:amd64.
(Reading database ... 189980 files and directories currently installed.)
Preparing to unpack .../libpcsclite1_1.8.26-3_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.8.26-3) ...
Selecting previously unselected package pcscd.
Preparing to unpack 1804/pcscd_1.8.26-3_amd64.deb ...
Unpacking pcscd (1.8.26-3) ...
Setting up libpcsclite1:amd64 (1.8.26-3) ...
Setting up pcscd (1.8.26-3) ...
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
Processing triggers for libc-bin (2.27-3ubuntu1.2) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
john@home:~/$
```

After that, I rebooted the computer and the network card can no longer be detected. What happened?? How are pcscd and libpcsclite1 related to the network interface of the computer? How to fix it?
Kid_Learning_C (125 rep)
Feb 1, 2021, 10:40 AM • Last activity: Feb 13, 2021, 03:23 PM
1 vote
0 answers
216 views
Custom-Made SmartCardReader Problem on Linux
I have a custom-made smart card reader whose firmware I wrote. The device is working well on Windows, but it's problematic on Ubuntu. I installed the necessary tools to test the device. I simply followed the guide here:

- CCID driver from here
- Opensc-tool
- Pcsc-lite...
- Added my vendorId, productId.. file at `/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/info.plist`

As a last note, my client application works fine with a well-known smart card reader on Ubuntu but not with my custom-made smart card reader. If I plug in my smart card reader and list smart card readers on the terminal with the `opensc-tool -l` command, I can see my smart card reader. I can read the ATR with the `opensc-tool -a` command. I want to view all logs about the communication made between the smart card reader and the PC. So, as written here, after I kill any running pcscd process I restart pcscd exactly as `sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee log.txt`. But after this command, if I list smart card readers with the `opensc-tool -l` command, it says something like `No smartcard readers found`. Why? What would be the reason for this device working well on Windows but not Ubuntu? Is there any better tool to diagnose smart card reader problems on Ubuntu? Thanks.
Trax (111 rep)
Feb 2, 2021, 09:42 AM • Last activity: Feb 2, 2021, 02:32 PM
1 vote
0 answers
1779 views
USB/Smartcard rdp Passthrough
I'm trying to get the USB/Smartcard (Datev Smartcard Reader) redirected to my Windows Server 2019 Remote Desktop Service from my Fedora 31 machine. I tried `rdesktop` and `xfreerdp`, but none of them are showing the results I'm looking for.

What have I tried:

- I installed `opensc ccid pcsc-lite pcsc-tools` and started the `pcscd` service in order to get it working in Fedora. (Even if I think this is not necessary, because it's a Smartcard Reader, not the smartcard.)
- I tried to redirect it with `rdesktop` with the following command: `rdesktop -u $USER -d WINDOWS -r scard rds.my.tld`. Here the connection got stuck in the Windows login screen. When I removed the `-r scard`, everything worked well, so there must be a problem with this switch somehow.
- I tried to redirect it with `xfreerdp` with the following commands:

```
xfreerdp -d WINDOWS -u $USER /usb:dbg,dev:VENDOOR:DEVICE rds.my.tdl
xfreerdp -d WINDOWS -u $USER /usb:rules:allow rds.my.tdl
xfreerdp -d WINDOWS -u $USER /usb:auto rds.my.tdl
xfreerdp -d WINDOWS -u $USER /usb:VENDOOR:DEVICE rds.my.tdl
xfreerdp -d WINDOWS -u $USER /smartcard rds.my.tdl
```

With `xfreerdp`, every session worked well, but no device was visible anywhere. `scardsvr` on Windows is enabled and started. I installed all Datev tools to make sure drivers are correctly installed. And I even tried a normal USB data stick. That did not work either. I have no clue anymore. Am I missing something in Windows?

```
# xfreerdp --version
This is FreeRDP version 2.0.0-dev5 (n/a)
# rdesktop --version
Version 1.9.0. Copyright (C) 1999-2016 Matthew Chapman et al.
```
Nico (123 rep)
Apr 24, 2020, 10:01 AM • Last activity: Oct 15, 2020, 12:57 PM
2 votes
1 answer
2284 views
How to import secret key on OpenGPG smartcard (copied from one machine/OS to another)?
I run a couple of PCs and they both multi-boot into more than one OS (Win10/Linux{Devuan}/FreeBSD & Win10/Linux{Devuan} respectively). I use Thunderbird + Enigmail (sticking with Version 68.x of the former for the moment, as the integrated OpenGPG support coming in 78.x does not have SmartCard support working yet, as I understand it). I have noted https://unix.stackexchange.com/q/184947/144991 but I am not sure it can work when the secret key(s) are held in a Smart Card such as my OpenGPG (version 3.3) one.

I am aware that an issue is that the secret keys themselves are normally supposed to be generated within the card's hardware and stored only on the card itself, with a fundamental part of the security being that they cannot be extracted **from** that card. I am also aware that the solution to this is to do the generation on an air-gapped PC, ideally running from an OS booted from read-only material (CD/DVD), and to export and preserve in a **secure** manner the complete secret primary key and, separately, the secret sub-keys and public keys. Then, on the first machine/OS, one needs to reimport just the latter two of those three and then use the keytocard feature to transfer the secret sub-keys to the card (it is a one-way trip!), which leaves special stubs in the secring.gpg that say "yes, we have these keys but they are stored on a card".

Do I need to repeat the "import the secret sub-keys only and then use keytocard to generate the *secret-key-stubs*" step on each subsequent machine/OS to get the secret key ring on each machine to have an awareness, for that machine/OS, that we have owner keys on a SmartCard; OR is there a short-cut method (perhaps copying the user's secring.gpg securely via sneakernet from the first machine/OS to the others) that should work?
SlySven (557 rep)
Oct 9, 2020, 07:39 PM • Last activity: Oct 9, 2020, 08:37 PM
3 votes
1 answer
77 views
Will removing an SSH key during an active session kick me out of the session?
I am carrying my SSH key in a [NitroKey](https://nitrokey.com) smartcard, meaning that in order to SSH into a remote server, I first have to plug in the NitroKey so the local computer can read the private key. However, I am wondering if I need to keep the private key available (i.e. keep the NitroKey plugged in) even after I've already established an active session? Does SSH continuously check whether the SSH private key is present during an active session? Or does it only check when connecting, and never afterwards? (meaning that I can remove the NitroKey without risking the session being interrupted)
Mads Peter Rommedahl (33 rep)
Sep 4, 2020, 07:55 AM • Last activity: Sep 4, 2020, 10:10 AM