When we install Fedora 26, pcsc-lite gets installed along with coolkey and opensc (I don't know why and I'm going to exclude them in future, but that's not the point). If I log in to a F26 machine remotely and start a VNC server containing a GNOME session, then this appears in the centre of the screen:

    Authentication is required to access the PC/SC daemon

When cancelled, this just comes back again and again, so the session is unusable.
You have to find which gnome component prints that. Some part of your desktop tries to communicate with the smart card repeatedly when you login, and that's why you get that popup.
Please re-assign to the VNC server component as there is not much we can do here.
I did some debugging and I found that it is seahorse that is triggering this. So I suggest reassigning it there.
Apparently not all of them come from seahorse. A bunch at login seem to be generated by gnome-settings-daemon as well. :/
There must be some gnome component/library that generates such requests.
This also started cropping up on a local F27 GNOME Wayland session recently, when opening the overview and typing a couple of characters to search. In this case, I see two prompts; after cancelling both I don't see any more for while in the overview, or for a while afterwards. If I wait a while, then open the overview and search again, the prompts appear again (but this doesn't happen if I open the overview again immediately after seeing them the previous time). I've removed pcsc-lite (and the depending coolkey, opensc and pcsc-lite-ccid) packages, since apart from anything else it's a desktop with no SC reader... Regardless, this prompt definitely shouldn't show up when searching the overview (!) Maybe this has to do with a search provider in my case???
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
I see the same in F29 VNC.
I'm getting this on Fedora 29, in VNC session (xfce), as soon as I open Chrome browser. It's incredibly annoying. The window title says "Authentication Required - PolicyKit1 KDE Agent". Action ID is: org.debian.pcsc-lite.access_pcsc. I had policykit authentication agent disabled in xfce session settings, to avoid shit like this, but somehow it's back, after upgrades.
This (annoying) behaviour can be stopped by doing

    systemctl stop pcscd.socket
    systemctl stop pcscd
    systemctl disable pcscd.socket
    systemctl disable pcscd.service

At least that WORKSFORME.

P.
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This is happening on Fedora 30, and Firefox. Can this be reopened?
(In reply to RobbieTheK from comment #13)
> This is happening on Fedora 30, and Firefox can this be reopened?

I'm also getting this in Fedora 30 w/ Firefox and a few other apps.
I'm experiencing the issue as well on Fedora 30 with firefox-67.0.4-1.fc30.x86_64, pcsc-lite-1.8.25-1.fc30.x86_64, and kernel 5.1.16-300.fc30.x86_64.
Here too, using freshly installed Fedora 30 via vnc, lxde desktop. On Firefox start it prompts for password. Disabling pcsc works as a workaround for me as in my use case I do not need that support.
Reopening on the basis of the above comments.
Same issue here with F30 KDE desktop, opening Seamonkey in VNC session. Removing the opensc package is sufficient to stop the "noise".
Happens with Fedora 30 and a freshly created user account via remote XRDP. The worst of it is that it does not even say with which credentials you have to authenticate. Disabling pcscd did not solve the issue.
I get the same issue in Fedora 31. policykit prompts for a password to authenticate with pcscd
(In reply to Ryan from comment #20)
> I get the same issue in Fedora 31. policykit prompts for a password to
> authenticate with pcscd

Happens to me too, connecting to a Fedora 31 with xrdp. Comment #10 solved my issue.
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Can one pls switch it to rawhide?
same here xrdp on Fedora 32
Anyone having a look at this? It makes Fedora impossible to use remotely if removing smart card support isn't an option. I would suggest moving this to the pcsc-lite component as it seems to be a low level issue affecting everything trying to use smart cards.
Thanks! It solved for me.
VNC from Fedora 32 - Workstation

(In reply to Prarit Bhargava from comment #10)
> This (annoying) behaviour can be stopped by doing
>
> systemctl stop pcscd.socket
> systemctl stop pcscd
> systemctl disable pcscd.socket
> systemctl disable pcscd.service
>
> At least that WORKSFORME.
>
> P.
I just ran into this, too. Remote machine is a freshly installed Fedora 33 x86_64. Installed tigervnc-server and configured it as described in the man page. Connected from my local machine and immediately after logging in, an endless series of these dialogs started popping up. I will try the comment 10 remedy.
I am also having this same problem with Fedora 33 x86_64. Fix in comment 10 did not work. The problem seems a bit erratic. I think I was able to log in (vnc) a couple of days ago from cold boot. But that was a couple of 'dnf update' s ago.
On Fedora 33, I did the following to stop the Authorization pop up.

    [root@nvvpn ~]# systemctl status pcscd
    ● pcscd.service - PC/SC Smart Card Daemon
         Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
         Active: active (running) since Wed 2020-12-16 04:04:57 UTC; 11min ago
    TriggeredBy: ● pcscd.socket
           Docs: man:pcscd(8)
       Main PID: 873 (pcscd)
          Tasks: 8 (limit: 9502)
         Memory: 2.2M
            CPU: 60ms
         CGroup: /system.slice/pcscd.service
                 └─873 /usr/sbin/pcscd --foreground --auto-exit

    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00116336 auth.c:137:IsClientAuthorized() Process 3087 (user: 1001) is NOT authorized for action: access_pcsc
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000019 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00027810 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000155 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00021179 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000146 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00030718 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
    Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000139 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    Dec 16 04:13:16 nvvpn.kdjlab.com pcscd[873]: 99999999 auth.c:137:IsClientAuthorized() Process 6190 (user: 1001) is NOT authorized for action: access_pcsc
    Dec 16 04:13:16 nvvpn.kdjlab.com pcscd[873]: 00000296 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    [root@nvvpn ~]# systemctl stop pcscd
    Warning: Stopping pcscd.service, but it can still be activated by:
      pcscd.socket
    [root@nvvpn ~]# systemctl stop pcscd.socket
    [root@nvvpn ~]# systemctl disable pcscd.socket
    Removed /etc/systemd/system/sockets.target.wants/pcscd.socket.
    [root@nvvpn ~]# systemctl disable pcscd
How to find out who is triggering the socket? (I am on Fedora 33)
Anatoli, you can use the script list_pcsc_applications.sh https://github.com/LudovicRousseau/PCSC-contrib/blob/master/list_pcsc_applications.sh
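An added example, not part of the bug report and not code from pcsc-lite or PCSC-contrib: the pcscd journal lines quoted in the Fedora 33 comment above already carry the PID and UID of every rejected client, so a short Python parser can tally who keeps hitting the socket. The sample lines are copied from that comment; the function names and the /proc lookup are assumptions of this sketch.

```python
import re
from collections import Counter

# Lines copied from the `systemctl status pcscd` output quoted earlier in the thread.
SAMPLE = """\
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00116336 auth.c:137:IsClientAuthorized() Process 3087 (user: 1001) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000019 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00027810 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00021179 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00030718 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:13:16 nvvpn.kdjlab.com pcscd[873]: 99999999 auth.c:137:IsClientAuthorized() Process 6190 (user: 1001) is NOT authorized for action: access_pcsc
"""

# Matches only the polkit denial line; the paired "Rejected unauthorized" line
# carries no client identity and is skipped.
DENIED = re.compile(
    r"IsClientAuthorized\(\) Process (?P<pid>\d+) \(user: (?P<uid>\d+)\) "
    r"is NOT authorized for action: (?P<action>\S+)"
)


def parse_denials(text):
    """Return one (pid, uid, action) tuple per denial logged by pcscd."""
    found = []
    for line in text.splitlines():
        m = DENIED.search(line)
        if m:
            found.append((int(m["pid"]), int(m["uid"]), m["action"]))
    return found


def describe_pid(pid, proc_root="/proc"):
    """Best-effort command name of a client that is still running, else None."""
    try:
        with open(f"{proc_root}/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return None  # process already exited or /proc is unavailable


def report(text, proc_root="/proc"):
    """Rows sorted by denial count, noisiest client first."""
    rows = []
    for (pid, uid, action), count in Counter(parse_denials(text)).most_common():
        rows.append({"pid": pid, "uid": uid, "action": action,
                     "denials": count, "comm": describe_pid(pid, proc_root)})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

On a live system the same functions can be fed the text of `journalctl -u pcscd`; the command name is only resolvable while the client process still exists.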
I am on Fedora 33. Fedora 33 is setup in a virtual environment on VMware with a pretty fresh install and all updated today. I am getting the same bug. Comment 10 (https://bugzilla.redhat.com/show_bug.cgi?id=1478345#c10) helped me to fix it. Interesting to note: Before doing the update and a reboot the connection with xfreerdp worked without any bug. Hope that helps; good luck.
Another me on Fedora Workstation 33. https://bugzilla.redhat.com/show_bug.cgi?id=1478345#c10 fixed the pcscd login panel issue.
Fedora should implement a new rule while installing or doing release upgrades: do not install pcsc* if there is no smartcard reader connected. That would solve so many cases, for next to no impact. A few smartcard users would need to install it manually afterwards, but that's it.
Thanks for removing pcsc* suggestion. I did that (dnf remove -y pcsc*) on my laptop. Following pkgs were removed, now I don't have often Auth request when using xrdp remotely.

    NetworkManager-openconnect-1.2.6-5.fc33.x86_64
    NetworkManager-openconnect-gnome-1.2.6-5.fc33.x86_64
    libpskc-2.6.6-1.fc33.x86_64
    openconnect-8.10-3.fc33.x86_64
    opensc-0.21.0-1.fc33.x86_64
    pcsc-lite-1.9.0-2.fc33.x86_64
    pcsc-lite-ccid-1.4.34-1.fc33.x86_64
    pcsc-lite-libs-1.9.0-2.fc33.x86_64
    stoken-libs-0.92-3.fc33.x86_64
Same; relatively new user to Linux...Fedora in particular...new install of Fedora 34 workstation beta with the exact same issue. This resolved the issue.

(In reply to Guilherme Paulino from comment #26)
> Thanks! It solved for me.
> VNC from Fedora 32 - Workstation
>
> (In reply to Prarit Bhargava from comment #10)
> > This (annoying) behaviour can be stopped by doing
> >
> > systemctl stop pcscd.socket
> > systemctl stop pcscd
> > systemctl disable pcscd.socket
> > systemctl disable pcscd.service
> >
> > At least that WORKSFORME.
> >
> > P.
This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Same issue for Fedora 34

Disabling pc/sc daemon is not a solution for me: I _really_ use my smartcard reader when staying at console.
But on remote access ( vpn, x2go and so ) it's annoying

¿Any ideas?

Juan Antonio
(In reply to Juan Antonio Martinez from comment #38)
> Same issue for Fedora 34
>
> Disabling pc/sc daemon is not a solution for me: I _really_ use my smartcard
> reader when staying at console.
> But on remote access ( vpn, x2go and so ) it's annoying
>
> ¿Any ideas?
>
> Juan Antonio

By creating file /etc/polkit-1/rules.d/03-allow-pcscd.rules as follows:

......
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
......

And then restarting polkit daemon ( systemctl restart polkitd.service )
Problem goes off.

So an idea could be create a group for users allowed to remote access

Juan Antonio
> By creating file /etc/polkit-1/rules.d/03-allow-pcscd.rules as follows:
>
> ......
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
>         subject.isInGroup("wheel")) {
>         return polkit.Result.YES;
>     }
> });
>
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.debian.pcsc-lite.access_card" &&
>         subject.isInGroup("wheel")) {
>         return polkit.Result.YES;
>     }
> });
> ......
> And then restarting polkit daemon ( systemctl restart polkitd.service )
> Problem goes off.
>
> So an idea could be create a group for users allowed to remote access
>
>
> Juan Antonio

Thanks for the suggestion, but sadly this didn't solve the problem for me, and it's getting really really annoying. I get it every time I start vivaldi even though I applied your pcsc fix. Every time I open firefox... I get the popup. I'm leaning towards this being a deeper issue with the way polkit works on kde on Fedora (I'm in F33) when you're remotely connected, because I needed to install a few flatpaks today using the Discover application in Fedora and I had to enter my password 7 times per flatpak install. Trying to turn on Bluetooth... I get the popup. Simply looking to see what wireless networks are around... I get the popup. Practically anything and everything that gives me a polkit password popup.
The easiest way is to remove the package entirely.
(In reply to customercare from comment #41)
> The easiest way is to remove the package entirely.

Well, how do you suggest I use the smartcard slot on my laptop after I remove that? Disabling a user's ability to use their hardware is not the answer for a software bug.
I'm sorry that you're part of the 1% that actually need it, honestly. This bug is so annoying, for years now. For all who do not have a smartcard reader nor want to use it, the simplest way is to remove it. It's hard to disable it reliably, due to the socket activation. If it would come up once and ask for the password and keep it in cache for the rest of the session, it could be tolerable.
(In reply to jt from comment #40)
>
> Thanks for the suggestion, but sadly this didn't solve the problem for me,
> and its getting really really annoying.

The polkit rules worked for me on an FC34 host. There is just a small typo in the service. You need to run systemctl restart polkit.service to restart the correct service. Unfortunately the xrdp on FC34 seems not to be able to handle smartcard redirects. At least a pcsc_scan or an opensc-tool -l does not find any readers after the polkit change to allow access in the remote session.
(In reply to wolf from comment #44)
> The polkit rules worked for me on an FC34 host. There is just a small typo
> in the service. You need to run systemctl restart polkit.service to restart
> the correct service.

yup, I saw the error when I tried it and redid it with the correct spelling, but I'm still getting the popup spam. And maybe I'm wrong, but why would pcsc have anything to do with installing packages or turning on bluetooth? I'm getting these all the time. The network manager one happens about every 30 seconds, the others anytime I try to update or install a new application.

    org.freedesktop.NetworkManager.wifi.scan
    org.freedesktop.Flatpak.metadata-update
    org.freedesktop.Flatpak.appstream-update
    org.freedesktop.packagekit.system-update
    org.freedesktop.Flatpak.modify-repo
    org.freedesktop.Flatpak.runtime-update

This is why I believe this is a VNC -> polkit issue and not just a pcsc issue.
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Reproduces trivially on Fedora Server 34. Install Xrdp, attempt to use a remote Fedora Server desktop. You'll never be able to log in as the smartcard tools will keep asking for authentication until they are forcefully uninstalled.
Steps to reproduce:
1. Install Xrdp
2. Install "Fedora Workstation" (GNOME, pulls in pcscd etc.)

Steps to "fix":
1. Disable pcscd socket and service
2. Remove pcscd socket and service

However that is not an acceptable longer term solution.
I'm wondering if the component on this ticket needs to be changed. Right now it's set to Seahorse, which from my understanding is the GNOME keyring stuff. I'm getting this on the KDE spin of Fedora, which I would think wouldn't be using gnome keyring. I know earlier in this bug's history, others were reporting the same problem on XFCE. Is this not being seen by the proper people so it can be addressed? This ticket is approaching 4 years.
I tried to get some more general attention at bug 1926113, but so far no one from Red Hat or Fedora has had a look. There is a link to some internal Jira, but I have no idea what goes on there.
I am sorry for the delay. I am just having a look into that and trying to figure out what is the issue and what would be the best way for Fedora to handle this.

I just set up VNC and indeed I am getting flooded with the auth prompts. This is because the VNC session is considered "inactive" by polkit. The polkit can distinguish active, inactive sessions, which is quite much all. But these rules can take values what will happen in each case. For local/active user, it should be allowed to access the stuff, for non-local, it should not, by default, but we have "auth_admin", which basically allows administrative users to waive this requirement, but even accepting it once does not stop you from flooding popups.

As a first shot, I was able to minimize the effects by adding the "_keep" to the rules. This remembers the action for some time and does not bomb you indefinitely, but still, this is quite annoying:

    <allow_any>auth_admin_keep</allow_any>
    <allow_inactive>auth_admin_keep</allow_inactive>
    <allow_active>yes</allow_active>

It still interactively asks for authentication, twice if I run for example "pkcs11-tool -L" from terminal if I cancel the prompt. It is annoying. Both of the requests are for the org.debian.pcsc-lite.access_pcsc. This is probably because OpenSC calls SCardEstablishContext() twice (if the first fails?), which is, I think, hooked to the polkit authorization events.

Looking into the upstream provided policy, it is even more strict, allowing only local users to access smart cards and preventing all other:

    <allow_any>no</allow_any>
    <allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active>

This is in for quite some time since https://github.com/LudovicRousseau/PCSC/commit/772edc85 and I think it might be considered as more sane default. If a system administrator requires some remote users to access local resources, he needs to adjust the policy or rules anyway (and set up the vnc anyway).

The above policy is still possible to override with rules like this:

    # cat /etc/polkit-1/rules.d/01-test-pcscd.rules
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.user == "test") {
            return polkit.Result.YES;
        }
    });

    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
            action.lookup("reader") == 'whatever' &&
            subject.user == "test") {
            return polkit.Result.YES;
        }
    });

So my suggestion would be to throw away the downstream policy and use what is provided by PCSC upstream. What do you think?
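An added example, not from the bug report or from the pcsc-lite package: a Python audit of the three sets of defaults discussed in the comment above, reporting which actions raise an authentication dialog for a session that polkit does not treat as active. The XML is constructed and trimmed to the defaults elements, the first variant's values are assumed from the comment's mention of "auth_admin", and the function names are this sketch's own.

```python
import glob
import xml.etree.ElementTree as ET

ACTIONS = ("org.debian.pcsc-lite.access_pcsc", "org.debian.pcsc-lite.access_card")


def make_policy(allow_any, allow_inactive, allow_active):
    """Build a constructed, trimmed .policy document with the given defaults."""
    body = "".join(
        f'<action id="{aid}"><defaults>'
        f"<allow_any>{allow_any}</allow_any>"
        f"<allow_inactive>{allow_inactive}</allow_inactive>"
        f"<allow_active>{allow_active}</allow_active>"
        f"</defaults></action>"
        for aid in ACTIONS
    )
    return f"<policyconfig>{body}</policyconfig>"


VARIANTS = {
    # Assumed from the comment's 'we have "auth_admin"'; not shown verbatim on the page.
    "downstream": make_policy("auth_admin", "auth_admin", "yes"),
    # The "_keep" experiment quoted in the comment.
    "keep": make_policy("auth_admin_keep", "auth_admin_keep", "yes"),
    # The upstream PCSC defaults quoted in the comment.
    "upstream": make_policy("no", "no", "yes"),
}


def outcome(value):
    """What a client sees for one implicit-authorization value."""
    if value is None:
        return "unset"
    if value == "yes":
        return "allowed silently"
    if value == "no":
        return "denied silently"
    if value.startswith("auth_"):
        if value.endswith("_keep"):
            return "prompt, then cached for a while"
        return "prompt on every request"
    return "unknown value"


def read_defaults(root):
    """Map action id -> {scope: raw value or None} for a parsed policyconfig."""
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        scopes = {}
        for scope in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(scope) if defaults is not None else None
            scopes[scope] = node.text.strip() if node is not None and node.text else None
        result[action.get("id")] = scopes
    return result


def prompting_actions(root):
    """Sorted action ids that show a dialog to any/inactive (e.g. VNC) sessions."""
    return sorted(
        aid for aid, scopes in read_defaults(root).items()
        if any(outcome(scopes[s]).startswith("prompt")
               for s in ("allow_any", "allow_inactive"))
    )


def scan_dir(directory="/usr/share/polkit-1/actions"):
    """Run the same check over installed policy files; unparsable files are skipped."""
    hits = {}
    for path in sorted(glob.glob(f"{directory}/*.policy")):
        try:
            found = prompting_actions(ET.parse(path).getroot())
        except ET.ParseError:
            continue
        if found:
            hits[path] = found
    return hits


if __name__ == "__main__":
    for name, xml_text in VARIANTS.items():
        print(name, prompting_actions(ET.fromstring(xml_text)))
```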
I submitted the PR here: https://src.fedoraproject.org/rpms/pcsc-lite/pull-request/2 If somebody hit this issue in the past and can test it, it would be hugely appreciated. I can provide scratch build or copr repo if needed. (and moving back to pcsc-lite, as it is where the issue comes from)
*** Bug 1926113 has been marked as a duplicate of this bug. ***
Thank you for taking a look at this, Jakub. If possible, do you think you could also raise this issue more generally inside Red Hat/Fedora? Unfortunately this is not the only authentication prompt that harasses remote users so there are more defaults that ideally should be changed:

> $ grep -l 'allow_any.*auth_admin' /usr/share/polkit-1/actions/* | wc -l
> 32
To clarify, the pcsc issue was probably most visible because gsd-smartcard is monitoring smart cards actions from gnome desktop quite much all the time to capture insert or removal events. The other popups should not be that frequent and coming out of nowhere and if they do, it would be a good idea to report bugs for them for the particular component providing the particular policy.

Most of these are already auth_admin_keep, which should not really spam infinitely. I think most of these are already valid use case, where non-privileged user can elevate privileges with administrator password (whatever it is) to achieve some administrative task he should not be normally allowed to do. This can be for example org.fedoraproject.setroubleshootfixit.policy, org.freedesktop.accounts.policy, org.freedesktop.UDisks2.policy, ... I think the org.freedesktop.packagekit.policy can also have a use case, but it should not certainly ask from background processes. The same should apply for org.freedesktop.NetworkManager.policy or other network policies.

This is quite out of my scope so if you are having issues with some of the policies, please report bugs to the particular components shipping them. I also added Jan, who is maintaining polkit in Fedora, if there is something he can add. If somebody should coordinate some changes in the polkit policies or set up some best practices or guidelines, it is the package maintainer.

I am adding a reproducer I used to invoke this behavior.
Set up a VM (used RHEL -- Fedora will have different package groups):

    dnf groupinstall -y "Server with GUI"
    dnf groupinstall -y "Smart Card Support"
    dnf install -y tigervnc-server xorg-x11-fonts-Type1
    systemctl set-default graphical
    vim /etc/gdm/custom.conf
    useradd test
    #su - test
    # vncpasswd ## set the password for the user
    echo ':3=test' >> /etc/tigervnc/vncserver.users
    systemctl enable vncserver@:3.service
    systemctl start vncserver@:3.service

Connect to the VNC:

    vncviewer 127.0.0.1:5903

Login, and hit "cancel" forever.
Will add my .02, I am on Fedora 34 (fresh install) and I have been getting this lately a lot when I open new tabs in Firefox. This only started up a few days ago out of several months since the machine was first loaded. I do weekly updates. I have also seen it on previous version of Fedora where for a time I get loads of the popups and other times I don't get them at all. Sometimes putting my password in works (like this time) and other times I keep getting them no matter how many times I authenticate.
Hello, from polkit's POV, this seems like a matter of configuration managed by pcsc-lite maintainers contained in the package-dropped .policy and .rules files. The solution suggested in comment#51 looks good. Of course, it's up to maintainers whether or not they wish to allow remote connections to be authenticated automatically. If you suggest another solution involving change in polkit's code, please feel free to speak them out on polkit upstream https://gitlab.freedesktop.org/polkit/polkit.
I merged the PR for pcsc-lite in Rawhide/fedora 35. If you will hit the issue again (or similar issues), please open a new bug. https://src.fedoraproject.org/rpms/pcsc-lite/c/af345491c04da742e11d77c520375d5f8d314d86?branch=rawhide