Bug 1478345 - Repeated authentication requests in remote session
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pcsc-lite
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1926113
Depends On:
Blocks:
Reported: 2017-08-04 11:29 UTC by Ian Collier
Modified: 2021-08-02 07:17 UTC

Fixed In Version: pcsc-lite-1.9.1-5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-02 07:17:42 UTC
Type: Bug



Description Ian Collier 2017-08-04 11:29:00 UTC
When we install Fedora 26, pcsc-lite gets installed along with coolkey and
opensc (I don't know why and I'm going to exclude them in future, but that's
not the point).

If I log in to a F26 machine remotely and start a VNC server containing a
GNOME session, then this appears in the centre of the screen:

 Authentication is required to access the PC/SC daemon

When cancelled, this just comes back again and again, so the session is
unusable.

Comment 1 Nikos Mavrogiannopoulos 2017-08-04 11:59:55 UTC
You have to find which gnome component prints that. Some part of your desktop tries to communicate with the smart card repeatedly when you login, and that's why you get that popup.

Comment 2 Nikos Mavrogiannopoulos 2017-08-04 14:56:36 UTC
Please re-assign to the VNC server component as there is not much we can do here.

Comment 3 Pierre Ossman 2017-09-11 15:07:46 UTC
I did some debugging and I found that it is seahorse that is triggering this. So I suggest reassigning it there.

Comment 4 Pierre Ossman 2017-09-12 13:51:28 UTC
Apparently not all of them come from seahorse. A bunch at login seem to be generated by gnome-settings-daemon as well. :/

Comment 5 Nikos Mavrogiannopoulos 2017-09-12 14:13:45 UTC
There must be some gnome component/library that generates such requests.

Comment 6 fednuc 2017-12-16 18:00:25 UTC
This also started cropping up on a local F27 GNOME Wayland session recently, when opening the overview and typing a couple of characters to search.

In this case, I see two prompts; after cancelling both I don't see any more for a while in the overview, or for a while afterwards.

If I wait a while, then open the overview and search again, the prompts appear again (but this doesn't happen if I open the overview again immediately after seeing them the previous time).

I've removed pcsc-lite (and the depending coolkey, opensc and pcsc-lite-ccid) packages, since apart from anything else it's a desktop with no SC reader...

Regardless, this prompt definitely shouldn't show up when searching the overview (!)

Maybe this has to do with a search provider in my case???

Comment 7 Fedora End Of Life 2018-02-20 15:23:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 8 Tim Wilkinson 2018-11-27 16:09:08 UTC
I see the same in F29 VNC.

Comment 9 BugMasta 2019-04-03 11:40:51 UTC
I'm getting this on Fedora 29, in VNC session (xfce), as soon as I open Chrome browser.

It's incredibly annoying.

The Window title says "Authentication Required - PolicyKit1 KDE Agent"
Action ID is: org.debian.pcsc-lite.access_pcsc

I had policykit authentication agent disabled in xfce session settings, to avoid shit like this, but somehow it's back, after upgrades.

Comment 10 Prarit Bhargava 2019-04-29 19:31:56 UTC
This (annoying) behaviour can be stopped by doing

systemctl stop pcscd.socket
systemctl stop pcscd
systemctl disable pcscd.socket
systemctl disable pcscd.service

At least that WORKSFORME.

P.

Comment 11 Ben Cotton 2019-05-02 19:37:52 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 12 Ben Cotton 2019-05-28 23:57:56 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 13 RobbieTheK 2019-06-14 15:51:45 UTC
This is happening on Fedora 30 and Firefox. Can this be reopened?

Comment 14 capitalist_dog 2019-07-03 21:49:32 UTC
(In reply to RobbieTheK from comment #13)
> This is happening on Fedora 30 and Firefox. Can this be reopened?

I'm also getting this in Fedora 30 w/ Firefox and a few other apps.

Comment 15 James Boyle 2019-07-08 20:41:20 UTC
I'm experiencing the issue as well on Fedora 30 with firefox-67.0.4-1.fc30.x86_64, pcsc-lite-1.8.25-1.fc30.x86_64, and kernel 5.1.16-300.fc30.x86_64.

Comment 16 Juha Luoma 2019-07-09 07:41:04 UTC
Here too, using freshly installed Fedora 30 via vnc, lxde desktop. On Firefox start it prompts for password. Disabling pcsc works as a workaround for me as in my use case I do not need that support.

Comment 17 Ian Collier 2019-07-09 09:19:02 UTC
Reopening on the basis of the above comments.

Comment 18 Knud Christiansen 2019-09-21 15:02:38 UTC
Same issue here with F30 KDE desktop, opening Seamonkey in VNC session

Removing the opensc package is sufficient to stop the "noise"

Comment 19 customercare 2020-02-11 17:01:15 UTC
Happens with Fedora 30 and a freshly created user account via remote XRDP.

The worst of it is, that it does not even say with which credentials you have to authenticate.

Disabling pcscd did not solve the issue.

Comment 20 Ryan 2020-04-03 03:27:03 UTC
I get the same issue in Fedora 31. policykit prompts for a password to authenticate with pcscd

Comment 21 Luca 2020-04-08 08:19:28 UTC
(In reply to Ryan from comment #20)
> I get the same issue in Fedora 31. policykit prompts for a password to
> authenticate with pcscd

Happens to me too when connecting to a Fedora 31 with xrdp.

Comment #10 solved my issue.

Comment 22 Ben Cotton 2020-04-30 20:15:53 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 23 customercare 2020-05-01 21:18:23 UTC
Can one pls switch it to rawhide?

Comment 24 Edouard Bourguignon 2020-05-25 12:00:23 UTC
same here xrdp on Fedora 32

Comment 25 Pierre Ossman 2020-06-01 12:24:51 UTC
Anyone having a look at this? It makes Fedora impossible to use remotely if removing smart card support isn't an option.

I would suggest moving this to the pcsc-lite component as it seems to be a low level issue affecting everything trying to use smart cards.

Comment 26 Guilherme Paulino 2020-06-19 14:03:28 UTC
Thanks! It solved for me.
VNC from Fedora 32 - Workstation

(In reply to Prarit Bhargava from comment #10)
> This (annoying) behaviour can be stopped by doing
> 
> systemctl stop pcscd.socket
> systemctl stop pcscd
> systemctl disable pcscd.socket
> systemctl disable pcscd.service
> 
> At least that WORKSFORME.
> 
> P.

Comment 27 Jerry James 2020-11-06 18:18:08 UTC
I just ran into this, too.  Remote machine is a freshly installed Fedora 33 x86_64.  Installed tigervnc-server and configured it as described in the man page.  Connected from my local machine and immediately after logging in, an endless series of these dialogs started popping up.  I will try the comment 10 remedy.

Comment 28 Bob Gustafson 2020-12-08 21:06:00 UTC
I am also having this same problem with Fedora 33 x86_64. Fix in comment 10 did not work.

The problem seems a bit erratic. I think I was able to log in (vnc) a couple of days ago from cold boot. But that was a couple of 'dnf update' s ago.

Comment 29 Kevin Jones 2020-12-16 04:28:45 UTC
On Fedora 33, I did the following to stop the Authorization pop up.

[root@nvvpn ~]# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
     Active: active (running) since Wed 2020-12-16 04:04:57 UTC; 11min ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 873 (pcscd)
      Tasks: 8 (limit: 9502)
     Memory: 2.2M
        CPU: 60ms
     CGroup: /system.slice/pcscd.service
             └─873 /usr/sbin/pcscd --foreground --auto-exit

Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00116336 auth.c:137:IsClientAuthorized() Process 3087 (user: 1001) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000019 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00027810 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000155 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00021179 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000146 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00030718 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 nvvpn.kdjlab.com pcscd[873]: 00000139 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:13:16 nvvpn.kdjlab.com pcscd[873]: 99999999 auth.c:137:IsClientAuthorized() Process 6190 (user: 1001) is NOT authorized for action: access_pcsc
Dec 16 04:13:16 nvvpn.kdjlab.com pcscd[873]: 00000296 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

[root@nvvpn ~]# systemctl stop pcscd
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket
[root@nvvpn ~]# systemctl stop pcscd.socket
[root@nvvpn ~]# systemctl disable pcscd.socket
Removed /etc/systemd/system/sockets.target.wants/pcscd.socket.
[root@nvvpn ~]# systemctl disable pcscd

Comment 30 Anatoli Babenia 2020-12-18 20:29:18 UTC
How to find out who is triggering the socket? (I am on Fedora 33)

Comment 31 Ludovic Rousseau 2020-12-18 21:44:26 UTC
Anatoli, you can use the script list_pcsc_applications.sh
https://github.com/LudovicRousseau/PCSC-contrib/blob/master/list_pcsc_applications.sh
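
The pcscd log lines pasted in comment 29 already carry the PID and UID of each rejected client, which is one way to answer the question in comment 30 when the client has not exited yet. The following is an added example, not part of any comment and not pcsc-lite code; the journal lines are constructed in the format shown in comment 29, and `host.example` is a placeholder.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "systemctl status pcscd" output in
# comment 29 (hostname replaced by a placeholder).
SAMPLE_JOURNAL = """\
Dec 16 04:10:21 host.example pcscd[873]: 00116336 auth.c:137:IsClientAuthorized() Process 3087 (user: 1001) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 host.example pcscd[873]: 00000019 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 host.example pcscd[873]: 00027810 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 host.example pcscd[873]: 00000155 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 host.example pcscd[873]: 00021179 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 host.example pcscd[873]: 00000146 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 16 04:10:21 host.example pcscd[873]: 00030718 auth.c:137:IsClientAuthorized() Process 3088 (user: 1000) is NOT authorized for action: access_pcsc
Dec 16 04:10:21 host.example pcscd[873]: 00000139 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
"""

# Matches only the IsClientAuthorized() rejection lines; the companion
# "Rejected unauthorized PC/SC client" lines carry no PID and are skipped.
REJECTION = re.compile(
    r"pcscd\[\d+\]: \d+ auth\.c:\d+:IsClientAuthorized\(\) "
    r"Process (?P<pid>\d+) \(user: (?P<uid>\d+)\) "
    r"is NOT authorized for action: (?P<action>\S+)"
)


def rejected_clients(journal_text):
    """Return [((pid, uid, action), count), ...], most frequent first."""
    counts = Counter()
    for line in journal_text.splitlines():
        match = REJECTION.search(line)
        if match:
            key = (int(match["pid"]), int(match["uid"]), match["action"])
            counts[key] += 1
    return counts.most_common()


def process_name(pid):
    """Name of a still-running process from /proc, or None if it is gone."""
    try:
        with open(f"/proc/{pid}/comm") as handle:
            return handle.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for (pid, uid, action), count in rejected_clients(SAMPLE_JOURNAL):
        name = process_name(pid) or "(exited)"
        print(f"{count:3d} rejections  pid={pid} uid={uid} action={action} comm={name}")
```

On a live system the same function can be fed the text of `journalctl -u pcscd`.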

Comment 32 schaefi 2021-02-05 17:55:51 UTC
I am on Fedora 33. Fedora 33 is setup in a virtual environment on VMware 
with a pretty fresh install and all updated today.
I am getting the same bug.

Comment 10 (https://bugzilla.redhat.com/show_bug.cgi?id=1478345#c10) helped me to fix it.

Interesting to note: 
Before doing the update and a reboot the connection with xfreerdp worked without any bug.

Hope that helps; good luck.

Comment 33 TJ Yang 2021-02-17 11:28:54 UTC
Another me on Fedora Workstation 33.  https://bugzilla.redhat.com/show_bug.cgi?id=1478345#c10 fixed the pcscd login panel issue.

Comment 34 customercare 2021-02-17 13:21:04 UTC
Fedora should implement a new rule while installing or doing release upgrades: do not install pcsc*, if there is no smartcard reader connected.

That would solve so many cases, for next to no impact. A few smartcard users would need to install it manually afterwards, but that's it.

Comment 35 TJ Yang 2021-02-17 15:49:23 UTC
Thanks for the suggestion to remove pcsc*. I did that (dnf remove -y pcsc*) on my laptop.
The following pkgs were removed; now I don't often get Auth requests when using xrdp remotely.

NetworkManager-openconnect-1.2.6-5.fc33.x86_64
NetworkManager-openconnect-gnome-1.2.6-5.fc33.x86_64     
libpskc-2.6.6-1.fc33.x86_64            
openconnect-8.10-3.fc33.x86_64     
opensc-0.21.0-1.fc33.x86_64
pcsc-lite-1.9.0-2.fc33.x86_64                      
pcsc-lite-ccid-1.4.34-1.fc33.x86_64                      
pcsc-lite-libs-1.9.0-2.fc33.x86_64     
stoken-libs-0.92-3.fc33.x86_64

Comment 36 rewert 2021-04-05 03:48:58 UTC
Same; relatively new user to Linux...Fedora in particular...new install of Fedora 34 workstation beta with the exact same issue.  This resolved the issue.

(In reply to Guilherme Paulino from comment #26)
> Thanks! It solved for me.
> VNC from Fedora 32 - Workstation
> 
> (In reply to Prarit Bhargava from comment #10)
> > This (annoying) behaviour can be stopped by doing
> > 
> > systemctl stop pcscd.socket
> > systemctl stop pcscd
> > systemctl disable pcscd.socket
> > systemctl disable pcscd.service
> > 
> > At least that WORKSFORME.
> > 
> > P.

Comment 37 Fedora Program Management 2021-04-29 15:53:30 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 38 Juan Antonio Martinez 2021-05-06 07:54:58 UTC
Same issue for Fedora 34

Disabling pc/sc daemon is not a solution for me: I _really_ use my smartcard reader when staying at console.
But on remote access ( vpn, x2go and so ) it's annoying

¿Any ideas?

Juan Antonio

Comment 39 Juan Antonio Martinez 2021-05-06 08:27:52 UTC
(In reply to Juan Antonio Martinez from comment #38)
> Same issue for Fedora 34
> 
> Disabling pc/sc daemon is not a solution for me: I _really_ use my smartcard
> reader when staying at console.
> But on remote access ( vpn, x2go and so ) it's annoying
> 
> ¿Any ideas?
> 
> Juan Antonio

By creating file /etc/polkit-1/rules.d/03-allow-pcscd.rules as follows:

......
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});
......
And then restarting polkit daemon ( systemctl restart polkitd.service ) Problem goes off. 

So an idea could be create a group for users allowed to remote access


Juan Antonio

Comment 40 jt@obs-sec.com 2021-05-20 22:51:27 UTC
> By creating file /etc/polkit-1/rules.d/03-allow-pcscd.rules as follows:
> 
> ......
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
>         subject.isInGroup("wheel")) {
>             return polkit.Result.YES;
>     }
> });
> 
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.debian.pcsc-lite.access_card" &&
>         subject.isInGroup("wheel")) {
>             return polkit.Result.YES;
>     }
> });
> ......
> And then restarting polkit daemon ( systemctl restart polkitd.service )
> Problem goes off. 
> 
> So an idea could be create a group for users allowed to remote access
> 
> 
> Juan Antonio

Thanks for the suggestion, but sadly this didn't solve the problem for me, and it's getting really really annoying. I get it every time I start vivaldi even though I applied your pcsc fix. Every time I open firefox... I get the popup. I'm leaning towards this being a deeper issue with the way polkit works on KDE on Fedora (I'm in F33) when you're remotely connected, because when I needed to install a few flatpaks today using the Discover application in Fedora I had to enter my password 7 times per flatpak install.  Trying to turn on Bluetooth... I get the popup.  Simply looking to see what wireless networks are around... I get the popup.  Practically anything and everything that gives me a polkit password popup.

Comment 41 customercare 2021-05-20 22:54:13 UTC
The easiest way is to remove the package entirely.

Comment 42 jt@obs-sec.com 2021-05-20 23:13:36 UTC
(In reply to customercare from comment #41)
> The easiest way is to remove the package entirely.

Well, how do you suggest I use the smartcard slot on my laptop after I remove that?  Disabling a user's ability to use their hardware is not the answer for a software bug.

Comment 43 customercare 2021-05-21 08:31:08 UTC
I'm sorry that you're part of the 1% that actually need it, honestly. This bug is so annoying, for years now. For all who do not have a smartcard reader nor want to use it, the simplest way is to remove it. It's hard to disable it reliably, due to the socket activation. If it would come up once and ask for the password and keep it in cache for the rest of the session, it could be tolerable.

Comment 44 wolf 2021-05-21 16:39:24 UTC
(In reply to jt@obs-sec.com from comment #40)
> 
> Thanks for the suggestion, but sadly this didn't solve the problem for me,
> and its getting really really annoying.

The polkit rules worked for me on an FC34 host. There is just a small typo in the service. You need to run systemctl restart polkit.service to restart the correct service. Unfortunately the xrdp on FC34 seems not to be able to handle smartcard redirects. At least a pcsc_scan or an opensc-tool -l does not find any readers after the polkit change to allow access in the remote session.

Comment 45 jt@obs-sec.com 2021-05-21 17:02:25 UTC
(In reply to wolf from comment #44)
> The polkit rules worked for me on an FC34 host. There is just a small typo
> in the service. You need to run systemctl restart polkit.service to restart
> the correct service. 

yup, I saw the error when I tried it and redid it with the correct spelling, but I'm still getting the popup spam.
And maybe I'm wrong, but why would pcsc have anything to do with installing packages or turning on bluetooth?
I'm getting these all the time.  The network manager one happens about every 30 seconds, the others anytime I try to update or install a new application.
org.freedesktop.NetworkManager.wifi.scan
org.freedesktop.Flatpak.metadata-update 
org.freedesktop.Flatpak.appstream-update
org.freedesktop.packagekit.system-update
org.freedesktop.Flatpak.modify-repo
org.freedesktop.Flatpak.runtime-update

This is why I believe this is a VNC -> polkit issue and not just a pcsc issue.

Comment 46 Ben Cotton 2021-05-25 14:57:48 UTC
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 47 Jon Masters 2021-05-29 17:32:52 UTC
Reproduces trivially on Fedora Server 34. Install Xrdp, attempt to use a remote Fedora Server desktop. You'll never be able to login as the smartcard tools will keep asking for authentication until they are forcefully uninstalled.

Comment 48 Jon Masters 2021-05-29 17:35:58 UTC
Steps to reproduce:

1. Install Xrdp
2. Install "Fedora Workstation" (GNOME, pulls in pcscd etc.)

Steps to "fix":

1. Disable pcscd socket and service
2. Remove pcscd socket and service

However that is not an acceptable longer term solution.

Comment 49 jt@obs-sec.com 2021-06-14 14:15:21 UTC
I'm wondering if the component on this ticket needs to be changed.  Right now it's set to Seahorse, which from my understanding is the GNOME keyring stuff. I'm getting this on the KDE spin of Fedora, which I would think wouldn't be using gnome keyring.
I know earlier in this bug's history, others were reporting the same problem on XFCE.
Is this not being seen by the proper people so it can be addressed?  This ticket is approaching 4 years.

Comment 50 Pierre Ossman 2021-06-14 14:43:03 UTC
I tried to get some more general attention at bug 1926113, but so far no one from Red Hat or Fedora has had a look. There is a link to some internal Jira, but I have no idea what goes on there.

Comment 51 Jakub Jelen 2021-07-15 15:45:05 UTC
I am sorry for the delay. I am just having a look into that and trying to figure out what is the issue and what would be the best way for Fedora to handle this.

I just set up VNC and indeed I am getting flooded with the auth prompts. This is because the VNC session is considered "inactive" by polkit. The polkit can distinguish active, inactive sessions, which is quite much all. But these rules can take values what will happen in each case. For local/active user, it should be allowed to access the stuff, for non-local, it should not, by default, but we have "auth_admin", which basically allows administrative users to waive this requirement, but even accepting it once does not stop you from flooding popups.

As a first shot, I was able to minimize the effects by adding the "_keep" to the rules. This remembers the action for some time and does not bomb you indefinitely, but still, this is quite annoying:

      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>

It still interactively asks for authentication, twice if I run for example "pkcs11-tool -L" from terminal if I cancel the prompt. It is annoying. Both of the requests are for the org.debian.pcsc-lite.access_pcsc. This is probably because OpenSC calls SCardEstablishContext() twice (if the first fails?), which is, I think hooked to the polkit authorization events.

Looking into the upstream provided policy, it is even more strict, allowing only local users to access smart cards and preventing all other:

      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>

This is in for quite some time since https://github.com/LudovicRousseau/PCSC/commit/772edc85 and I think it might be considered as more sane default. If a system administrator requires some remote users to access local resources, he needs to adjust the policy or rules anyway (and set up the vnc anyway). The above policy is still possible to override with rules like this:

# cat /etc/polkit-1/rules.d/01-test-pcscd.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "test") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'whatever' &&
        subject.user == "test") {
            return polkit.Result.YES;
    }
});

So my suggestion would be to throw away the downstream policy and use what is provided by PCSC upstream. What do you think?

Comment 52 Jakub Jelen 2021-07-15 15:53:46 UTC
I submitted the PR here:

https://src.fedoraproject.org/rpms/pcsc-lite/pull-request/2

If somebody hit this issue in the past and can test it, it would be hugely appreciated. I can provide scratch build or copr repo if needed.

(and moving back to pcsc-lite, as it is where the issue comes from)

Comment 53 Jakub Jelen 2021-07-15 15:54:49 UTC
*** Bug 1926113 has been marked as a duplicate of this bug. ***

Comment 54 Pierre Ossman 2021-07-16 08:03:24 UTC
Thank you for taking a look at this, Jakub. If possible, do you think you could also raise this issue more generally inside Red Hat/Fedora? Unfortunately this is not the only authentication prompt that harasses remote users so there are more defaults that ideally should be changed:

> $ grep -l 'allow_any.*auth_admin' /usr/share/polkit-1/actions/* | wc -l
> 32
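
The `<defaults>` fragments in comment 51 and the grep in comment 54 both come down to which implicit authorization polkit applies to a session that is not local and active. The following is an added example, not part of any comment and not polkit or pcsc-lite code: it parses a policy document, lists the defaults that make such sessions prompt, and evaluates the outcome under a simplified model of polkit's selection. The wrapper XML around the page's three elements is constructed, and it generalises the grep from `allow_any` with `auth_admin` to any `auth_*` value in `allow_any` or `allow_inactive`.

```python
import xml.etree.ElementTree as ET

FIELDS = ("allow_any", "allow_inactive", "allow_active")

# Constructed wrapper; the three <defaults> elements are the ones quoted in
# comment 51, the action id is the one reported in comment 9.
POLICY_TEMPLATE = """<policyconfig>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <defaults>
      <allow_any>{any}</allow_any>
      <allow_inactive>{inactive}</allow_inactive>
      <allow_active>{active}</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEEP_VARIANT = POLICY_TEMPLATE.format(
    any="auth_admin_keep", inactive="auth_admin_keep", active="yes")
UPSTREAM_VARIANT = POLICY_TEMPLATE.format(any="no", inactive="no", active="yes")


def parse_defaults(policy_xml):
    """Return {action_id: {field: value}} for every <action> in the document."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            # Assumption: a missing element is treated as "no".
            field: (defaults.findtext(field, default="no").strip()
                    if defaults is not None else "no")
            for field in FIELDS
        }
    return actions


def outcome(defaults, local, active):
    """Simplified model: pick the default for the session class, then map it
    to what the user experiences (allowed, prompt, or silently denied)."""
    if local:
        field = "allow_active" if active else "allow_inactive"
    else:
        field = "allow_any"
    value = defaults[field]
    if value == "yes":
        return "allowed"
    if value.startswith("auth_"):
        return "prompt"
    return "denied"


def prompting_defaults(policy_xml):
    """List (action_id, field, value) where a session that is not local and
    active would get an interactive authentication dialog."""
    findings = []
    for action_id, defaults in parse_defaults(policy_xml).items():
        for field in ("allow_any", "allow_inactive"):
            if defaults[field].startswith("auth_"):
                findings.append((action_id, field, defaults[field]))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("keep", KEEP_VARIANT), ("upstream", UPSTREAM_VARIANT)):
        for action_id, defaults in parse_defaults(xml_text).items():
            print(label, action_id,
                  "console:", outcome(defaults, local=True, active=True),
                  "inactive:", outcome(defaults, local=True, active=False),
                  "non-local:", outcome(defaults, local=False, active=False))
        print(label, "prompting defaults:", prompting_defaults(xml_text))
```

With the upstream defaults the inactive session is denied without a dialog, while the `_keep` variant still prompts; the console session is allowed in both.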

Comment 55 Jakub Jelen 2021-07-16 14:32:01 UTC
To clarify, the pcsc issue was probably most visible because gsd-smartcard is monitoring smart card actions from gnome desktop quite much all the time to capture insert or removal events. The other popups should not be that frequent and coming out of nowhere and if they do, it would be a good idea to report bugs for them for the particular component providing the particular policy.

Most of these are already auth_admin_keep, which should not really spam infinitely. I think most of these are already valid use case, where non-privileged user can elevate privileges with administrator password (whatever it is) to achieve some administrative task he should not be normally allowed to do. This can be for example org.fedoraproject.setroubleshootfixit.policy, org.freedesktop.accounts.policy, org.freedesktop.UDisks2.policy, ...

I think the org.freedesktop.packagekit.policy can also have a use case, but it certainly should not ask from background processes. The same should apply for org.freedesktop.NetworkManager.policy or other network policies.

This is quite out of my scope so if you are having issues with some of the policies, please report bugs to the particular components shipping them. I also added Jan, who is maintaining polkit in Fedora, if there is something he can add. If somebody should coordinate some changes in the polkit policies or set up some best practices or guidelines, it is the package maintainer.

I am adding a reproducer I used to invoke this behavior. Set up a VM (used RHEL -- Fedora will have different package groups):

  dnf groupinstall -y "Server with GUI"
  dnf groupinstall -y "Smart Card Support"
  dnf install -y tigervnc-server xorg-x11-fonts-Type1
  systemctl set-default graphical
  vim /etc/gdm/custom.conf 
  useradd test
  #su - test
  # vncpasswd
  ## set the password for the user
  echo ':3=test' >> /etc/tigervnc/vncserver.users
  systemctl enable vncserver@:3.service
  systemctl start vncserver@:3.service

Connect to the VNC:

  vncviewer 127.0.0.1:5903

Login, and hit "cancel" forever.

Comment 56 snichols4704 2021-07-23 16:50:27 UTC
Will add my .02, I am on Fedora 34 (fresh install) and I have been getting this lately a lot when I open new tabs in Firefox. This only started up a few days ago out of several months since the machine was first loaded. I do weekly updates. I have also seen it on previous version of Fedora where for a time I get loads of the popups and other times I don't get them at all. Sometimes putting my password in works (like this time) and other times I keep getting them no matter how many times I authenticate.

Comment 57 Jan Rybar 2021-07-29 07:50:18 UTC
Hello,
from polkit's POV, this seems like a matter of configuration managed by pcsc-lite maintainers contained in the package-dropped .policy and .rules files.  
The solution suggested in comment#51 looks good.  
Of course, it's up to maintainers whether or not they wish to allow remote connections to be authenticated automatically.  
If you suggest another solution involving change in polkit's code, please feel free to speak them out on polkit upstream https://gitlab.freedesktop.org/polkit/polkit.

Comment 58 Jakub Jelen 2021-08-02 07:17:42 UTC
I merged the PR for pcsc-lite in Rawhide/fedora 35. If you hit the issue again (or similar issues), please open a new bug.

https://src.fedoraproject.org/rpms/pcsc-lite/c/af345491c04da742e11d77c520375d5f8d314d86?branch=rawhide

