Does smart card redirection work?

[johnarnold]

I need smart card redirection in order to use certificates for 2 factor auth.

This issue #471 talks about support for pcsc, but the issue is still "Open" and doesn't really say if it's working.

Does pcsc support work? How do I verify it's working?

thanks!

[jsorg71]

#963 should be working now

[metalefty]

@johnarnold can you test?

[jsorg71]

To test
git clone --branch pcsc --recursive git://github.com/jsorg71/xrdp
Just build with no special configure options and compile and install.
get pcsc-tools installed if debian based. Not sure what EL package is called.
Connect with mstsc and smart card and run pcsc_scan in session or whatever you smart card app is.

[metalefty]

If you test it soon, we can ship it to the next release in December.

[metalefty]

Let's ship it to the next March release. Maybe cannot be well tested.

[jsorg71]

it would be nice to get this in. I think this release(December) will be what goes in Ubuntu 18.04 LTS

[metalefty]

Good point. I'll also test it.

[jsribeiro]

Testing the new code with Microsoft's RDP client (mstsc.exe), I can see the smart card reader on pcsc_scan and even identify the connected smart card:

• https://gist.github.com/jsribeiro/e7b5af3110c45c66b08a97bc55854088

On this gist you can find the output for two different cards, using the same reader.

The pcsc_scan utility hangs at the end of the shown output, and it's necessary to do a Ctrl-C or kill the process.

The opensc-tool -l tool (which should list the smart card reader and smart card) just hangs when executing.

I'm using CentOS on the server. By the way, the package which contains pcsc_scan is also called pcsc-tools (on the EPEL repository).

[jsribeiro]

By the way, using the old code (xrdp master branch), the behavior is similar with a few differences:

• pcsc_scan doesn't hang after giving info on the smart cards (it cycles and reports future changes like card removal and insertion of different card);
• opensc-tool -l doesn't hang and show correct card reader information (card reader name and card presence);
• opensc-tool -n correctly identifies some cards (eg. "Cryptoflex 32K e-gate") but fails to identify others (eg. "Portuguese ID Card"), showing "Failed to connect to card: Internal error";

Summarizing, the old code wasn't working completely, but the new code seems to miss some of the things the old code was doing correctly.

Also, with the old code, the "Portuguese ID Card" application (QT app to use some card functionalities, link) can communicate with the card without apparent problems. With the new code, it doesn't even open (hangs at startup).

[jsorg71]

Looks like issues, let's not hold off release. I can work on these issues and do another release later for just smart card improvements.

[johnarnold]

Sorry I had to disappear for a bit. I'm back. What's next step?

[metalefty]

Time's up for v0.9.5. We can make another release to be in time for Ubuntu 18.04 LTS.

[bolkedebruin]

Has this been resolved yet?

[metalefty]

Not yet.

[acharintsev]

Excuse me. Is there any release information with smart card redirection support? Maybe in 1.0.0? :-). In April ?

[bazcoIndustries]

My project has moved to a DevOps system that requires smart card authentication. I work in a Linux VM, so I'm interested in this capability. Looked at @jsorg71's fork which is now several version behind. Haven't had luck getting a GNOME session to start with his version--probably a configuration issue.

The changes make a lot of sense, in particular exposing a socket for pcsc. I can't find another workable solution to forwarding a smart card to a Linux VM at the moment. Any chance this could get merged into the mainline soon?

To the others: Have you found other solutions?

[matt335672]

@bazcoIndustries - we've looked into this a few times in the past, but at the moment we don't have the architecture sorted out correctly, in a way which will give us a maintainable solution. @zorgluf has done some more work on this (see #1825) which may be of interest to you.