OpenSC / OpenSC

Open source smart card tools and middleware. PKCS#11/MiniDriver/Tokend
https://github.com/OpenSC/OpenSC/wiki
GNU Lesser General Public License v2.1

Understanding/Documentation of why after ssh-ing to a system the card readers disappear. #3185

Closed cellarweasel closed 3 days ago

cellarweasel commented 6 days ago

Problem Description

I've found unexpected (to me) behavior and it might honestly be an important feature but I just wanted to ask the group if I'm understanding what I'm seeing.

evanroot@fedora ~> ssh-add -e /usr/lib64/opensc-pkcs11.so  
Card removed: /usr/lib64/opensc-pkcs11.so
evanroot@fedora ~> opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Identiv SCR3500 A Contact Reader [CCID Interface] (54302212603350) 00 00
evanroot@fedora ~> ssh localhost
evanroot@localhost's password: 
Last login: Sat Jun 22 14:01:26 2024 from ::1
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
evanroot@fedora ~> opensc-tool -l
No smart card readers found.
evanroot@fedora ~> 

Proposed Resolution

Maybe none as this might be required behavior. But perhaps some obvious documentation that this happens. (maybe I'm even just missing that bit of the wiki? But I've put a semi-decent amount of time into reading opensc's issues and docs so perhaps this is still obscure.)

Steps to reproduce

See the above CLI session. Simply create an ssh session and the 'presence' of my card reader disappears.

Logs

N/A, but let me know if you want to see anything else.

Using version 0.25.0 of opensc on Fedora 39

evanroot@fedora ~> dnf info opensc
Last metadata expiration check: 0:10:33 ago on Sat 22 Jun 2024 01:57:02 PM MDT.
Installed Packages
Name         : opensc
Version      : 0.25.0
Release      : 1.fc39
Architecture : x86_64
Size         : 3.5 M
Source       : opensc-0.25.0-1.fc39.src.rpm
Repository   : @System
From repo    : updates
Summary      : Smart card library and applications
URL          : https://github.com/OpenSC/OpenSC/wiki
License      : LGPL-2.1-or-later AND BSD 3-Clause
Description  : OpenSC provides a set of libraries and utilities to work with
             : smart cards. Its main focus is on cards that support
             : cryptographic operations, and facilitate their use in security
             : applications such as authentication, mail encryption and digital
             : signatures. OpenSC implements the PKCS#11 API so applications
             : supporting this API (such as Mozilla Firefox and Thunderbird) can
             : use it. On the card OpenSC implements the PKCS#15 standard and
             : aims to be compatible with every software/card that does so, too.

Available Packages
Name         : opensc
Version      : 0.25.0
Release      : 1.fc39
Architecture : i686
Size         : 1.3 M
Source       : opensc-0.25.0-1.fc39.src.rpm
Repository   : updates
Summary      : Smart card library and applications
URL          : https://github.com/OpenSC/OpenSC/wiki
License      : LGPL-2.1-or-later AND BSD 3-Clause
Description  : OpenSC provides a set of libraries and utilities to work with
             : smart cards. Its main focus is on cards that support
             : cryptographic operations, and facilitate their use in security
             : applications such as authentication, mail encryption and digital
             : signatures. OpenSC implements the PKCS#11 API so applications
             : supporting this API (such as Mozilla Firefox and Thunderbird) can
             : use it. On the card OpenSC implements the PKCS#15 standard and
             : aims to be compatible with every software/card that does so, too.

lsusb shows the same usb devices of course inside or outside network connections.

evanroot@fedora ~> lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 004 Device 016: ID 058f:6364 Alcor Micro Corp. AU6477 Card Reader Controller
Bus 004 Device 017: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 004 Device 018: ID 413c:301a Dell Computer Corp. Dell MS116 Optical Mouse
Bus 004 Device 019: ID 046d:c534 Logitech, Inc. Nano Receiver
Bus 004 Device 021: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 004 Device 025: ID 2516:0009 Cooler Master Co., Ltd. Storm Quick Fire PRO
Bus 004 Device 026: ID 04e6:5814 SCM Microsystems, Inc. SCR3500 A Contact Reader
evanroot@fedora ~> 
dengert commented 6 days ago

It's a security feature. By doing ssh localhost the new session is treated as a network user. Network users do not get access to devices like: camera, microphone, USB drives, smart card readers. How it is done varies by OS. You can see the devices, but can not use them. opensc-tool -l is an attempt to use the device via PCSC.

For example, a remote user should not be able to ssh to your machine and use your smartcard, which may be unlocked, to sign anything.

There are ways to use the local devices from a remote host. SSH tunneling can be used; Google for: "ssh tunnel smartcard" or Google for: "rdp".

dengert commented 6 days ago

Also see: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/assembly_controlling-access-to-smart-cards-using-polkit_security-hardening
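To make the mechanism Doug describes concrete, the following is an added model (not pcscd's, polkit's or OpenSC's own code) of the authorization check pcsc-lite delegates to polkit before a client such as opensc-tool may enumerate readers. The action IDs are the ones pcsc-lite registers; the allow_active / allow_any defaults mirror its shipped policy as I understand it; the group name `scard`, the hardening rule and the two sessions are constructed for the example.

```javascript
// Added illustration, not pcscd's or polkit's code: a stand-alone model of the
// polkit decision behind "No smart card readers found" in an ssh session.
const Result = { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" };

// Implicit authorizations as in pcsc-lite's polkit .policy file (assumed defaults):
// local+active sessions are allowed, everything else (incl. remote ssh) is not.
const implicit = {
  "org.debian.pcsc-lite.access_pcsc": { active: Result.YES, inactive: Result.NO, any: Result.NO },
  "org.debian.pcsc-lite.access_card": { active: Result.YES, inactive: Result.NO, any: Result.NO },
};

// Minimal polkit-like registry so a rule can be written in the same shape as a
// real /etc/polkit-1/rules.d/*.js file: polkit.addRule(function(action, subject) {...}).
const polkit = { Result, rules: [], addRule(fn) { this.rules.push(fn); } };

// Example hardening rule (constructed): only members of the hypothetical "scard"
// group may talk to pcscd at all; for members, fall through to the defaults so
// the local-vs-remote session check still applies.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.debian.pcsc-lite.") === 0 && !subject.isInGroup("scard")) {
    return polkit.Result.NO;
  }
  return polkit.Result.NOT_HANDLED;
});

function decide(actionId, subject) {
  // Explicit rules run first; the first one that answers wins.
  for (const rule of polkit.rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== Result.NOT_HANDLED) return r;
  }
  // Otherwise pick the implicit authorization from the session's local/active flags,
  // the same way polkit does for a subject without an explicit rule.
  const pol = implicit[actionId];
  if (!pol) return Result.NO;
  if (subject.local && subject.active) return pol.active;
  if (subject.local) return pol.inactive;
  return pol.any;
}

function makeSubject(user, local, active, groups) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Constructed sessions: a console login on a seat, and the same user via ssh localhost
// (logind reports the ssh session as Remote=yes with no seat, so local=false, active=false).
const consoleSession = makeSubject("evanroot", true, true, ["wheel", "scard"]);
const sshSession = makeSubject("evanroot", false, false, ["wheel", "scard"]);
const nonScardConsole = makeSubject("guest", true, true, ["users"]);
```

`decide("org.debian.pcsc-lite.access_pcsc", sshSession)` yields `no` even though the same user gets `yes` on the console, which is exactly the behaviour seen with opensc-tool -l above.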

Jakuje commented 5 days ago

Doug already explained the reasons. This is out of scope for OpenSC, as this is handled in the pcsc layer, so in any case I would propose moving this to discussions.

cellarweasel commented 3 days ago

Thank you, gentlemen. Doug very kindly did point out where the protocol that does this is specified (pcsc), and Jakub is right that this is technically not an issue or, per se, solved, but could be moved to discussions.