flathub / org.remmina.Remmina

https://flathub.org/apps/details/org.remmina.Remmina

Smart Card Passthrough Doesn't seem to work #97

Open tkuraku opened 2 years ago

tkuraku commented 2 years ago

For a long time I couldn't get any flatpak applications to recognize my smart card. Non-flatpak applications worked as expected. Even the Yubico application, com.yubico.yubioath, would not see my smart card. Recently there was an update and now com.yubico.yubioath can use the smart card, which is great, but the application that I really need to use is Remmina, org.remmina.Remmina, since there is no other option besides flatpak for Remmina on RHEL 8. I use Remmina to remote into computers that require the smart card to be passed through to login. This is a big blocker for me using RHEL 8 and flatpak in general.

The main difference between the two applications seems to be the runtime.

com.yubico.yubioath                         org.kde.Platform/x86_64/5.15-21.08
org.remmina.Remmina                         org.gnome.Platform/x86_64/41

They both have the sockets=pcsc; permission, so it seems to me that there is either something about the org.kde.Platform that is able to handle the Yubikey FIPS smart card while the org.gnome.Platform is not or something about the flatpak packaging of org.remmina.Remmina has a bug.

On other Linux distributions like Debian or Fedora, where Remmina is normally packaged, the smart card support works without issue, so it is specific to flatpak.

This is on RHEL 8 with everything updated to the latest as of 4 November 2021.

tkuraku commented 2 years ago

I also noticed that the manifest file for com.yubico.yubioath uses a pcsc-lite module instead of pcsc. I tried building the flatpak myself with that added module in the manifest, but that didn't solve the issue.

antenore commented 2 years ago

Try to start remmina in debug

https://gitlab.com/Remmina/Remmina/-/wikis/Usage/Remmina-debugging

antenore commented 2 years ago

And raise up the freerdp logging as well

antenore commented 2 years ago

I need those traces to see what happens

tkuraku commented 2 years ago

remmina.txt

Here is the log file from the session. I connect to the server, but the smart card is not recognized on the other side. Like I said, this works with Remmina in non-flatpak distributions.

tkuraku commented 2 years ago

I did see this note in the log that might be relevant.

(org.remmina.Remmina:2): libsecret-INFO: 07:53:35.666: secret portal is not available: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: No such interface 'org.freedesktop.portal.Secret'

antenore commented 2 years ago

The secret service is used only to save passwords.

What I see is that the smart card is correctly recognized and shared.

I'll have to look at the code, because it's been a long time since I worked on this.

Be sure you have selected the correct authentication mechanism in the advanced tab.

I don't know when I will have time to look at this, in the next 20 days I won't be much connected.

tkuraku commented 2 years ago

I did a little more experimenting. I installed Fedora 35 in a vm and tried the remmina rpm from the repositories and from flathub. The remmina flatpak behaved exactly the same as on RHEL 8. The smart card doesn't seem to be shared. However, the rpm works as expected. I saved the log file from that session for a comparison to what is happening in the flatpak.

remmina_rpm.txt

Please let me know if there is anything else I can do to help track this down. It would be immensely helpful for me if this functionality worked with the flatpak distribution.

As a side note, I also tried the snap package on RHEL 8 and it didn't seem to be able to share the smart card either.

Thank you so much for all your help!

tkuraku commented 2 years ago

Remmina finally got added to EPEL for RHEL 8. Same as Fedora, the rpm version works to forward the smart card and the flatpak version does not. It would be cool to get this resolved. Let me know if I can help with testing. Thanks!

antenore commented 2 years ago

I think it's a sandboxing issue. I'll try to investigate it; the problem is that I don't have a smart card reader.

antenore commented 2 years ago

sudo flatpak override --socket=pcsc org.remmina.Remmina

Can you try? Before and after launching Remmina.

Edit: fixed command. Also, it should not be relevant.
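An added example (not code from Remmina, Flathub or FreeRDP) that mirrors how Flatpak layers the `sockets=` permission from the app metadata with system and user overrides, which is the mechanism the override command above touches; the keyfile contents are constructed, and the file paths named in the comments are assumptions about where a real installation keeps them.

```python
# Added example: compute the effective "sockets" a Flatpak app ends up with.
# Flatpak keyfiles carry a [Context] group with sockets=a;b;c; and an entry
# written as "!name" removes a socket granted by a lower layer. Layers are
# merged in order: app metadata, then system override, then user override.
# Assumed locations on a real system (not verified here):
#   /var/lib/flatpak/app/<id>/current/active/metadata
#   /var/lib/flatpak/overrides/<id>      (what "sudo flatpak override" writes)
#   ~/.local/share/flatpak/overrides/<id> (what "flatpak override --user" writes)
import configparser
from typing import Iterable, List, Set


def parse_sockets(keyfile_text: str) -> List[str]:
    """Return the raw entries of [Context] sockets=, e.g. ['x11', '!pcsc']."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the keyfile
    cp.read_string(keyfile_text)
    if not cp.has_section("Context") or not cp.has_option("Context", "sockets"):
        return []
    raw = cp.get("Context", "sockets")
    return [entry.strip() for entry in raw.split(";") if entry.strip()]


def effective_sockets(layers: Iterable[str]) -> Set[str]:
    """Merge keyfile layers in precedence order; '!name' revokes a grant."""
    granted: Set[str] = set()
    for text in layers:
        for entry in parse_sockets(text):
            if entry.startswith("!"):
                granted.discard(entry[1:])
            else:
                granted.add(entry)
    return granted


def has_pcsc(layers: Iterable[str]) -> bool:
    """True if the sandbox would get the pcscd socket after all overrides."""
    return "pcsc" in effective_sockets(layers)


# Constructed sample keyfiles modelled on the permission discussed in the thread.
APP_METADATA = """[Application]
name=org.remmina.Remmina
runtime=org.gnome.Platform/x86_64/41

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;pcsc;
"""
SYSTEM_OVERRIDE = "[Context]\nsockets=!pcsc;\n"   # an admin revoking pcsc
USER_OVERRIDE = "[Context]\nsockets=pcsc;\n"      # the user granting it back
```

On a real installation, `flatpak info --show-permissions org.remmina.Remmina` prints the already-merged result, so comparing it with this layered view shows which file is responsible for a missing `pcsc` entry.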

antenore commented 2 years ago

You also need at minimum https://www.fosslinux.com/13357/new-flatpak-1-3-2-uses-custom-fuse-filesystem-installation-technique.htm

antenore commented 2 years ago

Another thing to check is to compare how Remmina and FreeRDP are built in Kodi, for Red Hat and Fedora. This is to see if we are missing any library or build flags in the flatpak.

antenore commented 2 years ago

Another test.

https://github.com/FreeRDP/FreeRDP/blob/master/packaging/flatpak/com.freerdp.FreeRDP.json

If you could test the freerdp flatpak we could at least ditch freerdp (or not)

tkuraku commented 2 years ago

The minimum flatpak version is fine. RHEL 8 is on 1.8.5 and I also tested it on the latest Fedora with the same problems. I will try these other tests here in the next day or so. Thanks!

tkuraku commented 2 years ago

I just tried with the flatpak after running sudo flatpak override --socket=pcsc org.remmina.Remmina as you suggested. In the log there are some more error messages related to the smart card that might be helpful. remmina flatpak.log

antenore commented 2 years ago

I'll have a look.

You should not run flatpak as root.

tkuraku commented 2 years ago

I ran remmina as normal user, just set the override with sudo before running remmina.

Thanks. I'll work on testing the freerdp flatpak.

tkuraku commented 2 years ago

I wasn't able to get connected with freerdp (rpm or flatpak) at all. Not sure what I was doing wrong.

antenore commented 2 years ago

Can you show the options you have used? Take your time, I won't reply very soon.

tkuraku commented 2 years ago

I had a command like this:

flatpak run com.freerdp.FreeRDP /f /u:<user> /p:<pw> /v:<host> /d:<domain> /smartcard:"Yubico"

antenore commented 2 years ago

OK, a couple of things.

  1. smartcard use.

Are you using it to authenticate on Windows? If it's the case you have to add /smartcard-logon. NLA is not supported, so you have to specify /sec:tls or rdp, and in that case you will have to specify /smartcard-logon:rdp.

  2. smartcard device

Do you have any other smartcard devices? If you have just the Yubico, just use /smartcard

  3. Security

If xfreerdp fails to connect, it's probably negotiating the protocol security, and it falls back to something that is not, for some reason, supported, so you have to force it with, for instance, /sec:tls

  4. Authentication

Sometimes instead of using /u, /d, it's better to use /u:user@fqdn

antenore commented 2 years ago

> I just tried with the flatpak after running sudo flatpak override --socket=pcsc org.remmina.Remmina as you suggested. In the log there is some more error messages related to the smart card that might be helpful. remmina flatpak.log

SCARD_E_UNKNOWN_READER comes from the pcsc library, not from FreeRDP.

Do pcsc_scan and other pcsc tools correctly see the reader (with your user, or the same one that launches remmina and/or xfreerdp)?

tkuraku commented 2 years ago

The pcsc_scan utility finds the smart card without any problems. I cannot figure out how to get xfreerdp to connect. I tried all manner of permutations of your suggestions.

antenore commented 2 years ago

Any obvious message when you try to connect?

You can add /log-level:DEBUG

tkuraku commented 2 years ago

freerdp.log

Here is my log and here is the command I ran

flatpak run com.freerdp.FreeRDP /f /u:user@domain.com /v:HOST /smartcard:rdp /smartcard:rdp /smartcard-logon /sec:rdp /log-level:DEBUG

Thanks for your patience.

antenore commented 2 years ago

No problem at all, but the command line should be probably:

flatpak run com.freerdp.FreeRDP /f /u:user@domain.com /v:HOST /smartcard /smartcard-logon /sec:rdp /log-level:DEBUG

Or better (because it looks like rdp is not working well):

flatpak run com.freerdp.FreeRDP /f /u:user@domain.com /v:HOST /smartcard /smartcard-logon /sec:tls /log-level:DEBUG

tkuraku commented 2 years ago

Unfortunately, neither of those options works to connect. first_option.log second_option.log

antenore commented 2 years ago

I've read the whole thread one more time, and your use case is still not clear to me.

Are you trying to authenticate on the Windows host with the Yubikey? Or is it used on the Windows server for other authentication?

tkuraku commented 2 years ago

I connect to the Windows computer with RDP, and then log in to my user account with the Yubikey. So at the login screen the Yubikey is recognized and then I can enter my PIN to login.

tkuraku commented 2 years ago

Looks like this is probably related to: https://bugzilla.redhat.com/show_bug.cgi?id=2054826

antenore commented 2 years ago

If you can determine the latest version that works, we could 'impose' that version in the flatpak build until we get that bug fixed.

I cannot just follow up on this, so I'll need help to get the version that works, and to know when the bug is fixed upstream and a new version is tagged.

tkuraku commented 2 years ago

Not sure there is a version of flatpak that ever worked for me. The rpm package for RHEL 8 and Fedora 35 both work. I think the best thing to do is just wait for this to be resolved upstream.