neutrinolabs / xrdp

xrdp: an open source RDP server
http://www.xrdp.org/
Apache License 2.0

use existing pcsc library instead of building replacement #471

Open hdeadman opened 7 years ago

hdeadman commented 7 years ago

Update: From what I understand, based on comments below, xrdp builds its own libpcsclite.so, but the real library supports letting an environment variable (PCSCLITE_CSOCK_NAME) point back at xrdp, which presents itself as a smart card (shared from the client). This issue was originally asking for some documentation, but it seems to have some useful information, so I am renaming it.

Original: I see references (when googling) to people using smart cards with xrdp, but they are all a few years old. I haven't found any instructions on how to get it working. I am running the latest released xrdp (from the EPEL package) on Red Hat 7 and I am able to connect from mstsc over TLS. Here are some questions I have; if answered, I could add something to the wiki.

Is the smart card support in xrdp supposed to be for letting you login to xrdp or is it meant to allow you to use your smartcard in an application on the remote machine like using firefox to browse to a site requiring smart card authentication? Or are both possible?

Do I need to enable a channel in xrdp.ini for smartcard support? Are any other configuration changes required in xrdp.ini?

Is the XRDP PCSC fork still required? It's pretty out of date and the PCSC project seems active, has @LudovicRousseau ever been approached about making any changes necessary to support RDP? I see a reference in his code that talks about RDP: CCID

Would the smart card in the remote desktop session show up as a USB device?

LudovicRousseau commented 7 years ago

I think I have never been approached to add support of XRDP in pcsc-lite.

The code forked in https://github.com/neutrinolabs/pcsc/commits/master is quite old. For example, it uses shared memory to communicate between pcscd and libpcsclite. This has not been used since pcsc-lite 1.6.0, released in 2010. It looks like the fork uses pcsc-lite 1.5.5, released in 2009.

jsorg71 commented 7 years ago

Hi @LudovicRousseau, that was me. Yes, the pcsc fork under NeutrinoLabs is old and I'll delete it. There is smartcard support in xrdp under the devel branch. One hack that you need to do to use it is to overwrite libpcsclite.so on the system. It would be great if we could integrate what we've done in xrdp into libpcsclite. I think all we need to do is change libpcsclite.so so that if it sees an environment variable, it uses that to know which Unix domain socket to connect to. xrdp will act like pcscd.

hdeadman commented 7 years ago

I cloned X11RDP-RH-Matic and built the devel branch on RedHat 7 with this command:

./X11RDP-RH-Matic.sh --branch devel --with-xorgxrdp --nox11rdp

I modified /etc/xrdp/startwm.sh to contain the line: xfce4-session prior to the line "pre_start".

I am now running the devel branch but I didn't see any libpcsclite.so get built.

I ran make in ~/rpmbuild/BUILD/neutrinolabs-xrdp-f949201/sesman/chansrv/pcsc/Makefile and now I have libpcsclite.so. Should the symlink in /usr/lib64/libpcsclite.so.1 point at that? It's three years old and half the size of the version that ships with pcsclite 1.8.8.

What are the next steps for me to see if my smart card is visible in the xrdp session (now that I am running latest devel branch)? Any changes to anything under /etc/xrdp? I don't see any references to smart cards or pcsc in there.

Thanks.

jsorg71 commented 7 years ago

@LudovicRousseau I was just looking at winscard_msg.c function getSocketName(). It looks like it is already using the environment variable PCSCLITE_CSOCK_NAME, so I think we're good. It looks like it was added 2010-11-04 with sha1 5fbc9db. I don't know how I missed it.

LudovicRousseau commented 7 years ago

I knew I added something like that. It is https://github.com/LudovicRousseau/PCSC/commit/5fbc9dbc70366ef18f8c7ebde0f00a64854b6c39

johnarnold commented 6 years ago

@jsorg71 is PCSC support working?

jsorg71 commented 6 years ago

The current pcsc support in xrdp requires you to replace an .so file and it does not work great. I have new code that does not require any change to pcsclite and works much better. I have to clean it up and merge it in.

jsribeiro commented 6 years ago

I have to clean it up and merge it in.

@jsorg71 Do you have any ETA for that? In broad terms, of course.

I've been testing smartcard support on xrdp (with the replacement libpcsclite.so) and, although it works quite well when using Microsoft's RDC client, it starts breaking up when using FreeRDP-based clients.

Would love to see these updates on xrdp's smartcard functionality and would gladly test it extensively.

johnarnold commented 6 years ago

@jsorg71 Same, this is a priority for me. All of our services require 2FA now for users.

mvalente commented 6 years ago

@jsorg71 Same.

Currently using xrdp 0.9 with proprietary pcsclite, and although pcsc_scan detects a card (shared from a Windows machine through RDP) I can't get the card to work. I get this in a loop:

Waiting for the first reader...found one
Scanning present readers...
SCardListReaders:
SCardListReaders: mszGroups (null)
SCardListReaders: pcchReaders 1
send_message:
0000 06 00 00 00 00 00 00 00 00 00 00 00 ............
get_message:
get_message: loop
SCardListReaders: mszReaders (nil) pcchReaders 0x7fff5e9d6858 num_readers 0
SCardListReaders: status 0x00000000
SCardListReaders:
SCardListReaders: mszGroups (null)
SCardListReaders: pcchReaders 0
send_message:
0000 06 00 00 00 00 00 00 00 00 00 00 00 ............
get_message:
get_message: loop
SCardListReaders: mszReaders 0x5605a218f670 pcchReaders 0x7fff5e9d6858 num_readers 0
SCardListReaders: status 0x00000000
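The trace above is hard to read when the lines run together. As an added triage helper (not part of xrdp or pcsc-lite), the following Python splits the xrdp chansrv debug output back into records, extracts each SCardListReaders result and flags the pattern seen here: status 0 (success) but num_readers 0 on both the length-query call and the buffer-supplied call, which is why pcsc_scan keeps polling. The record prefixes and field names are taken from the quoted trace; the embedded string is that excerpt.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the debug trace quoted in the comment above, as one run-together string.
TRACE = (
    "SCardListReaders: SCardListReaders: mszGroups (null) SCardListReaders: pcchReaders 1 "
    "send_message: 0000 06 00 00 00 00 00 00 00 00 00 00 00 ............ "
    "get_message: get_message: loop "
    "SCardListReaders: mszReaders (nil) pcchReaders 0x7fff5e9d6858 num_readers 0 "
    "SCardListReaders: status 0x00000000 "
    "SCardListReaders: SCardListReaders: mszGroups (null) SCardListReaders: pcchReaders 0 "
    "send_message: 0000 06 00 00 00 00 00 00 00 00 00 00 00 ............ "
    "get_message: get_message: loop "
    "SCardListReaders: mszReaders 0x5605a218f670 pcchReaders 0x7fff5e9d6858 num_readers 0 "
    "SCardListReaders: status 0x00000000"
)

@dataclass
class ListReadersCall:
    buffer_given: bool          # False for the length-query call (mszReaders nil)
    num_readers: int
    status: Optional[int]       # SCardListReaders return code, 0 == SCARD_S_SUCCESS

def split_trace(text):
    """Each record starts with a function-name prefix; split there so the
    hex dump following send_message: stays attached to its record."""
    return re.split(r"\s+(?=(?:SCardListReaders|send_message|get_message):)", text.strip())

def parse_list_readers(text):
    """Pair every 'mszReaders ... num_readers N' record with the status that follows it."""
    calls, current = [], None
    for rec in split_trace(text):
        m = re.match(r"SCardListReaders: mszReaders (\S+) pcchReaders \S+ num_readers (\d+)", rec)
        if m:
            current = ListReadersCall(m.group(1) != "(nil)", int(m.group(2)), None)
            continue
        m = re.match(r"SCardListReaders: status 0x([0-9a-fA-F]+)", rec)
        if m and current is not None:
            current.status = int(m.group(1), 16)
            calls.append(current)
            current = None
    return calls

def diagnose(calls):
    if not calls:
        return "no SCardListReaders result records found"
    if all(c.status == 0 and c.num_readers == 0 for c in calls):
        return "success status but zero readers: the xrdp side answers but advertises no reader"
    if any(c.status != 0 for c in calls):
        return "SCardListReaders returned an error status"
    return "readers enumerated"
```

Feed it a longer capture to see whether the empty reader list persists across every poll or only until the redirected reader is announced.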

jsorg71 commented 6 years ago

I added #963 for this.

choman commented 6 years ago

I know everyone is busy working on this. I'm curious, and I'm sure others are too. Can we get a small status update? No worries if not, just really excited to try out native pcsc-lite support. Also, I'd like to try it out. Is it too soon? What branch is this being worked in?

Thanks again