
I have a U2F yubikey device that works as expected, i.e. I can use it in Firefox and Chromium for U2F style authentication, and it even works on the command line with key-located/bound gpg and ssh sk keys.

However, whenever I browse the web in Firefox, my system journal is spammed with messages like the following:

Oct 03 13:27:13 example.org pcscd[3995]: 00627056 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:13 example.org pcscd[3995]: 00016093 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:18 example.org pcscd[3995]: 05082935 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:18 example.org pcscd[3995]: 00014093 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:18 example.org pcscd[3995]: 00126862 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:18 example.org pcscd[3995]: 00019371 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:19 example.org pcscd[3995]: 00969073 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:19 example.org pcscd[3995]: 00014576 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:59 example.org pcscd[3995]: 40081162 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:59 example.org pcscd[3995]: 00013050 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:28:00 example.org pcscd[3995]: 01170137 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:28:00 example.org pcscd[3995]: 00018057 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:28:24 example.org pcscd[3995]: 23750498 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive

That means I can trigger those bursts of messages whenever I'm clicking on yet another link in firefox.

NB: This happens on all pages, i.e. also on pages that don't try to do anything with U2F; also, the U2F key isn't flashing or requesting user-presence interaction or anything like that. Meanwhile, U2F features continue to work fine.

When running execsnoop in parallel, I can see that those messages correlate with bursts of /usr/bin/pkla-check-authorization invocations by /usr/lib/polkit-1/polkitd:

783.356 998 pkla-check-auth 3280463 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
783.381 998 pkla-check-auth 3280466 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
783.446 998 pkla-check-auth 3280470 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
783.469 998 pkla-check-auth 3280473 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
798.342 998 pkla-check-auth 3280737 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
798.359 998 pkla-check-auth 3280740 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
798.426 998 pkla-check-auth 3280743 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
798.440 998 pkla-check-auth 3280746 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_card
799.639 998 pkla-check-auth 3280788 1591 0 /usr/bin/pkla-check-authorization juser true true org.debian.pcsc-lite.access_pcsc

NB: process 1591 is polkitd

Curiously, I can trigger and observe the same behaviour when browsing with chromium ...

Naturally I want to fix these two things:

  1. stop that journal log spam
  2. eliminate that wasteful forking of all these pkla-check-authorization processes

How can I achieve that?

Are there some firefox/chromium settings I need to look into and change?

Do I perhaps need to make gpg play nicer together with polkitd/pcscd?

This happens on a Fedora 41 system.

1 Answer


The bogus pkla-check-authorization forks by polkitd can be eliminated by simply removing the polkit-pkla-compat package:

dnf remove polkit-pkla-compat 

Its package description reads:

A polkit JavaScript rule and associated helpers that mostly provide compatibility with the .pkla file format supported in polkit <= 0.105 for users of later polkit releases.

On my f41 system, there isn't any package that depends on that compat package and I don't even have any *.pkla files installed under /etc or /usr ...

FWIW, that system was dnf system-upgraded a few times, thus the compat package might have gotten pulled in in ancient times ...


The ../src/winscard.c:281:SCardConnect() Error Reader Exclusive pcscd error messages are caused by gpg's scdaemon grabbing any U2F key (that also supports openpgp card features) exclusively, by default.

Then, even when not doing any U2F/webauth stuff in the browser, browsers like Firefox/chromium easily detect higher-end U2F keys (such as most yubikeys) also as p11/piv style security devices that they then try to init/query on every https handshake or similar (see also a comment in a related debian bug thread). Thus, since most web traffic is https secured nowadays, following a link likely triggers many of the above pcscd error messages when scdaemon is running with default settings.

This can be fixed by adding the following directives to ~/.gnupg/scdaemon.conf:

disable-ccid
pcsc-shared

See also a blog post by the pcsc-lite maintainer on this topic:

With the above changes, all U2F/Webauth/gpg/ssh related U2F key operations continue to work, without the system journal getting spammed with pcsc errors.


FWIW, in shared mode, gpg's scdaemon doesn't seem to cache the 'smart card' PIN anymore, such that it needs to be entered every time.

One thing that seems to break the PIN is access to the PIV/p11/pkcs11 functionality of the U2F key device, e.g. by gpg and a browser. Thus, as a workaround, if you just use U2F/webauth and not PIV in your browser, you can disable that other stuff like this:

$ cat ~/.config/pkcs11/modules/opensc.module
module: opensc-pkcs11.so
disable-in: firefox chromium chromium-browser

(cf. /usr/share/p11-kit/modules/opensc.module, /etc/pkcs11/modules to make sure to have the system defaults included and pkcs11.conf(5))

Similarly, one can disable piv like this in gpg:

$ cat ~/.gnupg/scdaemon.conf
disable-ccid
pcsc-shared
disable-application piv

In my case gpg still succeeds in working with the key located on that device, apparently because it's provided by yet another device 'application'. Without that extra disable-application piv line, each gpg invocation that does something with the key seems to probe the PIV part first, which clears the PIN cache such that one has to enter the PIN each time.

    pcscd doesn't touch U2F keys – that's a completely incompatible protocol (and which browsers access through hidraw directly). Browsers use it solely for traditional, pre-U2F smartcard interfaces such as the PIV/CCID mode of a yubikey. Unfortunately PIV and OpenPGP are both implemented as two mutually exclusive modes of the same "smartcard" sub-device in the case of a yubikey (whereas U2F is an entirely separate sub-device). Commented Oct 3 at 16:32
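Added example, not part of the question, the answer or the comment above: a POSIX shell script that applies the answer's scdaemon.conf and p11-kit module changes idempotently to a configuration root you pass in (assumed to mirror $HOME, i.e. $root/.gnupg/scdaemon.conf and $root/.config/pkcs11/modules/opensc.module), counts the pcscd "Reader Exclusive" lines from the question in a saved journal excerpt so the effect can be measured before and after, and lists any *.pkla files under given roots before you consider the dnf remove step. The function names, the demo on a throwaway directory and the embedded journal excerpt are constructed for this example; the directives and file contents themselves are the ones from the answer.

```shell
#!/bin/sh
# Added example: apply the answer's fixes to a config root that mirrors $HOME and
# check the effect. Nothing here touches the real $HOME unless you pass it in.
set -u

# Append one scdaemon.conf directive unless that exact line is already present,
# so repeated runs and hand-written configs are left intact.
ensure_directive() {
    conf=$1; directive=$2
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -qx "$directive" "$conf" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$directive" >> "$conf"
}

# Directives from the answer: no exclusive grab of the card by scdaemon, and skip
# the PIV application so the OpenPGP PIN cache survives browser PIV/PKCS#11 probes.
configure_scdaemon() {
    conf="$1/.gnupg/scdaemon.conf"
    ensure_directive "$conf" "disable-ccid"
    ensure_directive "$conf" "pcsc-shared"
    ensure_directive "$conf" "disable-application piv"
    chmod 600 "$conf"
}

# Per-user p11-kit override from the answer: opensc-pkcs11 stays available system
# wide but is hidden from the browsers, which reach the U2F device via hidraw anyway.
configure_p11_override() {
    mod="$1/.config/pkcs11/modules/opensc.module"
    mkdir -p "$(dirname "$mod")"
    printf 'module: opensc-pkcs11.so\ndisable-in: firefox chromium chromium-browser\n' > "$mod"
}

# Count the pcscd SCardConnect "Reader Exclusive" lines in a saved journal excerpt
# (e.g. from journalctl -u pcscd), to compare before and after the change.
count_reader_exclusive() {
    grep -c 'SCardConnect() Error Reader Exclusive' "$1" || true
}

# Number of .pkla files below the given roots; zero means polkit-pkla-compat has
# nothing left to translate and its removal (per the answer) costs nothing.
count_pkla_files() {
    find "$@" -type f -name '*.pkla' 2>/dev/null | wc -l | tr -d ' '
}

# Demo on a throwaway root. The journal excerpt is constructed sample data modelled
# on the lines quoted in the question.
demo() {
    root=$(mktemp -d)
    cat > "$root/journal.txt" <<'EOF'
Oct 03 13:27:13 example.org pcscd[3995]: 00627056 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:13 example.org pcscd[3995]: 00016093 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
Oct 03 13:27:18 example.org pcscd[3995]: 05082935 ../src/winscard.c:281:SCardConnect() Error Reader Exclusive
EOF
    echo "reader-exclusive errors in sample excerpt: $(count_reader_exclusive "$root/journal.txt")"
    echo "pkla files under $root: $(count_pkla_files "$root")"
    configure_scdaemon "$root"
    configure_scdaemon "$root"   # second run must not duplicate any directive
    configure_p11_override "$root"
    echo "--- $root/.gnupg/scdaemon.conf"; cat "$root/.gnupg/scdaemon.conf"
    echo "--- $root/.config/pkcs11/modules/opensc.module"; cat "$root/.config/pkcs11/modules/opensc.module"
    rm -rf "$root"
}

demo
```

To apply it for real, source the file and call `configure_scdaemon "$HOME"` and `configure_p11_override "$HOME"`, then restart scdaemon (`gpgconf --kill scdaemon`) and the browser; `count_pkla_files /etc /usr` before `dnf remove polkit-pkla-compat` reproduces the check the answer describes. The script only ever appends missing lines to scdaemon.conf, so an existing configuration is preserved.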
