"pcscd PC/SC Smart Card Daemon" ?
-
After upgrade to 2.5.0 I see a new service "pcscd PC/SC Smart Card Daemon"
Don't actually recall installing anything like this and not sure what it's for, how to configure and use it.
Anybody can shed light ?
Thx
-
@chudak said in "pcscd PC/SC Smart Card Daemon" ?:
I see a new service "pcscd PC/SC Smart Card Daemon"
Hi,
These can be useful
https://www.freebsd.org/cgi/man.cgi?query=pcscd&sektion=8&manpath=freebsd-release-ports
https://pcsclite.apdu.fr/
-
@daddygo said in "pcscd PC/SC Smart Card Daemon" ?:
https://www.freebsd.org/cgi/man.cgi?query=pcscd&sektion=8&manpath=freebsd-release-ports
Thx !
Why all of the sudden it's exposed in 2.5.0 ?
-
@chudak said in "pcscd PC/SC Smart Card Daemon" ?:
Why all of the sudden it's exposed in 2.5.0 ?
That's a good question because it has been around for a long time:
https://www.freshports.org/devel/pcsc-lite
Maybe something new with SD cards + API(s) will be introduced to it
-
support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec: https://redmine.pfsense.org/issues/9878
-
@viktor_g said in "pcscd PC/SC Smart Card Daemon" ?:
e.g. hardware tokens such as Yubikey
Oh that's great
-
@viktor_g said in "pcscd PC/SC Smart Card Daemon" ?:
support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec: https://redmine.pfsense.org/issues/9878
Ok makes sense, thx !
Is there a reason to keep it on and what the best way to disable it ?
-
Anybody can shed light?
NetGate decided that despite:
- the fact that they don't ship a piece of hardware with such an interface;
- that almost no one uses smartcards for this purpose;
- the Yubikeys are better handled by a different interface;
- that using a Yubikey for this kind of authentication, i.e. leaving it plugged into your piece of network hardware at all times, pretty much undermines its security model;
- would be entirely more appropriate as a package
it would make sense to have this privileged code running at all times on some of the most memory and processor constrained hardware, without any ability to configure or even disable it, and to plunge the entire system into an error state if it should happen to not be running.
-
@izaac In the face of it also having a memory leak
https://redmine.pfsense.org/issues/12095
which took my SG-1100 to 92% RAM, I have disabled
-
You can stop the pcscd service from starting by editing your /etc/rc.bootup file.
Look for the following:
    /* pcscd daemon must be started before IPsec */
    echo "Starting PC/SC Smart Card Services...";
    mwexec_bg("/usr/local/sbin/pcscd");
    echo "done.\n";
Comment out the startup code, like this:
    /* pcscd daemon must be started before IPsec */
    /*
    echo "Starting PC/SC Smart Card Services...";
    mwexec_bg("/usr/local/sbin/pcscd");
    echo "done.\n";
    */
This code was added in this revision.
-
@mw said in "pcscd PC/SC Smart Card Daemon" ?:
This code was added in
That's useful, thx
Wonder why it's enabled by default ?!
-
It won't be enabled by default for long:
-
@mw said in "pcscd PC/SC Smart Card Daemon" ?:
Comment out the startup code, like this:
Just for info, commenting out the startup code and using IPSec, logs are filled up by these errors:
-- Jul 20 09:28:46 charon 78779 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
-
@psp Thanks for the heads up. I don't currently make use of IPsec so didn't think about the consequences.
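
As an added example, not part of the original posts or of pfSense: a small POSIX sh audit that reports whether the pcscd start call in an rc.bootup-style file is active or commented out, and whether charon is logging the C_WaitForSlotEvent error quoted above. The function names and the sample files in demo() are assumptions constructed for illustration, and only /* ... */ comments are understood.

```shell
#!/bin/sh
# Added example (not pfSense code); the sample files in demo() are constructed.

# Report whether the pcscd start call in an rc.bootup-style PHP file is
# "active", "commented" or "absent". Only /* ... */ comments are understood.
pcscd_boot_state() {
    awk -v needle='/usr/local/sbin/pcscd' '
    {
        line = $0
        while (line != "") {
            pos = index(line, in_c ? "*/" : "/*")
            chunk = pos ? substr(line, 1, pos - 1) : line
            if (index(chunk, needle)) { if (in_c) commented = 1; else active = 1 }
            if (pos) { line = substr(line, pos + 2); in_c = !in_c } else line = ""
        }
    }
    END { print (active ? "active" : (commented ? "commented" : "absent")) }
    ' "$1"
}

# Count charon PKCS#11 slot errors in a log file (prints 0 when there are none).
slot_error_count() {
    grep -c 'charon.*error in C_WaitForSlotEvent' "$1" || true
}

# $1 = rc.bootup path, $2 = IPsec log path
pcscd_audit() {
    state=$(pcscd_boot_state "$1"); errs=$(slot_error_count "$2")
    if [ "$state" != active ] && [ "$errs" -gt 0 ]; then
        echo "WARN: pcscd start is $state, charon logged $errs slot errors"
    else
        echo "OK: pcscd start is $state, $errs slot errors"
    fi
}

demo() {
    d=$(mktemp -d)
    cat > "$d/rc.bootup" <<'EOF'
/* pcscd daemon must be started before IPsec */
/* echo "Starting PC/SC Smart Card Services...";
mwexec_bg("/usr/local/sbin/pcscd");
echo "done.\n"; */
EOF
    printf '%s\n' 'Jul 20 09:28:46 charon 78779 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR' > "$d/ipsec.log"
    pcscd_audit "$d/rc.bootup" "$d/ipsec.log"
    rm -rf "$d"
}
demo
```
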
-
You can use 299.diff patch on 21.05/2.5.2
after applying you can disable pcscd on the VPN / IPsec / Advanced Settings page:
-
@viktor_g said in "pcscd PC/SC Smart Card Daemon" ?:
You can use 299.diff patch on 21.05/2.5.2
after applying you can disable pcscd on the VPN / IPsec / Advanced Settings page:
I applied the patch and enabled PKCS#11 Support (which I don't use BTW)
Saw the service go red and then green again, I guess restarted.
I thought the service would be completely removed and not sure what exactly changed ?
Thx
-
If you don't want it and don't use it, why did you go out of your way to enable it?
It's off by default which is what you'll want. After applying the patch, leave the box unchecked and then reboot.
-
@jimp said in "pcscd PC/SC Smart Card Daemon" ?:
If you don't want it and don't use it, why did you go out of your way to enable it?
See the initial post above, I am still trying to get rid of it exactly because I don't use it :)
It's off by default which is what you'll want. After applying the patch, leave the box unchecked and then reboot.
I did that and still see the red "pcscd PC/SC Smart Card Daemon" in the Service Status. Is it expected? If the answer is yes, why ?
-
The service is still there/defined but disabled. Several other services work the same way. Though it may not take much to hide it in this case. It's not a problem.
-
@jimp said in "pcscd PC/SC Smart Card Daemon" ?:
The service is still there/defined but disabled. Several other services work the same way. Though it may not take much to hide it in this case. It's not a problem.
OK I take that and thank you!
Before it was not possible to disable it.
It's just odd to see something disabled if you don't use it and even know where it's coming from.