On Fri, Oct 9, 2020 at 4:16 PM Marius Schwarz <fedora...@cloud-foo.de> wrote: > > Am 09.10.20 um 13:18 schrieb Nikos Mavrogiannopoulos: > > LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu > --color | tee log.txt > > This the unchanged output:
> 00492770 [140407774111296] auth.c:137:IsClientAuthorized() Process 33529 > (user: 1001) is NOT authorized for action: access_pcsc ^^^ What's this process? (you'll need to figure in your current system) > Main-problem with it: ABORT just loops to the same requester again and again, > resulting in an endless loop > First thing to change to pcscd, accept an abort for what it is and don't ask > again. > That would solve the major problem, still anoying, but at least it doesn't > stop the session login. What you see is not coming from pcscd. This is a polkit dialog you are seeing because the process above in your system decided to do some actions on smart cards. pcscd has no way to know whether that's a new or a repeating request. > Second thing to chance: just ask, if a usable hw is found. Asking permission > for an impossible task is the definition of madnes > > Back to your request to change the policy: > > I don't see any restrictions for remote access. ( F33 has same as > https://pastebin.com/Mn8mzjVp ) > > <allow any>auth_admin > <allow_inactive>auth_admin > <allow_active>yes > > and I have no clue, besides setting those above to "no", which had the hoped > result(tested), how to change the file to ignore or skip the request it > generates via polkit when gnome starts.But I'm pretty sure, changing the > policy file, just makes thing unusable in case a smartcardread is really > available in the system. Try setting the access daemon part from auth_admin to yes. Does it address the issue? > As all the opensc tools supplied just return "No smart card readers found.", > an invoke of the accessrequest should only be made, if a smartcard is really > accessed and not everytime someone logs in. > And from what i can see on the net, you're the man who knows the answeres ;) Unfortunately I don't :) regards, Nikos _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
