Anthony J. Martinez

SmartCards and Fedora

Attempting to use my second Librem Key with Fedora presented some challenges in dealing with pcscd. The root cause is that polkit does not allow normal users access to pcsc or the smartcard itself. This can be resolved with a single rule:

In /etc/polkit-1/rules.d/42-pcsc.rules:

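// Allow members of the wheel group to reach pcscd and the card itself.
polkit.addRule(function(action, subject) {
  if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
       action.id == "org.debian.pcsc-lite.access_card") &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  // No return value here: polkit moves on to later rules and the action's defaults.
});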

For the subject.isInGroup condition, I used the group wheel as I am the only member of that group on the system in question. Use your own discretion here, or use an even more specific condition to allow only one user like subject.user == "foo".
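
The group-based rule and the single-user variant can be checked outside polkit before the file is installed. This is an added example, not part of the original post: polkit.Result is a stand-in object, and decide(), makeSubject() and the users alice and foo with their group lists are constructed for illustration.

```javascript
// Stand-in for the part of the polkit rule API that the rule touches (constructed).
const polkit = { Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" } };

const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card",
];

// Same decision as the rule in 42-pcsc.rules: wheel members get YES.
function groupRule(action, subject) {
  if (PCSC_ACTIONS.includes(action.id) && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
}

// Narrower variant from the text: one named user ("foo" is the page's placeholder).
function userRule(action, subject) {
  if (PCSC_ACTIONS.includes(action.id) && subject.user == "foo") {
    return polkit.Result.YES;
  }
}

// Constructed subject exposing only the fields these rules read.
function makeSubject(user, groups) {
  return { user, groups, isInGroup: (g) => groups.includes(g) };
}

// Rules run in order and the first one that returns a result decides.
// If none does, the action's own defaults apply, shown here as "default".
function decide(ruleSet, actionId, subject) {
  for (const rule of ruleSet) {
    const result = rule({ id: actionId }, subject);
    if (result != null && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return "default";
}

// Constructed users: alice is in wheel, foo is not.
const alice = makeSubject("alice", ["alice", "wheel"]);
const foo = makeSubject("foo", ["foo"]);
for (const [name, rule] of [["group rule", groupRule], ["user rule", userRule]]) {
  for (const subject of [alice, foo]) {
    console.log(name, subject.user, decide([rule], PCSC_ACTIONS[1], subject));
  }
}
```

The group rule grants access to every current and future member of wheel, while the user rule grants it to foo alone regardless of group membership.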

Additional Points

While this does allow access through pkcs11 and pkcs15 tools or gpg, I have not yet found the magic potion that will allow me to use both. Whichever tools are used first have a monopoly on the device. That said, on a modern Linux distro just using pkcs11 ought to do the trick.

Update: 2021-06-18

You can simply kill gpg-agent if you wish to use the pkcs11 interface after gpg takes a greedy lock on the device.

Encryption

Use -engine pkcs11 with openssl subcommands that support it:

openssl rsautl -engine pkcs11 -keyform e -inkey <KEY_ID> -encrypt -in <INPUT> -out <OUTPUT>

SSH

Use "pkcs11:id=%<KEY_ID>?pin-value=<PIN>" as the identity file argument for ssh either on the command line, or in an ssh_config file. You will likely wish to get the PIN value itself from somewhere so it's not just in plaintext in your history:

ssh -i "pkcs11:id=%03?pin-value=123456" user@host

Or in an ssh_config file:

Host host
  IdentityFile "pkcs11:id=%03?pin-value=123456"
  User user