Comments (9)
The annoying thing here is that the ONLY place this doesn't work is in ChromeOS. It works with chrome browser on any other supported OS (BSD, Linux, Windows, and MacOS). For a company that touts 2-factor, physical tokens, and FIDO - it's a bit annoying that their OS doesn't actually allow this.
As much as I would like to continue to use ChromeOS/PixelBooks as a daily portable driver, I've been forced back to a Linux laptop to be able to access gitlab/github, my passwords (gopass), sign releases, etc. Basically, if you've bought into 2-factor GPG/SSH/FIDO, you have no realistic way of using ChromeOS unless EVERYTHING you do can be done via Chrome Apps/Browser.
from chromeos_smart_card_connector.
It appears there might be a way to share access if one or the other process isn't "actively" using the smart card.
https://wiki.archlinux.org/index.php/GnuPG#Shared_access_with_pcscd
Thanks, but AFAICS that article talks about sharing access between multiple clients of the single pcscd daemon.
Here, in case of Chrome OS / Crostini, we have a different problem: it's a conflict between two different pcscd daemons. One daemon is running inside the Smart Card Connector app, and another one is the "standard" pcscd running inside the guest OS in Crostini.
from chromeos_smart_card_connector.
+1 this would solve a number of problems. It would be even better if it wouldn't take exclusive use, if possible. That would mean you wouldn't have to go frob it off, then frob it back on later.
from chromeos_smart_card_connector.
Changing the exclusive use would be pretty hard, both from the implementation perspective (involving significant rework of the CCID free software driver) and also from the practical usefulness (since a smart card middleware like CSSI will anyway keep a constantly opened connection to the reader/token in order to notify Chrome about changes).
Tackling this problem in a correct way might be related to the ongoing effort of converging the smart card stack on Chrome OS, like exposing it to PWAs. That'll be a long road though, especially for Crostini where smart cards haven't been prioritized yet.
So I'm afraid the manual disconnection would have to be our short- and middle-term solution.
from chromeos_smart_card_connector.
The thing that gives me hope is that smart card sharing between multiple applications in a host/guest scenario is something that has been solved by VMware and Parallels and possibly Virtualbox already, so hopefully the incredibly clever folks at Google can work this out, especially with the decline of NaCl applications and the switch to WebASM for a lot of things.
from chromeos_smart_card_connector.
For the sharing smart card support between Crostini and the host OS, please file an issue into the Chromium tracker (https://crbug.com), which in particular tracks the Crostini-related tasks. This would need to be a separate effort, since there's no trivial way how this would work (as you cannot access the same USB device from two OSes simultaneously, and since the standard PC/SC-Lite daemon always keeps an open connection to the reader).
from chromeos_smart_card_connector.
It appears there might be a way to share access if one or the other process isn't "actively" using the smart card.
https://wiki.archlinux.org/index.php/GnuPG#Shared_access_with_pcscd
from chromeos_smart_card_connector.
BTW, in case anyone would like to contribute the disconnect/disable workaround proposed in this issue (as on our side working on this issue isn't prioritized yet), the implementation could follow the pattern of the `Libusb.ChromeLoginStateHook` class that is also implementing a proxy for the USB API that dynamically hides devices based on some criteria. (The main difference is that this `Libusb.ChromeLoginStateHook` class shows/hides all devices at once, and that it doesn't have any user-visible UI/controls. But the implementation idea could be the same.)
from chromeos_smart_card_connector.
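An added example, not part of the thread and not the project's code, of the per-device hiding proxy the comment above proposes. Every class, method and device value is hypothetical, and the in-memory backend is constructed so it runs offline; a real USB API would be asynchronous.

```javascript
// Added illustration: all names are hypothetical, not the Smart Card Connector's API.
class PerDeviceHidingHook {
  constructor(backend) {
    this.backend = backend;        // needs getDevices(), openDevice(id), closeDevice(handle)
    this.released = new Set();     // ids the user handed over to another consumer
    this.openHandles = new Map();  // id -> handle opened through this hook
  }
  // UI action "release": hide the device and drop our handle so another stack can claim it.
  release(id) {
    this.released.add(id);
    const handle = this.openHandles.get(id);
    if (handle) { this.backend.closeDevice(handle); this.openHandles.delete(id); }
  }
  reclaim(id) { this.released.delete(id); }
  getDevices() {
    return this.backend.getDevices().filter((d) => !this.released.has(d.device));
  }
  openDevice(id) {
    // A hidden device must look absent, not merely unlisted.
    if (this.released.has(id)) throw new Error('no such device');
    const handle = this.backend.openDevice(id);
    this.openHandles.set(id, handle);
    return handle;
  }
}

// Constructed in-memory backend standing in for a USB API.
function makeFakeBackend() {
  const opened = new Set();
  const devices = [{ device: 1, productName: 'Token A' }, { device: 2, productName: 'Reader B' }];
  return {
    opened,
    getDevices: () => devices.slice(),
    openDevice: (id) => { opened.add(id); return { id }; },
    closeDevice: (handle) => { opened.delete(handle.id); },
  };
}

function demo() {
  const backend = makeFakeBackend();
  const hook = new PerDeviceHidingHook(backend);
  hook.openDevice(1);   // the consumer holds the token, as a PC/SC daemon would
  hook.release(1);      // the user releases it
  const visible = hook.getDevices().map((d) => d.device);
  let rejected = false; try { hook.openDevice(1); } catch (e) { rejected = true; }
  const handleClosed = !backend.opened.has(1);
  hook.reclaim(1);
  return { visible, rejected, handleClosed, afterReclaim: hook.getDevices().length };
}
```

Closing the handle in `release` is the step that matters for the conflict discussed in this thread, since a consumer that keeps its connection open prevents the other stack from claiming the reader.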
FWIW, smart card access in Crostini is now working for me on 92 beta, if I disable the Smart Card Connector app in chrome://extensions/ using the toggle and if I go to settings and attach the USB token to the Linux container under Settings -> Developers -> Linux development environment -> Manage USB devices (or using `vmc` in `crosh`).
It would still be nice if the Smart Card connector app could automagically release the smart card or even allow access / attachment to Crostini instead, tho.
from chromeos_smart_card_connector.