How to find out which process is accessing the card?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

How to find out which process is accessing the card?

František Řezáč
Hi,

I'm using smart card for almost everything in my daily work, but I have a problem which drives me crazy. I'm using YubiKey in two scenarios: pkcs11 based PAM and SSH authentication and also as a GPG‎ smart card. I understand that accesing one card via pkcs11 and scdaemon in turns is troubling, because GPG tends to lock the access to the card for itself full time, but I can handle that by manualy terminating scdaemon.

But I have also come across the opossite situation many times - something locks access to the card via pkcs11 which prevents the access from scdaemon with the dreaded "PC/SC OPEN failed: sharing violation". The problem is that I don't know which process is using the card so I don't know how to deal with it except for restarting the whole pcscd. Also this problem seems to happen randomly so I don't have any clue if it's pam module or ssh agent or something else and it also randomly disappears. If I know what is using the card, I could try to configure it better or deal with it more gently.

And that's my question - how to find out what is currently accessing/locking the card at a given time? I tried to figure it out myself, but after I have seen this schema https://blog.flameeyes.eu/2011/04/additional-notes-about-the-smartcard-components-diagram/ I realized that I don't even know at which level I should look for that information.

--
František
http://calavera.info/

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
Reply | Threaded
Open this post in threaded view
|

Re: How to find out which process is accessing the card?

Ludovic Rousseau
2017-09-27 21:58 GMT+02:00 František Řezáč <[hidden email]>:
Hi,

Hello,
 

I'm using smart card for almost everything in my daily work, but I have a problem which drives me crazy. I'm using YubiKey in two scenarios: pkcs11 based PAM and SSH authentication and also as a GPG‎ smart card. I understand that accesing one card via pkcs11 and scdaemon in turns is troubling, because GPG tends to lock the access to the card for itself full time, but I can handle that by manualy terminating scdaemon.

But I have also come across the opossite situation many times - something locks access to the card via pkcs11 which prevents the access from scdaemon with the dreaded "PC/SC OPEN failed: sharing violation". The problem is that I don't know which process is using the card so I don't know how to deal with it except for restarting the whole pcscd. Also this problem seems to happen randomly so I don't have any clue if it's pam module or ssh agent or something else and it also randomly disappears. If I know what is using the card, I could try to configure it better or deal with it more gently.

And that's my question - how to find out what is currently accessing/locking the card at a given time? I tried to figure it out myself, but after I have seen this schema https://blog.flameeyes.eu/2011/04/additional-notes-about-the-smartcard-components-diagram/ I realized that I don't even know at which level I should look for that information.


Please tell me if it works for you or if you need something different.

Bye

--
 Dr. Ludovic Rousseau

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
Reply | Threaded
Open this post in threaded view
|

Re: How to find out which process is accessing the card?

František Řezáč
I was surprised by your solution based on proc/maps, I expected something more specific to the pcsc stack, but I gave it a try and I think I have found what I'm looking for. But it wasn't straightforward so I'm sending some notes back.

Most importantly I was surprised how many processes are running with pcsc lib all the time. For example I definitely wasn't expecting wpasupplicant. Those processes however were not accessing smart card at all so I had to conduct a better analysis looking at those processes found by your tool for a longer time and I found a behavior pattern which pointed to the final offender (gdm-session-worker). So although it wasn't as simple as I would like, your tool helped a lot, thanks.

2017-09-28 14:45 GMT+02:00 Ludovic Rousseau <[hidden email]>:
2017-09-27 21:58 GMT+02:00 František Řezáč <[hidden email]>:
Hi,

Hello,
 

I'm using smart card for almost everything in my daily work, but I have a problem which drives me crazy. I'm using YubiKey in two scenarios: pkcs11 based PAM and SSH authentication and also as a GPG‎ smart card. I understand that accesing one card via pkcs11 and scdaemon in turns is troubling, because GPG tends to lock the access to the card for itself full time, but I can handle that by manualy terminating scdaemon.

But I have also come across the opossite situation many times - something locks access to the card via pkcs11 which prevents the access from scdaemon with the dreaded "PC/SC OPEN failed: sharing violation". The problem is that I don't know which process is using the card so I don't know how to deal with it except for restarting the whole pcscd. Also this problem seems to happen randomly so I don't have any clue if it's pam module or ssh agent or something else and it also randomly disappears. If I know what is using the card, I could try to configure it better or deal with it more gently.

And that's my question - how to find out what is currently accessing/locking the card at a given time? I tried to figure it out myself, but after I have seen this schema https://blog.flameeyes.eu/2011/04/additional-notes-about-the-smartcard-components-diagram/ I realized that I don't even know at which level I should look for that information.


Please tell me if it works for you or if you need something different.

Bye

--
 Dr. Ludovic Rousseau

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle



--

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
Reply | Threaded
Open this post in threaded view
|

Re: How to find out which process is accessing the card?

Ludovic Rousseau
2017-10-24 10:28 GMT+02:00 František Řezáč <[hidden email]>:
I was surprised by your solution based on proc/maps, I expected something more specific to the pcsc stack, but I gave it a try and I think I have found what I'm looking for. But it wasn't straightforward so I'm sending some notes back.

Most importantly I was surprised how many processes are running with pcsc lib all the time. For example I definitely wasn't expecting wpasupplicant.

wpasupplicant has support of EAP-SIM authentication scheme. To read the SIM card it needs to use PC/SC.

Those processes however were not accessing smart card at all so I had to conduct a better analysis looking at those processes found by your tool for a longer time and I found a behavior pattern which pointed to the final offender (gdm-session-worker). So although it wasn't as simple as I would like, your tool helped a lot, thanks.

libpcsclite can be loaded by a chain of library. My tool [1] will only give you the name of the process.
I don't think it it possible to tell which library loaded libpcsclite.so.1 just at looking at the /proc/*/maps files.

I am happy my (simple) tool helped you.

Bye

[1] https://github.com/LudovicRousseau/contrib/blob/master/list_pcsc_applications.sh

--
 Dr. Ludovic Rousseau

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle