
udev Rules for PC/SC Smartcard Readers

Introduction

Using OpenPGP smartcards under Debian-based systems is not as straightforward as it should be. In order to use your smartcard with GNU Privacy Guard (GPG), you need to make sure that the device is recognized by the system, and that authorized users can access the device without root privileges.

Supposedly, GPG will support certain card readers "out of the box," but that certainly hasn’t been my experience. If your smartcard reader is compatible with the PC/SC CCID standard, then this mini-project should help.

Installation

First, you will need to install pcscd, and ensure users who should have access to the card reader are added to the appropriate group. If you are running a Debian-based system, just follow the steps below; otherwise, please adapt as necessary for your particular distribution.

Installing pcscd
sudo aptitude install pcscd
sudo addgroup --system pcscd
sudo adduser <username> pcscd

Next, you will need to install the current udev rules.

Installing pcscd_rules
sudo cp -i 99-pcscd-local.rules /etc/udev/rules.d/

If your reader isn’t currently listed in the rules file, install the udev_rulegen.sh helper script. This script will help you generate new entries for /etc/udev/rules.d/99-pcscd-local.rules based on the USB devices currently attached to your system.

Installing udev_rulegen.sh
sudo cp -i udev_rulegen.sh /usr/local/sbin/

To add your device to the udev rules, run udev_rulegen.sh and select your smartcard reader from the list. The script will print out a rule suitable for inclusion in the rules file, or you can just append it as follows.

Adding your own CCID devices
/usr/local/sbin/udev_rulegen.sh |
sudo tee -a /etc/udev/rules.d/99-pcscd-local.rules

Sample output from udev_rulegen.sh
# SCM Microsystems, Inc.
ATTR{idVendor}=="04e6", ATTR{idProduct}=="511f", MODE="0660", GROUP="pcscd"

The next time the smartcard reader is attached to the USB bus, users should be able to access the reader properly without elevated privileges.

Note
This list of devices is community-maintained. If you add a device that isn’t listed in the rules file, please submit a patch so that others can benefit as well.

Testing

Once the udev rules are in place, you can test that all has gone according to plan.

  1. Remove any smartcards from the reader.

  2. Unplug your smartcard reader.

  3. Wait a few seconds.

  4. Plug the reader back in.

  5. Log in as a mortal (non-root) user.
    Note: You will need a fresh login in order for recent changes to group membership to take effect.

  6. Insert your OpenPGP smartcard.

  7. Check the status of the card:
    gpg --card-status

Troubleshooting

If anything goes wrong, here are some basic troubleshooting steps.

  1. Find your reader in the lsusb output.

  2. Check permissions on the device:
    ls -l /dev/bus/usb/<bus>/<id>

  3. Permissions should look similar to the following:
    crw-rw---- 1 root pcscd 189, 11 2011-04-13 06:41 /dev/bus/usb/001/012

  4. If the group isn’t pcscd, there’s probably an issue with the udev rules.

  5. Ask for help on the gnupg or pcscd mailing lists.
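
When step 4 points at the rules file, the sketch below (an added example, not part of this project) audits each per-device rule against the policy in the sample rule above, MODE="0660" and GROUP="pcscd". The function names and the two `ffff` entries are constructed for illustration, and only plain `MODE="..."` / `GROUP="..."` assignments are recognised.

```shell
#!/bin/sh
# Added example: audit a pcscd udev rules file against the policy shown on
# this page (MODE="0660", GROUP="pcscd"). Names here are hypothetical.

# audit_pcscd_rules [FILE]  (reads stdin when FILE is omitted)
# Prints one finding per deviating rule; returns 0 if clean, 1 otherwise.
audit_pcscd_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        index($0, "ATTR{idVendor}") == 0 { next }  # only per-device USB rules
        {
            mode = ""; group = ""
            if (match($0, /MODE="[0-7]+"/))
                mode = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /GROUP="[^"]+"/))
                group = substr($0, RSTART + 7, RLENGTH - 8)

            if (mode == "")
                report("no MODE assignment")
            else if (substr(mode, length(mode), 1) != "0")
                report("MODE=" mode " is open to users outside the group")
            else if (mode != "0660")
                report("MODE=" mode " differs from 0660")

            if (group != "pcscd")
                report("GROUP=" group " (expected pcscd)")
        }
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: the first rule is the one shown on this page, the two
# ffff entries are made-up deviations.
sample_rules() {
    cat <<'EOF'
# SCM Microsystems, Inc.
ATTR{idVendor}=="04e6", ATTR{idProduct}=="511f", MODE="0660", GROUP="pcscd"
# constructed entry: mode opens the reader to every local user
ATTR{idVendor}=="ffff", ATTR{idProduct}=="0001", MODE="0666", GROUP="pcscd"
# constructed entry: wrong group
ATTR{idVendor}=="ffff", ATTR{idProduct}=="0002", MODE="0660", GROUP="users"
EOF
}

# With a file argument, audit that file; try: sample_rules | audit_pcscd_rules
if [ $# -gt 0 ]; then audit_pcscd_rules "$1"; fi
```

A rule whose mode ends in a non-zero digit lets any local account talk to the reader, which defeats the point of the pcscd group.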
